how to get a notification when a user plugs in a new device?

Hi everybody,

I have developed a legacy driver and now I need to extend it to perform some
actions when a user plugs in a new PnP device.

I have read the DDK doc and from what I understand is that the bus driver
(for the device plugged in) gets notified and calls
IoInvalidateDeviceRelations and then the kernel PnP manager “kernel-mode PnP
Manager sends IRPs to the bus driver to gather information about the new
device, such as the device’s hardware IDs, compatible IDs, and device
capabilities. The IRPs include IRP_MN_QUERY_ID and
IRP_MN_QUERY_CAPABILITIES”

Ideally, I would like to be notified too when a device is plugged in so that
I can query the device myself.

And my question is: is there a way to get such notification, either from the
bus driver or from the kernel PnP manager?

ps: ideally before the kernel PnP manager has notified the user-mode PnP
manager.

thank you in advance,


Marco [www.neovalens.com]

There is no documented way to do this, especially when you want to
circumvent the pnp manager. Do you want to do this for particular
backplanes (ie all USB or PCI devices), or for a particular type (all
disks), or just every device in the machine? If it is for particular
type, you can register for device interface notifications for that type
and be notified after the device has been started. Once started, you
can query the ID or caps

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marco Peretti
Sent: Thursday, November 18, 2004 8:12 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] how to get a notification when a user plugs in a new
device?

Hi everybody,

I have developed a legacy driver and now I need to extend it to perform some
actions when a user plugs in a new PnP device.

I have read the DDK doc and from what I understand is that the bus driver
(for the device plugged in) gets notified and calls
IoInvalidateDeviceRelations and then the kernel PnP manager "kernel-mode PnP
Manager sends IRPs to the bus driver to gather information about the new
device, such as the device’s hardware IDs, compatible IDs, and device
capabilities. The IRPs include IRP_MN_QUERY_ID and
IRP_MN_QUERY_CAPABILITIES"

Ideally, I would like to be notified too when a device is plugged in so that
I can query the device myself.

And my question is: is there a way to get such notification, either from the
bus driver or from the kernel PnP manager?

ps: ideally before the kernel PnP manager has notified the user-mode PnP
manager.

thank you in advance,


Marco [www.neovalens.com]


Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: xxxxx@windows.microsoft.com
To unsubscribe send a blank email to xxxxx@lists.osr.com

Hi Doran

looks like my reply did not get through so I’ll give it a second try.

Right now I am interested in being notified of new devices being plugged on
either the USB or FireWire buses; ideally all buses (or backplanes?) that
accept hot pluggable devices but for now I can live with USB/1394 to begin
with.

the reason I need it is because we have a solution that allows unprivileged
users install PnP devices and we would like to control the device classes in
order to allow or not the installation.

Any other idea?

thanks,


Marco [www.neovalens.com]


ehm,. I meant Doron (sorry)


Marco [www.neovalens.com]

Yes, get signed drivers so that it doesn’t matter what level of
privilege the user has.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marco Peretti
Sent: Thursday, November 18, 2004 1:57 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] how to get a notification when a user plugs in a new
device?

Hi Doran

looks like my reply did not get through so I’ll give it a second try.

Right now I am interested in being notified of new devices being plugged on
either the USB or FireWire buses; ideally all buses (or backplanes?) that
accept hot pluggable devices but for now I can live with USB/1394 to begin
with.

the reason I need it is because we have a solution that allows unprivileged
users install PnP devices and we would like to control the device classes in
order to allow or not the installation.

Any other idea?

thanks,


Marco [www.neovalens.com]


AFAIK that does not work with client-side installs and, unfortunately, there
are still a lot of drivers around which are not signed and which must be
dealt with.

Anyway, the problem I am trying to solve is not for our driver. Our product
allows the setting of privileges at the process level and it can be used in
conjunction with rundll32.exe (and newdev.dll) to allow unprivileged users
to install any device. I would like now to go further and control which
device class can be installed.

BTW, just granting the SeLoadDriver privilege is not enough as most
printers, for example, have a complex setup that requires administrative
privileges.

cheers,


Marco [www.neovalens.com]


> Ideally, I would like to be notified too when a device is plugged in so that
> I can query the device myself.

WM_DEVICECHANGE or the service-based notification will help.

> ps: ideally before the kernel PnP manager has notified the user-mode PnP
> manager.

Impossible. First the kernel stuff will work, and only then the user stuff will
be notified.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Doesn’t this feature just turn into a privilege elevation hack? I mean,
unless you’re going to attestation-check the drivers that can be
installed or something…

…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.

“Ray Trent” wrote in message
news:xxxxx@ntdev…
> Doesn’t this feature just turn into a privilege elevation hack? I mean,
> unless you’re going to attestation-check the drivers that can be installed
> or something…

Hi Ray,

good question: we do not know the answer yet. I do not think however that it
can be used to install any driver as rundll32.exe + newdev.dll is invoked by
the user mode PnP manager when a new physical device is hot-plugged into a
bus.

if that is not the case I would like to hear more about it.

cheers,

Marco

> WM_DEVICECHANGE or the service-based notification will help.

interesting: I have had a look at the doc but it appears as it is an after
the fact message.
May turn useful nonetheless … if I do not find a way to query device
capabilities before it is actually installed.

thanks,

Marco

Well, my point was this:

Let’s suppose the user *does* plug in an “allowed” device. Where do you
get the driver from that you’re planning to allow them to install? If
it’s a user-provided driver (i.e. the user can browse to a directory
containing the driver), then the user can provide a hacked driver that
gives them access they aren’t authorized for.

If you’re also planning on limiting the drivers that can be installed on
the newly plugged in device (via some kind of MD5 hash or something else
reasonably secure), that’s less of a worry. But was concerned when you
mentioned that you had to handle unsigned drivers.

…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.

You cannot query the device to ask it its particular function. Pnp can
query for device capabilities, but they are generic (ie it can wake the
machine, it can be surprise removed, etc). The fact that is a disk is
determined by an INF match and the driver that is loaded on top of it.
What you are describing what you want to do is replace the pnp manager
or circumvent it. All the notifications built into the system are after
the fact, not before the fact.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marco Peretti
Sent: Friday, November 19, 2004 1:50 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] how to get a notification when a user plugs in a new
device?

> WM_DEVICECHANGE or the service-based notification will help.

interesting: I have had a look at the doc but it appears as it is an after
the fact message.
May turn useful nonetheless … if I do not find a way to query device
capabilities before it is actually installed.

thanks,

Marco



Ray,

> Let’s suppose the user *does* plug in an “allowed” device. Where do you
> get the driver from that you’re planning to allow them to install? If it’s
> a user-provided driver (i.e. the user can browse to a directory containing
> the driver), then the user can provide a hacked driver that gives them
> access they aren’t authorized for.

now I get your point: I do not think that that is an issue as the user is
not involved at all besides plugging in the PnP device and providing the
vendor CD. All we do is changing the privileges of the rundll32.exe process
but we do not interfere at all with the setup process.

While not 100% foolproof it must be stated that our goal is to allow
organizations get away from having to grant end-users administrative
privileges and managing such privileges on a per-application basis.

> If you’re also planning on limiting the drivers that can be installed on
> the newly plugged in device (via some kind of MD5 hash or something else
> reasonably secure), that’s less of a worry. But was concerned when you
> mentioned that you had to handle unsigned drivers.

our solution does allow customers to select applications by a sha-1 hash but
we have been asked to allow as well the installation of PnP devices without
authorizing the setup.exe for each device. IT departments that have to
manage a remote workforce have to allow their employees to buy & use
printers but it requires an administrator to remotely log on and run the
setup.

cheers,


Marco [www.neovalens.com]

“Doron Holan” wrote in message
news:xxxxx@ntdev…
>>You cannot query the device to ask it its particular function. Pnp can
query for device capabilities, but they are generic (ie it can wake the
machine, it can be surprise removed, etc). The fact that is a disk is
determined by an INF match and the driver that is loaded on top of it.
What you are describing what you want to do is replace the pnp manager
or circumvent it. All the notifications built into the system are after
the fact, not before the fact.<<

ok – let’s forget that idea then …

May I take this occasion to ask how safe would it be to use the
“System-Supplied Device Setup Classes” for signed drivers?

Another idea I had was to query the driver .inf file once the user-mode PnP
manager will start the rundll.exe.exe process?

cheers,


Marco [www.neovalens.com]

Ah, but they are. The providing the vendor CD part is where you get the
elevation of privilege. Since you can’t control what is being
installed, you can’t know what the installation / vendor CD is doing.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marco Peretti
Sent: Sunday, November 21, 2004 5:43 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] how to get a notification when a user plugs in a new
device?

Ray,

> Let’s suppose the user *does* plug in an “allowed” device. Where do you
> get the driver from that you’re planning to allow them to install? If it’s
> a user-provided driver (i.e. the user can browse to a directory containing
> the driver), then the user can provide a hacked driver that gives them
> access they aren’t authorized for.

now I get your point: I do not think that that is an issue as the user is
not involved at all besides plugging in the PnP device and providing the
vendor CD. All we do is changing the privileges of the rundll32.exe process
but we do not interfere at all with the setup process.

While not 100% foolproof it must be stated that our goal is to allow
organizations get away from having to grant end-users administrative
privileges and managing such privileges on a per-application basis.

> If you’re also planning on limiting the drivers that can be installed on
> the newly plugged in device (via some kind of MD5 hash or something else
> reasonably secure), that’s less of a worry. But was concerned when you
> mentioned that you had to handle unsigned drivers.

our solution does allow customers to select applications by a sha-1 hash but
we have been asked to allow as well the installation of PnP devices without
authorizing the setup.exe for each device. IT departments that have to
manage a remote workforce have to allow their employees to buy & use
printers but it requires an administrator to remotely log on and run the
setup.

cheers,


Marco [www.neovalens.com]



I am not sure what you are asking. If the driver is signed, there is no
issue here b/c the driver installs w/out any user intervention.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marco Peretti
Sent: Sunday, November 21, 2004 5:52 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] how to get a notification when a user plugs in a new
device?

“Doron Holan” wrote in message
news:xxxxx@ntdev…
>>You cannot query the device to ask it its particular function. Pnp can
query for device capabilities, but they are generic (ie it can wake the
machine, it can be surprise removed, etc). The fact that is a disk is
determined by an INF match and the driver that is loaded on top of it.
What you are describing what you want to do is replace the pnp manager
or circumvent it. All the notifications built into the system are after
the fact, not before the fact.<<

ok – let’s forget that idea then …

May I take this occasion to ask how safe would it be to use the
“System-Supplied Device Setup Classes” for signed drivers?

Another idea I had was to query the driver .inf file once the user-mode PnP
manager will start the rundll.exe.exe process?

cheers,


Marco [www.neovalens.com]




Doron,

re-reading my question I have realized that I was not that clear – let me
address both of your comments and hopefully it will all become clear.

>>I am not sure what you are asking. If the driver is signed, there is no
issue here b/c the driver installs w/out any user intervention. <<

I was referring to the vendor-supplied CD for the product setup. You are
correct for what concerns the signed drivers but many PnP devices, whether
signed or not, come with a CD that contains an installation program for
their applications.

>>Ah, but they are. The providing the vendor CD part is where you get the
elevation of privilege. Since you can’t control what is being
installed, you can’t know what the installation / vendor CD is doing.<<

That is the tricky part: one could indeed fiddle with the vendor CD and
cheat rundll32.exe into starting another setup.exe. That is why, a few posts
ago, I asked how safe would it be to rely on that information for signed
drivers.

By safe I meant:

  1. how safe is it to use the “setup class guid” -> relationship to device

and

  2. how safe would it be to rely on the cat file for signed drivers

And I think that I can answer #2 myself: not safe at all unless that cat
file contains the md5/sha-1 of the setup.exe to be run. One may verify the
integrity of the inf file by means of the cat file and , I think, the
relationship of the .cat file to driver binary but there is nothing about
the setup.exe.

One could take a vendor CD and make up his own with the original cat/inf/sys
but his own application named setup.exe … correct?

Marco


Marco [www.neovalens.com]

The whole point of driver signing is the trust of scenario #2. The
inf, cat and sys file are all signed.

As for scenario one, the setup class guid itself just indicates the type
of device being installed, not necessarily (the class guid does define
class upper filters which come into play) the drivers being installed
for the device. The class drivers usually associated with the class
guid can be trusted to a degree, but since the class drivers were
probably never tested with the device which is unsigned, there is no
guarantee of compatibility and full function until after it has gone
through WHQL testing.
d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Marco Peretti
Sent: Monday, November 22, 2004 12:11 AM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] how to get a notification when a user plugs in a new
device?

Doron,

re-reading my question I have realized that I was not that clear – let me
address both of your comments and hopefully it will all become clear.

>>I am not sure what you are asking. If the driver is signed, there is no
issue here b/c the driver installs w/out any user intervention. <<

I was referring to the vendor-supplied CD for the product setup. You are
correct for what concerns the signed drivers but many PnP devices, whether
signed or not, come with a CD that contains an installation program for
their applications.

>>Ah, but they are. The providing the vendor CD part is where you get the
elevation of privilege. Since you can’t control what is being
installed, you can’t know what the installation / vendor CD is doing.<<

That is the tricky part: one could indeed fiddle with the vendor CD and
cheat rundll32.exe into starting another setup.exe. That is why, a few posts
ago, I asked how safe would it be to rely on that information for signed
drivers.

By safe I meant:

  1. how safe is it to use the “setup class guid” -> relationship to device

and

  2. how safe would it be to rely on the cat file for signed drivers

And I think that I can answer #2 myself: not safe at all unless that cat
file contains the md5/sha-1 of the setup.exe to be run. One may verify the
integrity of the inf file by means of the cat file and, I think, the
relationship of the .cat file to driver binary but there is nothing about
the setup.exe.

One could take a vendor CD and make up his own with the original cat/inf/sys
but his own application named setup.exe … correct?

Marco


Marco [www.neovalens.com]



I suspect for marketing reasons this won’t be made clear to buyers of
your system, but I did want to make sure *you* realize that this will
allow unprivileged users a way to gain admin privileges by installing
their own uncertified drivers for “authorized devices”.

…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.

If the setup.exe program is referenced in the CopyFiles section of the
INF file, then it is signed too… *however*, and this is the important
part, running that setup.exe program is not itself subject to signing
checks, only copying it is.

On the other hand, most OEM’s setup.exe programs *aren’t* referenced in
the CopyFiles section of the INF. So even that meager protection is
rarely available.

If someone runs a setup.exe program from a CD, you shouldn’t give that
process privileges (unless perhaps you can somehow independently verify
that it’s *properly* signed). If you do, anyone can burn a CD with a
setup.exe program that does anything they want.

…/ray..

Please remove “.spamblock” from my email address if you need to contact
me outside the newsgroup.
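
The check discussed in the last few posts, as an added example that is not from any poster or from the product under discussion: it reads the setup class GUID from an INF, lists the files its CopyFiles directives reference, and approves elevation only for an installer whose hash is on an allow-list. The sample INF, file names, byte strings and allow-lists are constructed; SHA-256 is used in place of the MD5/SHA-1 mentioned in the thread, and the INF is assumed to have already passed Windows catalog signature verification (an unsigned INF can claim any class).

```python
import hashlib

# Constructed sample INF (not from a real vendor). The class GUID is the
# system-supplied Printer setup class.
SAMPLE_INF = r"""
; constructed sample
[Version]
Signature="$Windows NT$"
Class=Printer
ClassGUID={4D36E979-E325-11CE-BFC1-08002BE10318}
CatalogFile=sample.cat

[Manufacturer]
%Mfg%=Models

[Models]
"Sample Printer"=Install,USB\VID_0000&PID_0000

[Install]
CopyFiles=DriverFiles,@readme.txt

[DriverFiles]
sample.sys
sampleui.dll,sampleui_src.dll,,2

[Strings]
Mfg="Sample"
"""

# Hypothetical policy inputs: allowed setup classes and approved installer hashes.
ALLOWED_CLASS_GUIDS = {"{4D36E979-E325-11CE-BFC1-08002BE10318}"}
VENDOR_SETUP = b"constructed bytes standing in for the vendor's setup.exe"
APPROVED_SHA256 = {hashlib.sha256(VENDOR_SETUP).hexdigest()}


def _strip_comment(line):
    """Drop an INF comment (';' to end of line) unless the ';' is quoted."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ';' and not in_quotes:
            return line[:i]
    return line


def parse_inf(text):
    """Return {lower-cased section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = _strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = sections.setdefault(line[1:-1].strip().lower(), [])
        elif current is not None:
            current.append(line)
    return sections


def _entries(lines):
    """Yield (lower-cased key, value) for 'key = value' lines."""
    for line in lines:
        if '=' in line:
            key, value = line.split('=', 1)
            yield key.strip().lower(), value.strip()


def setup_class_guid(sections):
    for key, value in _entries(sections.get('version', [])):
        if key == 'classguid':
            return value.strip('"').upper()
    return None


def copyfiles_targets(sections):
    """File names named by any CopyFiles directive (direct @file or file-list section)."""
    files = set()
    for lines in sections.values():
        for key, value in _entries(lines):
            if key != 'copyfiles':
                continue
            for item in (v.strip() for v in value.split(',')):
                if item.startswith('@'):
                    files.add(item[1:].lower())
                    continue
                for entry in sections.get(item.lower(), []):
                    # file-list entry: destination[,source[,unused[,flag]]]
                    fields = [f.strip().strip('"') for f in entry.split(',')]
                    files.update(f.lower() for f in fields[:2] if f)
    return files


def evaluate(inf_text, installer_name, installer_bytes, allowed_classes, approved_sha256):
    """Decide whether the installer about to run may be given extra privileges."""
    sections = parse_inf(inf_text)
    guid = setup_class_guid(sections)
    digest = hashlib.sha256(installer_bytes).hexdigest()
    result = {
        'class_guid': guid,
        'class_allowed': guid in allowed_classes,
        # Informational: is the installer even mentioned by the (signed) INF?
        'installer_in_copyfiles': installer_name.lower() in copyfiles_targets(sections),
        'installer_hash_approved': digest in approved_sha256,
    }
    # Being copied by a signed INF does not vet what gets executed, so the
    # decision rests on the bytes that will actually run.
    result['elevate'] = result['class_allowed'] and result['installer_hash_approved']
    return result
```

On the constructed sample, `setup.exe` is not among the CopyFiles targets, so the catalog says nothing about it and the hash allow-list is the only thing tying the elevated process to known bytes.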