How to install an upper filter over USBHUB.SYS

NTDEV
1

Hi, is there any way to install an upper filter for USBHUB.SYS? I want to control all the USB devices. So I have to find a way to install a filter on USBHUB.SYS? Could this work be done by simply modifying the registry? I tried to install my filter as an upper filter over USB controller by adding “UpperFilters” value on {36fc9e60-c465-11cf-8056-444553540000} class. But this didn’t work.

So how to install an upper filter for USBHUB.SYS? Do I have to create an INF file for my filter and use the SetupDi APIs to install? Actually I generated an INF file and tried to use DevCon.exe to install it. But DevCon failed when it called UpdateDriverForPlugAndPlayDevices(). The returned error is 0xE0000219. I used “USB\ROOT_HUB” as the hardware ID for my filter. I used the following DevCon command.

devcon install myfilter.inf USB\ROOT_HUB

And here is my INF file.

[Version]
Signature = “$Windows NT$”
Class=USB
ClassGUID={36fc9e60-c465-11cf-8056-444553540000}
Provider=%TF%
DriverVer= 07/27/2007

[DestinationDirs]
SDUSBWPD.Files = 12 ; %windir%\system32\drivers

[Manufacturer]
%TF%=TF

[TF]
%SDUSBWPDDesc%=SDUSBWPD_Inst,USB\ROOT_HUB

[SDUSBWPD_Inst.NT]
Include=usb.inf

[SDUSBWPD_Inst.NT.HW]
CopyFiles = SDUSBWPD.Files
AddReg = SDUSBWPD.AddReg.NT.HW

[SDUSBWPD_Inst.NT.Services]
AddService = SDUSBWPD,SDUSBWPD_Service_Inst

[SDUSBWPD_Service_Inst]
DisplayName = “SecureDoc USB Port Control Driver”
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %12%\SDUSBWPD.sys
LoadOrderGroup = “pnp filter”

[SDUSBWPD.AddReg.NT.HW]
HKR,UpperFilters,0x00010008,SDUSBWPD

[SDUSBWPD.Files]
SDUSBWPD.sys

[Strings]

; *******Localizable Strings*******
TF= “Test Filter”
SDUSBWPDDesc= “USB Port Controller”

; *******Non Localizable Strings*******

SERVICE_BOOT_START = 0x0
SERVICE_SYSTEM_START = 0x1
SERVICE_AUTO_START = 0x2
SERVICE_DEMAND_START = 0x3
SERVICE_DISABLED = 0x4

SERVICE_KERNEL_DRIVER = 0x1
SERVICE_ERROR_IGNORE = 0x0
SERVICE_ERROR_NORMAL = 0x1
SERVICE_ERROR_SEVERE = 0x2
SERVICE_ERROR_CRITICAL = 0x3

REG_EXPAND_SZ = 0x00020000
REG_DWORD = 0x00010001

Is there anything wrong with my INF file?

Thanks.

2

What do you mean by “control all usb devices”. Do you want to filter
device traffic? fail device enumeration?

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.ca
Sent: Monday, July 30, 2007 9:58 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to install an upper filter over USBHUB.SYS

Hi, is there any way to install an upper filter for USBHUB.SYS? I want
to control all the USB devices. So I have to find a way to install a
filter on USBHUB.SYS? Could this work be done by simply modifying the
registry? I tried to install my filter as an upper filter over USB
controller by adding “UpperFilters” value on
{36fc9e60-c465-11cf-8056-444553540000} class. But this didn’t work.

So how to install an upper filter for USBHUB.SYS? Do I have to create an
INF file for my filter and use the SetupDi APIs to install? Actually I
generated an INF file and tried to use DevCon.exe to install it. But
DevCon failed when it called UpdateDriverForPlugAndPlayDevices(). The
returned error is 0xE0000219. I used “USB\ROOT_HUB” as the hardware ID
for my filter. I used the following DevCon command.

devcon install myfilter.inf USB\ROOT_HUB

And here is my INF file.

[Version]
Signature = “$Windows NT$”
Class=USB
ClassGUID={36fc9e60-c465-11cf-8056-444553540000}
Provider=%TF%
DriverVer= 07/27/2007

[DestinationDirs]
SDUSBWPD.Files = 12 ; %windir%\system32\drivers

[Manufacturer]
%TF%=TF

[TF]
%SDUSBWPDDesc%=SDUSBWPD_Inst,USB\ROOT_HUB

[SDUSBWPD_Inst.NT]
Include=usb.inf

[SDUSBWPD_Inst.NT.HW]
CopyFiles = SDUSBWPD.Files
AddReg = SDUSBWPD.AddReg.NT.HW

[SDUSBWPD_Inst.NT.Services]
AddService = SDUSBWPD,SDUSBWPD_Service_Inst

[SDUSBWPD_Service_Inst]
DisplayName = “SecureDoc USB Port Control Driver”
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %12%\SDUSBWPD.sys
LoadOrderGroup = “pnp filter”

[SDUSBWPD.AddReg.NT.HW]
HKR,UpperFilters,0x00010008,SDUSBWPD

[SDUSBWPD.Files]
SDUSBWPD.sys

[Strings]

; *******Localizable Strings*******
TF= “Test Filter”
SDUSBWPDDesc= “USB Port Controller”

; *******Non Localizable Strings*******

SERVICE_BOOT_START = 0x0
SERVICE_SYSTEM_START = 0x1
SERVICE_AUTO_START = 0x2
SERVICE_DEMAND_START = 0x3
SERVICE_DISABLED = 0x4

SERVICE_KERNEL_DRIVER = 0x1
SERVICE_ERROR_IGNORE = 0x0
SERVICE_ERROR_NORMAL = 0x1
SERVICE_ERROR_SEVERE = 0x2
SERVICE_ERROR_CRITICAL = 0x3

REG_EXPAND_SZ = 0x00020000
REG_DWORD = 0x00010001

Is there anything wrong with my INF file?

Thanks.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

3

Hi Doron,

I want to implement the granular access control on all USB devices. Access to USB devices can be controlled either by denying all access, providing read only access or allowing full authorised access. Something like USB port control. That is why I need to install an upper filter over usbhub.sys.

Michael

4

----- Original Message -----
From:
To: “Windows System Software Devs Interest List”
Sent: Monday, July 30, 2007 11:08 AM
Subject: RE:[ntdev] How to install an upper filter over USBHUB.SYS

> Hi Doron,
>
> I want to implement the granular access control on all USB devices. Access
> to USB devices can be controlled either by denying all access, providing
> read only access or allowing full authorised access. Something like USB
> port control. That is why I need to install an upper filter over
> usbhub.sys.

I don’t know almost anything about the USB stack, but I wonder what you mean
by “read-only” access to a USB port. Many USB devices need “write”
operations in order to configure them upon initialization. The best that you
can do in that case is a no-access/full access control.

Just my two cents
GV

>
> Michael
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer

5

“read-only” access is for some USB storage devices, some WPDs (windows portable device) like a MP3 player.

6

You need to do this above each client driver, by the time usbhub sees
the i/o request, you could very well be in the wrong thread context, you
certainly will not see IRP_MJ_CREATEs at that level. Furthermore, you
would have to be a bus filter and dynamically attach to enumerated PDOs
as well as PDOs enumerated by usbccgp to be 100% effective in event
attempting to see all i/o.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.ca
Sent: Monday, July 30, 2007 11:09 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to install an upper filter over USBHUB.SYS

Hi Doron,

I want to implement the granular access control on all USB devices.
Access to USB devices can be controlled either by denying all access,
providing read only access or allowing full authorised access. Something
like USB port control. That is why I need to install an upper filter
over usbhub.sys.

Michael

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

7

xxxxx@yahoo.ca wrote:

Hi, is there any way to install an upper filter for USBHUB.SYS? I want to control all the USB devices.

No, you don’t. Not really. :wink: What do you hope to do? USB devices
don’t have that much in common.

So I have to find a way to install a filter on USBHUB.SYS? Could this work be done by simply modifying the registry? I tried to install my filter as an upper filter over USB controller by adding “UpperFilters” value on {36fc9e60-c465-11cf-8056-444553540000} class. But this didn’t work.

Did you reboot first? The UpperFilters value is only read when a device
of that class is detected.

So how to install an upper filter for USBHUB.SYS? Do I have to create an INF file for my filter and use the SetupDi APIs to install?

If it were me, I’d write an application to use the SetupDi APIs to tweak
the appropriate UpperFilters or LowerFilters value.

Actually I generated an INF file and tried to use DevCon.exe to install it. But DevCon failed when it called UpdateDriverForPlugAndPlayDevices(). The returned error is 0xE0000219. I used “USB\ROOT_HUB” as the hardware ID for my filter. I used the following DevCon command.

devcon install myfilter.inf USB\ROOT_HUB

Right. There is already a standard system driver that matches this ID.
It will be preferred over yours.

And here is my INF file.

[SDUSBWPD_Inst.NT]
Include=usb.inf

This doesn’t do anything. This makes the section of usb.inf available
to your INF, but you have to use Needs= to actually call one of the
sections in that file.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

8

xxxxx@yahoo.ca wrote:

I want to implement the granular access control on all USB devices. Access to USB devices can be controlled either by denying all access, providing read only access or allowing full authorised access. Something like USB port control. That is why I need to install an upper filter over usbhub.sys.

What do you think “read only access” means? Video cameras and USB audio
devices require that you send configuration commands before you can
stream data. Would you prevent that?

Are you really talking about restricting access to volumes on USB mass
storage devices?


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

9

Hi Michael,

Are you implementing similar to http://www.devicelock.com ?

  • Murali

On 7/30/07, xxxxx@yahoo.ca wrote:
>
> Hi Doron,
>
> I want to implement the granular access control on all USB devices. Access
> to USB devices can be controlled either by denying all access, providing
> read only access or allowing full authorised access. Something like USB port
> control. That is why I need to install an upper filter over usbhub.sys.
>
> Michael
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

10

To Doron: Thanks for your advice. Once I can find a way to install the usbhub.sys filter driver I’ll follow your suggestion.

11

To Murali A: Yes. I plan to implement the same thing.

12

To Tim: Actually I want to implement something like USB port control. The admin can set access control for each of the USB devices.

13

I was not suggesting that you be a bus filter (e.g. dynamically
attaching to usbhub PDOs). Writing this type of driver correctly is
infinitely hard b/c it is undocumented and not something we want on the
system. You are better off filtering above each device class driver
that you want to provide access control for. The correct semantics and
context will be on incoming i/o to the driver, not the i/o that the
driver sends down to the device.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.ca
Sent: Tuesday, July 31, 2007 6:27 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to install an upper filter over USBHUB.SYS

To Doron: Thanks for your advice. Once I can find a way to install the
usbhub.sys filter driver I’ll follow your suggestion.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

14

xxxxx@yahoo.ca wrote:

To Tim: Actually I want to implement something like USB port control. The admin can set access control for each of the USB devices.

I still don’t know what that means. As I said, if you were to say that
you wanted to implement read/write access control for USB Mass Storage
devices, I believe that can be implemented. It’s been done before.
But, for example, I don’t know what “access control” would mean for a
USB camera, nor how you would implement such a thing.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

15

Doron,

I’ve recently completed such a driver (dynamically attaching to usbhub
PDOs).
Can you explain some of the complexities ?

I want to make sure I didn’t miss anything.

Thanks,
Guy

Doron Holan wrote:

I was not suggesting that you be a bus filter (e.g. dynamically
attaching to usbhub PDOs). Writing this type of driver correctly is
infinitely hard b/c it is undocumented and not something we want on the
system. You are better off filtering above each device class driver
that you want to provide access control for. The correct semantics and
context will be on incoming i/o to the driver, not the i/o that the
driver sends down to the device.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.ca
Sent: Tuesday, July 31, 2007 6:27 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to install an upper filter over USBHUB.SYS

To Doron: Thanks for your advice. Once I can find a way to install the
usbhub.sys filter driver I’ll follow your suggestion.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

16

Detaching from them correctly is one of the biggest gotchas. You must
track the PDO’s reported state and behave like a bus driver, knowing
when to just process a pnp remove and when to delete (and detach in this
case) for a pnp remove. Also, given how different drivers process
remove (detach then send or send then detach) you cannot detach from the
stack like you do in a normal driver handling remove.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Guy Corem
Sent: Tuesday, July 31, 2007 12:17 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] How to install an upper filter over USBHUB.SYS

Doron,

I’ve recently completed such a driver (dynamically attaching to usbhub
PDOs).
Can you explain some of the complexities ?

I want to make sure I didn’t miss anything.

Thanks,
Guy

Doron Holan wrote:

I was not suggesting that you be a bus filter (e.g. dynamically
attaching to usbhub PDOs). Writing this type of driver correctly is
infinitely hard b/c it is undocumented and not something we want on
the
system. You are better off filtering above each device class driver
that you want to provide access control for. The correct semantics
and
context will be on incoming i/o to the driver, not the i/o that the
driver sends down to the device.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@yahoo.ca
Sent: Tuesday, July 31, 2007 6:27 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] How to install an upper filter over USBHUB.SYS

To Doron: Thanks for your advice. Once I can find a way to install the
usbhub.sys filter driver I’ll follow your suggestion.

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

17

> As I said, if you were to say that

you wanted to implement read/write access control for USB Mass Storage
devices, I believe that can be implemented.

I would say such solution would be better off if it attaches itself above DISK.SYS, so that it can filter
IRP_MJ_READ and IRP_MJ_WRITE, instead of SCSI commands you would have to deal with if you
put your driver in between USBSTOR.SYS and DISK.SYS. After all, if USB device presents itself as a basic disk to the system, it can have multiple volumes on it, so that you may want, for example, to make volume X RO and volume Y RW. Certainly, in such case you would have to make sure that you are below PartMgr.sys on the storage stack - once FtDisk communicates with PartMgr via the private interface and PartMgr forwards the requests to DISK.SYS, attaching yourself above PartMgr is not going to lead you anywhere…

In other words, this task in itself is purely storage-based one, so that does not have that much to do with USB…

Filtering USBSTOR.SYS is a good option when you are more interested in device characteristics, rather than in reads and writes - for example, you may want to present a removable disk as a basic one to the system (or vice versa)…

Anton Bassov

18

To Guy Corem: Can you explain something on how you implement dynamically attaching to usbhub PDOs? That is what I am trying to implement. Do you use the SetupDiXXXX APIs? Thanks

19

To Tim and Anton: I don’t wanna just control the USB Mass Storage devices. I hope I can control all the USB devices like a MP3 player or PDA attached to PC by USB interface. That is why I have to put an upper filter for USBHUB.SYS.

20

xxxxx@yahoo.ca wrote:

To Tim and Anton: I don’t wanna just control the USB Mass Storage devices. I hope I can control all the USB devices like a MP3 player or PDA attached to PC by USB interface. That is why I have to put an upper filter for USBHUB.SYS.

MP3 players, memory sticks, and offline digital cameras are all
implemented as USB Mass Storage Devices. If the object is to prevent
files from being transferred to the device, then you definitely do want
to limit yourself to USB Mass Storage class. After all, you can’t
transfer files to a mouse.

You really need to think about the use cases and narrow your focus.
Otherwise, your task is hopeless. There is simply no way to look at an
arbitrary USB transaction and ask, “is this going to modify the
device?” Remember that, even on a mass storage device, you have to
allow “write” transactions to be sent, so that the file system driver
can tell it what sector it wants to read. You have to work on a higher
level.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.