IoCreateDeviceSecure and system service SID

Hello – long time lurker, first time poster :)

I have a WFP driver that creates a device that I need to communicate with via a system service. My service runs with its own SID (ChangeServiceConfig2() with SERVICE_CONFIG_SERVICE_SID_INFO, etc.). What I’m trying to do is secure the driver so that only the system, administrators, and my particular service can have control over it.

To do this, I’ve attempted to use IoCreateDeviceSecure() with the following SDDL:
D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GA;;;S-1-5-80-1867031239-3750773311-1785730948-282889891-1399149709)

(Where S-1-5-80-1867031239-3750773311-1785730948-282889891-1399149709 is the SID shown from sc showsid MyParticularServiceName)

Now, for the problem: When I ‘net start mydriver_wfp’ I get the following:
"System error 1332 has occurred.
No mapping between account names and security IDs was done."

Using a well pre-defined SDDL constant such as SDDL_DEVOBJ_SYS_ALL_ADM_ALL works.

Any ideas?

I should add:

  • I did some searching around and it seems this may be happening because IoCreateDeviceSecure() only accepts “well known” SIDs (posting here to confirm)?

  • I’ve also tried via my INF’s DefaultInstall section, e.g.:

[DefaultInstall]
AddReg = MyDevice.Security

[MyDevice.Security]
HKR,Security,"D:PAI(A;;FA;;;S-1-5-80-1867031239-3750773311-1785730948-282889891-1399149709)(A;f;;;BU)"