NdisMRegisterDevice and security descriptors

Hello all.

Has anyone tried to modify the default security descriptor applied to a
device created with NdisMRegisterDevice?

I tried in two ways:

1. In the INF file, adding something like this:

[.NT.HW]
AddReg = MySec.reg

[MySec.reg]
HKR,,DeviceType,0x10001,0x00000022
HKR,,Security,,"D:(A;;GA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;GA;;;RC)"

2. With the SetupDI API, enumerating the devices in the NET device class,
and calling
SetupDiSetDeviceRegistryProperty on my device with SPDRP_SECURITY_SDS

In both cases, the “Security” key is correctly set under
HKLM\System\CCS\Enum\PCI<instanceid>\Security

but the Security key seems completely ignored.

Is there a special API (e.g. in the INetCfg stuff) that I need to use to
change the security of a descriptor created with NdisMRegisterDevice?

Thanks
GV
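
As an added illustration (not code from the thread), this Python sketch decodes the SDDL string from the INF fragment above, showing which trustees and rights that descriptor would grant if it were honored. The lookup tables cover only a subset of SDDL tokens, and the function names are hypothetical.

```python
import re

# Subset of documented SDDL tokens; extend the tables as needed.
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "FA": "FILE_ALL_ACCESS",
          "FR": "FILE_GENERIC_READ", "FW": "FILE_GENERIC_WRITE"}
SIDS = {"WD": "Everyone", "SY": "Local System", "BA": "Builtin Administrators",
        "RC": "Restricted Code", "AU": "Authenticated Users",
        "BU": "Builtin Users", "IU": "Interactive"}
UNPRIVILEGED = {"WD", "AU", "BU", "IU"}   # groups ordinary users belong to
WRITE_OR_FULL = {"GA", "FA", "GW", "FW"}

# SDDL string quoted in the INF fragment of the post above.
SDDL_FROM_POST = "D:(A;;GA;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;GA;;;RC)"

def parse_dacl(sddl):
    """Return the ACEs of the D: (DACL) component as a list of dicts."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL (D:) component found")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        f = body.split(";")
        if len(f) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        # Rights are two-letter tokens; a hex mask (0x...) is kept raw.
        rights = [f[2]] if f[2].startswith("0x") else re.findall("..", f[2])
        aces.append({"type": {"A": "allow", "D": "deny"}.get(f[0], f[0]),
                     "flags": f[1], "rights": rights, "trustee": f[5]})
    return aces

def risky_aces(aces):
    """Allow-ACEs giving write or full access to an unprivileged group."""
    return [a for a in aces if a["type"] == "allow"
            and a["trustee"] in UNPRIVILEGED
            and WRITE_OR_FULL & set(a["rights"])]

def describe(ace):
    rights = "|".join(RIGHTS.get(r, r) for r in ace["rights"])
    trustee = SIDS.get(ace["trustee"], ace["trustee"])
    return "%s %s to %s" % (ace["type"], rights, trustee)

if __name__ == "__main__":
    aces = parse_dacl(SDDL_FROM_POST)
    for ace in aces:
        flag = "  <-- broad write/full access" if ace in risky_aces(aces) else ""
        print(describe(ace) + flag)
```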

Gianluca,

No, I have not tried but I have some ideas. I recall that
NdisMRegisterDevice() is essentially a call to IoCreateDevice(). You might
check the PDEVICE_OBJECT->SecurityDescriptor field to see if it is NULL. If
it is not, then, perhaps NDIS is using IoCreateDeviceSecure() and specifying
some class guid and/or default SDDL.

In either case the resulting DO is *not* a PnP device object, not associated
with any PnP stack so the INF based mechanism which sets security on
PDO/FDO/FiDO PnP device objects is probably just ignored.

Have you tried acquiring a handle to the DO and using ZwSetSecurityObject()
to attempt to change the DACL? (Again, I have not so I don’t know if it is
a likely path to success).

Good Luck,
-dave

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Gianluca Varenni
Sent: Thursday, October 02, 2008 7:11 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] NdisMRegisterDevice and security descriptors


NTDEV is sponsored by OSR


Hi Gianluca

I honestly think this is a no-can-do - which might be an API weakness. IIRC
NdisMRegisterDevice wraps IoCreateDevice and IoCreateSymbolicLink, not much
more.

Cheers,
Lyndon
