It seems the RamDisk sample does not work properly on Vista x64. A test certificate is used to sign the installation files (following the procedure in KMCS_Walkthrough.doc). The driver would load and start. But the device cannot be accessed in a non-administrative context. For example, selecting the drive letter in Explorer pops up an “Access denied” error message, but Notepad “Run as administrator” can open/read/write to the drive. Is there a “Run as administrator” for a driver file?
(My driver has the exact same problem and I posted a similar question a few days ago, but have not got any feedback. So I thought I should check how RamDisk does it. RamDisk is pretty well-abused; someone out there must have run into this.)
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@yahoo.com
> Sent: Friday, March 06, 2009 10:50 PM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] RamDisk and Vista x64
>
> It seems the RamDisk sample does not work properly on Vista
> x64. A test certificate is used to sign the installation
> files (following the procedure in KMCS_Walkthrough.doc). The
> driver would load and start. But the device cannot be
> accessed in non administrative context. For example, select
> the drive letter in Explorer will pop up a “Access denied”
> error message, but notepad “Run as administrator” can
> open/read/write to the drive. Is there a “Run as
> administrator” for a driver file?
I guess you are mixing two things. Drive letter access rights have nothing to
do with driver file access rights or certificates. The problem is
probably the security descriptor of the devices created by the driver, which
allows only admin access. It should be the same on x86 and x64 Vista and
also on XP running for non-privileged users. It is necessary to have a
signed driver to have it running on Vista x64 but it isn’t enough. The
driver, once it starts, has to create devices in a way that non-privileged
users can access them.
A long time ago when I wrote a virtual disk driver I had to change the security
descriptors of created devices manually using undocumented functions.
I’m not quite sure about the RamDisk sample but if devices are created the PnP
way, it could be sufficient to set security descriptors in the INF file.
(Have no idea what I’m speaking about? Start with reading the Windows
Internals book.)
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
I remember for user-mode apps that require Admin rights, if the app is not signed, it will need to be “Run as Administrator” to work properly, but if it is signed and configured (using a manifest file(?)), the “Run as” is not necessary. Hence the silly question about “Run as” for a driver file.
It is strange that Ramdisk driver creates a device with proper access rights on all other versions of Windows, but x64 Vista. I’ll check setting security descriptors in INF file. Thanks.
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@yahoo.com
> Sent: Friday, March 06, 2009 11:37 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] RamDisk and Vista x64
>
> It is strange that Ramdisk driver creates a device with
> proper access rights on all other versions of Windows, but
> x64 Vista. I’ll check setting security descriptors in INF
> file. Thanks.
Start with checking if the problem is really there. Examine the device
security descriptor using the WinObj tool, on both x64 and x86 Vista.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
I compared the security settings for a regular disk and the ramdisk device. RamDisk_r doesn’t have the “Everyone” group with “R” permission that “HarddiskVolumeN” has. Not sure if this is the cause of the problem (it doesn’t stop the device from working on pre-Vista versions of Windows), but now I have something to try. Thank you for the tip.
It can be, but things changed in Vista and I’m not sure where the security
check is applied. You can hook up a debugger and check it yourself. I’d start
with a breakpoint at the return from SeAccessCheck() and make a condition
for access denied (or not OK). Then you can examine the stack to see how
it was called and for what device. Or you can start from the top and see
why user access was denied.
BTW, how is your RamDisk formatted? FAT or NTFS? If the second, it could
be a problem with the root directory ACL, too.
Best regards,
Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@yahoo.com
> Sent: Saturday, March 07, 2009 12:30 AM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] RamDisk and Vista x64
>
> I compared the security settings for a regular disk and the
> ramdisk device. RamDisk_r doesn’t have the “Everyone” group
> with “R” permission as the “HarddiskVolumeN”. Not sure if
> this is the cause of the problem (it doesn’t stop the device
> from working on pre-Vista versions of Windows), but now I
> have something to try. Thank you for the tip.
>
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online
> at http://www.osronline.com/page.cfm?name=ListServer
I call WdfDeviceInitAssignSDDLString in DeviceAdd to set up the security
attributes of RamDisk to be the same as HarddiskVolume1
("D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)"). The drive
letter for the RamDisk R: now shows up in Explorer and R/W accesses are
possible, but execution of files is not. I believe, as you said, I’ll
need to set the ACL of the root directory (even if the file system is
FAT), but couldn’t find anywhere in the code to do so. Any suggestions
where to look? Thanks.
Michal Vodicka wrote:
> It can be but things changed in Vista and I’m not sure where security
> check is applied. You can hook debugger and check it yourself. I’d start
> with a breakpoint at return from SeAccessCheck() and make a condition
> for access denied (or not OK). Then you can examine the stack to see how
> it was called and for what device. Or you can start from the top and see
> why user access was denied.
>
> BTW, how is your RamDisk formatted? FAT or NTFS? If the second, it could
> be a problem with root directory ACL, too.
>
> Best regards,
> Michal Vodicka
> UPEK, Inc.
> [xxxxx@upek.com, http://www.upek.com]
>
> > -----Original Message-----
> > From: xxxxx@lists.osr.com
> > [mailto:xxxxx@lists.osr.com] On Behalf Of
> > xxxxx@yahoo.com
> > Sent: Saturday, March 07, 2009 12:30 AM
> > To: Windows System Software Devs Interest List
> > Subject: RE:[ntdev] RamDisk and Vista x64
> >
> > I compared the security settings for a regular disk and the
> > ramdisk device. RamDisk_r doesn’t have the “Everyone” group
> > with “R” permission as the “HarddiskVolumeN”. Not sure if
> > this is the cause of the problem (it doesn’t stop the device
> > from working on pre-Vista versions of Windows), but now I
> > have something to try. Thank you for the tip.
I added
[DiskInstall.NT.AddReg]
HKR,Security,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGX;;;WD)(A;;GRGX;;;RC)"
to the inf file and things seem to work.
> I added
> [DiskInstall.NT.AddReg]
> HKR,Security,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGX;;;WD)(A;;GRGX;;;RC)"
> to the inf file and thing seems to work.
You probably don’t need the (A;;GRGX;;;RC) part here. You already
gave the same access to everyone (WD) so the only way the “restricted”
ACE can make any difference is if somebody creates a restricted token
that doesn’t have the “everyone” SID, and that’s a really strange thing to
do (code running with such token wouldn’t be able to access resources
that have ACLs granting full control to everyone). And if someone is
paranoid enough to create such a token, it’s unlikely that they would
want any code running under this token to be able to access your device
anyway.
–
Pavel Lebedinsky/Windows Kernel Test
This posting is provided “AS IS” with no warranties, and confers no rights.
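To make the SDDL strings in this thread (the HarddiskVolume1 DACL passed to WdfDeviceInitAssignSDDLString and the INF AddReg Security value) directly comparable, here is a small DACL decoder. It is an added example, not code from the thread, the WDK RamDisk sample or the WDF API; the SID and rights tables cover only the subset of the SDDL grammar these strings use. The comparison it prints shows that the INF string adds exactly GENERIC_EXECUTE for Everyone, and that the RC ace grants the same rights the WD ace already grants, which is Pavel's point above.

```python
"""Decode the SDDL device-security strings quoted in the thread (added example)."""
import re

# Generic-rights tokens from the SDDL grammar (the subset seen on device objects).
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ",
          "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE"}
# Well-known SID abbreviations; WD is "World" (Everyone), RC is "Restricted Code".
SIDS = {"SY": "Local System", "BA": "Builtin Administrators", "WD": "Everyone",
        "RC": "Restricted Code", "BU": "Builtin Users", "IU": "Interactive"}
ACE_TYPES = {"A": "Allow", "D": "Deny"}

DACL_RE = re.compile(r"D:([A-Z]*)((?:\([^)]*\))*)")   # D:<flags>(ace)(ace)...
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (protected, aces) for the D: component; each ACE is a dict."""
    m = DACL_RE.search(sddl)
    if not m:
        raise ValueError("no DACL component in SDDL string")
    protected = "P" in m.group(1)          # P = SE_DACL_PROTECTED: no inherited ACEs
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        fields = body.split(";")
        if len(fields) != 6:               # type;flags;rights;object;inherit_object;sid
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, _obj, _inh, sid = fields
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type),
                     "rights": [RIGHTS.get(t, t) for t in tokens],
                     "sid": SIDS.get(sid, sid)})
    return protected, aces


def rights_for(sddl, account):
    """Rights the named account is granted by Allow ACEs (Deny ACEs are not modelled)."""
    _, aces = parse_dacl(sddl)
    return {r for a in aces if a["type"] == "Allow" and a["sid"] == account
            for r in a["rights"]}


# The two strings from the thread: the HarddiskVolume1 DACL (read-only for Everyone)
# and the INF AddReg value that also grants execute to Everyone and Restricted Code.
VOLUME_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;WD)(A;;GR;;;RC)"
INF_SDDL = "D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GRGX;;;WD)(A;;GRGX;;;RC)"

if __name__ == "__main__":
    for name, sddl in (("HarddiskVolume1", VOLUME_SDDL), ("INF", INF_SDDL)):
        protected, aces = parse_dacl(sddl)
        print(f"{name}: protected={protected}")
        for ace in aces:
            print(f"  {ace['type']:5} {ace['sid']:22} {' | '.join(ace['rights'])}")
    print("Everyone gains:", rights_for(INF_SDDL, "Everyone") - rights_for(VOLUME_SDDL, "Everyone"))
```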
Thank you for the explanation. I’m not quite clear why “Restricted” is there. But when I look at Windows devices in WinObj, most (if not all) have admins, system, everyone, and restricted (sometimes more). The sample drivers on the other hand always use “D:P(A;;GA;;;SY)(A;;GA;;;BA)”.