Hello Prasad,
Thanks for the information. It is indeed quite helpful. Although you
description helps explain why my network provider DLL is not able to remove
symbolic links when I logon as a “User”, I am now wondering how do I resolve
this? Should I require the users of my driver under Windows 2000 to manually
set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\ProtectionMode to 0 (or have the installer of my driver do so at
installation time)? Wouldnt such a change in registry increase security
risks?
I wonder why does lanmanwork since I am still able to disconnect drives
mapped to system in Microsoft Network. Should I try to temporarily set the
registry value to 0 in my network provider before calling DefineDosDevice to
remove MS-DOS name and then reset it to 1 immediately after that? Or is
there some other way to bypass this security restriction?
Thanks
Qasim
-----Original Message-----
From: Prasad Dabak [mailto:xxxxx@yahoo.com]
Sent: Monday, November 06, 2000 5:40 AM
To: File Systems Developers
Subject: [ntfsd] Re: Removing symbolic link/MS-DOS names on Windows 2000
Hello,
This is due to the permissions on ?? object
directory.
All the dosdevices such as C:, D: etc. are created as
symbolic links under this object directory.
Windows NT/2000 protects operating system base objects
like
?? to tighten up the security. This protection is
controlled by a registry value called “ProtectionMode”
under HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager
registry key.
Check out the following for more details.
http://support.microsoft.com/support/kb/articles/Q244/9/95.ASP
http://support.microsoft.com/support/kb/articles/Q222/1/59.ASP
http://msdn.microsoft.com/library/winresource/dnwinnt/S87D1.HTM
By default, on Windows 2000, this registry value is
set to 1
and on Windows NT 4.0, this is set to 0. Hence
ordinary user
does not have write access on ?? under Windows 2000
whereas
on NT 4.0, ordinary user has write access on ??.
Now, DefineDosDevice call is implemented by CSRSS
process. Since,
CSRSS process runs in system context, it has
permissions to add
objects under ??. However while removing/updating the
the DOS
device, CSRSS impersonates the client and hence fails
to
delete/update the symbolic link under ??.
The problem you are facing will happen with substed
drives
as well. e.g. You can subst a drive from ordinary user
account
however you can not delete that drive.
Also, if you set ProtectionMode to 1 on NT 4.0
machine, you
will face the problem on NT 4.0 as well.
Hope this helps.
-Prasad
— Qasim Zuhair wrote:
>
>
> Hello,
>
> I am having a problem under windows 2000 with my
> file system driver/network
> redirector. I do not see this problem under Windows
> NT. The redirector
> allows users map network drives to a specific type
> of file system on remote
> hosts. When connecting a drive, I assign a symbolic
> name/MS_DOS name to the
> NT device name
> in my network provider DLL as follows:
>
> DefineDosDevice (DDD_RAW_TARGET_PATH,
> pszDosDeviceName, pszNtDeviceName);
>
> Then, when the user disconnects the drive, I am
> removing the symbolic
> link/MS-DOS device name as follows:
>
> DefineDosDevice (DDD_RAW_TARGET_PATH|
> DDD_REMOVE_DEFINITION|
> DDD_EXACT_MATCH_ON_REMOVE, pszDosDeviceName,
> pszNtDeviceName);
> This works fine under Windows NT. It also works
> under Windows 2000 if I
> logon as an “Administrator”. However, if I logon as
> a “User” , then my
> network provider DLL fails to remove the symbolic
> link when the drive is to
> be disconnected. The errro message displayed is:
> “Access is denied”
> What am I doing wrong? Why is the symbolic name not
> removed for a “User”?
> Thanks
> Qasim
>
>
>
>
>
>
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
> $subst(‘Email.Unsub’)
>
> .
> to $subst(‘Email.Unsub’)
>
> .
>
=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
__________________________________________________
Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one Place.
http://shopping.yahoo.com/
—
You are currently subscribed to ntfsd as: xxxxx@Attachmate.com
To unsubscribe send a blank email to $subst(‘Email.Unsub’)