Re: Removing symbolic link/MS-DOS names on Windows 20-00

Hello Prasad,

Thanks for the information. It is indeed quite helpful. Although you
description helps explain why my network provider DLL is not able to remove
symbolic links when I logon as a “User”, I am now wondering how do I resolve
this? Should I require the users of my driver under Windows 2000 to manually
set the registry value of HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\ProtectionMode to 0 (or have the installer of my driver do so at
installation time)? Wouldnt such a change in registry increase security

I wonder why does lanmanwork since I am still able to disconnect drives
mapped to system in Microsoft Network. Should I try to temporarily set the
registry value to 0 in my network provider before calling DefineDosDevice to
remove MS-DOS name and then reset it to 1 immediately after that? Or is
there some other way to bypass this security restriction?


-----Original Message-----
From: Prasad Dabak []
Sent: Monday, November 06, 2000 5:40 AM
To: File Systems Developers
Subject: [ntfsd] Re: Removing symbolic link/MS-DOS names on Windows 2000


This is due to the permissions on ?? object
All the dosdevices such as C:, D: etc. are created as
symbolic links under this object directory.

Windows NT/2000 protects operating system base objects
?? to tighten up the security. This protection is
controlled by a registry value called “ProtectionMode”
under HKLM\SYSTEM\CurrentControlSet\Control\Session
registry key.

Check out the following for more details.

By default, on Windows 2000, this registry value is
set to 1
and on Windows NT 4.0, this is set to 0. Hence
ordinary user
does not have write access on ?? under Windows 2000
on NT 4.0, ordinary user has write access on ??.

Now, DefineDosDevice call is implemented by CSRSS
process. Since,
CSRSS process runs in system context, it has
permissions to add
objects under ??. However while removing/updating the
the DOS
device, CSRSS impersonates the client and hence fails
delete/update the symbolic link under ??.

The problem you are facing will happen with substed
as well. e.g. You can subst a drive from ordinary user
however you can not delete that drive.

Also, if you set ProtectionMode to 1 on NT 4.0
machine, you
will face the problem on NT 4.0 as well.

Hope this helps.


— Qasim Zuhair wrote:
> Hello,
> I am having a problem under windows 2000 with my
> file system driver/network
> redirector. I do not see this problem under Windows
> NT. The redirector
> allows users map network drives to a specific type
> of file system on remote
> hosts. When connecting a drive, I assign a symbolic
> name/MS_DOS name to the
> NT device name
> in my network provider DLL as follows:
> DefineDosDevice (DDD_RAW_TARGET_PATH,
> pszDosDeviceName, pszNtDeviceName);
> Then, when the user disconnects the drive, I am
> removing the symbolic
> link/MS-DOS device name as follows:
> DefineDosDevice (DDD_RAW_TARGET_PATH|
> pszNtDeviceName);
> This works fine under Windows NT. It also works
> under Windows 2000 if I
> logon as an “Administrator”. However, if I logon as
> a “User” , then my
> network provider DLL fails to remove the symbolic
> link when the drive is to
> be disconnected. The errro message displayed is:
> “Access is denied”
> What am I doing wrong? Why is the symbolic name not
> removed for a “User”?
> Thanks
> Qasim
> —
> You are currently subscribed to ntfsd as:
> To unsubscribe send a blank email to
> $subst(‘Email.Unsub’)
> .
> to $subst(‘Email.Unsub’)
> .

Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698

Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one Place.

You are currently subscribed to ntfsd as:
To unsubscribe send a blank email to $subst(‘Email.Unsub’)