Hello,
Setting protection mode to 0 is not at all a good
idea, since it weakens the security. Also, the ??
object directory and other base system objects are
created by SMSS.EXE process during the early boot
sequence and the ProtectionMode value is queried at
that time. Hence, modifying the ProtectionMode
registry entry requires a reboot to take effect.
Lanman works because it’s drive map/unmap is done as
part of Workstation service which runs in services.exe
process and this service runs in local system account
and has access to ?? object directory.
To solve your problem, you can also implement a
similar solution in which you can write your own
service which will do drive map/unmap on behalf of the
application.
-Prasad
— Qasim Zuhair wrote:
>
>
> Hello Prasad,
>
> Thanks for the information. It is indeed quite
> helpful. Although you
> description helps explain why my network provider
> DLL is not able to remove
> symbolic links when I logon as a “User”, I am now
> wondering how do I resolve
> this? Should I require the users of my driver under
> Windows 2000 to manually
> set the registry value of
> HKLM\SYSTEM\CurrentControlSet\Control\Session
> Manager\ProtectionMode to 0 (or have the installer
> of my driver do so at
> installation time)? Wouldnt such a change in
> registry increase security
> risks?
>
> I wonder why does lanmanwork since I am still able
> to disconnect drives
> mapped to system in Microsoft Network. Should I try
> to temporarily set the
> registry value to 0 in my network provider before
> calling DefineDosDevice to
> remove MS-DOS name and then reset it to 1
> immediately after that? Or is
> there some other way to bypass this security
> restriction?
>
> Thanks
> Qasim
>
>
>
> -----Original Message-----
> From: Prasad Dabak [mailto:xxxxx@yahoo.com]
> Sent: Monday, November 06, 2000 5:40 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: Removing symbolic link/MS-DOS
> names on Windows 2000
>
>
> Hello,
>
> This is due to the permissions on ?? object
> directory.
> All the dosdevices such as C:, D: etc. are created
> as
> symbolic links under this object directory.
>
> Windows NT/2000 protects operating system base
> objects
> like
> ?? to tighten up the security. This protection is
> controlled by a registry value called
> “ProtectionMode”
> under HKLM\SYSTEM\CurrentControlSet\Control\Session
> Manager
> registry key.
>
> Check out the following for more details.
>
>
http://support.microsoft.com/support/kb/articles/Q244/9/95.ASP
>
http://support.microsoft.com/support/kb/articles/Q222/1/59.ASP
>
http://msdn.microsoft.com/library/winresource/dnwinnt/S87D1.HTM
>
> By default, on Windows 2000, this registry value is
> set to 1
> and on Windows NT 4.0, this is set to 0. Hence
> ordinary user
> does not have write access on ?? under Windows 2000
> whereas
> on NT 4.0, ordinary user has write access on ??.
>
> Now, DefineDosDevice call is implemented by CSRSS
> process. Since,
> CSRSS process runs in system context, it has
> permissions to add
> objects under ??. However while removing/updating
> the
> the DOS
> device, CSRSS impersonates the client and hence
> fails
> to
> delete/update the symbolic link under ??.
>
> The problem you are facing will happen with substed
> drives
> as well. e.g. You can subst a drive from ordinary
> user
> account
> however you can not delete that drive.
>
> Also, if you set ProtectionMode to 1 on NT 4.0
> machine, you
> will face the problem on NT 4.0 as well.
>
> Hope this helps.
>
> -Prasad
>
> — Qasim Zuhair wrote:
> >
> >
> > Hello,
> >
> > I am having a problem under windows 2000 with my
> > file system driver/network
> > redirector. I do not see this problem under
> Windows
> > NT. The redirector
> > allows users map network drives to a specific type
> > of file system on remote
> > hosts. When connecting a drive, I assign a
> symbolic
> > name/MS_DOS name to the
> > NT device name
> > in my network provider DLL as follows:
> >
> > DefineDosDevice (DDD_RAW_TARGET_PATH,
> > pszDosDeviceName, pszNtDeviceName);
> >
> > Then, when the user disconnects the drive, I am
> > removing the symbolic
> > link/MS-DOS device name as follows:
> >
> > DefineDosDevice (DDD_RAW_TARGET_PATH|
> > DDD_REMOVE_DEFINITION|
> > DDD_EXACT_MATCH_ON_REMOVE, pszDosDeviceName,
> > pszNtDeviceName);
> > This works fine under Windows NT. It also works
> > under Windows 2000 if I
> > logon as an “Administrator”. However, if I logon
> as
> > a “User” , then my
> > network provider DLL fails to remove the symbolic
> > link when the drive is to
> > be disconnected. The errro message displayed is:
> > “Access is denied”
> > What am I doing wrong? Why is the symbolic name
> not
> > removed for a “User”?
> > Thanks
> > Qasim
> >
> >
> >
> >
> >
> >
> >
> > —
> > You are currently subscribed to ntfsd as:
> > xxxxx@yahoo.com
> > To unsubscribe send a blank email to
> > $subst(‘Email.Unsub’)
> >
> > .
> > to $subst(‘Email.Unsub’)
> >
> > .
> >
>
>
> =====
> Prasad S. Dabak
> Director of Engineering, Windows NT/2000 Division
> Cybermedia Software Private Limited
> http://www.cybermedia.co.in
> Co-author of the book “Undocumented Windows NT”
> ISBN 0764545698
>
>
> Do You Yahoo!?
> Thousands of Stores. Millions of Products. All in
> one Place.
> http://shopping.yahoo.com/
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@Attachmate.com
> To unsubscribe send a blank email to
> $subst(‘Email.Unsub’)
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
> $subst(‘Email.Unsub’)
>
> .
> xxxxx@lists.osr.com
>
> —
> You are currently subscribed to ntfsd as:
> xxxxx@yahoo.com
> To unsubscribe send a blank email to
> $subst(‘Email.Unsub’)
>
>
=== message truncated ===
=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
Do You Yahoo!?
Thousands of Stores. Millions of Products. All in one Place.
http://shopping.yahoo.com/