Yes, you are right. I am not an expert in the network
redirector area. But, yes, you should execute the
DefineDosDevice call from your service or from a
process which runs in an account which has write
permissions on the ?? object directory.
-Prasad
— Qasim Zuhair wrote:
>
>
> Thanks again for the information. Actually, I
> already have an NT service for
> my network redirector. However, mapping and
> unmapping of drives happen in
> network provider DLL. According to your suggestion,
> I need to modify the
> implementation of NPAddConnection and
> NPCancelConnection functions in my
> network provider DLL to call into the NT service
> when mapping and unmapping
> drives. The NT service would then invoke
> DefineDosDevice API to map and
> unmap the drive. Is my understanding correct?
>
> Thanks
> Qasim
>
> -----Original Message-----
> From: Prasad Dabak [mailto:xxxxx@yahoo.com]
> Sent: Monday, November 06, 2000 6:52 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: Removing symbolic link/MS-DOS names on Windows 2000
>
>
> Hello,
>
> Setting protection mode to 0 is not at all a good
> idea, since it weakens the security. Also, the ??
> object directory and other base system objects are
> created by SMSS.EXE process during the early boot
> sequence and the ProtectionMode value is queried at
> that time. Hence, modifying the ProtectionMode
> registry entry requires a reboot to take effect.
>
> Lanman works because its drive map/unmap is done as
> part of Workstation service which runs in
> services.exe process and this service runs in local
> system account and has access to ?? object directory.
>
> To solve your problem, you can also implement a
> similar solution in which you can write your own
> service which will do drive map/unmap on behalf of
> the application.
>
> -Prasad
>
> — Qasim Zuhair wrote:
> >
> >
> > Hello Prasad,
> >
> > Thanks for the information. It is indeed quite
> > helpful. Although your description helps explain why
> > my network provider DLL is not able to remove
> > symbolic links when I logon as a “User”, I am now
> > wondering how do I resolve this? Should I require
> > the users of my driver under Windows 2000 to
> > manually set the registry value of
> > HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\ProtectionMode
> > to 0 (or have the installer of my driver do so at
> > installation time)? Wouldn't such a change in
> > registry increase security risks?
> >
> > I wonder why does lanman work since I am still able
> > to disconnect drives mapped to system in Microsoft
> > Network. Should I try to temporarily set the
> > registry value to 0 in my network provider before
> > calling DefineDosDevice to remove MS-DOS name and
> > then reset it to 1 immediately after that? Or is
> > there some other way to bypass this security
> > restriction?
> >
> > Thanks
> > Qasim
> >
> >
> >
> > -----Original Message-----
> > From: Prasad Dabak [mailto:xxxxx@yahoo.com]
> > Sent: Monday, November 06, 2000 5:40 AM
> > To: File Systems Developers
> > Subject: [ntfsd] Re: Removing symbolic link/MS-DOS
> > names on Windows 2000
> >
> >
> > Hello,
> >
> > This is due to the permissions on ?? object
> > directory.
> > All the dosdevices such as C:, D: etc. are created
> > as symbolic links under this object directory.
> >
> > Windows NT/2000 protects operating system base
> > objects like ?? to tighten up the security. This
> > protection is controlled by a registry value called
> > “ProtectionMode” under
> > HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
> > registry key.
> >
> > Check out the following for more details.
> >
> > http://support.microsoft.com/support/kb/articles/Q244/9/95.ASP
> >
> > http://support.microsoft.com/support/kb/articles/Q222/1/59.ASP
> >
> > http://msdn.microsoft.com/library/winresource/dnwinnt/S87D1.HTM
> >
> > By default, on Windows 2000, this registry value is
> > set to 1 and on Windows NT 4.0, this is set to 0.
> > Hence ordinary user does not have write access on ??
> > under Windows 2000 whereas on NT 4.0, ordinary user
> > has write access on ??.
> >
> > Now, DefineDosDevice call is implemented by CSRSS
> > process. Since, CSRSS process runs in system
> > context, it has permissions to add objects under ??.
> > However while removing/updating the DOS device,
> > CSRSS impersonates the client and hence fails to
> > delete/update the symbolic link under ??.
> >
> > The problem you are facing will happen with substed
> > drives as well. e.g. You can subst a drive from
> > ordinary user account however you can not delete
> > that drive.
> >
> > Also, if you set ProtectionMode to 1 on NT 4.0
> > machine, you will face the problem on NT 4.0 as
> > well.
> >
> > Hope this helps.
> >
> > -Prasad
> >
> > — Qasim Zuhair wrote:
> > >
> > >
> > > Hello,
> > >
> > > I am having a problem under Windows 2000 with my
> > > file system driver/network redirector. I do not
> > > see this problem under Windows NT. The redirector
> > > allows users to map network drives to a specific
> > > type of file system on remote hosts. When
> > > connecting a drive, I assign a symbolic
> > > name/MS-DOS name to the NT device name in my
> > > network provider DLL as follows:
> > >
> > > DefineDosDevice (DDD_RAW_TARGET_PATH,
> > >     pszDosDeviceName, pszNtDeviceName);
> > >
> > > Then, when the user disconnects the drive, I am
> > > removing the symbolic link/MS-DOS device name as
> > > follows:
> > >
> > > DefineDosDevice (DDD_RAW_TARGET_PATH |
> > >     DDD_REMOVE_DEFINITION |
> > >     DDD_EXACT_MATCH_ON_REMOVE, pszDosDeviceName,
> > >     pszNtDeviceName);
> > >
> > > This works fine under Windows NT. It also works
> > > under Windows 2000 if I logon as an
> > > “Administrator”. However, if I logon as
>
=== message truncated ===
=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698
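
The approach agreed on in this thread, a LocalSystem service removing the drive link on behalf of the network provider DLL, as an added example that is not part of the original messages or either poster's code. The device prefix `\Device\ExampleRedirector\`, the function names and the hand-off from `NPCancelConnection` are assumptions; because the service has write access to the object directory, it checks the request before acting so it only removes drive-letter links that point at its own redirector.

```c
#include <stddef.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Hypothetical NT device prefix owned by this redirector (assumption). */
#define REDIR_PREFIX L"\\Device\\ExampleRedirector\\"

/* Accept only "X:" so the privileged service never touches other
 * names (COM1, PhysicalDrive0, ...) in the DOS devices directory. */
int is_drive_name(const wchar_t *name)
{
    return name && wcslen(name) == 2 && name[1] == L':' &&
           ((name[0] >= L'A' && name[0] <= L'Z') ||
            (name[0] >= L'a' && name[0] <= L'z'));
}

/* Accept only targets below this redirector's own device. The compare is
 * case-sensitive on purpose: the provider DLL builds the string itself. */
int is_own_target(const wchar_t *target)
{
    size_t n = wcslen(REDIR_PREFIX);
    return target && wcsncmp(target, REDIR_PREFIX, n) == 0 &&
           target[n] != L'\0';
}

/* Called inside the service when the provider DLL asks for an unmap.
 * The IPC transport and caller authorization are outside this example.
 * Returns 0 on success, -1 if the request is rejected, otherwise the
 * Win32 error code from DefineDosDevice. */
long service_unmap_drive(const wchar_t *dosName, const wchar_t *ntTarget)
{
    if (!is_drive_name(dosName) || !is_own_target(ntTarget))
        return -1;
#ifdef _WIN32
    /* Same flags as the removal call quoted in the thread. With
     * DDD_EXACT_MATCH_ON_REMOVE the link is removed only if it
     * currently points at ntTarget. */
    if (!DefineDosDeviceW(DDD_RAW_TARGET_PATH | DDD_REMOVE_DEFINITION |
                          DDD_EXACT_MATCH_ON_REMOVE, dosName, ntTarget))
        return (long)GetLastError();
#endif
    /* On non-Windows builds the Win32 call is compiled out so the
     * validation logic can be exercised on its own. */
    return 0;
}
```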