Re: Removing symbolic link/MS-DOS names on Windows 2000

Yes, you are right. I am not an expert in the network
redirector area. But, yes, you should execute the
DefineDosDevice call from your service or from a
process which runs in an account which has write
permissions on the \?? object directory.

-Prasad

— Qasim Zuhair wrote:
>
>
> Thanks again for the information. Actually, I
> already have an NT service for my network
> redirector. However, mapping and unmapping of
> drives happen in the network provider DLL.
> According to your suggestion, I need to modify the
> implementation of the NPAddConnection and
> NPCancelConnection functions in my network provider
> DLL to call into the NT service when mapping and
> unmapping drives. The NT service would then invoke
> the DefineDosDevice API to map and unmap the drive.
> Is my understanding correct?
>
> Thanks
> Qasim
>
> -----Original Message-----
> From: Prasad Dabak [mailto:xxxxx@yahoo.com]
> Sent: Monday, November 06, 2000 6:52 AM
> To: File Systems Developers
> Subject: [ntfsd] Re: Removing symbolic link/MS-DOS
> names on Windows 2000
>
>
> Hello,
>
> Setting protection mode to 0 is not at all a good
> idea, since it weakens the security. Also, the \??
> object directory and other base system objects are
> created by the SMSS.EXE process during the early boot
> sequence and the ProtectionMode value is queried at
> that time. Hence, modifying the ProtectionMode
> registry entry requires a reboot to take effect.
>
> Lanman works because its drive map/unmap is done as
> part of the Workstation service, which runs in the
> services.exe process; this service runs in the local
> system account and has access to the \?? object
> directory.
>
> To solve your problem, you can also implement a
> similar solution in which you can write your own
> service which will do drive map/unmap on behalf of
> the application.
>
> -Prasad
>
> — Qasim Zuhair wrote:
> >
> >
> > Hello Prasad,
> >
> > Thanks for the information. It is indeed quite
> > helpful. Although your description helps explain why
> > my network provider DLL is not able to remove
> > symbolic links when I log on as a “User”, I am now
> > wondering how do I resolve this? Should I require the
> > users of my driver under Windows 2000 to manually
> > set the registry value of
> > HKLM\SYSTEM\CurrentControlSet\Control\Session
> > Manager\ProtectionMode to 0 (or have the installer
> > of my driver do so at installation time)? Wouldn't
> > such a change in the registry increase security
> > risks?
> >
> > I wonder why LanMan works, since I am still able
> > to disconnect drives mapped to the system in
> > Microsoft Network. Should I try to temporarily set
> > the registry value to 0 in my network provider before
> > calling DefineDosDevice to remove the MS-DOS name and
> > then reset it to 1 immediately after that? Or is
> > there some other way to bypass this security
> > restriction?
> >
> > Thanks
> > Qasim
> >
> >
> >
> > -----Original Message-----
> > From: Prasad Dabak [mailto:xxxxx@yahoo.com]
> > Sent: Monday, November 06, 2000 5:40 AM
> > To: File Systems Developers
> > Subject: [ntfsd] Re: Removing symbolic link/MS-DOS
> > names on Windows 2000
> >
> >
> > Hello,
> >
> > This is due to the permissions on the \?? object
> > directory. All the DOS devices such as C:, D: etc.
> > are created as symbolic links under this object
> > directory.
> >
> > Windows NT/2000 protects operating system base
> > objects like \?? to tighten up security. This
> > protection is controlled by a registry value called
> > “ProtectionMode” under the
> > HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
> > registry key.
> >
> > Check out the following for more details.
> >
> > http://support.microsoft.com/support/kb/articles/Q244/9/95.ASP
> > http://support.microsoft.com/support/kb/articles/Q222/1/59.ASP
> > http://msdn.microsoft.com/library/winresource/dnwinnt/S87D1.HTM
> >
> > By default, on Windows 2000, this registry value is
> > set to 1 and on Windows NT 4.0, it is set to 0. Hence
> > an ordinary user does not have write access on \??
> > under Windows 2000, whereas on NT 4.0, an ordinary
> > user has write access on \??.
> >
> > Now, the DefineDosDevice call is implemented by the
> > CSRSS process. Since the CSRSS process runs in the
> > system context, it has permission to add objects
> > under \??. However, while removing/updating the DOS
> > device, CSRSS impersonates the client and hence fails
> > to delete/update the symbolic link under \??.
> >
> > The problem you are facing will happen with substed
> > drives as well. E.g., you can subst a drive from an
> > ordinary user account; however, you cannot delete
> > that drive.
> >
> > Also, if you set ProtectionMode to 1 on an NT 4.0
> > machine, you will face the problem on NT 4.0 as well.
> >
> > Hope this helps.
> >
> > -Prasad
> >
> > — Qasim Zuhair wrote:
> > >
> > >
> > > Hello,
> > >
> > > I am having a problem under Windows 2000 with my
> > > file system driver/network redirector. I do not
> > > see this problem under Windows NT. The redirector
> > > allows users to map network drives to a specific
> > > type of file system on remote hosts. When
> > > connecting a drive, I assign a symbolic name/MS-DOS
> > > name to the NT device name in my network provider
> > > DLL as follows:
> > >
> > > DefineDosDevice (DDD_RAW_TARGET_PATH,
> > > pszDosDeviceName, pszNtDeviceName);
> > >
> > > Then, when the user disconnects the drive, I am
> > > removing the symbolic link/MS-DOS device name as
> > > follows:
> > >
> > > DefineDosDevice (DDD_RAW_TARGET_PATH|
> > > DDD_REMOVE_DEFINITION|
> > > DDD_EXACT_MATCH_ON_REMOVE, pszDosDeviceName,
> > > pszNtDeviceName);
> > >
> > > This works fine under Windows NT. It also works
> > > under Windows 2000 if I log on as an
> > > “Administrator”. However, if I log on as
=== message truncated ===

=====
Prasad S. Dabak
Director of Engineering, Windows NT/2000 Division
Cybermedia Software Private Limited
http://www.cybermedia.co.in
Co-author of the book “Undocumented Windows NT”
ISBN 0764545698

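A way to observe the behaviour Prasad describes, as an added example that is not part of the thread: the script P/Invokes DefineDosDevice from PowerShell, defines a drive letter with DDD_RAW_TARGET_PATH and then tries to remove it with the same flags Qasim uses, reporting the Win32 error of each step next to the ProtectionMode value and whether the caller is elevated. The drive letter Q: and the target \??\C:\Windows are assumptions; any free letter and valid NT path will do. On Windows 2000 with ProtectionMode set to 1 the removal is the step that fails for a non-administrator; on later Windows versions a non-administrator's link is created in a per-logon-session DosDevices directory rather than the global \??, so both steps normally succeed there and the script simply shows that difference.

```powershell
# Added example, not code from the thread: reproduce the add/remove asymmetry
# Prasad describes and read the ProtectionMode value it depends on. Run it once
# from a plain user account and once elevated and compare the two results.
# The drive letter and target below are hypothetical; pick a letter that is free.

Add-Type -Namespace Win32 -Name DosDev -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern bool DefineDosDevice(uint dwFlags, string lpDeviceName, string lpTargetPath);
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);

// Returns 0 on success, otherwise the Win32 error. The error is captured here,
// in the same managed call, so PowerShell cannot clobber GetLastError first.
public static int Define(uint flags, string device, string target) {
    return DefineDosDevice(flags, device, target) ? 0 : Marshal.GetLastWin32Error();
}
// Returns the current target of a DOS device name, or null if it has none.
public static string Query(string device) {
    var sb = new System.Text.StringBuilder(1024);
    uint n = QueryDosDevice(device, sb, (uint)sb.Capacity);
    if (n == 0) return null;
    return sb.ToString().Split('\0')[0];   // MULTI_SZ: first entry is the live target
}
'@

$DDD_RAW_TARGET_PATH       = 0x1
$DDD_REMOVE_DEFINITION     = 0x2
$DDD_EXACT_MATCH_ON_REMOVE = 0x4
$ERROR_ACCESS_DENIED       = 5

function Get-ProtectionMode {
    # SMSS reads this once at boot, so an edit only takes effect after a reboot;
    # toggling it around a DefineDosDevice call, as the thread asks, cannot work.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    (Get-ItemProperty -Path $key -Name ProtectionMode -ErrorAction SilentlyContinue).ProtectionMode
}

function Test-DosDeviceRoundTrip {
    param(
        [string]$Device   = 'Q:',              # hypothetical; must be unused
        [string]$NtTarget = '\??\C:\Windows'   # NT path, as DDD_RAW_TARGET_PATH requires
    )
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $r = [ordered]@{
        Device         = $Device
        ProtectionMode = Get-ProtectionMode
        Elevated       = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
                             [Security.Principal.WindowsBuiltInRole]::Administrator)
        AddError       = -1
        Target         = $null
        RemoveError    = -1
    }

    # Step 1: define the link the same way the network provider DLL in the thread does.
    $r.AddError = [Win32.DosDev]::Define($DDD_RAW_TARGET_PATH, $Device, $NtTarget)
    if ($r.AddError -ne 0) { return [pscustomobject]$r }
    $r.Target = [Win32.DosDev]::Query($Device)

    # Step 2: remove it with the thread's flags. CSRSS impersonates the caller for
    # this step, so this is where ERROR_ACCESS_DENIED (5) shows up when the caller
    # lacks write access to \?? (ProtectionMode = 1 on Windows 2000).
    $flags = $DDD_RAW_TARGET_PATH -bor $DDD_REMOVE_DEFINITION -bor $DDD_EXACT_MATCH_ON_REMOVE
    $r.RemoveError = [Win32.DosDev]::Define($flags, $Device, $NtTarget)
    return [pscustomobject]$r
}

$result = Test-DosDeviceRoundTrip
$result | Format-List
if ($result.AddError -eq 0 -and $result.RemoveError -eq $ERROR_ACCESS_DENIED) {
    Write-Warning ("{0} still points at {1}; remove it from an elevated prompt with 'subst {0} /D'" -f
                   $result.Device, $result.Target)
}
```

An AddError of 0 with a RemoveError of 5 is exactly the symptom in the thread: creation is done in the system context inside CSRSS, removal under the caller's token. If the removal fails, the link stays behind, which is why the script warns and names the elevated cleanup command.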

> Yes, you are right. I am not an expert in the network
> redirector area. But, yes, you should execute the
> DefineDosDevice call from your service or from a
> process which runs in an account which has write
> permissions on the \?? object directory.

Another solution can be:

  • do not call DefineDosDevice in user mode at all.
  • use IoCreateSymbolicLink in your redir code, expose the functionality by
    an IOCTL, and write the NP DLL to call this IOCTL instead of relying on user
    mode DefineDosDevice.

This way bypasses ProtectionMode entirely.

Max