Running Driver Application in Vista

Hi,
My PCI device driver is unsigned. I have installed the driver in Vista with an administrator login (or a user with UAC turned off).
I have created another user with admin privileges. UAC is turned ON. But my application associated with the driver cannot open my device unless I "Run as administrator". I don't want to do it that way. I want to run with user privileges. What changes do I have to make in my application for this? Or is this common to all unsigned drivers?

Please help me.

sree

Can you load the driver as part of a service, and have the service run with admin rights?
Sorry, I don't know about unsigned drivers on Vista ever so well, but I understand unsigned drivers cannot run without admin rights as part of DRM and the ongoing battle against malware, so it's a good thing really. These guys have written a command-line tool for loading unsigned drivers in Vista:

http://www.rootkit.com/newsread.php?newsid=759

Also this article has a good code example for writing a basic service and launching a driver within the service context

http://www.codeproject.com/KB/system/driverdev.aspx

HTH

xxxxx@yahoo.co.uk wrote:

Can you load the driver as part of a service, and have the service run with admin rights?

Maybe, but how does that help you access the driver from a normal
application?

Sorry, I don't know about unsigned drivers on Vista ever so well, but I understand unsigned drivers cannot run without admin rights as part of DRM and the ongoing battle against malware, so it's a good thing really.

You are mixing several unrelated topics here. The restrictions on
opening a driver have nothing to do with DRM or with driver signing.
Each driver establishes its security limitations when it creates its
device object, either by giving a specific security descriptor, or by
inheriting one from elsewhere in the driver stack.

An unsigned driver cannot even be loaded on Vista 64, but that has
nothing to do with applications.

These guys have written a command line tool for loading unsigned drivers in Vista from the command line

Posting that won’t make you any friends. In fact, that tool relied upon
a signed driver, and the certificate for their signature was revoked by
Microsoft, so in fact this tool no longer works.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Thanks for your reply.
Now I have hope I can solve the problem.

Which security attributes do I need to set?

current scenario

DevAttributes.SynchronizationScope = WdfSynchronizationScopeDevice;
DevAttributes.ExecutionLevel = WdfExecutionLevelPassive;
DevAttributes.EvtCleanupCallback = MyEvtDeviceContextCleanup;

ntStatus = WdfDeviceCreate(&DeviceInit,
                           &DevAttributes,
                           &Device);
if (!NT_SUCCESS(ntStatus))
{
    SFGB_ERR("Error creating device %S", devPnPPath);
    goto error_createdev;
}

CreateFile settings
hDeviceHandle = CreateFile(szDeviceName, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE,
                           NULL,
                           OPEN_EXISTING,
                           0,
                           NULL);

I have not given any security settings in the inf file.

sree,

xxxxx@nestgroup.net wrote:

Thanks for your reply.
Now I have hope I can solve the problem.

Which are the security attributes are need to set?

current scenario

DevAttributes.SynchronizationScope = WdfSynchronizationScopeDevice;
DevAttributes.ExecutionLevel = WdfExecutionLevelPassive;
DevAttributes.EvtCleanupCallback = MyEvtDeviceContextCleanup;

ntStatus = WdfDeviceCreate(&DeviceInit,
                           &DevAttributes,
                           &Device);

You’re going to want to call WdfDeviceInitAssignSDDLString before you
call WdfDeviceCreate. I think you want the SDDL symbol
SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
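To make concrete what Tim is saying, both here and in his earlier point that a driver fixes its own access rules when it creates the device object, here is an added example of my own (not code from the thread, the WDK or any of the posters): a small parser for the DACL part of an SDDL string, followed by the ordered ACE walk the kernel does against the SIDs in the caller's token. It models only generic rights (GR, GW, GX, GA) and the two-letter SID aliases (SY, BA, WD, RC, BU), and the two token SID sets are constructed for the example: a standard user, and an elevated administrator whose token additionally carries BUILTIN\Administrators. It compares SDDL_DEVOBJ_SYS_ALL_ADM_ALL (SYSTEM and Administrators only) with the descriptor the thread settles on, for an open asking for GENERIC_READ | GENERIC_WRITE as the posted CreateFile does, which is exactly the difference between needing "Run as administrator" and not. It also honours deny ACEs in order, which goes beyond the allow-only strings in the thread but is how the real check works. One caveat on the string itself: the wdmsec.h macro SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX also carries an explicit (A;;GRGWGX;;;BA) ACE for Administrators; leaving it out, as the string posted later in the thread does, changes nothing in practice because the Everyone (WD) ACE already covers them.

```c
/* Added example, not code from the thread or the WDK: a minimal SDDL DACL parser
 * plus the ordered ACE walk the kernel does against the caller's token SIDs. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_ACES 16
#define GENERIC_READ    0x80000000u   /* generic access bits as in winnt.h */
#define GENERIC_WRITE   0x40000000u
#define GENERIC_EXECUTE 0x20000000u
#define GENERIC_ALL     0x10000000u

typedef struct { bool allow; unsigned int mask; char sid[8]; } Ace;
typedef struct { bool protected_dacl; int count; Ace aces[MAX_ACES]; } Dacl;

/* Constructed token SID sets (SDDL aliases): a standard user, and an elevated admin who also holds BA */
static const char *const STD_USER_SIDS[] = { "WD", "RC", "BU" };
static const char *const ADMIN_SIDS[]    = { "WD", "RC", "BU", "BA" };
#define COUNT(a) ((int)(sizeof(a) / sizeof *(a)))
#define SDDL_LOCKED  "D:P(A;;GA;;;SY)(A;;GA;;;BA)"                      /* SDDL_DEVOBJ_SYS_ALL_ADM_ALL */
#define SDDL_RELAXED "D:P(A;;GA;;;SY)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"  /* what the thread settles on */

/* "GRGWGX" -> mask; 0 if any letter pair is not a generic right we model */
static unsigned int parse_rights(const char *s, size_t len)
{
    static const char letters[] = "RWXA";
    static const unsigned int bits[] = { GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL };
    unsigned int mask = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        const char *hit = (s[i] == 'G') ? strchr(letters, s[i + 1]) : NULL;
        if (!hit || !*hit) return 0;
        mask |= bits[hit - letters];
    }
    return mask;
}

/* Parse "D:P(type;flags;rights;;;sid)..."; false for anything outside that subset */
static bool parse_dacl(const char *sddl, Dacl *d)
{
    memset(d, 0, sizeof *d);
    if (strncmp(sddl, "D:", 2) != 0) return false;
    const char *p = sddl + 2;
    if (*p == 'P') { d->protected_dacl = true; p++; }   /* P: no inherited ACEs */
    while (*p == '(') {
        const char *end = strchr(p, ')');
        if (!end || d->count == MAX_ACES) return false;
        const char *f[6];                 /* start of each ';'-separated field */
        int n = 1;
        f[0] = p + 1;
        for (const char *q = p + 1; q < end; q++)
            if (*q == ';') { if (n == 6) return false; f[n++] = q + 1; }
        if (n != 6 || f[1] - f[0] != 2) return false;   /* ACE type is one letter */
        Ace *a = &d->aces[d->count];
        if (*f[0] != 'A' && *f[0] != 'D') return false;  /* audit/object ACEs not modelled */
        a->allow = (*f[0] == 'A');
        a->mask = parse_rights(f[2], (size_t)(f[3] - f[2] - 1));
        size_t sidlen = (size_t)(end - f[5]);
        if (a->mask == 0 || sidlen == 0 || sidlen >= sizeof a->sid) return false;
        memcpy(a->sid, f[5], sidlen);
        a->sid[sidlen] = '\0';
        d->count++; p = end + 1;
    }
    return *p == '\0';
}

/* ACEs are walked in order: an allow ACE for a SID in the token removes its rights
 * from what is still wanted; a deny ACE covering a still-wanted right fails at once. */
static bool access_check(const Dacl *d, const char *const *sids, int nsids, unsigned int desired)
{
    unsigned int remaining = desired;
    for (int i = 0; i < d->count && remaining; i++) {
        const Ace *a = &d->aces[i];
        bool member = false;
        for (int j = 0; j < nsids && !member; j++)
            member = strcmp(a->sid, sids[j]) == 0;
        if (!member) continue;
        unsigned int mask = a->mask;
        if (mask & GENERIC_ALL) mask |= GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE;
        if (a->allow) remaining &= ~mask;
        else if (remaining & mask) return false;
    }
    return remaining == 0;
}

int can_open(const char *sddl, const char *const *sids, int nsids, unsigned int desired)
{   /* 1 = the open would succeed, 0 = access denied, -1 = descriptor not understood */
    Dacl d;
    return parse_dacl(sddl, &d) ? (access_check(&d, sids, nsids, desired) ? 1 : 0) : -1;
}

int main(void)
{   /* a standard user vs an elevated admin, asking for what the posted CreateFile asks for */
    unsigned int rw = GENERIC_READ | GENERIC_WRITE;
    printf("locked : std user %d, admin %d\nrelaxed: std user %d, admin %d\n",
           can_open(SDDL_LOCKED, STD_USER_SIDS, COUNT(STD_USER_SIDS), rw), can_open(SDDL_LOCKED, ADMIN_SIDS, COUNT(ADMIN_SIDS), rw),
           can_open(SDDL_RELAXED, STD_USER_SIDS, COUNT(STD_USER_SIDS), rw), can_open(SDDL_RELAXED, ADMIN_SIDS, COUNT(ADMIN_SIDS), rw));
    return 0;
}
```

Under the locked descriptor the standard user gets 0 and the administrator 1, which is the "works only with Run as administrator" symptom from the first post; under the relaxed descriptor both get 1. The real check also matters for the ordering point: put a deny ACE after the allow that it is meant to override and it never fires, because the walk stops as soon as every wanted right has been granted.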

Tim,

You’re going to want to call WdfDeviceInitAssignSDDLString before you
call WdfDeviceCreate. I think you want the SDDL symbol
SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX.

This works…Really thanks.

sree

Note this is not exactly doing what you think it is doing. If this is working in your KMDF driver, you are naming your FDO. Your PDO also has a name and its own security descriptor, and the stack can be opened with the PDO name, circumventing your descriptor on the FDO. I wrote about this previously:

http://blogs.msdn.com/doronh/archive/2007/04/18/having-two-names-is-not-necessarily-better-than-one.aspx

http://blogs.msdn.com/doronh/archive/2007/07/12/having-two-names-is-not-necessarily-better-than-one-part-2.aspx

I would recommend that you set the SDDL string in the INF; this way it is applied to all devices in the stack.

d

NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Doron Holan wrote:

Note this is not exactly doing what you think it is doing. if this is working in your kmdf driver, you are naming your FDO. Your PDO also has a name and its own security descriptor and the stack can be opened with the PDO name, circumventing your descriptor on the FDO. I wrote about this previously

http://blogs.msdn.com/doronh/archive/2007/04/18/having-two-names-is-not-necessarily-better-than-one.aspx

http://blogs.msdn.com/doronh/archive/2007/07/12/having-two-names-is-not-necessarily-better-than-one-part-2.aspx

I would recommend that you set the SDDL string in the INF, this way it is applied to all devices in the stack

Although this is quite true, I would point out that in this case, he is
trying to RELAX the default security restrictions, not tighten them. An
app that goes directly to the PDO would lose that benefit.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I agree, but I wanted to close the loop here in case someone else reads this thread later and wants to tighten the stack. Regardless of how the security is set up, IMHO, it should be consistent on the entire stack. By using the INF you get that. Furthermore, by using the INF you can change the security later *without* changing the driver (either by updating the INF or updating the registry).

d


Absolutely.

I think this is the most important message that folks can take-away about FDO/PDO security. While my views on whether it’s OK to name FDOs (or whatever) are pretty well known, I absolutely agree that the stack needs to be consistent.

Of course, Tim’s right that in this particular case there’s no security risk… But, for the archives…

Peter
OSR

Hi,
As you suggested, I have modified my inf file:

[ClassInstall32]
AddReg=CaptureClassReg
CopyFiles=SFGBCopyFiles

[CaptureClassReg]
HKR,,,0,"Image Capture Card"
HKR,,Icon,,-5
HKR,,DeviceCharacteristics,0x10001,0x100
;SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX
HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"

Installed the driver successfully. But I could not find the settings anywhere in the registry. I suppose my inf settings are incorrect.

could you please tell me where is the error.
sree

The ClassInstall32 section is only run the first time a device in that class is installed. Even if you modify the class section in the inf on a subsequent install, it will not be evaluated. You need to clean out the registry of your class (which should not be too hard, you gave it a name that you can search for)

d
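For the archive, here is what Doron's recommendation looks like when it is done per device rather than per class. This is an added illustration of mine, not INF text from the thread or from the poster's driver package; the section names (SFGB_Install.NT.HW, SFGB_Security_AddReg) are made up for the example, and the SDDL string is the one the thread already uses. A [DDInstall.HW] AddReg is processed for every device instance the INF installs, so unlike the [ClassInstall32] AddReg it is re-evaluated on reinstall, and because the descriptor is stored on the device node it governs every device object in that PnP stack, PDO and FDO alike. Either way, Setup converts the SDDL text into a binary self-relative security descriptor and stores it in a REG_BINARY value named Security: under HKLM\SYSTEM\CurrentControlSet\Control\Class\{ClassGUID} for the class-level setting, and under the device's instance key beneath HKLM\SYSTEM\CurrentControlSet\Enum for the device-level one. Those two keys are where to look when checking whether the setting took.

```inf
; Added example, not INF text from the thread. Section names are hypothetical;
; the SDDL string is the one used in the thread.
[SFGB_Install.NT.HW]
AddReg = SFGB_Security_AddReg

[SFGB_Security_AddReg]
; SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RWX_RES_RWX as posted: SYSTEM gets everything,
; Everyone (WD) and Restricted code (RC) get read/write/execute, so a non-elevated
; user can open the device for GENERIC_READ | GENERIC_WRITE.
HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GRGWGX;;;WD)(A;;GRGWGX;;;RC)"
; 0x100 = FILE_DEVICE_SECURE_OPEN: enforce the descriptor for opens of
; \Device\name\anything as well as of \Device\name itself.
HKR,,DeviceCharacteristics,0x10001,0x100
```

Tim's point still applies: this particular string relaxes the default, so the consistency that the INF gives you protects nothing extra here. It matters the moment someone reuses the pattern to tighten a stack, because a descriptor applied only to a named FDO leaves the PDO name open.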
