CreateFile() returns ERROR_ACCESS_DENIED to the user
in [Win32 Kernel]
|
Prev: About device class GUIDs and RegisterDeviceNotification()
Next: FindWindow fails for MessageBox displayed at Winlogon
From: SteM on 13 Nov 2006 11:34 Hello, I've written a small wdm driver for Win2000 to access an old custom hw on parallel port. The accesses are via a couple of DeviceIoControl() custom commands. It works fine, does exactly what i intended; however, it only works if I am logged in as Administrator (or equivalent). If I log in as a regular user (Power User) the call to CreateFile fails with ACCESS_DENIED. // Open driver rv = CreateFile ( ifDetail->DevicePath, 0, // Desidered access 0, // Share mode NULL, // Security attrb CREATE_NEW, // How to create FILE_FLAG_DELETE_ON_CLOSE, // File attribute NULL // Template file ); if (rv==INVALID_HANDLE_VALUE) { ....... Thanks in advance for any pointers... -- SteM
From: anton bassov on 13 Nov 2006 11:45 Hi mate This is just absolutely normal default behaviour - limited users have no access to devices by default. If you want non-privileged users to gain access to it, you have to EXPLICITLY allow the above (it is understandable that it can be done only from the Admin account) Anton Bassov SteM wrote: > Hello, > I've written a small wdm driver for Win2000 to access an old custom hw on > parallel port. > The accesses are via a couple of DeviceIoControl() custom commands. > It works fine, does exactly what i intended; however, it only works if I am > logged in as Administrator (or equivalent). > If I log in as a regular user (Power User) the call to CreateFile fails with > ACCESS_DENIED. > > // Open driver > rv = CreateFile ( > ifDetail->DevicePath, > 0, // Desidered access > 0, // Share mode > NULL, // Security attrb > CREATE_NEW, // How to create > FILE_FLAG_DELETE_ON_CLOSE, // File attribute > NULL // Template file > ); > > if (rv==INVALID_HANDLE_VALUE) > { > ...... > > > > Thanks in advance for any pointers... > -- > SteM
From: SteM on 13 Nov 2006 12:10 Thanks Anton, my guess was that, at least, open, close and DeviceIoControl was allowed ..... How can i solve ? Do i must modify user rights or driver rights ???? Thanks -- SteM "anton bassov" <soviet_bloke(a)hotmail.com> ha scritto nel messaggio news:1163436308.076405.201750(a)h54g2000cwb.googlegroups.com... > Hi mate > > This is just absolutely normal default behaviour - limited users have > no access to devices by default. If you want non-privileged users to > gain access to it, you have to EXPLICITLY allow the above (it is > understandable that it can be done only from the Admin account) > > Anton Bassov > > > SteM wrote: > > Hello, > > I've written a small wdm driver for Win2000 to access an old custom hw on > > parallel port. > > The accesses are via a couple of DeviceIoControl() custom commands. > > It works fine, does exactly what i intended; however, it only works if I am > > logged in as Administrator (or equivalent). > > If I log in as a regular user (Power User) the call to CreateFile fails with > > ACCESS_DENIED. > > > > // Open driver > > rv = CreateFile ( > > ifDetail->DevicePath, > > 0, // Desidered access > > 0, // Share mode > > NULL, // Security attrb > > CREATE_NEW, // How to create > > FILE_FLAG_DELETE_ON_CLOSE, // File attribute > > NULL // Template file > > ); > > > > if (rv==INVALID_HANDLE_VALUE) > > { > > ...... > > > > > > > > Thanks in advance for any pointers... > > -- > > SteM >
From: anton bassov on 13 Nov 2006 16:51 > Do i must modify user rights or driver rights ???? In actuality, none of the above.... You have to modify not user rights and DEFINITELY not driver rights, but access permission to your target device (i.e. its ACL) Check MSDN, namely, GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(), for more info Anton Bassov SteM wrote: > Thanks Anton, > my guess was that, at least, open, close and DeviceIoControl was allowed > .... > How can i solve ? > Do i must modify user rights or driver rights ???? > > Thanks > -- > SteM > > > "anton bassov" <soviet_bloke(a)hotmail.com> ha scritto nel messaggio > news:1163436308.076405.201750(a)h54g2000cwb.googlegroups.com... > > Hi mate > > > > This is just absolutely normal default behaviour - limited users have > > no access to devices by default. If you want non-privileged users to > > gain access to it, you have to EXPLICITLY allow the above (it is > > understandable that it can be done only from the Admin account) > > > > Anton Bassov > > > > > > SteM wrote: > > > Hello, > > > I've written a small wdm driver for Win2000 to access an old custom hw > on > > > parallel port. > > > The accesses are via a couple of DeviceIoControl() custom commands. > > > It works fine, does exactly what i intended; however, it only works if I > am > > > logged in as Administrator (or equivalent). > > > If I log in as a regular user (Power User) the call to CreateFile fails > with > > > ACCESS_DENIED. > > > > > > // Open driver > > > rv = CreateFile ( > > > ifDetail->DevicePath, > > > 0, // Desidered access > > > 0, // Share mode > > > NULL, // Security attrb > > > CREATE_NEW, // How to create > > > FILE_FLAG_DELETE_ON_CLOSE, // File attribute > > > NULL // Template file > > > ); > > > > > > if (rv==INVALID_HANDLE_VALUE) > > > { > > > ...... > > > > > > > > > > > > Thanks in advance for any pointers... > > > -- > > > SteM > >
From: Don Burn on 13 Nov 2006 17:06
Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string that allows geneal users access. -- Don Burn (MVP, Windows DDK) Windows 2k/XP/2k3 Filesystem and Driver Consulting http://www.windrvr.com Remove StopSpam from the email to reply "anton bassov" <soviet_bloke(a)hotmail.com> wrote in message news:1163454664.839974.119450(a)f16g2000cwb.googlegroups.com... >> Do i must modify user rights or driver rights ???? > > In actuality, none of the above.... > > You have to modify not user rights and DEFINITELY not driver rights, > but access permission to your target device (i.e. its ACL) Check MSDN, > namely, GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(), > for more info > > Anton Bassov > > SteM wrote: >> Thanks Anton, >> my guess was that, at least, open, close and DeviceIoControl was allowed >> .... >> How can i solve ? >> Do i must modify user rights or driver rights ???? >> >> Thanks >> -- >> SteM >> >> >> "anton bassov" <soviet_bloke(a)hotmail.com> ha scritto nel messaggio >> news:1163436308.076405.201750(a)h54g2000cwb.googlegroups.com... >> > Hi mate >> > >> > This is just absolutely normal default behaviour - limited users have >> > no access to devices by default. If you want non-privileged users to >> > gain access to it, you have to EXPLICITLY allow the above (it is >> > understandable that it can be done only from the Admin account) >> > >> > Anton Bassov >> > >> > >> > SteM wrote: >> > > Hello, >> > > I've written a small wdm driver for Win2000 to access an old custom >> > > hw >> on >> > > parallel port. >> > > The accesses are via a couple of DeviceIoControl() custom commands. >> > > It works fine, does exactly what i intended; however, it only works >> > > if I >> am >> > > logged in as Administrator (or equivalent). >> > > If I log in as a regular user (Power User) the call to CreateFile >> > > fails >> with >> > > ACCESS_DENIED. >> > > >> > > // Open driver >> > > rv = CreateFile ( >> > > ifDetail->DevicePath, >> > > 0, // Desidered access >> > > 0, // Share mode >> > > NULL, // Security attrb >> > > CREATE_NEW, // How to create >> > > FILE_FLAG_DELETE_ON_CLOSE, // File attribute >> > > NULL // Template file >> > > ); >> > > >> > > if (rv==INVALID_HANDLE_VALUE) >> > > { >> > > ...... >> > > >> > > >> > > >> > > Thanks in advance for any pointers... >> > > -- >> > > SteM >> > > |