CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

Hello,

I am trying to open a USB device on Windows Vista using CreateFile(), the same program works perfectly fine on Windows XP, but on Vista it returns invalid handle with GetLastError code 5 (ERROR_ACCESS_DENIED).
I am running as admin, the code is:

hOut = CreateFile ( functionClassDeviceData->DevicePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, // no SECURITY_ATTRIBUTES structure
OPEN_EXISTING, // No special create flags
0, // No special attributes
NULL); // No template file
if (INVALID_HANDLE_VALUE == hOut)
{
WhatHappen = GetLastError();
goto ERRORPROCESS;
}

I am pretty sure the device symbolic link is correct. The device is a Microsoft eHome infrared receiver with Media Center. Microsoft may have changed the driver for this device from XP to Vista, because I notice the device manager shows FILE_DEVICE_SECURE_OPEN characteristics property, which doesn’t exist on XP device manager property, for the same device. Do I need to do anything extra to open this device with FILE_DEVICE_SECURE_OPEN? Again, the same code works OK on XP, but not on Vista.
Any help is appreciated.

Thanks very much.

Isn’t it the same problem you have yesterday? Logged as an admin under Vista doesn’t necessarily mean process you run has admin privileges.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@yahoo.com[SMTP:xxxxx@yahoo.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, February 07, 2007 8:20 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

Hello,

I am trying to open a USB device on Windows Vista using CreateFile(), the same program works perfectly fine on Windows XP, but on Vista it returns invalid handle with GetLastError code 5 (ERROR_ACCESS_DENIED).
I am running as admin, the code is:

hOut = CreateFile ( functionClassDeviceData->DevicePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL, // no SECURITY_ATTRIBUTES structure
OPEN_EXISTING, // No special create flags
0, // No special attributes
NULL); // No template file
if (INVALID_HANDLE_VALUE == hOut)
{
WhatHappen = GetLastError();
goto ERRORPROCESS;
}

I am pretty sure the device symbolic link is correct. The device is a Microsoft eHome infrared receiver with Media Center. Microsoft may have changed the driver for this device from XP to Vista, because I notice the device manager shows FILE_DEVICE_SECURE_OPEN characteristics property, which doesn’t exist on XP device manager property, for the same device. Do I need to do anything extra to open this device with FILE_DEVICE_SECURE_OPEN? Again, the same code works OK on XP, but not on Vista.
Any help is appreciated.

Thanks very much.

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Michal,

This one is different. I am running as administrator, and still have this problem. The one yesterday has been resolved, thank you very much.

Charles

Michal is asking whether your *process* is running as administrator, not you. Are you certain that your process is running with elevated rights? If so, how are you checking?

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Wednesday, February 07, 2007 11:45 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

Michal,

This one is different. I am running as administrator, and still have this problem. The one yesterday has been resolved, thank you very much.

Charles

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Arlie and Michal,

I perfectly understand your question. I right click on command prompt and choose Run as Admin, and the title bar of the command prompt says “Administrator: Command Prompt”.
The CreateFile() problem I described all happened under this setting.

Another point is that I used WinObj.exe, found my USB device’s symbolicLink under global objects, clicked on Security tab, and the Read/Write/Execute permissions are all disabled by default. However, it doesn’t take any changes I make, after enable all these, check it again, permissions are still disabled.
I even tried to physically log in using Administrator (enable that first, of course). All result still the same. Any suggestions?

Thanks,
Charles

xxxxx@yahoo.com wrote:

Michal,

This one is different. I am running as administrator, and still have this problem.

Logging in as administrator on Vista is not enough. When you log in as
administrator, the log in process GIVES UP the administrative rights.
You can get them back, but you have to ask for them specifically, on a
case by case basis. You must right-click the app and pick “run as
administrator”.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Ok, good. What’s the complete ACL on the device?

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Wednesday, February 07, 2007 12:06 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

Arlie and Michal,

I perfectly understand your question. I right click on command prompt and choose Run as Admin, and the title bar of the command prompt says “Administrator: Command Prompt”.
The CreateFile() problem I described all happened under this setting.

Another point is that I used WinObj.exe, found my USB device’s symbolicLink under global objects, clicked on Security tab, and the Read/Write/Execute permissions are all disabled by default. However, it doesn’t take any changes I make, after enable all these, check it again, permissions are still disabled.
I even tried to physically log in using Administrator (enable that first, of course). All result still the same. Any suggestions?

Thanks,
Charles

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

How do I check ACL?

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@yahoo.com[SMTP:xxxxx@yahoo.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, February 07, 2007 9:05 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

Another point is that I used WinObj.exe, found my USB device’s symbolicLink under global objects, clicked on Security tab, and the Read/Write/Execute permissions are all disabled by default. However, it doesn’t take any changes I make, after enable all these, check it again, permissions are still disabled.

Check permissions for the device, not for the symbolic link. Look where link points to and find the appropriate device under \Device.

I even tried to physically log in using Administrator (enable that first, of course). All result still the same. Any suggestions?

Try to post the exact name you’re using.

To avoid not-so-admin problems at Vista, disable UAC. It is IMO the only usable mode for developers.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

>To avoid not-so-admin problems at Vista, disable UAC. It is IMO the only
usable

mode for developers.

…to introduce issues at QA/customer sites which will have UAC on

The code must work with UAC on. This is for sure.

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Maxim S. Shatskih wrote:

> To avoid not-so-admin problems at Vista, disable UAC. It is IMO the only usable mode for developers.
>

…to introduce issues at QA/customer sites which will have UAC on

The code must work with UAC on. This is for sure.

I understand the purity of what you are saying, but the original point
is well-taken. UAC really does make Vista terribly inconvenient for a
power user. There are many things that we need to do as part of the
development process (including the relatively benign regedit) that
trigger the disturbingly sudden screen-darkening UAC privilege dialog.

For that reason, I think the advice is sound. Developers are justified
in disabling UAC most of the time, but they should be darned sure to
test their stuff with UAC enabled to understand the end-user
experience. This is similar to the XP advice of testing as an
unprivileged user.

Personally, I simply will not run Vista on my development machines for
at least a couple of years. I hate it. Vista believes it is smarter
than I am, and prevents me from doing the things I want to do.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Tim Roberts[SMTP:xxxxx@probo.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, February 08, 2007 12:38 AM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

> …to introduce issues at QA/customer sites which will have UAC on
>
> The code must work with UAC on. This is for sure.

I understand the purity of what you are saying, but the original point
is well-taken. UAC really does make Vista terribly inconvenient for a
power user. There are many things that we need to do as part of the
development process (including the relatively benign regedit) that
trigger the disturbingly sudden screen-darkening UAC privilege dialog.

For that reason, I think the advice is sound. Developers are justified
in disabling UAC most of the time, but they should be darned sure to
test their stuff with UAC enabled to understand the end-user
experience. This is similar to the XP advice of testing as an
unprivileged user.

Thanks, you saved me from writing it. Anyway, Max has a good point. It is better if developer uses software under the same conditions as end users. But with Vista the price is too big and UAC is only tip of the iceberg.

Personally, I simply will not run Vista on my development machines for
at least a couple of years. I hate it. Vista believes it is smarter
than I am, and prevents me from doing the things I want to do.

You’re not alone. Recently I needed to test something at Vista running at various hardware. I asked whole company for it just to find none of developers has Vista installed at their computers. They run it within VMware just for test purposes. Only me and QA lab have it installed directly and I boot it only if really necessary to test something there.

It is really different from XP; I installed RTM immediatelly after release and I’m relatively happy with it since then. Similarly most coworkers.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Ok, back to my original CreateFile() problem, the symbolic link name I pass to CreateFile() is exactly this:
\?\usb#vid_0471&pid_0815#ph00p5nx#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

This same call works on XP, but got access denied on Vista. I have ruled out the possibility “run as admin” or not, and the Task Manager Process lists the process user name as Administrator.
I tried using MAXIMUM_ALLOWED when calling CreateFile(), instead of GENERIC_READ | GENERIC_WRITE, but the problem persists.
The SysInternals WinObj utility reports this symbolic object disabled for read/write permission, but I found the same on XP, and I can’t enable read/write on either XP or Vista in WinObj.
Any suggestions? I am really stuck in here.

Thanks,
Charles

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@yahoo.com[SMTP:xxxxx@yahoo.com]
Reply To: Windows System Software Devs Interest List
Sent: Thursday, February 08, 2007 4:32 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

Ok, back to my original CreateFile() problem, the symbolic link name I pass to CreateFile() is exactly this:
\?\usb#vid_0471&pid_0815#ph00p5nx#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

ph00p5nx is your device serial number? Do you have only one device with this S/N connected?

This same call works on XP, but got access denied on Vista. I have ruled out the possibility “run as admin” or not, and the Task Manager Process lists the process user name as Administrator.
I tried using MAXIMUM_ALLOWED when calling CreateFile(), instead of GENERIC_READ | GENERIC_WRITE, but the problem persists.

Try to play with share attributes. I use 0 instead of share read + write.

The SysInternals WinObj utility reports this symbolic object disabled for read/write permission, but I found the same on XP, and I can’t enable read/write on either XP or Vista in WinObj.

I already told you to examine rights for the device and not symbolic link which is pointless.

Any suggestions? I am really stuck in here.

Check if the driver entry point for create IRP isn’t called. Access denied can be returned by driver itself.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

I’ve found it less annoying than running as a limited user in XP/Srv03 for
the most part, because many operations that would just plain outright fall
over and fail before will let me retry with admin. I can see how it’d be
annoying if you were previously used to running as an admin, though.

The one thing that *does* bother me about UAC as a limited user is that it
removes the nice GUI functionality in Explorer to run a program as a
different nonadmin user. I can still do it via runas.exe, but that’s much
less convenient.

Why would I want to do such a thing, you might ask? Well, UAC and running
as a limited user, as a reality, does zero to protect malicious code from
deleting my documents (which, when you think about it, are really the only
important thing likely to be on typical computers anyway, not the OS files
which can be trivially replaced with a reinstall). For that, you need to
run lesser-trusted processes as a different user, and the removal of the
RunAs GUI makes that annoying. (Not to mention the fact that IE
intentionally refuses to start if it thinks you’re running under RunAs,
which is, for me, infuriating.)

–
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
“Tim Roberts” wrote in message news:xxxxx@ntdev…
> Maxim S. Shatskih wrote:
>>> To avoid not-so-admin problems at Vista, disable UAC. It is IMO the only
>>> usable mode for developers.
>>>
>>
>> …to introduce issues at QA/customer sites which will have UAC on
>>
>> The code must work with UAC on. This is for sure.
>>
>
> I understand the purity of what you are saying, but the original point
> is well-taken. UAC really does make Vista terribly inconvenient for a
> power user. There are many things that we need to do as part of the
> development process (including the relatively benign regedit) that
> trigger the disturbingly sudden screen-darkening UAC privilege dialog.
>
> For that reason, I think the advice is sound. Developers are justified
> in disabling UAC most of the time, but they should be darned sure to
> test their stuff with UAC enabled to understand the end-user
> experience. This is similar to the XP advice of testing as an
> unprivileged user.
>
> Personally, I simply will not run Vista on my development machines for
> at least a couple of years. I hate it. Vista believes it is smarter
> than I am, and prevents me from doing the things I want to do.
>
> –
> Tim Roberts, xxxxx@probo.com
> Providenza & Boekelheide, Inc.
>
>

Next, you’ll need to figure out where in the device stack access is being denied. First, the I/O manager will map the symbolic link to the real device path, then will map the device path to the right device. (In some cases, there will be additional path elements, but in this case, there usually isn’t.) The I/O manager will check the ACL and either allow/deny access.

If the ACL check passes, then the I/O manager will create an IRP_MJ_CREATE IRP, and send it to the device driver that is on the top of the device stack. This device driver will do whatever it needs to do, and it can potentially decide to the fail the request and return STATUS_ACCESS_DENIED. Or, if it wants to allow the request, it will either complete it (with success), or forward it down the stack. If it forwards it down the stack, then each driver below it has an opportunity to allow/deny access.

I would suggest using an IRP tracker to see what’s going on. There are many IRP tracker packages, including one offered at osronline.com. Use “Select Device” to choose the device you want to filter on, run your program, and see what happens. Does the IRP get beyond the I/O manager? How many drivers are layered into the device stack that you’re interested in? etc.

You can also do this manually, with breakpoints, but it’s rather tedious.

From: xxxxx@lists.osr.com [xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com [xxxxx@yahoo.com]
Sent: Wednesday, February 07, 2007 7:32 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

Ok, back to my original CreateFile() problem, the symbolic link name I pass to CreateFile() is exactly this:
\?\usb#vid_0471&pid_0815#ph00p5nx#{a5dcbf10-6530-11d2-901f-00c04fb951ed}

This same call works on XP, but got access denied on Vista. I have ruled out the possibility “run as admin” or not, and the Task Manager Process lists the process user name as Administrator.
I tried using MAXIMUM_ALLOWED when calling CreateFile(), instead of GENERIC_READ | GENERIC_WRITE, but the problem persists.
The SysInternals WinObj utility reports this symbolic object disabled for read/write permission, but I found the same on XP, and I can’t enable read/write on either XP or Vista in WinObj.
Any suggestions? I am really stuck in here.

Thanks,
Charles

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

I run the OSR IRP tracker on Vista, and it shows CREATE major function completion status “ACCESS_DENIED, Info = 0x12f350”, in NTAPI call, NtCreateFile, from my program to target device “(0x83A45F00) usbcir”.
But on XP, the CREATE major function completed with success. Does that mean we have passed the ACL checking, and the I/O manager has call the target device driver, but that driver returns Access denied for IRP_MJ_CREATE IRP?
My device is a Micorsoft eHome infrared receiver, and runs the Vista built-in USBCIR driver, which I don’t have source code, of course. What should I do?

Thanks.
Charles

Did the IRP ever leave NtCreateFile? In other words, was it ever submitted to any device at all?

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Thursday, February 08, 2007 12:40 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] CreateFile() failed on Vista returning ERROR_ACCESS_DENIED

I run the OSR IRP tracker on Vista, and it shows CREATE major function completion status “ACCESS_DENIED, Info = 0x12f350”, in NTAPI call, NtCreateFile, from my program to target device “(0x83A45F00) usbcir”.
But on XP, the CREATE major function completed with success. Does that mean we have passed the ACL checking, and the I/O manager has call the target device driver, but that driver returns Access denied for IRP_MJ_CREATE IRP?
My device is a Micorsoft eHome infrared receiver, and runs the Vista built-in USBCIR driver, which I don’t have source code, of course. What should I do?

Thanks.
Charles

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Arlie,

The IRP tracker doesn’t show anything after the NtCreateFile failure. But on XP where everything is fine, I do see NtReadFile called with READ major function following the successful NtCreateFile SUCCESS return. So it looks like on Vista, the IRP doesn’t go anywhere once NtCreateFile denied access. But I notice the target device is different reported by IRP tracker, on XP it is IrBUS, on Vista it is USBCIR.

The ACL security descriptor for this device shows:
D:P(D;;GA;;;WD)

Which means denying all access to everyone. That’s why I can’t CreateFile() to it. My question is, how to get around this. This is a pre-installed Microsoft eHome IR transceiver device, the INF is pre-installed (USBCIR.INF) in \Windows\System32\DriverStore. This INF file has the above mentioned D:P(D;;GA;;;WD) ACL. No matter how I change this INF setting to A for Allow access, Vista always load the pre-defined original copy with the denial all ACL. I tried “pnputil.exe”, but it complains this INF is not OEM INF and refuses to do anything.
I tried to modify the DriverStore INF file, but I don’t have permission.
Please help.

Thanks,
Charles