
IoValidateDeviceIoControlAccess() in XP SP1/.NET

Suppose you want to implement more security in your driver, specifically on your IOCTLs.  But, when you defined those IOCTLs, you created them with FILE_ANY_ACCESS.  Now, you wish you had specified either FILE_READ_ACCESS or FILE_WRITE_ACCESS, or both.

You can't change the IOCTL definitions if you have already written or distributed apps that use these IOCTLs.   What's a driver writer to do?  Use a new feature provided in the XP SP1 DDK precisely for this purpose.   Windows XP SP1 and Windows .NET set new flags in the IRP's I/O stack location flags word to indicate the access granted to a driver when processing an IOCTL.

The new flags added to the IRP are:

SL_READ_ACCESS_GRANTED - This flag is set in IoStack->Flags of the IRP if the handle was opened with READ_DATA access.

SL_WRITE_ACCESS_GRANTED - This flag is set in IoStack->Flags of the IRP if the handle was opened with WRITE_DATA access.

The function used to check this is:

NTSTATUS
IoValidateDeviceIoControlAccess(
    IN  PIRP    Irp,
    IN  ULONG   RequiredAccess);

The RequiredAccess argument is an access mask, which may be FILE_READ_ACCESS, FILE_WRITE_ACCESS or both.

Returns:

STATUS_SUCCESS
STATUS_ACCESS_DENIED
STATUS_INVALID_PARAMETER

You can use this function directly if your code only needs to run on XP SP1 or later. However, if you need your code to run on older systems, you can still call this function by including the header file WDMSEC.H and linking with the library WDMSEC.LIB. As with IoCreateDeviceSecure, this links the function's code into your driver. The library version also detects which system it is running on and returns STATUS_SUCCESS on systems where these flags are not supported, so backward compatibility is guaranteed. Note that on those older systems the call therefore performs no access check.
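The pattern described above, as an added example that is not OSR's code: a user-mode C model of the per-IOCTL gate a driver's IRP_MJ_DEVICE_CONTROL dispatch routine would apply. The IOCTL names, device type, function numbers, policy table, validate_access and gate_ioctl are hypothetical; validate_access stands in for IoValidateDeviceIoControlAccess, and its handling of masks other than read/write is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
/* Values as defined in the WDK headers, repeated so this model builds in user mode. */
#define FILE_ANY_ACCESS               0x0000
#define FILE_READ_ACCESS              0x0001
#define FILE_WRITE_ACCESS             0x0002
#define SL_READ_ACCESS_GRANTED        0x01
#define SL_WRITE_ACCESS_GRANTED       0x04
#define CTL_CODE(t, f, m, a) (((uint32_t)(t) << 16) | ((a) << 14) | ((f) << 2) | (m))
#define STATUS_SUCCESS                0x00000000u
#define STATUS_INVALID_PARAMETER      0xC000000Du
#define STATUS_INVALID_DEVICE_REQUEST 0xC0000010u
#define STATUS_ACCESS_DENIED          0xC0000022u
/* Hypothetical IOCTLs already shipped with FILE_ANY_ACCESS (method 0 = METHOD_BUFFERED). */
#define IOCTL_DEMO_GET_STATS  CTL_CODE(0x8000, 0x800, 0, FILE_ANY_ACCESS)
#define IOCTL_DEMO_SET_CONFIG CTL_CODE(0x8000, 0x801, 0, FILE_ANY_ACCESS)
#define IOCTL_DEMO_UPDATE     CTL_CODE(0x8000, 0x802, 0, FILE_ANY_ACCESS)
/* The codes stay frozen; the access each one should have required lives here instead. */
static const struct { uint32_t code, required; } policy[] = {
    { IOCTL_DEMO_GET_STATS,  FILE_READ_ACCESS },
    { IOCTL_DEMO_SET_CONFIG, FILE_WRITE_ACCESS },
    { IOCTL_DEMO_UPDATE,     FILE_READ_ACCESS | FILE_WRITE_ACCESS },
};

/* User-mode stand-in for IoValidateDeviceIoControlAccess(Irp, required); stack_flags models
 * IoStack->Flags. Rejecting any other mask as invalid is an assumption of this model. */
static uint32_t validate_access(uint8_t stack_flags, uint32_t required)
{
    if (required == 0 || (required & ~(uint32_t)(FILE_READ_ACCESS | FILE_WRITE_ACCESS)))
        return STATUS_INVALID_PARAMETER;
    if ((required & FILE_READ_ACCESS) && !(stack_flags & SL_READ_ACCESS_GRANTED))
        return STATUS_ACCESS_DENIED;
    if ((required & FILE_WRITE_ACCESS) && !(stack_flags & SL_WRITE_ACCESS_GRANTED))
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

static uint32_t gate_ioctl(uint32_t code, uint8_t stack_flags)
{
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].code == code)
            return validate_access(stack_flags, policy[i].required);
    return STATUS_INVALID_DEVICE_REQUEST; /* unknown code: fail closed */
}

int main(void) { /* constructed case: a read-only handle sends the write IOCTL */
    printf("0x%08X\n", (unsigned)gate_ioctl(IOCTL_DEMO_SET_CONFIG, SL_READ_ACCESS_GRANTED));
    return 0;
}
```

In a real driver the gate runs before the handler touches the request buffers, and the IRP is completed with the returned status when it is not STATUS_SUCCESS.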
