IoCreateDeviceSecure

The IoCreateDeviceSecure routine creates a named device object and applies the specified security settings.

NTSTATUS 
  IoCreateDeviceSecure(
    IN PDRIVER_OBJECT  DriverObject,
    IN ULONG  DeviceExtensionSize,
    IN PUNICODE_STRING  DeviceName  OPTIONAL,
    IN DEVICE_TYPE  DeviceType,
    IN ULONG  DeviceCharacteristics,
    IN BOOLEAN  Exclusive,
    IN PCUNICODE_STRING  DefaultSDDLString,
    IN LPCGUID  DeviceClassGuid,
    OUT PDEVICE_OBJECT  *DeviceObject,
    );

Parameters

DriverObject

Pointer to the driver object for the caller. Each driver receives a pointer to its driver object in a parameter to its DriverEntry routine. WDM function and filter drivers also receive a driver object pointer in their AddDevice routines.

DeviceExtensionSize

Specifies the driver-determined number of bytes to be allocated for the device extension of the device object. The internal structure of the device extension is driver-defined. The internal structure of the device extension is driver-defined. For more information about device extensions, see Device Extensions.

DeviceName

Optionally points to a buffer containing a zero-terminated Unicode string that names the device object. The string must be a full path name. If a name is not supplied, the FILE_AUTOGENERATED_DEVICE_NAME flag must be present in the DeviceCharacteristics parameter. (To create an unnamed device object, use the IoCreateDevice routine.)

DeviceType

Specifies one of the system-defined FILE_DEVICE_XXX constants that indicate the type of device (such as FILE_DEVICE_DISK, FILE_DEVICE_KEYBOARD, and so on), or a vendor-defined value for a new type of device. For more information, see Specifying Device Types. (Because a bus driver might not have information about a device's type, a device type value for a PDO can be specified in an INF AddReg directive.)

DeviceCharacteristics

Specifies one or more system-defined constants, ORed together, that provide additional information about the driver's device. For a list of possible device characteristics, see DEVICE_OBJECT. For more information on how to specify device characteristics, see Specifying Device Characteristics. Most drivers specify FILE_DEVICE_SECURE_OPEN for this parameter.

Exclusive

Specifies if the device object represents an exclusive device. Most drivers set this value to FALSE. For more information, see Specifying Exclusive Access to Device Objects.

DefaultSDDLString

Specifies a string representation for the default security settings of the device object. The security that is applied to the device object is derived from this string unless the system administrator places an override in the section of the registry identified by the DeviceClassGuid parameter.

The security setting is specified in a subset of Security Descriptor Definition Language (SDDL). A set of predefined constants (SDDL_DEVOBJ_XXX) are also provided. For more information, see Securing Device Objects.

DeviceClassGuid

Pointer to a GUID that identifies a section of the registry containing possible overrides for the DefaultSDDLString, DeviceType, DeviceCharacteristics, and Exclusive parameters.

DeviceObject

Pointer to a variable that receives a pointer to the newly created DEVICE_OBJECT structure. The DEVICE_OBJECT structure is allocated from nonpaged pool.

Return Value

IoCreateDeviceSecure returns STATUS_SUCCESS on success, or the appropriate NTSTATUS error code on failure. A partial list of the failure codes that could be returned by this function include:

STATUS_INSUFFICIENT_RESOURCES
STATUS_OBJECT_NAME_EXISTS
STATUS_OBJECT_NAME_COLLISION

Headers

Declared in wdmsec.h. Include wdmsec.h.

Comments

IoCreateDeviceSecure creates a named device object, applies the specified security settings, and returns a pointer to the object. The caller is responsible for deleting the object when it is no longer needed by calling IoDeleteDevice.

This routine is not part of the operating system. Drivers can use the routine by linking to wdmsec.lib. (The wdmsec.lib library first shipped with the Windows XP Service Pack 1 (SP1) and Windows Server 2003 editions of the DDK.)

Any driver that creates a named device object which is not guaranteed to have its security descriptor set by the INF file must use IoCreateDeviceSecure. For more information, see Creating a Device Object. The caller is responsible for setting certain members of the returned device object. For more information, see Initializing a Device Object and the device-type-specific documentation for your device.

Be careful to specify the DeviceType and DeviceCharacteristics values in the correct parameters. Both parameters use system-defined FILE_XXX constants and some driver writers specify the values in the wrong parameters by mistake.

The caller is responsible for setting certain fields in the returned device object, such as the Flags field, and for initializing the device extension with any driver-defined information. For other operations that are required on new device objects, see Initializing a Device Object and the device-type-specific documentation for your device.

The GUID specified by the DeviceClassGuid parameter determines the device setup class for the device object. (For more information about device setup classes, see Device Setup Classes.) Callers must provide a value so that system administrators can change the security settings for the device (for instance, to deny access to certain users). For more information, see Setting Device Object Registry Properties After Installation.

Non-WDM drivers specify a new GUID, one not already in use by an existing device setup class. Generate a new GUID by using the GuidGen.exe DDK tool.

WDM bus drivers that handle raw-mode capable devices can specify the device setup class of the device, but only if that class is guaranteed to already have been created. Otherwise, create a new GUID.

Device objects for disks, tapes, CD-ROMs, and RAM disks are given a Volume Parameter Block (VPB) that is initialized to indicate that the volume has never been mounted on the device.

If a driver's call to IoCreateDeviceSecure returns an error, the driver should release any resources that it allocated for that device.

Callers of IoCreateDeviceSecure must be running at IRQL = PASSIVE_LEVEL.

See Also

DEVICE_OBJECT, IoAttachDevice, IoAttachDeviceToDeviceStack, IoCreateSymbolicLink, IoDeleteDevice, IoCreateDevice