Hello everyone.
I’m trying to prevent mount usb flash using minifilter. I created minifilter driver and registered IRP_MJ_CREATE callback routing. Then I catch USBSTOR.SYS load file and return STATUS_ACCESS_DENIED.
It works, but I think it is not correct. Does USBSTOR.SYS use when flash mount? If no, how can we block USB correctly&
Thank a lot.
If you want to block access on a per user basis then use a mini-filter
and catch the pre-create calls to the USB device and block based on
callers context. If you want to block ALL access then block ALL
pre-creates to the device from all users. This won’t prevent the
‘mounting’ of the device, just access to the device.
To prevent the mounting, you could implement a bus filter driver and go
about it that way. But this is very complicated and prone to errors.
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com http:</http:>
866.263.9295
------ Original Message ------
From: xxxxx@yahoo.com
To: “Windows File Systems Devs Interest List”
Sent: 5/26/2015 8:31:04 AM
Subject: [ntfsd] USB blocking minifilter driver
>Hello everyone.
>
>I’m trying to prevent mount usb flash using minifilter. I created
>minifilter driver and registered IRP_MJ_CREATE callback routing. Then I
>catch USBSTOR.SYS load file and return STATUS_ACCESS_DENIED.
>It works, but I think it is not correct. Does USBSTOR.SYS use when
>flash mount? If no, how can we block USB correctly&
>
>Thank a lot.
>
>—
>NTFSD is sponsored by OSR
>
>OSR is hiring!! Info at http://www.osr.com/careers
>
>For our schedule of debugging and file system seminars visit:
>http://www.osr.com/seminars
>
>To unsubscribe, visit the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=ListServer
The simplest approach to this is to block all access as an upper disk
filter. There are a number of approaches for blocking things the simplest
being just fail all read/writes and IOCTL’s.
Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Tuesday, May 26, 2015 10:31 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] USB blocking minifilter driver
Hello everyone.
I’m trying to prevent mount usb flash using minifilter. I created minifilter
driver and registered IRP_MJ_CREATE callback routing. Then I catch
USBSTOR.SYS load file and return STATUS_ACCESS_DENIED.
It works, but I think it is not correct. Does USBSTOR.SYS use when flash
mount? If no, how can we block USB correctly&
Thank a lot.
NTFSD is sponsored by OSR
OSR is hiring!! Info at http://www.osr.com/careers
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer
Block access on a per user basis is appropriate for me. But could you get a direction how to understand does user use USB or simple hard disk?
If you need it on a per user basis, then you need to do as Pete suggests and
fail the opens.
Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Wednesday, May 27, 2015 4:02 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] USB blocking minifilter driver
Block access on a per user basis is appropriate for me. But could you get a
direction how to understand does user use USB or simple hard disk?
NTFSD is sponsored by OSR
OSR is hiring!! Info at http://www.osr.com/careers
For our schedule of debugging and file system seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer