Re[2]: USB blocking minifilter driver

As indicated by Don, fail the opens … to do this you need to register
a pre-create callback in the mini-filter driver as well as an
InitInstance callback. In the InitInstance callback, where the device is
mounted, determine that the device is the one you want to control. You
can query the bus type, get a device name, etc. There are many ways to
determine this depending on what the requirements are. Once you have
this information, initialize a volume context which you retrieve in your
pre-create. In your pre-create, retrieve the volume context and if the
user's context is one which you want to fail for the given device, then
fail the open back to the caller.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@yahoo.com
To: “Windows File Systems Devs Interest List”
Sent: 5/27/2015 2:01:30 AM
Subject: RE:[ntfsd] USB blocking minifilter driver

>Blocking access on a per-user basis is appropriate for me. But could you
>give a direction on how to determine whether the user is using USB or a
>simple hard disk?
>
>—
>NTFSD is sponsored by OSR
>
>OSR is hiring!! Info at http://www.osr.com/careers
>
>For our schedule of debugging and file system seminars visit:
>http://www.osr.com/seminars
>
>To unsubscribe, visit the List Server section of OSR Online at
>http://www.osronline.com/page.cfm?name=ListServer
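The pre-create half of the approach described in the message above, as an added example that is not code from the thread or from any poster. `USB_VOLUME_CONTEXT`, `ShouldFailOpen`, `CallerIsBlocked`, `PreCreate` and `gBlockedUserSid` are hypothetical names; it assumes InstanceSetup already stored the bus type in the volume context and that the driver is built with MSVC `/kernel`, so `_KERNEL_MODE` is defined.

```c
#include <stdbool.h>
#include <stddef.h>
#ifdef _KERNEL_MODE                 /* assumption: driver built with MSVC /kernel */
#include <fltKernel.h>
#endif

/* Hypothetical volume context, filled in once per volume by InstanceSetup. */
typedef struct _USB_VOLUME_CONTEXT {
    int BusType;                    /* STORAGE_BUS_TYPE value queried at mount */
} USB_VOLUME_CONTEXT;

#define BUS_TYPE_USB 7              /* numeric value of BusTypeUsb */

/* Policy only: fail the open when the volume is USB and the caller is blocked. */
bool ShouldFailOpen(const USB_VOLUME_CONTEXT *ctx, bool callerIsBlocked)
{
    return ctx != NULL && ctx->BusType == BUS_TYPE_USB && callerIsBlocked;
}

#ifdef _KERNEL_MODE
extern PSID gBlockedUserSid;        /* hypothetical: SID of the user to restrict */

/* Compare the SID of the token that issued this create with the blocked SID. */
static bool CallerIsBlocked(PFLT_CALLBACK_DATA Data)
{
    PACCESS_STATE state = Data->Iopb->Parameters.Create.SecurityContext->AccessState;
    PACCESS_TOKEN token = SeQuerySubjectContextToken(&state->SubjectSecurityContext);
    PTOKEN_USER user = NULL;
    bool blocked = false;
    if (NT_SUCCESS(SeQueryInformationToken(token, TokenUser, (PVOID *)&user))) {
        blocked = RtlEqualSid(user->User.Sid, gBlockedUserSid) != FALSE;
        ExFreePool(user);           /* buffer was allocated by the query */
    }
    return blocked;
}

FLT_PREOP_CALLBACK_STATUS PreCreate(PFLT_CALLBACK_DATA Data,
    PCFLT_RELATED_OBJECTS FltObjects, PVOID *CompletionContext)
{
    USB_VOLUME_CONTEXT *ctx = NULL;
    bool deny;
    UNREFERENCED_PARAMETER(CompletionContext);
    /* No context means InstanceSetup did not tag this volume: let it through. */
    if (!NT_SUCCESS(FltGetVolumeContext(FltObjects->Filter, FltObjects->Volume,
                                        (PFLT_CONTEXT *)&ctx)))
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    deny = ShouldFailOpen(ctx, CallerIsBlocked(Data));
    FltReleaseContext(ctx);
    if (!deny)
        return FLT_PREOP_SUCCESS_NO_CALLBACK;
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;   /* fail the open to the caller */
    Data->IoStatus.Information = 0;
    return FLT_PREOP_COMPLETE;
}
#endif
```

Outside a `/kernel` build only `ShouldFailOpen` is compiled, which lets the policy be unit-tested in user mode.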

I think there was some standard registry key to disable USBSTOR.


Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntfsd…
> Hello everyone.
>
> I’m trying to prevent mounting of a USB flash drive using a minifilter. I created a minifilter driver and registered an IRP_MJ_CREATE callback routine. Then I catch the USBSTOR.SYS file load and return STATUS_ACCESS_DENIED.
> It works, but I think it is not correct. Is USBSTOR.SYS used when a flash drive is mounted? If not, how can we block USB correctly?
>
> Thanks a lot.
>

In the InitInstance callback I can determine what the device is (bus type). In another thread of the OSR forum I read: “IRP_MJ_CREATE IRP is sent only during file system mount.”
Is it possible to know whether this IRP is for a USB device or not?

I’m not sure what the first sentence has to do with the last two, but I’ll hazard to answer the final question.

An IRP_MJ_CREATE IRP indicates the media device object to which it is targeted (FileObject->DeviceObject or FileObject->Vpb->DeviceObject, and if there’s no Vpb then it’s not a media device). Presumably given the device object you can figure out what kind of device it is by asking it, though I’m not familiar with the particulars (NTDEV is a good place for a question about “how do I figure out if this arbitrary device object represents a USB device”). Of course, not all USB devices are used for storage, either, and other drivers can abstract away details (like volume managers), so figuring out if there is a USB device as part of a given volume object may not be trivial, either.

Tony
OSR

I will try to give more details in my question…
In the InitInstance callback I attach to volumes: HD, USB,… For example, I have two USB devices. One of them I want to block. I know (using bus type, name, etc.) which USB I want to block. And in IRP_MJ_CREATE I want to prevent loading USBSTOR.SYS just for the USB I want to block. So, is it possible to know for which USB USBSTOR.SYS was run?

By the time your file system filter is running, the chance to block USBSTOR
is long gone. But you already stated you wanted to control things on a
per-user basis, so you cannot block this anyway.

Don Burn
Windows Driver Consulting
Website: http://www.windrvr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Thursday, May 28, 2015 4:18 PM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] Re[2]: USB blocking minifilter driver

I will try to give more details in my question…
In the InitInstance callback I attach to volumes: HD, USB,… For example, I
have two USB devices. One of them I want to block. I know (using bus type,
name, etc.) which USB I want to block. And in IRP_MJ_CREATE I want to
prevent loading USBSTOR.SYS just for the USB I want to block. So, is it
possible to know for which USB USBSTOR.SYS was run?
