  Message 1 of 9  
13 Mar 11 13:27
ntdev member 44695
xxxxxx@sivaller.no-ip.org
Join Date:
Posts To This List: 113
check if calling since process super-user or administrator

Hello:

I'm developing some IOCTL commands that I use in a Windows service.

I would like these IOCTL commands to return STATUS_ACCESS_DENIED if the process is run in user mode instead of as super-root or administrator.

Is there a DDK function for checking whether the user process calling the IOCTL command is executing in user mode or with administrator rights?

Thank you.
  Message 2 of 9  
13 Mar 11 13:41
Don Burn
xxxxxx@acm.org
Join Date:
Posts To This List: 3179
check if calling since process super-user or administrator

One way is to use SeCaptureSubjectContext and SeTokenIsAdmin. Take a look at the SeXXX operations, you can probably figure out a number of ways.

Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
  Message 3 of 9  
13 Mar 11 14:24
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10097
check if calling since process super-user or administrator

A better way is to acl your device so that you only allow reads to admins and then in the ioctl definition, define that it requires read access (you can flip the logic for write if you want) instead of any access. Then the io manager will do the check for you, no additional code needed.

d

dent from a phine with no keynoard
  Message 4 of 9  
13 Mar 11 16:05
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 5949
List Moderator
check if calling since process super-user or administrator

<QUOTE> A better way is to acl your device ... Then the io manager will do the check for you, no additional code needed. </QUOTE> What Doron proposes, above, really is THE solution. It avoids putting complicated policy code in your driver (where it really doesn't belong), and if you specify the ACL in your INF file you should be all set. Peter OSR
  Message 5 of 9  
14 Mar 11 11:02
Ken Johnson
xxxxxx@valhallalegends.com
Join Date: 24 Jul 2008
Posts To This List: 1022
check if calling since process super-user or administrator

Be careful with SeTokenIsAdmin as this leaves it up to you to manually (separately) verify that the caller is impersonating with an impersonation level that delegates access to act on behalf of the user (i.e. SecurityImpersonation or higher).

- S
  Message 6 of 9  
15 Mar 11 14:26
ntdev member 44695
xxxxxx@sivaller.no-ip.org
Join Date:
Posts To This List: 113
check if calling since process super-user or administrator

I need an example CRASH machine!

    ...
    case IOCTL_CMD_SERVICE_SETOWN:
    {
        PDEVICE_EXTENSION_MOTHER pd;

        irp->IoStatus.Information=0;
        KdPrintf(("[VFUM] set own service\n"));
        pd=gm();
        if (pd!=NULL)
        {
            if (pd->hProcessService==NULL)
            {
                SECURITY_SUBJECT_CONTEXT sec={0};

                SeCaptureSubjectContext(&sec);
                SeLockSubjectContext(&sec);
                if (SeTokenIsAdmin(sec.ClientToken))
                {
                    KdPrintf(("[VFUM] set own service OK\n"));
                    pd->hProcessService=hpid;
                    status=STATUS_SUCCESS;
                }
                else
                    status=STATUS_ACCESS_DENIED;
                SeUnlockSubjectContext(&sec);
                SeReleaseSubjectContext(&sec);
            }
            else
            {
                KdPrintf(("[VFUM] set own service already executed\n"));
                status=STATUS_ACCESS_DENIED;
            }
        }
        else
        {
            status=STATUS_INTERNAL_ERROR;
        }
    }
    break;
    ...

This code crashes the machine; why?
  Message 7 of 9  
15 Mar 11 14:49
Alex Grig
xxxxxx@broadcom.com
Join Date: 14 Apr 2008
Posts To This List: 3218
check if calling since process super-user or administrator

Drop this "Se" stuff altogether. Set an access control list (DACL) in the INF file for your driver, to only allow administrators write access, and read access to everybody. Make sure your "privileged" IOCTLs have FILE_WRITE_DATA attribute in their definition. That's all you have to do.
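
The DACL-plus-access-bits arrangement recommended in this thread, as an added example that is not part of any poster's message or driver: a user-mode C model of how the required-access field of an IOCTL code is matched against the access granted on the caller's handle. The function number 0x800, the names IOCTL_SETOWN_ANY and IOCTL_SETOWN_WRITE, the SDDL string and the simplified io_manager_allows() check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* INF side (constructed SDDL: SYSTEM and Administrators full, Everyone read):
 *   HKR,,Security,,"D:P(A;;GA;;;SY)(A;;GA;;;BA)(A;;GR;;;WD)"              */

/* Constants with the values the WDK headers give them. */
#define FILE_DEVICE_UNKNOWN 0x00000022
#define METHOD_BUFFERED     0
#define FILE_ANY_ACCESS     0
#define FILE_READ_ACCESS    0x0001
#define FILE_WRITE_ACCESS   0x0002
#define FILE_READ_DATA      0x0001  /* bits in a handle's granted access */
#define FILE_WRITE_DATA     0x0002

#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))

/* Hypothetical codes: function number 0x800 is assumed, not from the thread. */
#define IOCTL_SETOWN_ANY   CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_ANY_ACCESS)
#define IOCTL_SETOWN_WRITE CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_BUFFERED, FILE_WRITE_ACCESS)

/* Required-access field of a control code (bits 14-15). */
uint32_t ioctl_required_access(uint32_t code) { return (code >> 14) & 0x3u; }

/* Simplified model of the check made before the driver sees the request:
 * 1 = dispatched to the driver, 0 = failed with STATUS_ACCESS_DENIED. */
int io_manager_allows(uint32_t code, uint32_t granted)
{
    uint32_t need = ioctl_required_access(code);
    if ((need & FILE_READ_ACCESS) && !(granted & FILE_READ_DATA)) return 0;
    if ((need & FILE_WRITE_ACCESS) && !(granted & FILE_WRITE_DATA)) return 0;
    return 1;
}

int main(void)
{
    uint32_t user  = FILE_READ_DATA;                    /* non-admin: DACL grants read only */
    uint32_t admin = FILE_READ_DATA | FILE_WRITE_DATA;  /* admin: opened for read/write */
    printf("WRITE ioctl 0x%08X user=%d admin=%d\n", (unsigned)IOCTL_SETOWN_WRITE,
           io_manager_allows(IOCTL_SETOWN_WRITE, user),
           io_manager_allows(IOCTL_SETOWN_WRITE, admin));
    /* Weak definition: FILE_ANY_ACCESS lets the read-only handle through. */
    printf("ANY   ioctl 0x%08X user=%d\n", (unsigned)IOCTL_SETOWN_ANY,
           io_manager_allows(IOCTL_SETOWN_ANY, user));
    return 0;
}
```

The DACL only protects the privileged IOCTL when its code carries the write-access bit; the same function defined with FILE_ANY_ACCESS reaches the driver from any handle that could be opened at all.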
  Message 8 of 9  
15 Mar 11 17:16
Ken Johnson
xxxxxx@valhallalegends.com
Join Date: 24 Jul 2008
Posts To This List: 1022
check if calling since process super-user or administrator

This is incorrect usage of SeTokenIsAdmin and will grant access to non-admin users in some cases. Please use a DACL instead.

- S
  Message 9 of 9  
16 Mar 11 10:33
Maxim S. Shatskih
xxxxxx@storagecraft.com
Join Date: 20 Feb 2003
Posts To This List: 10396
check if calling since process super-user or administrator

> SeCaptureSubjectContext(&sec);
> SeLockSubjectContext(&sec);
> if (SeTokenIsAdmin(sec.ClientToken))

Bad code.

Instead, do the checks in CREATE only, not in IOCTL, and use Parameters.Create.SecurityContext

--
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com