STATUS_ACCESS_DENIED issue

Hi,

I am working on a Minifilter driver to filter IRP_MJ_CREATE and want to prevent any desired executable from being opened; there are two ways to stop an application from opening, one in PreOperation and the other in PostOperation.

I'm using one solution at a time.

IN PRE-OPERATION CALLBACK

if (Data->Iopb->Parameters.Create.Options == 16777312 && Desired_Program_List(uStrPath))
{
    /* 16777312 == 0x01000060: disposition FILE_OPEN (high byte) with create options
       FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT (low 24 bits) */
    DbgPrint("Program Found...%ws\n", uStrPath.Buffer);
    if (nameInfo != NULL)
    {
        FltReleaseFileNameInformation(nameInfo);
    }
    /* Fail the create and complete it here; FltMgr then skips this filter's post-operation callback */
    Data->IoStatus.Status = STATUS_ACCESS_DENIED;
    Data->IoStatus.Information = 0;
    FltSetCallbackDataDirty(Data);

    return FLT_PREOP_COMPLETE;
}

IN POST-OPERATION CALLBACK

if (Data->Iopb->MajorFunction == IRP_MJ_CREATE)
{
    /* The create already succeeded; cancel the open and report the denial to the caller */
    if (Data->IoStatus.Information == FILE_OPENED && Desired_Program_List(gPath) && Data->IoStatus.Status == STATUS_SUCCESS)
    {
        DbgPrint("Program Found...%ws\n", gPath.Buffer);
        FltCancelFileOpen(FltObjects->Instance, FltObjects->FileObject);
        Data->IoStatus.Status = STATUS_ACCESS_DENIED;
        Data->IoStatus.Information = 0;
    }
}
The problem is that...
It occurs twice, meaning I get two prints in DbgView when I set status = STATUS_ACCESS_DENIED, and it gives an error message.

Is there any solution to make it occur once? I also don't want to show any error message pop-up.

Thanks & Regards
Musharraf Hussain

xxxxx@yahoo.com wrote:

Is there any solution to make it occur once? I also don't want to show any error message pop-up.

The problem with this solution is that you are failing a request to open
a file either back to some other process launching the application or to
the application itself. In either case, you cannot avoid the popup
message. To avoid the message, there are several alternative ways to
stop the application from running, just read the archives of this list
and the solutions are given.

As for seeing the message twice, I bet when the message appears twice
they are not the same pre-post request. I would guess it has to do with
your Options check, it is allowing an access through the pre-operation
check and you are failing the post operation. Note that the calling
process will try to open it more than once in most cases when you do
fail the request.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

Hi Peter,

I couldn't find any other way to stop an application from running; I mean I want to stop the application from running whenever a user tries to run it.

Please help me if there are ways to do this at the kernel level.

Thanks

Popping up an error message or eating it up is totally an application
behavior. So, NO, there is no decent way of avoiding the error message.
But the question is “Why do you want to avoid the error message?”.
Coming to the question that you asked in the last post, refer to the
FILE_EXECUTE flag in the open options. This will help you achieve what you
want. But WITH error message.

Regards,
Ayush Gupta
AI Consulting

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-395842-
xxxxx@lists.osr.com] On Behalf Of xxxxx@yahoo.com
Sent: Monday, January 11, 2010 11:10 AM
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] STATUS_ACCESS_DENIED issue

Hi Peter,

I couldn't find any other way to stop an application from running; I mean I want to stop the application from running whenever a user tries to run it.

Please help me if there are ways to do this at the kernel level.

Thanks


NTFSD is sponsored by OSR


xxxxx@yahoo.com wrote:

Hi Peter,

I couldn't find any other way to stop an application from running; I mean I want to stop the application from running whenever a user tries to run it.

Please help me if there are ways to do this at the kernel level.

A quick search of OSROnline/NTFsd found

http://www.osronline.com/showThread.cfm?link=158862

This has pointers to other threads as well.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

I use this checking:

/* accessMask is the create request's DesiredAccess
   (Data->Iopb->Parameters.Create.SecurityContext->DesiredAccess) */
bExec = FlagOn(accessMask, FILE_EXECUTE) &&
        !FlagOn(accessMask, FILE_WRITE_DATA) &&
        !FlagOn(accessMask, FILE_READ_EA);

Works fine from Win2k to Win7.
16-bit executables use the FILE_READ_EA flag (but you can check whether the executable is being invoked by ntvdm.exe).
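As an added example (not code from any poster in this thread), the following stand-alone user-mode C decodes the IRP_MJ_CREATE parameters the posts above test and applies the FILE_EXECUTE check from the last post. It shows that the original poster's literal 16777312 matches a create disposition and create options (the "Options check" Pete points at), not execute access, whereas the FILE_EXECUTE heuristic inspects the access mask. The constants mirror the Windows header values and the disposition/options packing of Parameters.Create.Options; no kernel headers are needed.

```c
#include <stdint.h>
#include <stdio.h>

/* ACCESS_MASK bits used by the check (values as in the Windows headers). */
#define FILE_WRITE_DATA   0x00000002u
#define FILE_READ_EA      0x00000008u
#define FILE_EXECUTE      0x00000020u

/* Create options: the low 24 bits of Parameters.Create.Options. */
#define FILE_SYNCHRONOUS_IO_NONALERT 0x00000020u
#define FILE_NON_DIRECTORY_FILE      0x00000040u

/* Create disposition: the high byte of Parameters.Create.Options. */
#define FILE_OPEN 0x00000001u

static uint32_t create_disposition(uint32_t options) { return options >> 24; }
static uint32_t create_options(uint32_t options)     { return options & 0x00FFFFFFu; }

/* The original poster's literal 16777312 (0x01000060) says nothing about execute
 * access: it is FILE_OPEN of a non-directory file with synchronous I/O. */
static int matches_op_options_literal(uint32_t options)
{
    return create_disposition(options) == FILE_OPEN &&
           create_options(options) == (FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT);
}

/* The FILE_EXECUTE heuristic from the last post, applied to DesiredAccess:
 * execute requested, but neither write-data nor read-EA (the latter is what
 * 16-bit images opened through ntvdm.exe ask for). */
static int is_execute_open(uint32_t desired_access)
{
    return (desired_access & FILE_EXECUTE) != 0 &&
           (desired_access & FILE_WRITE_DATA) == 0 &&
           (desired_access & FILE_READ_EA) == 0;
}

int main(void)
{
    printf("16777312 -> disposition 0x%02x, options 0x%06x, OP literal match: %d\n",
           create_disposition(16777312u), create_options(16777312u),
           matches_op_options_literal(16777312u));
    printf("execute-only access mask is image load: %d\n", is_execute_open(FILE_EXECUTE));
    printf("execute+write access mask is image load: %d\n",
           is_execute_open(FILE_EXECUTE | FILE_WRITE_DATA));
    return 0;
}
```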