Non-Admin User I/O on NDIS Intermediate (IM) Drivers

 

Symptoms

In many cases an NDIS miniport or intermediate driver needs a device object and symbolic link that a companion user-mode application or service can use for I/O access. These NDIS drivers are not permitted to call IoCreateDeviceSecure or IoCreateDevice to create their device object. Instead, they must use the NdisMRegisterDevice method exported from the NDIS library.

The Windows DDK and WDK include samples that illustrate the use of NdisMRegisterDevice, and when running as administrator the standard device-access CreateFile and DeviceIoControl calls used with non-NDIS devices work as expected.

However, when a non-administrator user accesses the NDIS driver's device object, calls to CreateFile and DeviceIoControl can fail.

CreateFile Template

The following code snippet illustrates the parameters passed to CreateFile that allow a non-administrator user to open a handle on the symbolic link created by NdisMRegisterDevice:

Note: For this method, FLT_CREATE_FILE_STRING is defined in an external header...

#include <windows.h>    // CreateFile, HANDLE, INVALID_HANDLE_VALUE

HANDLE WINAPI
FltOpenControlChannel( void )
{
    HANDLE  Handle;
    //
    // Use CreateFile to Open the Handle
    //
    Handle = CreateFile(
        FLT_CREATE_FILE_STRING, // String defined in header file...
        MAXIMUM_ALLOWED,
        0,   // ShareMode
        NULL, // Security Attributes
        OPEN_EXISTING, // CreationDistribution
        FILE_ATTRIBUTE_NORMAL, // FlagsAndAttributes
        NULL // TemplateFile
        );
    if( Handle == INVALID_HANDLE_VALUE )
    {
        //
        // Special Handling For Accessing Device On Windows 2000 Terminal Server
        // ---------------------------------------------------------------------
        // See Microsoft KB Article 259131
        //
        Handle = CreateFile(
            FLT_GLOBALS_CREATE_FILE_STRING, // String defined in header file...
            MAXIMUM_ALLOWED,
            0,   // ShareMode
            NULL, // Security Attributes
            OPEN_EXISTING, // CreationDistribution
            FILE_ATTRIBUTE_NORMAL, // FlagsAndAttributes
            NULL // TemplateFile
            );
    }
    return (Handle);
}

 

IOCTL Code Definitions

Once the issue of failing CreateFile calls has been addressed, one might also encounter failures when making DeviceIoControl calls from a non-administrator application. This can be fixed by specifying FILE_ANY_ACCESS as the access check when defining IOCTL codes. Here is a snippet:

#define IOCTL_FILTERIO_ENUMERATE _FILTERIO_CTL_CODE(1, METHOD_BUFFERED, FILE_ANY_ACCESS)
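
Added example (not PCAUSA's code): a small model of the access field inside an IOCTL code and of the I/O manager check it drives, showing that a FILE_ANY_ACCESS code is accepted on any handle, so the driver's own dispatch routine is the only place left to validate the caller and the buffers. The expansion of _FILTERIO_CTL_CODE is an assumption (EX_FILTERIO_CTL_CODE, with FILE_DEVICE_UNKNOWN and function base 0x800), as are the helper names; the constants repeat the Windows SDK values so the block builds without the SDK.

```c
#include <stdint.h>
#include <stdio.h>

/* Values as defined in the Windows SDK headers (winioctl.h / winnt.h),
   repeated here so the example builds without the SDK. */
#define FILE_DEVICE_UNKNOWN 0x00000022u
#define METHOD_BUFFERED     0u
#define FILE_ANY_ACCESS     0u
#define FILE_READ_ACCESS    1u
#define FILE_WRITE_ACCESS   2u
#define FILE_READ_DATA      0x0001u
#define FILE_WRITE_DATA     0x0002u
#define CTL_CODE(dev, fn, method, access) \
    (((uint32_t)(dev) << 16) | ((uint32_t)(access) << 14) | \
     ((uint32_t)(fn) << 2) | (uint32_t)(method))

/* Assumption: the page's _FILTERIO_CTL_CODE wraps CTL_CODE roughly like this. */
#define EX_FILTERIO_CTL_CODE(fn, method, access) \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800u + (fn), method, access)

/* Bits 14-15 of an IOCTL code hold the required-access field. */
static unsigned ioctl_required_access(uint32_t code) { return (code >> 14) & 3u; }

/* Model of the I/O manager's check before the driver sees the request:
   returns 1 if a handle holding the `granted` rights may issue `code`. */
static int ioctl_allowed(uint32_t code, uint32_t granted)
{
    unsigned need = ioctl_required_access(code);
    if ((need & FILE_READ_ACCESS) && !(granted & FILE_READ_DATA)) return 0;
    if ((need & FILE_WRITE_ACCESS) && !(granted & FILE_WRITE_DATA)) return 0;
    return 1;
}

int main(void)
{
    uint32_t any = EX_FILTERIO_CTL_CODE(1, METHOD_BUFFERED, FILE_ANY_ACCESS);
    uint32_t rw  = EX_FILTERIO_CTL_CODE(2, METHOD_BUFFERED,
                                        FILE_READ_ACCESS | FILE_WRITE_ACCESS);
    /* Constructed sample handles: no data rights, read only, read + write. */
    uint32_t handles[] = { 0, FILE_READ_DATA, FILE_READ_DATA | FILE_WRITE_DATA };
    for (int i = 0; i < 3; i++)
        printf("granted=0x%x  any-access:%d  read+write:%d\n", (unsigned)handles[i],
               ioctl_allowed(any, handles[i]), ioctl_allowed(rw, handles[i]));
    return 0;
}
```

Running the same decode over every IOCTL a driver defines gives a quick list of the codes that rely entirely on the driver's own checks.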

 

 

Topic Status

February 21, 2007 Information posted.
 

Copyright © 1996-2007 Printing Communications Assoc., Inc. (PCAUSA)
Last modified: January 20, 2007