Re: CreateFile() returns ERROR_ACCESS_DENIED to the user

Will Administrator log in and then execute the code with these API's to
grant permissions for power users on the device driver and then do a
relogon with power user or there is some other place where the
permissions can be granted?

Well, you can do it the way you like (for example,
CreateProcessAsUser()may be quite helpfull), but keep in mind that, in
order to grant aceess permissions, one needs to be Admin - non-admin
users cannot grant permissions to themselves, can they??? Therefore,
the code thar runs these lines must be running under Admin account

Anton Bassov



sunk_bansal@xxxxxxxxxxx wrote:
Hi,

About granting ACL on device through
GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(), I want to
know as to when to grant these permissions?

Will Administrator log in and then execute the code with these API's to
grant permissions for power users on the device driver and then do a
relogon with power user or there is some other place where the
permissions can be granted?

Regards,
Sunil

anton bassov wrote:
Don,

Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
that allows geneal users access.

In this particular situation, such approach is more reasonable - I
admit. However, I think the OP may need to modify access to various
kernel objects on more than one occasion in his future career, so it
would be a good idea for him to learn how to do it. In fact, I just
wonder how he managed to write a driver, in the first place - he seems
to be struggling with the basic NT concepts.....


Anton Bassov


Don Burn wrote:
Actually, a simpler way is to use IoCreateDeviceSecure with a SDDL string
that allows geneal users access.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply



"anton bassov" <soviet_bloke@xxxxxxxxxxx> wrote in message
news:1163454664.839974.119450@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Do i must modify user rights or driver rights ????

In actuality, none of the above....

You have to modify not user rights and DEFINITELY not driver rights,
but access permission to your target device (i.e. its ACL) Check MSDN,
namely, GetSecurityInfo()/SetSecurityInfo(), plus SetEntriesInAcl(),
for more info

Anton Bassov

SteM wrote:
Thanks Anton,
my guess was that, at least, open, close and DeviceIoControl was allowed
....
How can i solve ?
Do i must modify user rights or driver rights ????

Thanks
--
SteM


"anton bassov" <soviet_bloke@xxxxxxxxxxx> ha scritto nel messaggio
news:1163436308.076405.201750@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi mate

This is just absolutely normal default behaviour - limited users have
no access to devices by default. If you want non-privileged users to
gain access to it, you have to EXPLICITLY allow the above (it is
understandable that it can be done only from the Admin account)

Anton Bassov


SteM wrote:
Hello,
I've written a small wdm driver for Win2000 to access an old custom
hw
on
parallel port.
The accesses are via a couple of DeviceIoControl() custom commands.
It works fine, does exactly what i intended; however, it only works
if I
am
logged in as Administrator (or equivalent).
If I log in as a regular user (Power User) the call to CreateFile
fails
with
ACCESS_DENIED.

// Open driver
rv = CreateFile (
ifDetail->DevicePath,
0, // Desidered access
0, // Share mode
NULL, // Security attrb
CREATE_NEW, // How to create
FILE_FLAG_DELETE_ON_CLOSE, // File attribute
NULL // Template file
);

if (rv==INVALID_HANDLE_VALUE)
{
......



Thanks in advance for any pointers...
--
SteM



.

Relevant Pages

  • Re: jdbc permissions
    ... Using the SQL Server 2000 Driver for JDBC on a Java 2 Platform ... additional permissions. ...
    (microsoft.public.sqlserver.server)
  • Re: Word printing problems...
    ... You might first run Disk Utility - Repair Disk Permissions & see ... with printing are seldom the fault of the application. ... Print services are actually provided by the OS & the print driver. ... repairing permissions first - especially if this in an HP printer. ...
    (microsoft.public.mac.office.word)
  • Re: CreateFile() returns ERROR_ACCESS_DENIED to the user
    ... know as to when to grant these permissions? ... Will Administrator log in and then execute the code with these API's to ... wonder how he managed to write a driver, in the first place - he seems ... You have to modify not user rights and DEFINITELY not driver rights, ...
    (microsoft.public.win32.programmer.kernel)
  • Re: "Send as" and SBS Domain Power User
    ... We can "Send as" the normal domain user by using the domain power user ... You can remove the power user from the Account Operator group or deny the ... To deny user "Send as" permissions for power user: ... Microsoft CSS Online Newsgroup Support ...
    (microsoft.public.windows.server.sbs)
  • Re: Power User Vs. Admin
    ... An administrator is all powerful on the computer while a power user has ... application can be made to work if the user has the necessary permissions to ... the user that cause the application to fail and often these failures can ...
    (microsoft.public.windows.server.security)