We wrote a Windows device driver to access our custom PCI card. The driver uses CreateFile to get a handle to the card.
We recently had trouble at one installation were the card appeared to stop working. We tried replacing the card (the replacement appeared not work either). The computer vendor replaced the motherboard and both cards still failed to work. We put the cards in a different computer and both worked fine.
We now have the computer at our office for examination. The Windows Device Manager lists our card in Other Devices as usual and says it's working fine. However, our driver initialization fails when it attempts to connect to the card.
We created a test version of our driver with some extra debugging and determined that CreateFile is failing. It returns INVALID_HANDLE_VALUE as it is supposed to on failure. GetLastError indicates the error is Access is Denied.
Since we're logged into the system as a local administrator, what can deny access to the device?
You may want to try with a "Checked" build of the Windows kernel. This is a debug build that has much more diagnostic information available through a debug channel. Last time I used one (years ago), the build was available on MSDN, but my info is possibly out of date.
This doesn't sound like a device driver, CreateFile() is only available in a regular Win32 app. That also matches the error, device drivers are not subjected to security restrictions like Win32 apps are.
Yes, you may have trouble opening handles to devices with CreateFile(). I think the user account at least needs to have SE_BACKUP_PRIVILEGE. There were also changes in Vista, review the CreateFile docs, section "Physical disks and volumes" for the rules. The best place to find security gurus that can show you how to edit the account privileges is a serverfault.com
Related
Let's say we have an AWS instance with GPU capability. Also, only ec2-user/root users can install software on this server (nvidia drivers, CUDA, etc..). Now suppose ec2-user/root user types the command nvidia-smi and receives the following output:
Would a "regular" (non-root user or non ec2-user) user still get the same output? Or would he get something like NVIDIA-SMI has failed because it couldn’t communicate with the NVIDIA driver. Make sure that the latest NVIDIA driver is installed and running?
In other words, do regular users also have access to the GPU/CUDA if it has been installed by the root/ec2-user?
Yes, regular users should have access to GPU/CUDA, if you have not done anything unusual during the install. The only way you would get this kind of behavior mismatch (between root and ordinary user) would be if you had modified permissions on the device files. However a typical install will set permissions so that anyone can use the GPUs.
However even in the case where the device permissions are set in an unusual way, the difference would not result in that particular error message for the ordinary user, it would result in a permissions message.
That particular error message indicates a broken driver install, and the broken driver install will manifest itself for both root and ordinary users.
Note that the "broken driver install" statement here assumes you have already rebooted the instance, and are still seeing the message. If you have not yet rebooted the instance after driver install, that is recommended.
I need to implement a feature for a product.
Requirement:
A set of information has to be stored and it has to be deleted once the system (win / linux) is restarted.
If the application crashes, the information must still be available and accessible. But if the computer loses power, or if the user restarts the computer, the information should be deleted.
EDIT:
This program is a cross platform which runs both on windows10 and linux(CentOS). So i need to code for both platforms
Currently i have written that information to a xml file. I need to find a way to clear that information , when the system is rebooted.
Having a script which will delete that file is not an ideal option because of the security issues around the product.
I need to Disable/Enable a loaded device driver because the device "at times" when connected fails to load properly.
This device is controlled by the user and is POWERED AND UN-POWERED very frequently.
The program which needs to use the driver DETECTS a failure and needs to Disable/Enable which ALWAYS corrects the issue.
But using the SetupAPI methods causes the executable to require ADMIN rights (Windows 7 and Windows 10).
I'm not sure if I need to use "other" coding methods or if SIGNING the executable will remove the "requirement" to run as administrator?
Any ideas would be greatly appreciated.
The problem is that is any used can unload a driver, they'd be able to interfere with other users. Drivers are a shared resource.
"Signing" the executable makes a few warnings less scary but doesn't affect security.
I'm at my wits end with this super descriptive "Access denied" error. Here's the rundown so far. Please keep in mind there is A LOT of information, so I may leave some out by accident.
I am writing a time provider for the w32time service, this is NOT sysadmin stuff, it's not fixed by registering /unregistering the service
I suspect my dll is not configured correctly in such a way to produce the "Access Denied" error
Here's what I've done to try and figure out what's wrong with my dll:
-Ran it through depends and all required callback functions are exposed (TimeProvOpen, TimeProvClose, TimeProvCmd)
All permissions of the dll and it's whole directory hierarchy are read/write/modify now
Put some logging in the dll - nothing logs, meaning TimeProvOpen doesn't even get called!
I am most definitely administrator
I'm not sure what else to do. I enabled debug logs for the Windows Time Service and it is no more descriptive. Just says:
Starting 'mytimeprovider', dll: 'path'
Logging error: Time Provider 'mytimeprovider' failed to start due to the following error: Access is denied (0x80070005)
What else should I be looking for? What can cause access denied, even when permissions are good, and callback functions are exposed?
Unless you are a fabricator of some atomic time sync device with your computer why go through all this trouble ?.
I mean w32tm.exe can already sync with the tcp time protocol with other ip based time servers on the internet. the protocol is adjusting computer clock time depending on time gap, and can ignore to large gaps (or you can disable that). Just beter just be an ip based time source so you dont need to change the service itself (well i cannt imagine why someone would)
For your device, simply you could let it talk over tcp/ip in the same protocol as used by w32tm.exe service. You probaply could do that with an arduino, or pic, disbanding the whole windows OS and have a smaller clock device to sell.
BTW this service can keep track on multiple time services so its not so easy to fool.
Or wrap around time.exe to simply set the time
So my dll depends on a another static library built by an associate. As far as I can tell, my permissions issues are coming from there. When the other library is excluded, my dll is able to be loaded by the w32time service. I'm still trying to figure out how to include that other dll without errors.
At least it wasn't my fault, yay!
What would be the simplest way for an application I'm writing to block all Internet access on a Windows machine?
More details:
Windows: XP or higher
Application: A basic Win32 app written in C/C++.
Blocking: It needs to be able to block and unblock at will, ideally in a way that the user can't easily reverse. (By, say, right clicking on a network connection icon in the system tray.) Also, ideally, I'd like the method it uses to allow access to be restored should the user restart Windows or reset the machine, though I'd also be willing to have the app auto launch with Windows and unblock access upon startup if the machine was reset while in a blocked state.
Internet access: Primarily, I'd like to block conventional browsers from hitting conventional http/https sites. Secondarily, it would be nice to block IM clients and client-side social networking apps. It would also be nice, but not required, to still allow local networking for file sharing, etc. (Note that only the first requirement is absolute.)
Final notes: This is not meant to be a security utility, nor will its relationship to the user be adversarial (as, for example, with a parental control utility) so it's not important for it to use a scheme that can't be worked around by a determined user. (Consider that I intend for a reboot or reset to clear the blocking. This means that any workaround a user might discover that would take more effort than this is okay.)
Thanks!
p.s. I suspect that the Windows Firewall API won't work for me because this needs to work for users that haven't enabled the firewall or don't have admin privileges, but I'll be thrilled if I'm corrected on this.
It sounds like you're intending to run applications that you don't want to access the internet. Perhaps you could run them inside a virtual machine such as VirtualBox with networking disabled.
You could do it with a Winsock SPI. The Windows SDK has a sample (under Samples\netds\winsock\lsp) which implements what is called a layered service provider which allows you to hook all the user mode functions provided by Winsock and reject/modify the calls to block network access or redirect traffic to different locations. All installed winsock applications will be affected, so in your code you could have policys for what applications can go out and the like and disabled/enable on the fly. Now a determined person could find ways around this but it would be a pain.
That said this isn't trivial to do but the sample should get you most of the way there.
You cannot effectively or practically write your tool with only a user mode application.
What you need to write is a network I/O stack filter driver. This done by writing a Windows Driver. This is different from a Windows Win32 application. Drivers run in kernel mode and applications run in user mode.
On Windows Vista and later, the kernel mode Network Programming Interface (NPI) is designed for this. This is the same API that Windows Firewalls use. These are sometimes called the Winsock kernel (WSK) APIs.
In effect, you are writing a network firewall (more or less)
here are some links
Introduction to Winsock Kernel (WSK)
Windows Core Networking Blog
The Network Programming Interface Docs on MSDN
Note, your will likely need at least two components
Your driver
A Graphical application that a person can use to control your tool
If you want to do any monitoring, you will likely need a user mode service that collects data from your driver. This works better than trying to do this in the driver. In general, you should do the minimal amount of work in the driver.
A few notes:
You need to be very conscious of security when writing this kind of software. This is very much non trivial. Software that is network facing has the highest security requirements.
Be cognizant of performance.
Your driver and/or service must be aware of the context of a calling application. This is also a security boundary. For example, an application not running as administrator should not be able to control your driver.
take a look at firewall sourcecodes