Block USB flash drives in storage upper filter driver

    Question

  • Hi,

    I'm working on a driver to block USB flash drives. I took the DiskPerf storage upper filter driver as a sample, then I added USB bus detection in the DeviceAdd routine as described in passThrough development.

    So the main open question is what is the correct way to block USB in my case?

    I've tried to return STATUS_ACCESS_DENIED in DiskPerfDispatchPnp:IRP_MN_START_DEVICE. It actually works: the USB volume is blocked and it isn't visible in the list of removable media in Explorer. Nevertheless, the USB Mass Storage Device is still detected; it is visible in the tray but it can't be ejected using the tray menu, and it looks like Windows hangs on shutdown.


    Wednesday, May 22, 2013 6:30 AM

Answers

  • Changing device type does not work for me.

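    But I've found the solution. It is sufficient to return STATUS_ACCESS_DENIED in the IRP_MJ_READ and IRP_MJ_WRITE functions if the device is connected over USB.

    if (FALSE != deviceExtension->UsbDevice)
    {
        /* Device is attached over USB: complete the read/write here
           with an error instead of passing it down the stack. */
        Irp->IoStatus.Status = STATUS_ACCESS_DENIED;
        Irp->IoStatus.Information = 0;  /* no bytes transferred */
        IoCompleteRequest(Irp, IO_NO_INCREMENT);
        return STATUS_ACCESS_DENIED;
    }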


    Thursday, May 23, 2013 6:01 AM
  • It should be noted this does not block the drive as the original request asked for.  Not only can one still get at the drive, you can perform some operations.

    Not sure what you did wrong on changing the device type, but I have done this for clients multiple times with no problems.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Thursday, May 23, 2013 11:22 AM

All replies

  • I am not sure it works with the latest OSes, but in the past I checked for USB in AddDevice and, when adding the filter device object, made this a unique device type that was not a disk.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, May 22, 2013 11:16 AM
  • Hello Don,

    Thank you for the answer.

    Unfortunately this method doesn't work, at least on Windows 7 x86.

    In this discussion social.msdn.microsoft.com/Forums/en-US/wdk/thread/b67322ae-e06b-4fd5-8266-c4a62f398c82 I've found an alternative way to implement USB blocking. I mean a disk mini filter. What do you think about it in the context of the latest OSes?

    Also I've found that it is possible to change the DriverObject pointer of the PhysicalDeviceObject in the upper filter AddDevice routine. I've set the DiskPerf driver as the PhysicalDeviceObject DriverObject.

    The result looks somewhat interesting:

    1) the flash drive hasn't been mounted;

    2) it is visible in Device Manager as a disk drive;

    3) Windows rebooted on flash drive eject. :)

    Wednesday, May 22, 2013 12:37 PM
  • Do not change the pointer, you are basically messing up the kernel.  You can change the device type and that should work. 

    A mini-filter is a file system concept not a disk concept, you would use a mini-filter if you don't mind it being mounted but want to make it inaccessible.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, May 22, 2013 12:56 PM
  • I've tried to change the device type, but it does not work either. I think that at the moment when the filter driver AddDevice is called, the functional driver (disk.sys) and the port driver (usbstor.sys) are already initialized. So changing the device type will not have any effect.

    If it is possible to prevent the disk.sys functional driver AddDevice from being called for USB drives...

    What do you think?

    Wednesday, May 22, 2013 1:56 PM
  • No, you do not mess with disk.sys or with its DEVICE_OBJECTs.  When a request comes down it comes via the top device object on the stack.  So it will see your filter device object with type UNKNOWN and not the disk device object you attach to.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com Blog: http://msmvps.com/blogs/WinDrvr

    Wednesday, May 22, 2013 2:02 PM