Is it possible to start a Windows driver without adm rights?

  • Question

  • I have a situation in which I have a driver, a DLL and one application which loads the DLL, all programmed by me. A second application also opens the DLL, but it's 3rd-party software so I have no control over their code.

    Both applications have to share the handles to the same object of the driver. So I have to instantiate the driver in the DLL, and duplicate the handles so that when the apps open the DLL they share handles to the same driver object. The problem comes on starting and stopping the driver, because I need administrator rights to do that and my handle duplication then fails. I have tried changing the security to PROCESS_DUP_HANDLE and it failed anyway. It seems that a process with normal user rights can't duplicate handles from a process with administrator rights. Can it?

    I can require adm rights on my app, but the client would need to open the 3rd-party app by right-clicking and selecting to open it with adm rights, which is not an elegant solution.

    So I am thinking about different ways to deal with this situation. Is it possible to start the driver without adm rights? I heard that with named shared memory I wouldn't need to duplicate the handles, however I tried it and it did not work. What other ways could I deal with this?

    Thanks guys!

    • Edited by RzRDigo Monday, February 23, 2015 5:04 PM
    Monday, February 23, 2015 5:03 PM

Answers

  • Non-admin users cannot manipulate drivers.  Would it be possible for you to create a service, that would be called from the DLL?  The service can run with admin privileges and administer the driver, and your DLL just sends requests to it?


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Monday, February 23, 2015 5:18 PM

All replies

  • also, why duplicate the handle? why not have both processes open their own handle? much simpler

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, February 23, 2015 5:31 PM
  • Yes, it is possible... took me a while to find out, but...
    by describing the Security Descriptor in the INF file one can change the required rights to load/unload drivers!
    Tuesday, March 10, 2015 8:59 PM
  • You can change the rights to open a device object, but as far as I know it won't allow you to load the driver just because you changed the INF.  Could you explain your extraordinary statement?


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Tuesday, March 10, 2015 9:37 PM
  • I am talking about loading the driver to kernel here, not creating an instance of a driver already loaded.

    In the AddService section of the driver INF file it is possible to set the security of the driver loading...

    This will let all users with any rights load and unload the driver for example:
    Security = "D:(A;OICI;GA;;;WD)"

    It is possible to define user groups, access rights such as read, write, exec and so on.
    However, the documentation on the matter is very poor.

    Wednesday, March 11, 2015 1:56 PM
  • Actually the documentation is fine, but it certainly does not imply what you are stating.  The SDDL string provides a way to specify the access to the device object, not to loading the driver.  If you really are doing this give an example, since it is not supposed to happen, and you are claiming a major security flaw in Windows.


    Don Burn Windows Filesystem and Driver Consulting Website: http://www.windrvr.com

    Wednesday, March 11, 2015 2:06 PM
  • It is not a security fault; that is set before driver installation, not dynamically changed.
    So if the driver developer decides to let any process with any privilege start the driver, it's his decision.

    In my opinion the documentation is weak in that point... if you can find the definitions of the letters used and the structure of the SDDL string, I will take that back, but I searched a lot and did not find it.

    I just gave an example, try installing a driver with that security descriptor in the inf file and start it as a normal user.....

    Thursday, March 12, 2015 2:54 PM
  • I just gave an example, try installing a driver with that security descriptor in the inf file and start it as a normal user.....

    Maybe you're confusing security descriptor of a device (needed to open a device) and of the service (needed to start/stop the driver). The latter is not important for PnP drivers, the driver will start by itself. Is your driver PnP?

    -- pa

    Thursday, March 12, 2015 3:09 PM
  • In the AddService section of the driver INF file it is possible to set the security of the driver loading...
    This will let all users with any rights load and unload the driver for example:
    Security = "D:(A;OICI;GA;;;WD)"

    Then install the driver with the inf file e.g.:
    netcfg -l "path_to_inf" -c class -i ID

    Then when you try to load the driver with:
    net start driver_name
    Or
    sc start driver_name

    It will be loaded even if the command prompt is not with adm privileges.

    Friday, March 13, 2015 8:17 PM
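The thread turns on two things: what the letters in an SDDL string such as `D:(A;OICI;GA;;;WD)` actually mean (the poster could not find the definitions), and the fact that a `Security` directive in a service-install section sets the service object's DACL, which is what `sc start` / `net start` are checked against. The following is an added example, not code from the thread or from any of the posters: a small Python audit script that parses INF text, follows each `AddService` directive to its install section, decodes the `Security` SDDL, and reports any allow ACE that grants broad principals (Everyone, Authenticated Users, Users, Interactive, Anonymous, Guests) a right that permits start or stop. The two-letter right codes carry the service-object meanings (`RP` = SERVICE_START, `WP` = SERVICE_STOP, etc., as `sc sdshow` prints them); treating `GX` as covering start/stop relies on the service generic mapping and is labelled as such. The INF fragments, service names and file names are constructed for the example.

```python
import re
from dataclasses import dataclass

# --- SDDL decoding -------------------------------------------------------
# Well-known SID abbreviations (subset) that appear in the trustee field.
SID_ABBREV = {
    "WD": "Everyone", "AU": "Authenticated Users", "BU": "Builtin\\Users",
    "BG": "Builtin\\Guests", "AN": "Anonymous", "IU": "Interactive Users",
    "BA": "Builtin\\Administrators", "SY": "Local System", "SU": "Service Logon",
}
# Principals that effectively mean "any local user" for audit purposes.
BROAD_TRUSTEES = {"WD", "AU", "BU", "BG", "AN", "IU"}

# Two-letter right codes. Generic/standard rights are universal; the specific
# codes are given their service-object meanings (the ones `sc sdshow` uses).
RIGHTS = {
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
    "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
}
# Rights that let the holder start or stop the service. GENERIC_ALL always
# does; GENERIC_EXECUTE is assumed to via the service generic mapping.
CONTROL_RIGHTS = {"GENERIC_ALL", "GENERIC_EXECUTE", "SERVICE_START", "SERVICE_STOP"}

DACL_RE = re.compile(r"D:((?:P|AI|AR)*)((?:\([^()]*\))*)")   # D:<flags><aces>
ACE_RE = re.compile(r"\(([^()]*)\)")


@dataclass
class Ace:
    ace_type: str   # "A" allow, "D" deny, ...
    flags: str      # e.g. "OICI" (container-inheritance flags; meaningless on a service)
    rights: list    # decoded right names
    trustee: str    # SID abbreviation or literal S-1-... string


def decode_rights(field):
    """Split a rights field into names; a hex access mask is left as-is."""
    if field.startswith("0x"):
        return [field]
    return [RIGHTS.get(field[i:i + 2], field[i:i + 2]) for i in range(0, len(field), 2)]


def parse_sddl_dacl(sddl):
    """Return the ACEs of the DACL (D:) component of an SDDL string."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(2)):
        f = body.split(";")      # type;flags;rights;object_guid;inherit_guid;sid
        if len(f) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(f[0], f[1], decode_rights(f[2]), f[5]))
    return aces


def broad_control_grants(sddl):
    """(trustee name, rights) for allow ACEs giving broad principals start/stop."""
    out = []
    for ace in parse_sddl_dacl(sddl):
        if ace.ace_type == "A" and ace.trustee in BROAD_TRUSTEES:
            hit = [r for r in ace.rights if r in CONTROL_RIGHTS]
            if hit:
                out.append((SID_ABBREV[ace.trustee], hit))
    return out


# --- INF scanning --------------------------------------------------------
def strip_comment(line):
    """Drop a ';' comment, but not a ';' inside a quoted SDDL string."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_inf(text):
    """Minimal INF parser: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value.strip('"')))
    return sections


def audit_inf(text):
    """Map each AddService'd service name to its broad start/stop grants."""
    sections = parse_inf(text)
    findings = {}
    for directives in sections.values():
        for key, value in directives:
            if key.lower() != "addservice":
                continue
            parts = [p.strip() for p in value.split(",")]
            name = parts[0]
            install = parts[2] if len(parts) > 2 else None
            directives_by_key = {k.lower(): v for k, v in sections.get(install, [])}
            security = directives_by_key.get("security")
            findings[name] = broad_control_grants(security) if security else []
    return findings


# Constructed sample INF (not the thread's driver): one service with the
# thread's permissive descriptor, one with an ordinary restrictive one.
SAMPLE_INF = """
[Version]
Signature = "$WINDOWS NT$"   ; comment after a directive

[DefaultInstall.NT.Services]
AddService = ExampleDrv, 0x00000002, ExampleDrv_Service_Inst
AddService = SafeDrv, 0x00000000, SafeDrv_Service_Inst

[ExampleDrv_Service_Inst]
ServiceType = 1
StartType = 3
ServiceBinary = %12%\\exampledrv.sys
Security = "D:(A;OICI;GA;;;WD)"

[SafeDrv_Service_Inst]
ServiceType = 1
StartType = 3
ServiceBinary = %12%\\safedrv.sys
Security = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
"""

if __name__ == "__main__":
    for service, grants in audit_inf(SAMPLE_INF).items():
        status = "OK" if not grants else "BROAD START/STOP: " + str(grants)
        print(f"{service}: {status}")
```

Run against a real driver package's INF, the script flags `ExampleDrv` (Everyone gets GENERIC_ALL, so any user can `sc start`/`sc stop` it and also rewrite its DACL) and passes `SafeDrv`, whose Interactive Users ACE carries only query rights. Note that `strip_comment` must be quote-aware: a naive split on `;` would truncate every SDDL string, since ACE fields are themselves separated by semicolons.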