Hindering Filter Deletion in a Callout Driver

  • Question

  • In this article (http://msdn.microsoft.com/en-us/library/windows/desktop/bb427375(v=vs.85).aspx), the sample code shows how to set a DACL to deny DELETE access rights for a WFP filter created by a user-mode app.

    Should a callout driver also do this in order to make its objects difficult for some process to delete? If so, is there sample code available that shows this? The WFP sample driver defines a SID (wfpSamplerSID) but I don't see where it's used to create a DACL.

    Wednesday, April 24, 2013 3:57 PM

All replies

  • Doing this is optional, and you should only attempt it if you know what you are doing.  This ACLing is a rudimentary form of security for your objects, but can be fairly easily circumvented.

    The wfpSamplerSID is defined in the headers (inc\Identifiers.h), but was never used for the current incarnation of the WFPSampler.

    Hope this helps,


    Dusty Harper [MSFT]
    Microsoft Corporation
    ------------------------------------------------------------
    This posting is provided "AS IS", with NO warranties and confers NO rights
    ------------------------------------------------------------

    Friday, April 26, 2013 8:02 PM
    Moderator