SCSI - IOCTL_SCSI_PASS_THROUGH_DIRECT - Admin privileges

  • Question

  • Hello,

    we are currently working on a card reader which mounts the data of a smartcard (like a credit card) as a removable medium, comparable to a USB flash drive.

    The card reader is connected via USB.

    To check the PIN of the smartcard we use a "SET IDENTIFYING INFORMATION" SCSI command, for which we use a self-defined SCSI CDB.

    The problem with this scenario is that we cannot send data via DeviceIoControl (IOCTL_SCSI_PASS_THROUGH_DIRECT) on Windows Vista/7, since the drive handle is not available without starting the application elevated, which we do not want to do...

    Is there any possibility to exchange the data without the need for admin privileges? Would you exchange the information in another way?

    CD Burning Software can somehow access the drives in a similar way...

    Thanks!

    Regards, Stefan

    • Moved by Jesse Jiang Thursday, October 11, 2012 5:43 AM (From:Visual C++ General)
    Wednesday, October 10, 2012 9:31 AM

Answers

  • CD burning software is some nasty software. Usually they get this to work by installing their own filter driver and allowing access from a non-admin account. There is a reason that SCSI PT requires admin access; don't circumvent it.

    d -- This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, October 11, 2012 6:55 AM

All replies

  • Hi,

    I think your issue should be raised in the Windows WDK and Driver Development Forum.

    I believe they will know more about this issue than we do, so I will move this one to that forum.

    Thanks for your understanding,

    Best regards,
    Jesse


    Jesse Jiang [MSFT]
    MSDN Community Support | Feedback to us

    Thursday, October 11, 2012 5:44 AM
  • It's not a big deal to write a 100-line driver that opens a file in kernel mode and passes a user-mode-accessible handle back to the caller in UM. Just make sure your user-mode app can open the driver interface for private communications.

    CD burning apps tend to use filter drivers, but that's because they don't want 1) software bus tracers to capture I/O traffic and reverse-engineer what they do with a particular device, and 2) other burning apps' broken drivers "fixing" (read: breaking) their I/O command sequence. That's why they usually end up with totally unsupported "hook"-based drivers. As you're probably not interested in either 1) or 2), I'd recommend sticking with a simple kernel helper :)

    -nismo

    P.S. We have had all these drivers (all approaches) in production for 10+ years, so it's not something you cannot do.

    Sunday, October 14, 2012 10:32 AM
  • You'd do better to just stand up a small service to open the device and send whatever IO you need on behalf of the UM app.  Same model, inserting a trusted component as a proxy for the untrusted UM app, but you can write and debug it a zillion times more easily.

    Put all the implementation in the service, and just request the various operations from the UM app, secure the comm channel between the service and the UM app, and you'll have a robust and secure architecture.

    Monday, October 15, 2012 5:31 PM
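  • The following is an added example, written for this page and not code from any of the posters: it shows what the question's IOCTL_SCSI_PASS_THROUGH_DIRECT request looks like in C, and how the trusted-service model from the reply above keeps the raw CDB out of the untrusted client's hands (the client only names an operation and supplies the PIN; the service builds every CDB itself). The CDB follows the SPC-4 layout for SET IDENTIFYING INFORMATION (MAINTENANCE OUT, opcode A4h, service action 06h); the identifying-information type 0x00, the 12-digit numeric PIN policy, and the \\.\E: volume path are assumptions, since the poster's self-defined CDB is not on the page. Only send_sptd() needs Windows; the request construction compiles and can be checked on any platform.

```c
/* Added example (not from the thread): SET IDENTIFYING INFORMATION via
 * IOCTL_SCSI_PASS_THROUGH_DIRECT, with a broker-side dispatcher that builds
 * the CDB itself. Assumed values are marked; the OP's vendor CDB is unknown. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <ntddscsi.h>
#else
/* Non-Windows build: mirror the documented ntddscsi.h layout so the request
 * construction compiles and can be checked anywhere; only send_sptd() below
 * actually talks to a device, and only on Windows. */
typedef struct _SCSI_PASS_THROUGH_DIRECT {
    uint16_t Length;
    uint8_t  ScsiStatus, PathId, TargetId, Lun;
    uint8_t  CdbLength, SenseInfoLength, DataIn;
    uint32_t DataTransferLength;
    uint32_t TimeOutValue;
    void    *DataBuffer;
    uint32_t SenseInfoOffset;
    uint8_t  Cdb[16];
} SCSI_PASS_THROUGH_DIRECT;
#define SCSI_IOCTL_DATA_OUT 0
#endif

typedef struct {
    SCSI_PASS_THROUGH_DIRECT sptd;
    uint8_t sense[32];                /* sense data lands here on CHECK CONDITION */
} SPTD_WITH_SENSE;

#define OP_MAINTENANCE_OUT      0xA4  /* SPC-4: SET IDENTIFYING INFORMATION is   */
#define SA_SET_IDENTIFYING_INFO 0x06  /* MAINTENANCE OUT with service action 06h */
#define PIN_INFO_TYPE           0x00  /* assumed: the type the reader expects    */
#define MAX_PIN_LEN             12    /* assumed policy: numeric ASCII PIN       */

/* Fill a 12-byte SET IDENTIFYING INFORMATION CDB (SPC-4 layout).
 * Returns the CDB length, or 0 if info_type does not fit its 7-bit field. */
size_t build_set_identifying_info_cdb(uint8_t cdb[16], uint32_t param_len, uint8_t info_type)
{
    if (info_type > 0x7F) return 0;
    memset(cdb, 0, 16);                      /* reserved bytes and CONTROL = 0 */
    cdb[0]  = OP_MAINTENANCE_OUT;
    cdb[1]  = SA_SET_IDENTIFYING_INFO;       /* SERVICE ACTION, bits 4:0 */
    cdb[6]  = (uint8_t)(param_len >> 24);    /* PARAMETER LIST LENGTH, big-endian */
    cdb[7]  = (uint8_t)(param_len >> 16);
    cdb[8]  = (uint8_t)(param_len >> 8);
    cdb[9]  = (uint8_t)(param_len);
    cdb[10] = (uint8_t)(info_type << 1);     /* IDENTIFYING INFORMATION TYPE, bits 7:1 */
    return 12;
}

/* Validate the PIN and assemble the pass-through request around it.
 * payload must outlive the request: the DIRECT variant DMAs from it, and real
 * code should align it to the adapter's AlignmentMask (not done here). */
int build_pin_request(SPTD_WITH_SENSE *req, const uint8_t *pin, size_t pin_len,
                      uint8_t *payload, size_t payload_cap)
{
    if (pin_len == 0 || pin_len > MAX_PIN_LEN || payload_cap < pin_len) return -1;
    for (size_t i = 0; i < pin_len; i++)
        if (pin[i] < '0' || pin[i] > '9') return -1;   /* assumed policy: digits only */

    memset(req, 0, sizeof *req);
    memcpy(payload, pin, pin_len);
    req->sptd.Length             = (uint16_t)sizeof req->sptd;
    req->sptd.CdbLength          = (uint8_t)build_set_identifying_info_cdb(
                                       req->sptd.Cdb, (uint32_t)pin_len, PIN_INFO_TYPE);
    req->sptd.DataIn             = SCSI_IOCTL_DATA_OUT;   /* host -> device */
    req->sptd.DataTransferLength = (uint32_t)pin_len;
    req->sptd.TimeOutValue       = 5;                     /* seconds */
    req->sptd.DataBuffer         = payload;
    req->sptd.SenseInfoLength    = (uint8_t)sizeof req->sense;
    req->sptd.SenseInfoOffset    = (uint32_t)offsetof(SPTD_WITH_SENSE, sense);
    return req->sptd.CdbLength ? 0 : -1;
}

/* Broker-side dispatch: the untrusted client names an operation and hands over
 * only the PIN. The trusted side builds every CDB itself and rejects anything
 * else, so a client can never push an arbitrary SCSI command through. */
int broker_build(const char *op, const uint8_t *arg, size_t arg_len,
                 SPTD_WITH_SENSE *req, uint8_t *payload, size_t payload_cap)
{
    if (strcmp(op, "verify_pin") == 0)
        return build_pin_request(req, arg, arg_len, payload, payload_cap);
    return -1;   /* unknown op, including any attempt to pass a raw CDB */
}

/* Issue the request. 0 on success; -1 on open/ioctl failure or non-GOOD SCSI
 * status (sense bytes are then in req->sense). Stub returning -1 off Windows. */
int send_sptd(const char *device_path, SPTD_WITH_SENSE *req)
{
#ifdef _WIN32
    HANDLE h = CreateFileA(device_path, GENERIC_READ | GENERIC_WRITE,
                           FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                           OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    DWORD returned = 0;
    BOOL ok = DeviceIoControl(h, IOCTL_SCSI_PASS_THROUGH_DIRECT,
                              req, sizeof *req, req, sizeof *req, &returned, NULL);
    CloseHandle(h);
    return (ok && req->sptd.ScsiStatus == 0) ? 0 : -1;
#else
    (void)device_path; (void)req;
    return -1;
#endif
}

int main(void)
{
    SPTD_WITH_SENSE req;
    uint8_t payload[MAX_PIN_LEN];
    if (broker_build("verify_pin", (const uint8_t *)"1234", 4, &req, payload, sizeof payload) != 0)
        return 1;
    /* Open the volume (as the last reply in the thread did) rather than
     * \\.\PhysicalDriveN; the drive letter is an assumption for this example. */
    if (send_sptd("\\\\.\\E:", &req) != 0) {
        printf("pass-through failed, SCSI status 0x%02x\n", req.sptd.ScsiStatus);
        return 1;
    }
    puts("PIN accepted");
    return 0;
}
```

    Whichever side ends up holding the device handle (a kernel helper or a service), the point of broker_build() is that the handle owner exposes a fixed vocabulary of operations and never accepts CDB bytes from the caller; the CDB builder and the length checks live entirely on the trusted side.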
  • I got it working now by creating the file handle with the volume letter...
    Wednesday, October 17, 2012 2:10 PM