Access granted when ObOpenObjectByPointer request mode is KERNEL

BoomiP 1 Reputation point

Hi All,

I am studying minifilter driver concept and developed a sample driver that registers for prehandle create callback in the OB_OPERATION_REGISTRATION structure.
In the callback, I am checking for a specific target process id. Incase if the intended operation tries to open handle to that particular target process, I am masking off some flags for example process terminate flag.

When I test the minifilter driver using another driver that opens a handle to the specific process using the ObOpenObjectByPointer. When calling ObOpenObjectByPointer in the test driver code, I am requesting process terminate access. In minifilter prehandle create callback , I am masking off the terminate flag in the POB_PRE_OPERATION_INFORMATION->Parameters->CreateHandleInformation.DesiredAccess. But when I check the handle returned to my driver, it has termination access.. Why OS is reverting the denied access by my code. The Msdn doc says that in the ObOpenObjectByPointer, when accessmode is kernel the requested access always granted as per the below snippet.

If the AccessMode parameter is KernelMode, the requested access is always allowed. If AccessMode is UserMode, the requested access is compared to the granted access for the object.

This is sample code that test my driver:

status = ZwOpenProcess(&hProcess, GENERIC_READ, &obj, &Pid);

status = ObReferenceObjectByHandle(

if (!NT_SUCCESS(status))
// Re-open the process to get a kernel handle.
if (NT_SUCCESS(status = ObOpenObjectByPointer(
Could anyone explain what is happening here? I am confused by the OS behavior.


Windows Hardware Performance
Windows Hardware Performance
Windows: A family of Microsoft operating systems that run across personal computers, tablets, laptops, phones, internet of things devices, self-contained mixed reality headsets, large collaboration screens, and other devices.Hardware Performance: Delivering / providing hardware or hardware systems or adjusting / adapting hardware or hardware systems.
1,513 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Lori Whippler Hollasch 1 Reputation point Microsoft Employee

    Hi BoomiP - Did you call FltSetCallbackDataDirty after "masking off the terminate flag in the POB_PRE_OPERATION_INFORMATION->Parameters->CreateHandleInformation.DesiredAccess"?

    If you are somewhat new to minifilter development, there are several driver samples that you can learn from.

    FYI that OSR is another great place to ask minifilter questions.

    0 comments No comments