CreateFile / CreatefileA getlasterror returns 5

Hari 21

I am trying to access a device in the device manager. (The device exposes some functionality, only after getting the handle I could perform IOCTL calls)

from the C++ app, I was able to get device details with the help of GUID.

I am getting the device path from SetupDiGetDeviceInterfaceDetail(). but with the device path, when I try to open using createfile / createFileA I am getting error code as 5, which is access denied.

I am in admin mode only. Below is the sample code.

#pragma comment(lib,"Setupapi.lib")


#ifdef __cplusplus
extern "C" {
#endif

#include <windows.h>
#include <tchar.h>

#include <setupapi.h>
#include <initguid.h>

#include <stdio.h>


class __declspec(uuid("{XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}")) guid;
GUID W_GUID = __uuidof(guid);

int main()
{
HDEVINFO                         hDevInfo;
SP_DEVICE_INTERFACE_DATA         DevIntfData;
PSP_DEVICE_INTERFACE_DETAIL_DATA DevIntfDetailData;
SP_DEVINFO_DATA                  DevData;


hDevInfo = SetupDiGetClassDevs(
&W_GUID, NULL, 0, DIGCF_DEVICEINTERFACE | DIGCF_PRESENT);

if (hDevInfo != INVALID_HANDLE_VALUE)
{
DevIntfData.cbSize = sizeof(SP_DEVICE_INTERFACE_DATA);
dwMemberIdx = 0;

bool result = SetupDiEnumDeviceInterfaces(hDevInfo, NULL, &W_GUID ,
dwMemberIdx, &DevIntfData);

DevData.cbSize = sizeof(DevData);

SetupDiGetDeviceInterfaceDetail(
hDevInfo, &DevIntfData, NULL, 0, &dwSize, NULL);

DevIntfDetailData = (PSP_DEVICE_INTERFACE_DETAIL_DATA)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, dwSize);
DevIntfDetailData->cbSize = sizeof(SP_DEVICE_INTERFACE_DETAIL_DATA);

SetupDiGetDeviceInterfaceDetail(hDevInfo, &DevIntfData,
DevIntfDetailData, dwSize, &dwSize, &DevData);


HANDLE _hDevice = CreateFile((LPCWSTR)DevIntfDetailData->DevicePath,
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_FLAG_OVERLAPPED,
NULL);

if (_hDevice == INVALID_HANDLE_VALUE)
{
int err = GetLastError();
if (err != 0)
{
std::cout << "error";
}
std::cout << _hDevice;
std::cout << "Error ";
}
SetupDiDestroyDeviceInfoList(_hDevice);
}
}
}

RLWA32 40,276 Reputation points

2022-05-13T10:48:58.99+00:00

Do you need GENERIC_WRITE in the call to CreateFile?

Anything about using IOCTLs for the device in related documentation?
Hari 21 Reputation points

2022-05-13T11:10:27.417+00:00

GENERIC_WRITE is not required, but since I was getting invalid handle, tried all combinations.
device documentation I have only guid and set of IOCTLs CTL codes.
RLWA32 40,276 Reputation points

2022-05-13T11:12:23.643+00:00

Try passing 0 instead of GENERIC_WRITE | GENERIC_READ. Also, try removing FILE_FLAG_OVERLAPPED.
Hari 21 Reputation points

2022-05-13T11:30:43.427+00:00

I tried as below:

HANDLE _hDevice = CreateFile((LPCWSTR)DevIntfDetailData->DevicePath,
0,
FILE_SHARE_READ |
FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);

its the same Invalid Handle(0xffffffff) with getlasterror() as 5.
RLWA32 40,276 Reputation points

2022-05-13T12:42:18.853+00:00

Why are you using an (LPCWSTR) cast?

Also, if you are running as administrator have you tried enabling the debug privilege in your token?

enabling-and-disabling-privileges-in-c--
Hari 21 Reputation points

2022-05-13T13:00:21.5+00:00

LPCWSTR is my mistake in createfile, I was experimenting with createfileA and had to typecast from WCHAR to LPCWSTR. I corrected back.

I haven't tried enabling the debug privilege.. let me try it out.. thanks..
Junjie Zhu - MSFT 14,446 Reputation points Microsoft Vendor

2022-05-16T02:06:00.94+00:00

With @RLWA32 's help, is there any progress?
Hari 21 Reputation points

2022-05-16T04:01:56.737+00:00

Yes @Junjie Zhu - MSFT , I am enabling the debug privilege in my code.
Hari 21 Reputation points

2022-05-16T05:16:09.417+00:00

I added the code as below:

I see that GetCurrentProcess() returns 0xffffffff is this normal. When I searched it said its the way it returns.
so added different code to get the process handle as below:

DWORD pid = GetCurrentProcessId();
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);

Now I get the process handle, but still createfile is returning getlasterror as 5.
RLWA32 40,276 Reputation points

2022-05-16T08:10:40.713+00:00
Regarding the posted code -

Did you correctly copy the MS code for adjusting token privileges? Check the call to SetPrivilege for success or failure. Confirm that your code is running with elevated privilege as Administrator.

Check CreateFile return and upon failure call GetLastError immediately. Do not call any other Windows API function between calling CreateFile and calling GetLastError. You can call CloseHandle for the token afterwards.

Try removing FILE_SHARE_READ

If CreateFile continues to fail I suggest you pursue the issue with the device vendor since you have indicated that the documentation for using IOCTLs is virtually nonexistent.
Hari 21 Reputation points

2022-05-16T08:28:17.237+00:00

Yes I copied correctly.
The code returns success for the SetPrivilege ().

CreateFile() returns 0xfffffff and after that getlasterror() is returning 5.

after removing the FILE_SHARED_READ, I get the same error as 5.

the device driver doc has mentioned below details: and have followed the same.

As a WDM/KMDF driver and according to Microsoft recommendations the driver won’t be named. The driver will be of the system devices class. The driver will register an interface by calling IoRegisterDeviceInterface. The application will open the handle to the driver using the following sequence of functions:
SetupDiGetClassDevs
SetupDiEnumDeviceInterfaces
SetupDiGetDeviceInterfaceDetail //probing
SetupDiGetDeviceInterfaceDetail
CreateFile
DeviceIoControl
CloseHandle
SetupDiDestroyDeviceInfoList
RLWA32 40,276 Reputation points

2022-05-16T09:04:51.75+00:00

Perhaps the device has a very restrictive security descriptor. Can you obtain the security descriptor as an SDDL string? See SetupDiGetDeviceRegistryPropertyW function and SPDRP_SECURITY_SDS.
Hari 21 Reputation points

2022-05-17T05:28:59.733+00:00

I received the data as D:P(A;;GA;;;SY), but I couldn't convert into readable SDDL string format.
Hari 21 Reputation points

2022-05-17T07:31:52.843+00:00

I checked each of the data with sddl.h header file and was able to map:
D = SDDL_DACL
P = SDDL_PROTECTED.
A = SDDL_ACCESS_ALLOWED
GA = SDDL_GENERIC_ALL
SY = SDDL_LOCAL_SYSTEM
Doron Holan 1,801 Reputation points

2022-05-18T21:26:31.303+00:00

If you are authoring the device driver package, you can set the security descriptor for the device in the INF. By default devices are only accessible by SYSTEM and must be explicitly configured to allow broader access.

Accepted answer

RLWA32 40,276 Reputation points

2022-05-17T07:43:53.393+00:00
So it would appear that the security descriptor for your device only permits access to the SYSTEM account.
You can test this by using PsExec to open a command prompt window that is running under the SYSTEM account. In that command prompt window run your application.

To accomplish this -

Install PsExec

Open a command prompt window with elevated privileges that is running as an Administrator.

In the elevated command prompt run the command "psexec -s -i -d cmd"

A new command prompt window will open that is running as SYSTEM. You can confirm with the whoami command.

In the SYSTEM command prompt window run your application.
Please sign in to rate this answer.

2 people found this answer helpful.
Hari 21 Reputation points

2022-05-17T09:35:39.327+00:00

Yes.. i am able to get the createfile handle now.. this is good. thanks a lot.. :)

do we have any other way other than running from PsExec tool?

RLWA32 40,276 Reputation points

2022-05-17T10:30:14.127+00:00

Another way is to use a scheduled task. When creating the task you can configure it to run using the SYSTEM account. However, the process will be created in session 0 which is a non-interactive session so no user interface will be visible. So any output that you want to see should be written to a file instead.

Other possibilities depend upon writing code to use your administrator privileges to "steal" a token from a process that is running as SYSTEM. A common target for such token theft is the winlogon.exe process. Once you have obtained a handle to such a token you can use it for impersonation or to start a new process with CreateProcessAsUser. But these things are beyond the scope of this question.

Hari 21 Reputation points

2022-05-17T11:05:54.787+00:00

ok got it.
I will do few experiments and will figure out..

Thanks for the help and it was nice working with you @RLWA32 .

RLWA32 40,276 Reputation points

2022-05-17T11:07:52.693+00:00

Another possibility for you to consider is to modify the security descriptor for your device to permit administrator access.
Sign in to comment

CreateFile / CreatefileA getlasterror returns 5

0 additional answers