Controlling Device Access (WDM)
Access to a device is controlled by a security descriptor (and the ACL it contains). A security descriptor for a device object can be specified when the device object is created, or set in the registry.
Controlling Device Access for WDM Drivers
When a WDM driver (other than certain bus drivers) creates a device object, the Plug and Play manager determines a security descriptor for the device. The order of operations is as follows.
The PnP manager calls the driver's AddDevice routine.
The driver's AddDevice routine calls IoCreateDevice to create the device object and attach it to the device object stack.
The PnP manager updates the security descriptor for the newly-created device object.
For a WDM driver, the PnP manager determines the security descriptor for the device object as follows.
If the device has a security descriptor setting in the registry, it is applied to every object in the device stack.
Otherwise, if the device's setup class has a security descriptor setting in the registry, it is applied to every object in the device stack.
Otherwise, the PnP manager leaves the default security descriptor for each object unchanged. In this case, the default security descriptor for the stack is determined by the device type and device characteristics of the PDO.
For most device types and characteristics, the default security descriptor gives full access (GENERIC_ALL) to administrators, and read, write, and execute access (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE) access to everyone else.
For more information about how to set a security descriptor for a device or device setup class in the registry, see Setting Device Object Properties in the Registry.
If a device is operated in raw mode, then the PnP manager cannot determine a security descriptor for the device object. In that case, the bus driver must provide a security descriptor; see below.
Controlling Device Access for WDM Bus Drivers
A WDM bus driver must provide a security descriptor for the PDO of every device that can be operated in raw mode. Use IoCreateDeviceSecure to create the device object with a security descriptor.
If the bus driver does not operate a device in raw mode, then it is not required to supply a security descriptor. The PnP manager determines the security descriptor, as described above. The bus driver can supply a security descriptor if it must ensure that its PDOs have stricter security settings than the default descriptor. Any descriptor specified by the bus driver is overridden by settings in the registry.
For more information about creating device objects, see Creating a Device Object.
Controlling Device Access for Non-WDM Drivers
Non-WDM drivers must specify a default security descriptor and class GUID for any named device objects they create.
Use the IoCreateDeviceSecure routine to create the named device object and to specify the default security descriptor and class GUID for that device. The security descriptor is specified in a subset of SDDL. For more information, see SDDL for Device Objects.
The system overrides the default security descriptor with any security settings in the registry for the specified class GUID. The driver must specify its own unique GUID for the device. Use the GuidGen tool to generate a unique GUID. (GuidGen is included in the Microsoft Windows SDK.)
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for