Jean-Paul Blanc
Hi,
I wrote a small program using the QueryDosDevice(...) API to get the volume name
associated with a unit name (A:, B:, C:, etc.). I then use CreateFile(...)
and SetSecurityInfo(...) to modify the DACL of the volume, so that I can
allow or deny users or groups access to the unit. This is done dynamically
by a service detecting the unit's arrival.
To be clear, the same thing can be done with:
    SetNamedSecurityInfo("\\\\.\\A:",
                         SE_FILE_OBJECT,
                         DACL_SECURITY_INFORMATION | PROTECTED_DACL_SECURITY_INFORMATION,
                         NULL,
                         NULL,
                         paclNew,
                         NULL);
"\\.\A:" allows opening a volume, and not the root of the unit, as documented
in the CreateFile(...) API.
This works well on XP. On Vista it's different. The DACL on the volume still
works for CD-ROM and floppy, but it no longer works for disks (removable or
not). On disks, the DACL on the volume just allows/denies the format.exe or
checkdisk.exe commands.
When I look at the Microsoft documentation "Removable storage device and
Windows Vista support"
(http://www.microsoft.com/whdc/device/storage/remstorperms.mspx), the "File
System Stack" being on top of the "Volume Manager stack", an ACL on the volume
should lock users' access. The tool "Device tree V2.19" from the OSR company
(http://www.osronline.com/) shows the file system driver on top of the
volume driver.
Surely I am missing something. Can anybody explain what, and how I can
programmatically give ACL rights to volumes on Vista? I saw that GPO allows
putting default ACLs on a driver class; is that the way?
Thanks in advance.
JP