views:

99

answers:

2

We wrote a Windows device driver to access our custom PCI card. The driver uses CreateFile to get a handle to the card.

We recently had trouble at one installation were the card appeared to stop working. We tried replacing the card (the replacement appeared not work either). The computer vendor replaced the motherboard and both cards still failed to work. We put the cards in a different computer and both worked fine.

We now have the computer at our office for examination. The Windows Device Manager lists our card in Other Devices as usual and says it's working fine. However, our driver initialization fails when it attempts to connect to the card.

We created a test version of our driver with some extra debugging and determined that CreateFile is failing. It returns INVALID_HANDLE_VALUE as it is supposed to on failure. GetLastError indicates the error is Access is Denied.

Since we're logged into the system as a local administrator, what can deny access to the device?

+1  A: 

You may want to try with a "Checked" build of the Windows kernel. This is a debug build that has much more diagnostic information available through a debug channel. Last time I used one (years ago), the build was available on MSDN, but my info is possibly out of date.

Greg Hewgill
+1  A: 

This doesn't sound like a device driver, CreateFile() is only available in a regular Win32 app. That also matches the error, device drivers are not subjected to security restrictions like Win32 apps are.

Yes, you may have trouble opening handles to devices with CreateFile(). I think the user account at least needs to have SE_BACKUP_PRIVILEGE. There were also changes in Vista, review the CreateFile docs, section "Physical disks and volumes" for the rules. The best place to find security gurus that can show you how to edit the account privileges is a serverfault.com

Hans Passant
Alright, a little searching for what SE_BACKUP_PRIVILEGE is indicates multiple policy settings are related to it. For all the ones mentioned, we do have permission.Also I just posted this question on serverfault. We'll see what they come up with.
Corin