Some work that I do requires that I dynamically install Kernel mode drivers on NT/Win2k. I was able to do this on both systems.

This is a kind of a security system, NDA prevents me from telling more...

Alas, now I face a new problem: dynamic installation requires the user to have driver install privileges (aka only administrators can do it) ... but my clients ask that all users should be able to install such drivers ... :( arghh... is this even possible?

So ANY ideas of how to do this (i.e. how a normal user can install a KMD driver, without a restart of course) will be highly appreciated... :)

Of course all in ASM/MASM style if possible

Thx all
Posted on 2002-01-26 11:32:23 by BogdanOntanu
There is a thing called unprotect.exe at www.numega.com
which makes it possible for any user to start a driver service in NT;
however, "unprotecting" the service must be done as admin.
Have a look at that, it might be what you need.

http://www.compuware.com/products/numega/drivercentral/techtips/security1.htm

ftp://ftp.compuware.com/pub/numega/drivers/outgoing/utility/unprotect.exe
Posted on 2002-01-26 14:22:37 by Noodle
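A defender's check for the "unprotected" state described in the post above, as an added example that is not part of the original thread or of the NuMega tool: it parses a service security descriptor in the SDDL text form printed by `sc sdshow` and lists allow ACEs that give anyone other than LocalSystem or the built-in Administrators the right to start or reconfigure the service. It assumes that unprotecting a service shows up as such a DACL change (the thread does not say how unprotect.exe works); the function names and both sample descriptors are constructed for illustration.

```python
import re

# SDDL access-right codes as they apply to service objects (only the ones
# that let a caller start the driver or take over its configuration).
RISKY = {
    "RP": "SERVICE_START", "DC": "SERVICE_CHANGE_CONFIG",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
# The same rights as access-mask bits, for ACEs written in hex form.
MASK_BITS = {0x0010: "RP", 0x0002: "DC", 0x40000: "WD", 0x80000: "WO",
             0x10000000: "GA", 0x40000000: "GW", 0x20000000: "GX"}
# Trustees expected to hold these rights: LocalSystem and built-in Administrators.
TRUSTED = {"SY", "BA", "S-1-5-18", "S-1-5-32-544"}

def rights_codes(field):
    """Split an ACE rights field into two-letter codes, decoding hex masks."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [code for bit, code in MASK_BITS.items() if mask & bit]
    return re.findall(r"[A-Z]{2}", field)

def risky_aces(sddl):
    """Return sorted (trustee, right) pairs an allow ACE grants to a non-admin."""
    dacl = sddl.split("D:", 1)[-1].split("S:", 1)[0]   # drop owner/group and SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        parts = ace.split(";")          # type;flags;rights;obj;inherit_obj;sid
        if len(parts) < 6 or parts[0] != "A":   # only access-allowed ACEs grant
            continue
        trustee = parts[5]              # note: "WD" here is the Everyone alias
        if trustee in TRUSTED:
            continue
        findings += [(trustee, RISKY[c]) for c in rights_codes(parts[2]) if c in RISKY]
    return sorted(findings)

# Constructed samples in SDDL form, not taken from a real machine.
DEFAULT_SD = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
              "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)")
LOOSENED_SD = DEFAULT_SD + "(A;;RPWP;;;AU)(A;;0x2;;;WD)"

if __name__ == "__main__":
    for name, sd in (("default", DEFAULT_SD), ("loosened", LOOSENED_SD)):
        print(name, risky_aces(sd))
```

Any finding on a kernel-driver service means a non-administrator can load or repoint ring 0 code, so each one should trace back to a deliberate administrative decision.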
You can use the Service Control Manager to dynamically load and unload an NT Kernel Driver. Try to look for documentation about CreateService(), OpenSCManager() and OpenService().
Posted on 2002-01-27 04:24:55 by jmp $FCE2
No, you can't,
unless you first unprotect the service from admin mode.
Posted on 2002-01-27 04:39:15 by Noodle
Bogdan,
it is possible to change your security settings via a couple of API calls, but I really don't know if it is possible to go to admin level (I would consider that ability a security risk, but knowing MS it will be possible :rolleyes: ). Another possibility: the user may only need to be in the 'power users' group to install the driver (I am not sure about this, you will have to try it).

OTOH, it is standard practice to tell the user running NT that they must have admin privileges to install an app. If the user is on a network, you could also have the network admin write a script to install it, or to run the install from a network point, as the network admin has admin privileges on all machines.

The restart can be avoided at install time, the restart is usually only required to actually run the app after it has been installed. If you don't mind the driver not being run until the next restart, then you have nothing to worry about. You could follow the same system that services use to install and run: if it gets run with the command line switch '/i', then it should install itself, if it gets run with the switch '/s' then it should run normally. Remember: the only real difference between a service and a driver is a registry entry.
Posted on 2002-01-28 04:07:21 by sluggy
Stop guessing and listen to Noodle ;).
Posted on 2002-01-28 07:36:05 by f0dder
My guess :) is that Noodle is right, after all it will be a security hole IF I will be able to do it, but I need it for a legitimate use...

Besides, the local admin of that network will agree to me doing so, but alas he cannot tell his admin password to the users, or to me, nor can he come and install this driver on every machine; it has to be an automatic procedure... and the normal user must be unable to stop it.

IF it is impossible to be done then so be it :(
(even if I will lose some contracts) but I want to be sure I have done/tried everything that is legal and in my powers to do...
Posted on 2002-01-28 14:29:40 by BogdanOntanu
Well, a guess ;), couldn't the administrator make a network script
that "unprotects" the service? I assume such a script is / can be
run with administrative privileges. Looking at the unprotect tool,
it should be as simple as calling it as "unprotect <service_name>".
I would be very surprised if there isn't a commandline (or scriptable)
way to install a service.
Posted on 2002-01-28 14:38:25 by f0dder
Hmmm... So far as I know the privilege to install drivers is a security setting in 2k. Look in Start - Settings - Control Panel - Administrative Tools - Security Policy. I changed my settings not to bug me about drivers being signed or privilege or whatever. Also, if it helps, by default win2k WILL allow an average user to install PRINTER drivers. I've never coded a driver before, but couldn't your driver just pretend to be a printer driver and then do other stuff anyhow? If all of my rambling was a waste of your time I apologize. :)
Posted on 2002-01-29 07:06:34 by emonk
There are differences between the various driver classes. I wouldn't
be surprised if a printer driver doesn't require ring0 access, and is
therefore safe for a regular user to install.
Posted on 2002-01-29 09:02:21 by f0dder
VDD drivers in NT run in ring 3 and a user could possibly install those;
KMD drivers run in ring 0 and may NOT be installed by users ever, never never never never never never!!! (unless priorly unprotected as mentioned earlier)
Should you find a way of doing this, you can certainly count on the next service pack to remove the possibility, because only a very serious bug being exploited is ever going to make it possible.

I assume that my IE is broken and displays links that others can't see, because I'm quite sure I pasted one explaining the entire thing, complete with source code; even the net start service is mentioned on that page. Please try scrolling up and see if you can see it; if it's indeed invisible I will be happy to paste it again.
Posted on 2002-01-29 09:38:49 by Noodle
Noodle, my IE must be broken too. What a coincidence.
Posted on 2002-01-29 09:43:56 by f0dder
I think your customer is missing the point. You write the software, his admin has to install it. After all it's his job.

Whether that admin wishes to do that station by station or via SMS (NT4-) or RIS (2k+) is his problem, not yours IMO.
You just have to supply correct installation software with a need for user rights according to the security measures demanded by the code's context.
Posted on 2002-01-29 12:38:44 by Hiroshimator
Hiro: your ramblings are never a waste of time for me :)

But this autoinstall feature is "a request" from my customer, and as I stated before, IF I cannot find a way to safely (ough...hmmm) do it .... then I will have to admit it cannot be done... a sad but true day for me ...

Noodle: send that link to me via email, please, if it cannot be posted on this board (do not break The Rules!)
Posted on 2002-01-29 18:14:46 by BogdanOntanu
Bogdan, the links (as posted by Noodle) are the following, and I cannot
see why they should be in violation of any rules.

http://www.compuware.com/products/numega/drivercentral/techtips/security1.htm
ftp://ftp.compuware.com/pub/numega/drivers/outgoing/utility/unprotect.exe
Posted on 2002-01-29 18:44:40 by f0dder