Security context in WMI paths
Posted by Maxim S. Shatskih on August 11th, 2003


Let's imagine there is some user (not necessarily admin) who executes some
WMI app (possibly a .VBS script) talking to my kernel mode module.
In the WMI path of the kernel mode module, I would like to access the
credential information (token object) of the user who executes a script.

Is it possible? If yes - then how?

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


Posted by Eliyas Yakub [MSFT] on August 11th, 2003


There are two issues here.

1) APIs to get security context information are not documented in the DDK.
You could work around this by using the IFS Kit.
2) Is the WMI dispatch handler in the driver called in the context of the
caller? I asked this question to our WMI dev a few months ago for some other
issue and here is the response:

"Are you using the WBEM APIs (IWBemClassObject, etc.)? If so then wbem will
call into a wmiprvse service and that service will do the call into the
kernel to get the data. I think it depends on the type of WBEM call to
determine if it will block the original caller. The WMI code in the kernel
will just forward the request as an irp to the top of the device stack in
the context it was invoked by user mode. If a device in the stack or target
device wants to pend and pass off to a worker thread then they can do this
if they want."


--
-Eliyas
This posting is provided "AS IS" with no warranties, and confers no rights.
http://www.microsoft.com/whdc/hwdev/driver/kb-drv.mspx


Posted by Maxim S. Shatskih on August 12th, 2003


No, it is executed in the process context of the WMI provider service
("wmiprvse" on XP).

Can I access the impersonation token of the current thread in the WMI paths to
make security decisions?

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com



Posted by Maxim S. Shatskih on August 14th, 2003


Anyway - having no authorization means in WMI is not good. The IOCTL interface
can provide them by Parameters.Create.SecurityContext in the CREATE path. Too bad
WMI does not support them properly, since this is a very, very good facility for
controlling the drivers.

--
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
maxim@storagecraft.com
http://www.storagecraft.com


