Reputation: 7265
Can an administrator bypass MiniFilters ACCESS_DENIED?
I'm planning to develop a windows driver using a minifilter to prevent certain file manipulations (such as file access).
I checked this article that provides a good starting point on using this technology.
On the screenshots at the end of that article, any deletion of a protected file asks for administrator privileges. My question is: can a minifilter also prevent file manipulation from an administrator of the system ? If this is not the case, is there any way to prevent an administrator the file manipulation ?
Many thanks!
Upvotes: 0
Views: 250
Answers (1)
Reputation: 1306
A minifilter can still return STATUS_ACCESS_DENIED for an operation performed by an Administrator running with elevated privileges. This will prevent the operation from succeeding. But it's nigh impossible to completely prevent an Administrator from doing something, because they can unload your driver, or override any access controls you create to prevent them from doing so. I would consider it a waste of time to try preventing an Administrator from doing anything.
Upvotes: 1
Related Questions
- Block access to specific path with minifilters
- Intercept Process Access using a Windows MiniFilter Driver
- Minifilter Driver - CMD can still delete a file
- Minifilters vs File System Filters
- Accessing driver IOControl from user application without administrator priviledge
- Is there a way to communicate with a minifilter without requiring admin rights?
- USB blocking using minifilter driver (passThrough)
- Block file creation
- Can file system driver filters filter operations based on user id?