INFO: OpenEvent Fails in a Non-Administrator Account

Article translations Article translations
Article ID: 228785 - View products that this article applies to.
This article was previously published under Q228785
Expand all | Collapse all

SUMMARY

User applications running in a non-administrator account will fail (ERROR_ACCESS_DENIED) to open a named event that has been created in a device driver in the system process context.

MORE INFORMATION

One way (not the best way) to notify the user mode application of asynchronous events from a device driver is to create a named event in kernel mode using IoCreateNotificationEvent and allow the user application to open the event and wait on it. The most common problem with this approach is: if the driver creates the event in DriverEntry, which runs in the system process context, the event object inherits the default system security attributes. As a result, the application can open the event only if it runs in the administrator account. The other problem is that the user application cannot change the state of the event. It can only wait on the event.

Note that creating such an event visible in user mode is not possible in the driver entry on Windows 2000 and later. The Win32 subsystem is not loaded at this step and on Windows 2000 and later, this subsystem is responsible for creating the BasedNamedObject directory. This is the director where the event has to be created in order to be visible in user mode.

A simple workaround for this problem is to create the event in a driver routine that runs in the context of the process that wants to access the event. In this way, the event object will inherit the security attributes of the process and will be able to open the event.

But the best way to provide this kind of kernel-to-user notification is to create the event in user mode and send an IOCTL to the driver with the handle of the event. The driver in turn would get the address of the event object from the handle by using the ObReferenceObjectByHandle function and can signal the event from any arbitrary thread context at IRQL less than or equal to DISPATCH_LEVEL. When the driver no longer needs the event, it would call ObDereferenceObject to free the event. The following Microsoft Knowledge Base article has a link to a sample driver that demonstrates this technique:
176415 Event.exe Shows How to Share and Signal an Event Object
Another technique to notify the user application without using events is described in the following Knowledge Base article:
117308 INFO: How Drivers Notify User-Mode Apps of Asynchronous Events

Properties

Article ID: 228785 - Last Review: February 23, 2007 - Revision: 3.2
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
Keywords: 
kbinfo kbkmode KB228785

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com