DOCUMENT:Q243405
TITLE   :Device Drivers Create their Corresponding DeviceObject with FILE_DEVICE_SECURE_OPEN DeviceCharacteristics
PRODUCT :Windows NT
PROD/VER:4.0
OPER/SYS:WINDOWS NT
KEYWORD :kbbug4.00 kbfix4.00 

-------------------------------------------------------------------------------
The information in this article applies to:

 - Microsoft Windows NT Server version 4.0 
 - Microsoft Windows NT Server, Enterprise Edition version 4.0 
 - Microsoft Windows NT Workstation version 4.0 
-------------------------------------------------------------------------------

SYMPTOMS
========

When you open a device object in a program under the following conditions, it is
possible to obtain greater access to that object than the designated permissions
allow:

 - The device object has already been opened and you specify a relative file
   name of zero length to open a handle within that object.

 - The path specified to the device includes an additional trailing backslash
   name or character, and the device does not accommodate a parse routine.

This behavior particularly affects the following files in relation to I/O
Manager:

 - Floppy.sys (Floppy Driver in C:\winnt\system32\drivers\)

 - Netdetect.sys (Network Card Detection driver Driver in
   C:\winnt\system32\drivers\)

 - Parport.sys (Parallel Port Driver in C:\winnt\system32\drivers\)

 - Null.sys (NULL Driver in C:\winnt\system32\drivers\)

 - Beep.sys (BEEP Driver in C:\winnt\system32\drivers\)

 - Scsiport.sys (SCSI Port Driver in C:\winnt\system32\drivers\)

 - Tcpip.sys (TCP/IP driver in C:\winnt\system32\drivers\)

CAUSE
=====

It is the responsibility of a device driver of the corresponding device that
creates or opens a logical DeviceObject in the operating system name space with
IoCreateDevice() to represent the device. Detail of IoCreateDevice() can be
found on MSDN at
http://msdn.microsoft.com/library/ddkdoc/ntddk/native/ddk/kr/src/k104_22.htm.

On Windows NT 4.0 Service Pack 6a and earlier, the seven aforementioned device
drivers do not call IoCreateDevice() with the FILE_DEVICE_SECURE_OPEN
DeviceCharacteristics. The seven that are included in the C2 Update call
IoCreateDevice() with the FILE_DEVICE_SECURE_OPEN DeviceCharacteristics. The
Windows NT IO manager that services IoCreateDevice() performs the necessary
access check and audits the event if a relative file name of zero length is
specified or an additional trailing backslash name or character is included in
the path to the device.

NOTE: Other device drivers shipped with Windows NT 4.0 Service Pack 6a have been
tested for making the IoCreateDevice() call with the FILE_DEVICE_SECURE_OPEN
DeviceCharacteristics.

RESOLUTION
==========

The following files are available for download from the Microsoft Download
Center or Microsoft's FTP site. Click the file names below to download the
appropriate file:

English:

   x86:

   Microsoft Download Center: Q244599i.exe
   (http://download.microsoft.com/download/winntsp/Patch/SP6a_C2/NT4/EN-US/Q244599i.exe)

   FTP: Q244599i.exe       (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp6a/c2-fix/Q244599i.exe)

   Alpha:

   Microsoft Download Center: Q244599a.exe
   (http://download.microsoft.com/download/winntsp/Patch/SP6a_C2/ALPHA/EN-US/Q244599a.exe)

   FTP: Q244599a.exe
   (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postsp6a/c2-fix/Q244599a.exe)

French:

   x86:

   FTP: Q244599i.exe
   (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/frn/nt40/hotfixes-postsp6a/c2-fix/Q244599i.exe)

   Alpha:

   FTP: Q244599a.exe
   (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/frn/nt40/hotfixes-postsp6a/c2-fix/Q244599a.exe)

Spanish:

   x86:

   FTP: Q244599i.exe
   (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/spa/nt40/hotfixes-postsp6a/c2-fix/Q244599i.exe)

   Alpha:

   FTP: Q244599a.exe
   (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/spa/nt40/hotfixes-postsp6a/c2-fix/Q244599a.exe)

For more information about how to download files from the Microsoft Download
Center, please visit the Download Center at the following Web address

   http://www.microsoft.com/downloads/search.asp

and then click "How to use the Microsoft Download Center".

STATUS
======

Microsoft has confirmed this to be a problem in Windows NT 4.0.

Additional query words: c2 security_patch
============================================================================

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND.  MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  IN NO
EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR
ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.  SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.