Vista IO manager changes in handling FILE_DEVICE_SECURE_OPEN

After the IO manager developer reviewed my last 2 posts, he pointed out to me that the IO manager's handling of FILE_DEVICE_SECURE_OPEN (FDSO) has changed slightly in Vista. News to me and probably news to all of you as well. The change applies only when a file system is mounted on the device object; a device object which implements its own namespace with no file system attached is not affected. The old behavior (as I described earlier) skipped the security descriptor check on the device object if any path remained after the device object name was parsed. In the new Vista behavior, if the device object has the FDSO flag set, has a mounted file system, and its descriptor is not the OS default descriptor, the device’s descriptor is now evaluated, whereas prior to Vista it would have been skipped.

Why make this change? It was driven by a usage scenario for removable devices. The driver that enumerates the removable media volume can now alter the security descriptor and apply volume-wide security settings regardless of the actual file system mounted on the drive. For instance, the volume device could be assigned a security descriptor that allows only administrators to write to the volume, or one that makes the entire volume read-only.