Closed bowtiejicode closed 1 year ago
You can do that, but USBPcapDriver will refuse to give capture data to non-elevated user-space applications. In fact, USBPcapCMD does not require elevated mode to query the corresponding root hub (which is used by the extcap interface) - but that is the only action that a non-elevated user-space application can do.
If you want to access capture data from non-elevated user space, then you have to modify USBPcapDriver to allow it. The relevant code in the driver is https://github.com/desowin/usbpcap/blob/1a8893cf4b704a9812a82440ef2e476e194cdd65/USBPcapDriver/USBPcapRootHubControl.c#L70-L78 and the SDDL string is https://github.com/desowin/usbpcap/blob/1a8893cf4b704a9812a82440ef2e476e194cdd65/USBPcapDriver/USBPcapRootHubControl.c#L21-L24
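The comment above says the driver's SDDL string decides who can open the control device. The following is an added example, not code from this thread or from USBPcap: a small Python check that lists the allow ACEs in a device SDDL string that a non-elevated token could use. Both sample strings are constructed for illustration; the driver's real string is at the linked lines.

```python
import re

# SDDL trustee aliases that are enabled in a standard (non-elevated) user token.
# BA (Built-in Administrators) is deliberately absent: under UAC the filtered
# token carries that group as deny-only, so an allow ACE for BA only helps an
# elevated process.
NON_ELEVATED = {"BU", "AU", "IU", "WD"}

def parse_dacl(sddl):
    """Return (flags, [(ace_type, rights, trustee), ...]) for the D: component."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if m is None:
        raise ValueError("no DACL (D:) component in SDDL string")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append((fields[0], fields[2], fields[5]))
    return m.group(1), aces

def non_elevated_grants(sddl):
    """Allow ACEs usable without elevation, as (trustee, rights) pairs.

    Deny ACEs and conditional ACEs are not evaluated; this flags grants for
    review, it does not replace a full access check.
    """
    _, aces = parse_dacl(sddl)
    return [(trustee, rights) for kind, rights, trustee in aces
            if kind == "A" and rights and trustee in NON_ELEVATED]

# Constructed samples (not USBPcap's actual string):
# full access for SYSTEM and Administrators only
ADMIN_ONLY = "D:P(A;;GA;;;SY)(A;;GA;;;BA)"
# same, plus generic read/write/execute for Everyone
WORLD_RWX = "D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGWGX;;;WD)"

if __name__ == "__main__":
    for name, sddl in (("ADMIN_ONLY", ADMIN_ONLY), ("WORLD_RWX", WORLD_RWX)):
        print(name, "->", non_elevated_grants(sddl) or "elevation required")
```

An empty result means only elevated or system callers can open the device, which matches the behaviour described in the comment above.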
Thank you very much for the clarification!
I am aware that USBPcapCMD.exe forces the application to run in elevated mode, but is it possible for someone to build their own user-land application (such that it runs without admin rights) to communicate with the filter driver (USBPcapDriver)?
I am not familiar with driver stuff, so I would appreciate it if you could clarify my doubts.