Starting the background service

The first time a new policy is defined and applied, the HP ProtectTools Device Locking/Auditing background service starts automatically, and it is set to start automatically whenever the system starts.

NOTE: A device profile must be defined before the background service prompt is displayed.

Administrators can also start or stop this service.

Stopping the Device Locking/Auditing service does not stop device locking. Two components enforce device locking:

- Device Locking/Auditing service

- DAMDrv.sys driver

Starting the service starts the device driver, but stopping the service does not stop the driver.

To determine whether the background service is running, open a command prompt window, and then type: sc query flcdlock

To determine whether the device driver is running, open a command prompt window, and then type: sc query damdrv

Device Class Configuration

Administrators can view and modify lists of users and groups that are allowed or denied permission to access classes of devices or specific devices.

The Device Class Configuration view has the following sections:

Device List—Shows all the device classes and devices that are installed on the system or that may have been installed on the system previously.

Protection is usually applied for a device class. A selected user or group will be able to access any device in the device class.

Protection may also be applied to specific devices.

User List—Shows all users and groups that are allowed or denied access to the selected device class or specific device.

The User List entry may be made for a specific user, or for a group in which the user is a member.

If a user or group entry in the User List is unavailable, the setting has been inherited from the device class in the Device List or from the Class folder.

Some device classes, such as DVD and CD-ROM, may be further controlled by allowing or denying access separately for read and write operations.

For other devices and classes, read and write access rights can be inherited. For example, read access may be inherited from a higher class, but write access may be specifically denied for a user or group.

NOTE: If the Read check box is cleared, the access control entry has no effect on read access to the device, but read access is not denied.

NOTE: The Administrators group cannot be added to the User List. Instead, use the Device Administrators group.

Example 1—If a user or group is denied write access for a device or class of devices:

48 Chapter 7 Device Access Manager for HP ProtectTools (select models only)