UAC: Bug or just poor error message?

[Marco Peretti]

Hi Everyobdy,

If you try to copy files from a network location to a local one where only
the TrustedInstaller user has write access then you get an error message
stating that your mapped drive refers to a location that is unavailable --
which is not true. In my opinion it should give an Access Denied error
message.

More details and a couple of screen shots can be found here:
http://leastprivilege.blogspot.com/2007/01/uac-unc.html


cheers,

Marco

 

[Paul Adare]

microsoft.public.windows.vista.security news group, <"Marco

If you try to copy files from a network location to a local one where only
the TrustedInstaller user has write access then you get an error message
stating that your mapped drive refers to a location that is unavailable --
which is not true. In my opinion it should give an Access Denied error
message.

TrustedInstaller is a service, not a user.

More details and a couple of screen shots can be found here:
http://leastprivilege.blogspot.com/2007/01/uac-unc.html

Your blog entry indicates that you're running Explorer elevated.
My understanding is that you can't do this. How are you running
it elevated?

 

[Marco Peretti]

TrustedInstaller is a service, not a user.

I know that, but the identity used is the TrustedInstaller SID,

Your blog entry indicates that you're running Explorer elevated.
My understanding is that you can't do this. How are you running
it elevated?

have simply navigated to Accessories->Explorer and have chosen Run
Elevated.

cheers,

Marco

 

[Paul Adare]

microsoft.public.windows.vista.security news group, <"Marco

I know that, but the identity used is the TrustedInstaller SID,

Right, just being precise here.

have simply navigated to Accessories->Explorer and have chosen Run
Elevated.

That doesn't actually get you an elevated instance of Explorer.

 

[David Hearn]

microsoft.public.windows.vista.security news group, <"Marco


Right, just being precise here.


That doesn't actually get you an elevated instance of Explorer.

What if you have the option "Launch folder windows in a separate
process" ticked? The issue I've heard is that all Explorer windows run
under the same process and therefore you cannot elevate just 1 window.
However, I've also heard it suggested that having separate processes
enabled means that you can elevate a new explorer window.

D

 

[Marco Peretti]

Your blog entry indicates that you're running Explorer elevated.

That doesn't actually get you an elevated instance of Explorer.

Don't have access to Vista today. I'll double-check tomorrow and report
here.

Marco

 

[Paul Adare]

microsoft.public.windows.vista.security news group, David Hearn

What if you have the option "Launch folder windows in a separate
process" ticked? The issue I've heard is that all Explorer windows run
under the same process and therefore you cannot elevate just 1 window.
However, I've also heard it suggested that having separate processes
enabled means that you can elevate a new explorer window.

That seems to do the trick, yes, thanks for the reminder!

 

[Paul Adare]

microsoft.public.windows.vista.security news group, <"Marco

Don't have access to Vista today. I'll double-check tomorrow and report
here.

I've tested it. Unless, as David points out, you run folder
windows in a separate process you don't actually get an elevated
instance.

 

[Marco Peretti]

Paul,

I've tested it. Unless, as David points out, you run folder
windows in a separate process you don't actually get an elevated
instance.

I have checked the machine setting and, since it was a new box, it did not
have that option set yet and I just made the mistake of assuming it was.
When I try to copy to a protected folder, from an elevated process, I get a
proper access denied dialog.


--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com
--

 

[Marco Peretti]

just one more info: when I try to copy to a protected location from a
regular exe ( no privs ) and elevate when prompted, I get an error message
about my share drive being unavailable instead of an access denied. that,
IMHO, is wrong.
--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com
--

Paul,

I've tested it. Unless, as David points out, you run folder
windows in a separate process you don't actually get an elevated
instance.

I have checked the machine setting and, since it was a new box, it did not
have that option set yet and I just made the mistake of assuming it was.
When I try to copy to a protected folder, from an elevated process, I get
a proper access denied dialog.


--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com

 

[Paul Adare]

microsoft.public.windows.vista.security news group, Marco

just one more info: when I try to copy to a protected location from a
regular exe ( no privs ) and elevate when prompted, I get an error message
about my share drive being unavailable instead of an access denied. that,
IMHO, is wrong.

Agreed, and sorry, I haven't had a chance to see if I get the
same results as you do.