UAC: Bug or just poor error message?

  • Thread starter Thread starter Marco Peretti
  • Start date Start date
M

Marco Peretti

Hi Everyobdy,

If you try to copy files from a network location to a local one where only
the TrustedInstaller user has write access then you get an error message
stating that your mapped drive refers to a location that is unavailable --
which is not true. In my opinion it should give an Access Denied error
message.

More details and a couple of screen shots can be found here:
http://leastprivilege.blogspot.com/2007/01/uac-unc.html


cheers,

Marco
 
microsoft.public.windows.vista.security news group, <"Marco
Peretti said:
If you try to copy files from a network location to a local one where only
the TrustedInstaller user has write access then you get an error message
stating that your mapped drive refers to a location that is unavailable --
which is not true. In my opinion it should give an Access Denied error
message.
Click to expand...

TrustedInstaller is a service, not a user.
More details and a couple of screen shots can be found here:
http://leastprivilege.blogspot.com/2007/01/uac-unc.html
Click to expand...

Your blog entry indicates that you're running Explorer elevated.
My understanding is that you can't do this. How are you running
it elevated?
 
TrustedInstaller is a service, not a user.

I know that, but the identity used is the TrustedInstaller SID,
Your blog entry indicates that you're running Explorer elevated.
My understanding is that you can't do this. How are you running
it elevated?
Click to expand...

have simply navigated to Accessories->Explorer and have chosen Run
Elevated.

cheers,

Marco
 
microsoft.public.windows.vista.security news group, <"Marco
Peretti said:
I know that, but the identity used is the TrustedInstaller SID,
Click to expand...

Right, just being precise here.
have simply navigated to Accessories->Explorer and have chosen Run
Elevated.
Click to expand...

That doesn't actually get you an elevated instance of Explorer.
 
Paul said:
microsoft.public.windows.vista.security news group, <"Marco


Right, just being precise here.


That doesn't actually get you an elevated instance of Explorer.
Click to expand...

What if you have the option "Launch folder windows in a separate
process" ticked? The issue I've heard is that all Explorer windows run
under the same process and therefore you cannot elevate just 1 window.
However, I've also heard it suggested that having separate processes
enabled means that you can elevate a new explorer window.

D
 
Your blog entry indicates that you're running Explorer elevated.
That doesn't actually get you an elevated instance of Explorer.
Click to expand...

Don't have access to Vista today. I'll double-check tomorrow and report
here.

Marco
 
microsoft.public.windows.vista.security news group, David Hearn
What if you have the option "Launch folder windows in a separate
process" ticked? The issue I've heard is that all Explorer windows run
under the same process and therefore you cannot elevate just 1 window.
However, I've also heard it suggested that having separate processes
enabled means that you can elevate a new explorer window.
Click to expand...

That seems to do the trick, yes, thanks for the reminder!
 
microsoft.public.windows.vista.security news group, <"Marco
Peretti said:
Don't have access to Vista today. I'll double-check tomorrow and report
here.
Click to expand...

I've tested it. Unless, as David points out, you run folder
windows in a separate process you don't actually get an elevated
instance.
 
Paul,
I've tested it. Unless, as David points out, you run folder
windows in a separate process you don't actually get an elevated
instance.
Click to expand...

I have checked the machine setting and, since it was a new box, it did not
have that option set yet and I just made the mistake of assuming it was.
When I try to copy to a protected folder, from an elevated process, I get a
proper access denied dialog.


--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com
--
 
just one more info: when I try to copy to a protected location from a
regular exe ( no privs ) and elevate when prompted, I get an error message
about my share drive being unavailable instead of an access denied. that,
IMHO, is wrong.
--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com
--

Marco Peretti said:
Paul,
I've tested it. Unless, as David points out, you run folder
windows in a separate process you don't actually get an elevated
instance.
Click to expand...

I have checked the machine setting and, since it was a new box, it did not
have that option set yet and I just made the mistake of assuming it was.
When I try to copy to a protected folder, from an elevated process, I get
a proper access denied dialog.


--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com
Click to expand...
 
microsoft.public.windows.vista.security news group, Marco
Peretti said:
just one more info: when I try to copy to a protected location from a
regular exe ( no privs ) and elevate when prompted, I get an error message
about my share drive being unavailable instead of an access denied. that,
IMHO, is wrong.
Click to expand...

Agreed, and sorry, I haven't had a chance to see if I get the
same results as you do.
 
Back
Top