Vista - UAC: Bug or just poor error message?

Hi Everyobdy,

If you try to copy files from a network location to a local one where only
the TrustedInstaller user has write access then you get an error message
stating that your mapped drive refers to a location that is unavailable --
which is not true. In my opinion it should give an Access Denied error
message.

More details and a couple of screen shots can be found here:
http://leastprivilege.blogspot.com/2007/01/uac-unc.html


cheers,

Marco

--
mperetti [at] beyondtrust [dot] com
www.beyondtrust.com

In article <eJZuMHhOHHA.3552@TK2MSFTNGP03.phx.gbl>, in the
microsoft.public.windows.vista.security news group, <"Marco
Peretti" <marco alla neovalens dot com>> says...

> If you try to copy files from a network location to a local one where only
> the TrustedInstaller user has write access then you get an error message
> stating that your mapped drive refers to a location that is unavailable --
> which is not true. In my opinion it should give an Access Denied error
> message.

TrustedInstaller is a service, not a user.

>
> More details and a couple of screen shots can be found here:
> http://leastprivilege.blogspot.com/2007/01/uac-unc.html

Your blog entry indicates that you're running Explorer elevated.
My understanding is that you can't do this. How are you running
it elevated?

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld

> TrustedInstaller is a service, not a user.

I know that, but the identity used is the TrustedInstaller SID,

> Your blog entry indicates that you're running Explorer elevated.
> My understanding is that you can't do this. How are you running
> it elevated?

have simply navigated to Accessories->Explorer and have chosen Run
Elevated.

cheers,

Marco

--
mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com

In article <OqozLvhOHHA.3552@TK2MSFTNGP03.phx.gbl>, in the
microsoft.public.windows.vista.security news group, <"Marco
Peretti" <marco alla neovalens dot com>> says...

>
> > TrustedInstaller is a service, not a user.
>
> I know that, but the identity used is the TrustedInstaller SID,

Right, just being precise here.

>
> > Your blog entry indicates that you're running Explorer elevated.
> > My understanding is that you can't do this. How are you running
> > it elevated?
>
> have simply navigated to Accessories->Explorer and have chosen Run
> Elevated.

That doesn't actually get you an elevated instance of Explorer.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld

Paul Adare wrote:
> In article <OqozLvhOHHA.3552@TK2MSFTNGP03.phx.gbl>, in the
> microsoft.public.windows.vista.security news group, <"Marco
> Peretti" <marco alla neovalens dot com>> says...
>
>>> TrustedInstaller is a service, not a user.
>> I know that, but the identity used is the TrustedInstaller SID,
>
> Right, just being precise here.
>
>>> Your blog entry indicates that you're running Explorer elevated.
>>> My understanding is that you can't do this. How are you running
>>> it elevated?
>> have simply navigated to Accessories->Explorer and have chosen Run
>> Elevated.
>
> That doesn't actually get you an elevated instance of Explorer.

What if you have the option "Launch folder windows in a separate
process" ticked? The issue I've heard is that all Explorer windows run
under the same process and therefore you cannot elevate just 1 window.
However, I've also heard it suggested that having separate processes
enabled means that you can elevate a new explorer window.

D

>> > Your blog entry indicates that you're running Explorer elevated.
>> > My understanding is that you can't do this. How are you running
>> > it elevated?
>>
>> have simply navigated to Accessories->Explorer and have chosen Run
>> Elevated.
>
> That doesn't actually get you an elevated instance of Explorer.

Don't have access to Vista today. I'll double-check tomorrow and report
here.

Marco

In article <#ZDpWCiOHHA.1872@TK2MSFTNGP04.phx.gbl>, in the
microsoft.public.windows.vista.security news group, David Hearn
<david.hearn@newsgroup.nospam> says...

> What if you have the option "Launch folder windows in a separate
> process" ticked? The issue I've heard is that all Explorer windows run
> under the same process and therefore you cannot elevate just 1 window.
> However, I've also heard it suggested that having separate processes
> enabled means that you can elevate a new explorer window.
>

That seems to do the trick, yes, thanks for the reminder!

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld

In article <eOtkxKiOHHA.3944@TK2MSFTNGP06.phx.gbl>, in the
microsoft.public.windows.vista.security news group, <"Marco
Peretti" <marco alla neovalens dot com>> says...

> >> > Your blog entry indicates that you're running Explorer elevated.
> >> > My understanding is that you can't do this. How are you running
> >> > it elevated?
> >>
> >> have simply navigated to Accessories->Explorer and have chosen Run
> >> Elevated.
> >
> > That doesn't actually get you an elevated instance of Explorer.
>
> Don't have access to Vista today. I'll double-check tomorrow and report
> here.
>

I've tested it. Unless, as David points out, you run folder
windows in a separate process you don't actually get an elevated
instance.

--
Paul Adare - MVP Virtual Machines
Waiting for a bus is about as thrilling as fishing,
with the similar tantalisation that something,
sometime, somehow, will turn up. George Courtauld

Paul,

> I've tested it. Unless, as David points out, you run folder
> windows in a separate process you don't actually get an elevated
> instance.

I have checked the machine setting and, since it was a new box, it did not
have that option set yet and I just made the mistake of assuming it was.
When I try to copy to a protected folder, from an elevated process, I get a
proper access denied dialog.


--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com
--

just one more info: when I try to copy to a protected location from a
regular exe ( no privs ) and elevate when prompted, I get an error message
about my share drive being unavailable instead of an access denied. that,
IMHO, is wrong.
--
Cheers,

Marco

mperetti [at] beyondtrust [dot] com
http://leastprivilege.blogspot.com
http://www.beyondtrust.com
--

"Marco Peretti" <tired_of_spam@hotmail.com> wrote in message
news:%23oiUn5tOHHA.3872@TK2MSFTNGP06.phx.gbl...
> Paul,
>
>> I've tested it. Unless, as David points out, you run folder
>> windows in a separate process you don't actually get an elevated
>> instance.
>
> I have checked the machine setting and, since it was a new box, it did not
> have that option set yet and I just made the mistake of assuming it was.
> When I try to copy to a protected folder, from an elevated process, I get
> a proper access denied dialog.
>
>
> --
> Cheers,
>
> Marco
>
> mperetti [at] beyondtrust [dot] com
> http://leastprivilege.blogspot.com
> http://www.beyondtrust.com
> --
>
>