locked
Windows 8 Issue with Drive Mapping and UAC Enabled (EnableLinkedConnections)

    Question

  • I've posted this to http://answers.microsoft.com/en-us/windows/forum/windows8_1_pr-files/windows-8-issue-with-drive-mapping-and-uac-enabled/2d1caf8c-31f5-4143-ae64-68796955751e but I was asked to repost it here.

    I know it's a "security" issue, and I've seen it rehashed in other places, but Windows 8 breaks the EnableLinkedConnections registry patch in an interesting way.

    Consider the following: Windows 8.1, Build 9431 (Though I've confirmed the issue exists in Windows 8 RTM)

    Do a fresh install - Vanilla Settings. No customization except for the Computer Name.

    1) "Disable" UAC by going into User Account Control settings and dragging the slider to the bottom. (I'm aware this doesn't completely disable UAC. Completely disabling UAC in the registry kills the App ecosystem, which is something I'm hoping to avoid)

    2) Enable Linked Connections by creating a DWORD named EnableLinkedConnections with a value of 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

    3) Reboot the computer.

    4) Open a command prompt and map H: to something (If you don't have a network in your test environment, map it to \\localhost\c$\windows) - net use h: \\localhost\c$\windows

    5) In the same command prompt, change to H:, and do a DIR and see the contents of the folder as expected. (In my example, I get the contents of c:\windows)

    6) Open a command prompt, but this time, Open as Administrator.

    7) Run a "net use" and verify that the drive mapping is there. (Should see H: mapped)

    8) Change to H: do a DIR and see that the contents are actually the root folder of the drive mapping. (In my example, dir h: lists everything in c:\ and not c:\windows)

    9) Figuring this was a minor glitch, I decided to map the H: drive as administrator. (In the command prompt, net use h: /delete, then net use h: \\localhost\c$\windows - awesome. Now dir h: in the admin prompt works. Then, I go back to the non admin prompt and dir h: gives me a listing of the root directory again!

    This is completely broken! There are many applications that need drive letter access to be consistent between security contexts from a "Run as Administrator" standpoint. This USED to work in Windows Vista and 7.

    I know that turning off UAC using the registry (EnableLUA to 0) fixes this, but what's the point of Windows 8 if all the apps tell me that they won't run under the admin account? It just becomes an ugly version of Windows 7 with a bunch of non-functional icons.

    I also realize that I could completely disable "EnableLinkedConnections" and double-map each drive, but that's a pretty crappy workaround to accomplish something simple that's always just worked. I get that it could make the system more vulnerable, but it's Opt-In. I have to turn off UAC, I have to create a registry key, so it's not something I've done accidentally.

    Monday, July 15, 2013 4:02 PM

All replies

  • Thank you for the detailed evaluation and explanation.

    I have seen some Windows Networking oddities, in addition to some behavior I can only describe as "halting" (i.e., operations that should complete immediately take longer than expected, as though there has been some kind of error that must be retried).  I have not been evaluating the Windows 8.1 networking changes as specifically as you have, but have more been using network connections to get things set up for other evaluations.

    It's possible what you're describing could be related to some of the glitches I've seen with Windows 8.1's "Windows Networking", as it may be trying to find files from places where the underlying path has been inadvertently changed (and the operations are thus failing and falling back to another layer).  I'll look further into the behavior changes with and without the EnableLinkedConnections tweak now.

      

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Monday, July 15, 2013 5:33 PM
  • Not meaning to be critical, but I see my "I have a problem too" post has been marked as "The Answer".

    Mr. President, that's not entiiiirely accurate...

     

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Tuesday, July 23, 2013 9:43 PM
  • I've unmarked it, as I would love to see a resolution, not just a redirection from one place to another.

    Since the bug made it into the 8 RTM, I'm very sure it'll show up in 8.1 RTM and will continue to plague us. I guess the unofficial response from Microsoft is to either run as a limited user or to disable the app ecosystem. I'm not shocked, given all the other great decisions they've made in 2013.

    Wednesday, July 24, 2013 8:53 PM
  • Good!  I'd like to see a resolution too.

    It's pretty clear they have no desire to disable the app ecosystem.  But they really don't seem to have much desire to make an OS that facilitates work either.

      

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Thursday, July 25, 2013 1:50 AM
  • Still nothing, I guess.

    This is a major shortcoming with regards to Windows 8 and 8.1.

    Thursday, August 01, 2013 5:36 PM
  • This is just one of a number of wakeup calls to us all to prompt a re-evaluation of whether we want UAC enabled at all in our working environments.

    It'd be a no brainer but for the fact that it's now required to be on in order to even run anything in Metro/Modern land.

    I've been dutifully trying to make my test systems here work as well as possible with UAC enabled, so as not to lose the potential for running/testing things on the "new" side, but MAN, there are just SO many irritations and hindrances brought about by having UAC enabled...  It's not worth it!  Things like having to answer multiple prompts to copy files, the inability to create shortcuts where you want them directly, magic with regard to where files in \ProgramData are really stored, stuff that doesn't work in applications...  UAC is just a friggin' hack job!

    I've pretty much come to the conclusion that, given our needs here, Metro/Modern does not currently hold the promise of anything useful enough to keep UAC on (in the EnableLUA sense).  Maybe that will change, but, for now I'm going to just disable UAC and move on.  Doing so makes the desktop livable for engineers who know what they're doing.  I'm going to take the view that UAC will be off until someone proves to me there's something I can't live without in a Metro/Modern app.  Perhaps in a few years that will be true and I'll re-evaluate.

    And please, before folks chime in on how much more secure a UAC-enabled system is (which is pure BS as a blanket statement), please understand that I am fully aware of what UAC does - quite likely more aware than most others.  Sure, for non-technical, uneducated, undisciplined users who just surf the net UAC can offer some protection, because their computers really do need protection from them and the web sites they visit.  But for power-users who are fully aware of what they're doing, and who have adopted good security practices, it's just a damned hindrance.  Turning it off makes them more productive, without exposure to significant additional risk.

    If you really, really want to do one easy thing that will GREATLY enhance your security - FAR more than UAC ever did - I recommend visiting this site and making use of the hosts file they provide:  http://winhelp2002.mvps.org/hosts.htm

     

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Friday, August 02, 2013 5:35 PM
  • I'm probably just going to write an application that takes care of this for me. I can't be bothered with hoping that Microsoft will fix it.

    Thursday, August 08, 2013 6:08 PM