Unable to write Low Integrity process onto a Low Integrity folder on a VHD file RRS feed

  • Question

  • File creation in low integrity folder on a mounted VHD by a process running in low integrity, failed with Access denied.

    This can be simulated by following the below steps,

    1. Create a VHD and format using Disk Management tool.
    2. Mount the VHD file to drive letter for example E: , create a folder 'LOWIntegrityFolder' and run the 
    'icacls E:\LOWIntegrityFolder /setintegritylevel low' to set the mandatory label low. 

    3. Copy the 'cmd.exe' to folder E:\LOWIntegrityFolder and run the
     'icacls E:\LOWIntegrityFolder\cmd.exe /setintegritylevel low'

    4. Execute the 'cmd.exe'  [In process explorer integrity field is shown low]
    5. Try to Create the File "test.txt" inside E:\LOWIntegrityFolder

    File creation failed with access denied error.

    Friday, July 4, 2014 12:54 PM

All replies

  • I'm having the same issue here.

    Looks like it is allowed to create sub directories on VHD from LOW INTEGRITY processes, but not for files. It's as if FILE_ADD_SUBDIRECTORY is set, but FILE_ADD_FILE/FILE_WRITE_DATA is missing. ACL including Integrity level on filesystem is set to Full Control and LOW like Kat says here.

    Kat, do you have any progress on this? Anyone?

    Saturday, July 26, 2014 8:02 AM