แชร์ผ่าน


MIC and saving files

UAC has something called Mandatory Integrity Control or MIC. It is a security enhancement that is orthogonal to the existing Windows security model. Let me explain. The traditional security model was based on a token of a process. If a process was running under admin or Local System token, it had complete control over the machine. No limitations. Whether it was notepad or IE, an application running as admin had unlimited power over the box.

With Vista that is no longer the case. Every process gets a MIC level associated with it. There are four levels of interest: low, medium, high and system. (You can find them in the platform SDK in WinNT.h if you look for 3000L). User processes by default have medium level MIC, admin processes start with high, etc. The only process I know of that starts with a low MIC level by default is IE in protected mode.

Now you can have three processes, running as the same user but with three different MIC levels. By default if yostart notepad, it will run with medium level MIC. Launching IE with the default protected mode will give you a low level MIC and starting an admin tool that requires elevation will give you a high level MIC. A great way to see what’s going on is by using Sysinternals' ProcExplorer. Just double-click the application and check the security tab. The field you’re looking for is Mandatory Label.

I started playing around with MIC a little and wrote a little command line app. It duplicates a token and then lowers the MIC. Then it starts a new process with that token. Sample code on how to do this can be found in the LoRIE doc for developers. If I start notepad as an administrator (right-click icon under start\all programs\accesories, then run-as administrator) the MIC level is the default high for administrators. From that notepad instance I can obviously save to the root of the system drive. When I run my little command line app from an administrative prompt to lower the MIC part of the token to medium, all of a sudden I am no longer able to save to the system drive from notepad. If I take this even further and lower the MIC to low, I can’t even save to the default documents folder of my profile. The only location I can then save to is the IE sandbox (“c:\users\{user}\AppData\LocalLow”). So apparently the file system has an additional protection governed by the MIC level.