3

We have a legacy application on a number of client sites. In some cases clients need to have write access to a folder or two under the Program Files (x86) folder.

As time goes on more and more of the clients are enabling UAC on the servers so we are now running into a simple roadblock.

We can apply normal windows/share security, but they still don't have write access. In fact as a local admin I only have that privileges via an elevated program.

Short of changing the program's location (larger task) is there any way I can provide write access to a limited folder to limited users, while the dev effort to alter the program progresses?

I know I can disable the VirtualStore but I'm trying to avoid that.

Preet Sangha
  • 2,747
  • 2
  • 24
  • 27

2 Answers2

4

Short of rewriting the program, no. Writing to protected areas (including program files) requires elevation, regardless of the NTFS ACLs.

Here is a list of actions that trigger UAC.

MDMarra
  • 100,734
  • 32
  • 197
  • 329
1

Try configuring the folders so that they have the required access conferred to a group that the account that is running the application is a member of. And not the Administrators group, as that would require elevation because by default the Administrator group membership is disabled.

This is not specific to system folders. If you were to attempt an activity like copying files to a folder that you had the required access via the Administrators group, elevation is required. It doesn't really matter where the folder is located.

Another possibility would be the integrity level of the folder. A process that is running in medium or low integrity level will not be able to write to a folder that is flagged for high integrity level. You can view the integrity level with icacls.exe, and the integrity level of the process/service using Process Explorer. 

C:\>icacls .
. BUILTIN\Administrators:(F)
  BUILTIN\Administrators:(OI)(CI)(IO)(F)
  NT AUTHORITY\SYSTEM:(F)
  NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
  BUILTIN\Users:(OI)(CI)(RX)
  NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
  NT AUTHORITY\Authenticated Users:(AD)
  Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Greg Askew
  • 35,880
  • 5
  • 54
  • 82
  • 1
    Actually %systemroot% and %programfiles% are "special" when it comes to UAC and require elevation when written to regardless of ACL. – MDMarra Nov 29 '12 at 02:08