12

I'm trying to find the name and documentation of an old Windows feature. I believe it was present in Windows Vista.

All I can remember is this. When you or an application tries to write to a file that doesn't have enough permissions to write, Windows silently creates a copy of the file at your APPDATA? directory.

You don't get an error and you believe the content has been written, but in reality, it's not, at least where you expect.

Please try to help me to try to know if this feature once existed.

shodanshok
MrCatacroquer

2 Answers

19

Sounds like UAC Virtualization.

Any writes to a system folder (or Registry) as a standard user were redirected to a location in the AppData folder so those apps that incorrectly assumed that all users run with full admin privileges would continue to work when migrating from Windows XP to Vista.

Greg W
  • 4
    Correct, except that I am pretty sure it is still working in Windows 10 today. – Peter Hahndorf Nov 27 '19 at 12:36
  • It’s still a part of UAC but I haven’t run into it in years. (You can disable it via policy so the write access is denied instead of “silently allowed”) – Greg W Nov 27 '19 at 12:37
  • 3
    It still happens in Windows 10 and Server 2019. I just spent an hour this afternoon trying to make a legacy application play nice on a Server 2019 RDS. Config files it was supposed to save in system32 kept ending up in the user's %APPDATA% folder even though the program was started with "Run as administrator". (Could not disable UAC for various reasons.) Of course: on the next start it complained about missing config files. I had to move the files manually to system32, which was a real nuisance as some only got created on first-time use of a specific function in the software. – Tonny Nov 27 '19 at 23:19
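The redirection discussed in the answer and comments above can be inspected from PowerShell. This is an added example, not part of the original answers: it assumes the default per-user store at %LOCALAPPDATA%\VirtualStore and the EnableVirtualization policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (neither location is named on the page), and Get-VirtualizedFile is a hypothetical helper name.

```powershell
# Added example: list files that UAC file virtualization redirected for the
# current user, and show where the application believed it was writing.
# Assumption: the default per-user store is %LOCALAPPDATA%\VirtualStore.

function Get-VirtualizedFile {
    [CmdletBinding()]
    param(
        [string]$StoreRoot   = (Join-Path $env:LOCALAPPDATA 'VirtualStore'),
        [string]$SystemDrive = $env:SystemDrive
    )

    if (-not (Test-Path -LiteralPath $StoreRoot)) {
        Write-Verbose "No VirtualStore at $StoreRoot; nothing was redirected."
        return
    }
    $root = (Get-Item -LiteralPath $StoreRoot -Force).FullName.TrimEnd('\')

    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The path below the store mirrors the path below the system drive,
            # e.g. VirtualStore\Program Files\App\x.ini <-> C:\Program Files\App\x.ini
            $relative = $_.FullName.Substring($root.Length).TrimStart('\')
            $intended = Join-Path ($SystemDrive + '\') $relative
            $real     = Get-Item -LiteralPath $intended -Force -ErrorAction SilentlyContinue

            [pscustomobject]@{
                IntendedPath   = $intended
                RedirectedPath = $_.FullName
                RedirectedTime = $_.LastWriteTime
                # A missing real file is the "config missing on next start" symptom.
                RealFileExists = [bool]$real
                RealFileTime   = if ($real) { $real.LastWriteTime } else { $null }
            }
        }
}

# Policy state: 1 = failed writes are virtualized, 0 = they fail with access denied.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -LiteralPath $policyKey -Name EnableVirtualization -ErrorAction SilentlyContinue
'EnableVirtualization = {0}' -f $(if ($policy) { $policy.EnableVirtualization } else { 'not set' })

Get-VirtualizedFile | Sort-Object RedirectedTime -Descending | Format-Table -AutoSize
```

Run it as the affected user, since the store is per-user; rows where RealFileExists is False are writes that only ever landed in the redirected copy.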
7

You are probably referring to the sandboxing done on processes with "low/medium integrity" flag. From Wikipedia:

Windows Vista and later editions include a "low" mode process running, known as "User Account Control" (UAC), which only allows writing in a specific directory and registry keys

Again, from another Wikipedia page:

Windows Vista defines four integrity levels: Low (SID: S-1-16-4096), Medium (SID: S-1-16-8192), High (SID: S-1-16-12288), and System (SID: S-1-16-16384). By default, processes started by a regular user gain a Medium IL and elevated processes have High IL. By introducing integrity levels, MIC allows classes of applications to be isolated, enabling scenarios like sandboxing potentially-vulnerable applications (such as Internet-facing applications). Processes with Low IL are called low-integrity processes, which have less access than processes with higher ILs where the Access control enforcement is in Windows.

shodanshok