
I was doing some experimentation with integrity levels and icacls on Windows 7. I set mandatory integrity levels, so that I get something that looks like this:

C:\Debug>icacls test.exe
test.exe Everyone:(I)(RX)
                BUILTIN\Administrators:(I)(F)
                NT AUTHORITY\SYSTEM:(I)(F)
                Mandatory Label\Low Mandatory Level:(NW)

Successfully processed 1 files; Failed processing 0 files

However, I can't seem to remove the Mandatory Label now that it's been explicitly set. Originally, the output would've looked like this:

C:\Debug>icacls wdbp.exe
wdbp.exe Everyone:(I)(RX)
         BUILTIN\Administrators:(I)(F)
         NT AUTHORITY\SYSTEM:(I)(F)

Successfully processed 1 files; Failed processing 0 files

The default would be for it to simply inherit from the directory with no Mandatory Label. I've tried playing with the inheritance options of icacls, and tried removing the SID that corresponds with the Label, none of which show errors, but don't actually remove the Mandatory Label.

Anyone have any ideas?

craig65535
chut7
  • 2
    I have successfully used chml.exe (see http://www.minasi.com/apps/) with the -rl option to remove the labels. – tovodeverett Jul 11 '13 at 21:53
  • 1
    @HarryJohnston, ISTM that what you say should be correct, i.e. explicitly setting a medium level should behave the same. However, when an explicitly medium integrity executable is run by the Windows 10 task scheduler, which runs at system integrity, using the "run with highest privileges" option, the token has admin privileges but medium integrity instead of high integrity. – Eryk Sun May 03 '17 at 05:27

0 Answers