Creating a hard link mklink to a dll in system32 results in access denied

Scenario

I am currently looking at a security issue with the installer of my app. Even though the full context is probably irrelevant for my question, here is what I am trying to do: https://skanthak.homepage.t-online.de/!execute.html

Problem

I do have a CMD with elevated privileges and am impersonated as SYSTEM which I did using PsExec from the Sysinternals suite (see this).

The current folder is a new and empty folder inside my user folder.

When I execute

mklink /h version.dll C:\Windows\System32\version.dll

I get "Access Denied".

I have granted the "create symbolic links" permission to my user, system and administrators as described in an answer here.

I have removed write protection from the Windows folder and all its subfolders as far as possible using an elevated Explorer. (In particular, version.dll is NOT write-protected.)

I am doing all this in a virtual machine hosted in Hyper-V. The virtual OS is Windows 7 Professional SP1.

Question

Why is the command failing with ACCESS DENIED?

Petronel answered 11/11, 2016 at 10:5 Comment(5)
What is the location of the link (not the target)? Do you have sufficient access privileges there? - Clench
The current folder is a new and empty folder inside my user folder. So if I am not mistaken, just stating "version.dll" should resolve to <currentFolder>\version.dll, right? If so: I double-checked that SYSTEM, my user and administrators have full access. - Petronel
Yes, that's right! - Clench
Note: I have tried that with other files (e.g. netvscres.dll) and that worked, so access rights of the link should not be a problem... - Petronel
Note that the "create symbolic links" privilege is irrelevant here, since you are attempting to create a hard link. Perhaps version.dll is in use? I don't see any connection between your question here and the link you provide. By the way, MSI files can run arbitrary code, so using an MSI-based installer is just as dangerous as running an executable. - Marla

The issue you are running into is a matter of the security on the dll itself.

By default, certain protected OS files only allow TrustedInstaller full control over them, and have TrustedInstaller set as the default owner of the file.

In order to create the hard link you must take ownership of the file from TrustedInstaller (as otherwise, you cannot change the permissions on the file).

Once you are set as the file owner, you can change the permissions on the file to give your user full control. -- Afterward you can always set yourself back to the reduced set of permissions, because you won't need them anymore unless you want to remove the hard link.

I have tested this method just now myself to verify it still worked. In the past I had figured out how to reduce the need to less than full control, but that is just a matter of manually sieving the possible special permissions, so you can do that if you like. (I believe the minimum is the full set of "file attributes" and "Special File Attributes" add/change/delete.)

Anyway, glad to solve your issue. :)

Initially I had the same issue:

C:\Admin>mklink /h C:\Admin\testlink\version.dll C:\Windows\System32\version.dll
Access is denied.

After taking ownership of the file and giving my user full permissions the link was able to be made successfully:

C:\Admin>mklink /h C:\Admin\testlink\version.dll C:\Windows\System32\version.dll
Hardlink created for C:\Admin\testlink\version.dll <<===>> C:\Windows\System32\version.dll
Myo answered 11/11, 2016 at 22:20 Comment(0)
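
The steps from the answer above, written out as a CMD script for an elevated prompt in a test VM (an added example, not part of the original answer). TARGET and LINK are the paths from the answer's transcript; ACCOUNT and ACL_BACKUP are assumptions made here, and the final step returns the owner and ACL to their starting state.

```batch
@echo off
rem Added example, not from the original answer. Elevated prompt, test VM only.
rem TARGET and LINK come from the answer's transcript; ACCOUNT and ACL_BACKUP
rem are assumptions. Set ACCOUNT explicitly if the prompt runs as SYSTEM.
setlocal
set "TARGET=C:\Windows\System32\version.dll"
set "LINK=C:\Admin\testlink\version.dll"
set "ACCOUNT=%USERDOMAIN%\%USERNAME%"
set "ACL_BACKUP=%TEMP%\version.dll.acl"

rem 1. Record the starting state: owner (dir /q) and DACL (icacls).
dir /q "%TARGET%"
icacls "%TARGET%"
icacls "%TARGET%" /save "%ACL_BACKUP%"

rem 2. Take ownership, then grant the account full control as the answer does.
takeown /f "%TARGET%" || goto :fail
icacls "%TARGET%" /grant "%ACCOUNT%":F || goto :restore

rem 3. Create the hard link. Link and target must be on the same volume.
mklink /h "%LINK%" "%TARGET%"
if errorlevel 1 (
    echo mklink still failed, compare the ACL printed in step 1
) else (
    rem Both names now refer to one file and share one security descriptor.
    fsutil hardlink list "%TARGET%"
)

:restore
rem 4. Put the file back: drop the explicit grant and return ownership.
icacls "%TARGET%" /remove:g "%ACCOUNT%"
icacls "%TARGET%" /setowner "NT SERVICE\TrustedInstaller"
icacls "%TARGET%"
endlocal
exit /b 0

:fail
echo takeown failed; is this prompt elevated?
endlocal
exit /b 1
```

Because a hard link is a second name for the same file, the ACL and owner restored in step 4 apply to both paths.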
