How to change file or folder integrity level?

[kosamja]

Taking ownership of file or folder doesnt allow me to edit it, is there any api to modify integrity level?

[spudw2k]

If you have the appropriate permissions, it looks like you could use the command line tool icacls to set the integrity level.

icacls  /setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
        ACE to all matching files.  The level is to be specified as one
        of:
            L[ow]
            M[edium]
            H[igh]
        Inheritance options for the integrity ACE may precede the level
        and are applied only to directories.

https://blogs.msdn.microsoft.com/jolson/2007/11/12/whats-mandatory-integrity-control/

https://web.archive.org/web/20080513154947/http://www.securityfocus.com/print/infocus/1887

 

I also found this MDSN page - https://docs.microsoft.com/en-us/windows/desktop/api/securitybaseapi/nf-securitybaseapi-addmandatoryace

Edited May 15, 2019 by spudw2k

[kosamja]

Changed integrity level and taken ownership but still cant edit file even if I use admin account. Any idea what else needs to be disabled?

 

[argumentum]

I would copy the file to a FAT32 drive to loose what NTFS has. Edit it there.

[kosamja]

I still get access denied error in that case. Found this link: https://answers.microsoft.com/en-us/windows/forum/windows_10-files/access-denied-when-adding-folders-to-windowsapps/3e6bfbf7-9457-49b5-8fbd-94c430105993

It seems editing file I want is impossible unless there is anything else to change beside permissions and integrity level.

Edited May 24, 2019 by kosamja

[kosamja]

Found here (https://wimlib.net/forums/viewtopic.php?f=1&t=261&start=13) something about PROCESS_TRUST_LABEL_ACE  blocking changes to WindowsApps folder. Is it possible to modify PROCESS_TRUST_LABEL_ACE  so that it allows changes? What shoud content of _SYSTEM_PROCESS_TRUST_LABEL_ACE be?

https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/ntifs/ns-ntifs-_system_process_trust_label_ace

https://docs.microsoft.com/en-us/windows/desktop/api/winnt/ns-winnt-_ace_header

https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-mask

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343

http://hakril.github.io/PythonForWindows/build/html/security.html#windows.security.SystemProcessTrustLabelACE

Edited May 24, 2019 by kosamja

[orbs]

@kosamja,

Windows has several protection mechanisms against users making changes to system files. and there is a good reason for that.

how certain are you that your reason for making changes to system files is better than their reason to prevent that?

bare in mind that even if you succeed on your test target, when going to deploy on a larger scale, high percentage of failures is inevitable.

i advise you either describe or rethink your purpose in all this, so we may help you find a better - perhaps officially supported - method to achieve your goal.

[kosamja]

I just want to edit taskbar context menu which is in explorer.exe.mui (menu 205) to remove some context menu entries, i am not aware of any other way to remove them beside editing explorer.exe.mui. But cant edit explorer.exe.mui inside of installed language packs because they are in WindowsApps folder

[JamoRulz]

To do that you have to take ownership of the file first, click apply and reopen the props menu. Then you make sure that the Administrators (or if you don't want to provide admin info every time. Then make the user account you want to be the only one with full access.) Then you can use the file like any other file with these perms.