Windows: running “mklink” as Administrator “You do not have sufficient privilege to perform this operation.”
Posted by jpluimers on 2019/08/19
Via “mklink” “You do not have sufficient privilege to perform this operation.”:
The [WayBack] mklink tool can create NTFS links so multiple directory entries point to the same object.
It requires the [WayBack] SeCreateSymbolicLinkPrivilege (in English Windows versions [WayBack] “Create symbolic links”) which is by default not granted to users as it can expose security vulnerabilities.
Even if a user in the Windows Administrators group has the privilege, mklink still cannot be run from a regular command prompt:
C:\Users\Develope>mklink "%temp%\Recycler" c:\$RECYCLE.BIN
You do not have sufficient privilege to perform this operation.
If you grant a regular user the privilege, that user can run mklink from a regular command prompt.
However, as a member of the Administrators group, you have to run it from an elevated command prompt:
C:\Windows\system32>mklink "%temp%\Recycler" c:\$RECYCLE.BIN
symbolic link created for C:\Users\Developer\AppData\Local\Temp\Recycler <<===>> c:\$RECYCLE.BIN
The reason is that members of the Administrators group get two security tokens when they log on: an elevated full-access token and a regular filtered access token.
The key here is in the words full-access and filtered: the elevated token gets more access permissions than the account is configured for, but the regular token gets fewer access permissions than the account is configured for.
This means that a standard command prompt will not get all the access you might expect, as the regular token has the account's access permissions minus the filtered permissions.
By now you have probably guessed that SeCreateSymbolicLinkPrivilege is actually part of the filter, despite the documentation ([WayBack] Windows Vista Application Development Requirements for User Account Control Compatibility) leaving it out. So the regular command prompt lacks the SeCreateSymbolicLinkPrivilege permission and gives you an error message when executing mklink.
This is the opposite of a regular user: if you grant that user the “Create symbolic links” privilege, any command prompt will get the SeCreateSymbolicLinkPrivilege permission.
–jeroen
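To see which of the cases above applies to a given prompt, the following PowerShell script (an added example, not part of the original post) reads the token of the current process with whoami and reports whether SeCreateSymbolicLinkPrivilege is in it. The variable names are this example's own; S-1-5-32-544 is the well-known SID of the built-in Administrators group.

```powershell
# Added example: inspect the access token of the current process.
$privilege = 'SeCreateSymbolicLinkPrivilege'
$adminsSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# whoami reports on the token of the process it is started from.
# /fo csv /nh gives headerless CSV, so the column names are supplied here.
$privs  = whoami /priv   /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
$groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]::new($identity)

# IsInRole is true only when the Administrators group is enabled in the token,
# which is the case for the elevated full-access token.
$elevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

# In the filtered token the group is still listed (as deny-only),
# so its presence shows that the account is a member.
$isAdminMember = [bool]($groups | Where-Object Sid -eq $adminsSid)

# A privilege listed as Disabled is still held by the token;
# a privilege that is not listed was filtered out or never granted.
$held = $privs | Where-Object Name -eq $privilege

[pscustomobject]@{
    User                 = $identity.Name
    AdministratorsMember = $isAdminMember
    Elevated             = $elevated
    PrivilegeInToken     = [bool]$held
    PrivilegeState       = if ($held) { $held.State } else { 'not present' }
}

if ($held) {
    "$privilege is in this token."
}
elseif ($isAdminMember -and -not $elevated) {
    "Filtered administrator token: $privilege was removed. Use an elevated prompt."
}
else {
    "$privilege is not in this token. Check who holds the 'Create symbolic links' user right."
}
```

Run it once from a regular prompt and once from an elevated one under the same Administrators account to see the two tokens side by side.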