The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,513 other followers

Windows: running “mklink” as Administrator “You do not have sufficient privilege to perform this operation.”

Posted by jpluimers on 2019/08/19

Via “mklink” “You do not have sufficient privilege to perform this operation.”:

The [WayBackmklink tool can create NTFS links so multiple directory entries point to the same object.

It requires the [WayBackSeCreateSymbolicLinkPrivilege (in English Windows versions [WayBack] “Create symbolic links”) which is by default not granted to users as it can expose security vulnerabilities.

Even if a user in the Windows Administrators group has the privilege, it still cannot be executed from a regular command-prompt:

C:\Users\Develope>mklink "%temp%\Recycler" c:\$RECYCLE.BIN
You do not have sufficient privilege to perform this operation.

If you grant a regular user the privilege you can execute if from a regular command prompt.

However, as member of the Administrators group, you have to run this from an elevated command-prompt:

C:\Windows\system32>mklink "%temp%\Recycler" c:\$RECYCLE.BIN
symbolic link created for C:\Users\Developer\AppData\Local\Temp\Recycler <<===>> c:\$RECYCLE.BIN

The reason is that members of the Administrators group get two security tokens when they logon: an elevated full-access token and a regular filtered access token.

They key here are the words full-access and filtered: the elevated token gets more access permissions than the account is configured for, but the regular token gets less access permissions than the account is configured for.

This means that a standard command prompt will not get all the access you might exec, as the regular token is the access permissions minus the filtered permissions.

By now you probably guessed that – despite the documentation [WayBack] Windows Vista Application Development Requirements for User Account Control Compatibility leaving out SeCreateSymbolicLinkPrivilege – that is actually part of the filter. So the regular command-prompt lacks the SeCreateSymbolicLinkPrivilege permission and gives you an error message when executing mklink.

This is opposite to a regular user: if you grant it the “Create Symbolic Links” any command-prompt will get the SeCreateSymbolicLinkPrivilege permission.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: