Windows processes each have an "integrity level", carried in the process's access token alongside the user and group SIDs. Mandatory Integrity Control applies on top of the normal DACL check: even if the user has sufficient access to a particular resource, no process can write to an object labelled at a higher integrity level than itself (the default No-Write-Up policy; reads are still allowed unless the object also carries a No-Read-Up label). Objects without an explicit label are treated as Medium, so a process at Low integrity can barely write anywhere: only to locations explicitly labelled Low, such as %USERPROFILE%\AppData\LocalLow or the HKCU\Software\AppDataLow key.
An easy way to launch a process at Low integrity is Sysinternals PsExec: -l runs the process as a limited user (and, on Vista and later, at Low integrity), and -i makes it interactive on the current desktop:
psexec -l -i cmd.exe
That produces a command prompt running at Low integrity, which you can confirm with whoami /all (or whoami /groups): the token lists the group "Mandatory Label\Low Mandatory Level". If you try writing to normal files, folders or Registry keys from that prompt, you'll get an access-denied error.
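The checks described above, as an added example (not code from the original post): run it from inside the Low-integrity prompt that psexec -l produced (type powershell there first, or launch psexec -l -i powershell.exe directly). It reads the token's Mandatory Label from whoami /groups, shows the explicit label, if any, that icacls reports on two directories, and probes whether each is writable. The two paths (the user's Desktop, which is unlabelled and so treated as Medium, and AppData\LocalLow, which is labelled Low) are assumptions about a default profile.

```powershell
# Added example, not part of the original post. Run inside a Low-integrity shell.
# Assumed paths: $env:USERPROFILE\Desktop (unlabelled, treated as Medium) and
# $env:USERPROFILE\AppData\LocalLow (explicitly labelled Low on a default profile).

function Get-ProcessIntegrityLevel {
    # whoami /groups lists the token's integrity SID as a group named e.g.
    # "Mandatory Label\Low Mandatory Level"; columns are separated by runs of spaces.
    $match = whoami /groups | Select-String 'Mandatory Label' | Select-Object -First 1
    if ($match) { ($match.Line -split '\s{2,}')[0].Trim() } else { 'unknown' }
}

function Get-DirectoryIntegrityLabel {
    param([Parameter(Mandatory)][string]$Directory)
    # icacls prints an explicit mandatory label ACE when one is set, e.g.
    # "Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)". No such line means the
    # object is unlabelled and the kernel treats it as Medium.
    $match = icacls $Directory | Select-String 'Mandatory Label' | Select-Object -First 1
    if ($match) { $match.Line.Trim() } else { '(no explicit label: treated as Medium)' }
}

function Test-WriteAccess {
    param([Parameter(Mandatory)][string]$Directory)
    # Create and delete a throwaway file; No-Write-Up makes this fail from a
    # Low process against a Medium directory even though the DACL allows it.
    $probe = Join-Path $Directory ("il-probe-{0}.txt" -f [guid]::NewGuid())
    try {
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

"Process runs at: $(Get-ProcessIntegrityLevel)"
foreach ($dir in @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\AppData\LocalLow")) {
    "{0}`n  label:    {1}`n  writable: {2}" -f $dir, (Get-DirectoryIntegrityLabel $dir), (Test-WriteAccess $dir)
}
```

From the Low prompt the first directory reports no explicit label and writable: False, while LocalLow reports its Low label and writable: True; run the same script from a normal (Medium) prompt and both become writable, which is the quickest way to see that the failure comes from the integrity check rather than from the DACL.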