Setting an Integrity
Level to "System"
Thanks for Mark Minasi's excellent
Windows Power Tools article, "Icacls
Shows Integrity" (June 2007, InstantDoc ID 95681). I tried the scenario
Mark describes regarding setting
an integrity level to "system" using
psexec. Here's what happened:
When I set the integrity level to "system" on a file, the file was marked
as Integrity system, but I can delete
it from Windows Explorer. When
I set "system" on a directory, the
directory was marked as Integrity
system, but I can't remove any file
in the directory or delete the directory itself. Any idea why this doesn't
work on a file?
—Marc Ochsenmeier
One of the weird things we learned
back in NT 101 is that, unlike everything else in Windows, there are two
different permissions that allow you
to delete a file, and you can delete
a file if you have either. The two
permissions are the "delete" permission on the file object itself, and the
"delete files and folders" permission
on the folder object that contains the
file. Because the folder is not System,
you get to sneak in the back door.
"Ah," you say, "Then why is it that a
medium process can't delete a high-integrity file sitting in a medium-integrity folder?" Simple: I filed a bug
about that during the testing process
and Microsoft put a patch on it for
the medium/high situation. They
never thought to patch the system
situation.
—Mark Minasi
Moving vs. Copying
on a Server
Eric Rux makes a good point—"Be
sure to teach users the difference
between moving and copying"—in
his article "Let's Get Organized: File
Server Basics" (May 2007, InstantDoc ID 95364). However, it's worth
noting the technical issue that a
file/folder move from one folder to another on the same server will also
bring the existing NTFS permissions
and potentially undo all your good
set-up work, whereas a copy will
leave these behind. Perhaps users
should be encouraged to move files/
folders to a structure that is used as
a staging area and then IT
staff perform a copy
and delete
to the final
destination
to cleanse
unwanted
permissions.
—Duncan
Priest
Stop the
Spread of
Malicious
Software
I just read Paul Thurrott's article "FBI
Identifies 1 Million Botnet Victims"
(June 2007, InstantDoc ID 96323),
and I'd like to respond to his comment, "Although the FBI can't find
every infected PC or contact all the
owners of these computers. . ." Maybe
not, but there is a lot that could be
done that isn't being done.
1. ISPs should close port 25 so
that users are forced to send mail
through a monitored port on the
ISP's server. Anyone having a
legitimate need to have port 25
open (e.g., a law firm needing its
own mail server for reasons of confidentiality) can ask to have their port
25 opened.
2. Monitor and meter other traffic
from subscribers to identify infected
systems.
3. Institute some kind of sender
verification.
4. Go after any US-based business that uses spamvertising.
Granted, some of them likely bought
their advertising service in ignorance
that the recipient list is suspect, but
many choose to look the other way,
and they must be held to account.
—Hafizullah Chishti
I just bought an Apple TV, and it suddenly dawned on me as I turned off the hibernate feature of my Windows XP box (so it will always be on when I need it to listen to music or watch TV programs) that the current power management models in both XP and Vista are lacking when you consider using your PC as a media device for your home.
I want my PC to do
the following:
1. After midnight,
if my computer is no
longer in use (and no
streaming media is
begin sent from it),
to go into the lowest
power-save mode possible (i.e.,
hibernate).
2. At 6:00 p.m., before I get home
from work, the computer should come
back up and be ready to stream media.
3. Any time the computer isn't in
use between midnight and 6:00 p.m.,
it should run in the lowest possible
power state but still listen for streaming media requests and wake up
immediately when a request is made.
I have read all about Vista power
management, and as far as I can tell,
Vista doesn't do any of the above. Yet
the items on my list are what I want
from power management in a media
hub computer that runs my house.
—Kendall Bennett
Thanks for the Tip
Today I restored my computer to its
last restore point because it had a
virus. After that, I couldn't update
my OS through Windows Update. I
Googled the problem and bumped
into your JSI FAQ site and Tip 10651.
My problem was solved in 5 minutes!
I love Google, Windowsitpro.com,
and Tip 10651!
—Joris de Bruijn
