Mapped drives (incl net use) missing from elevated processes eg UAC cmd run as administrator



Mapped drives created in Windows Explorer (Tools -> Map network drive) or via the command prompt (cmd.exe) net use command will not be visible in programs that “run as administrator”, i.e. with elevated privileges.

E.g. if you do Start Orb -> type “cmd” (without the quotes) into the search box -> right-click on cmd and select “run as administrator”

…then you will get a command prompt running with elevated privileges.

(There are other ways to get an elevated cmd prompt if you don’t want to be bothered by UAC.)

If you run net use in that command prompt to show mapped network drives, you won’t see the same list as you see in an un-elevated prompt or in Windows Explorer.

The key tidbit going on here is that an administrator account has 2 access tokens, a filtered one and a regular one. Regular is privileged / elevated. Filtered has the privileges filtered out, if you will.

And mapped drives are associated with only 1 particular access token: one or the other, not both.
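The following PowerShell script is an added example (not code from the original post) that makes the two-token situation visible: run it once in a normal PowerShell window and once in a window started with “run as administrator”, and compare what each reports. It assumes PowerShell 3 or later (for Get-CimInstance); the function names are this example’s own.

```powershell
# Added example: report which access token this PowerShell process runs under
# and which mapped drives that token's logon session can see.
# Run once unelevated and once elevated ("Run as administrator") and compare.

function Get-TokenContext {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator

    # IsInRole is evaluated against the token actually in use. In an
    # administrator's filtered token the Administrators group is present only
    # as "used for deny only", so this is $false unelevated and $true elevated.
    $elevated = $principal.IsInRole($adminRole)

    # The integrity label differs as well: "Medium Mandatory Level" for the
    # filtered token, "High Mandatory Level" for the full administrator token.
    # whoami /groups prints it as a column-aligned table; keep the first column.
    $label = (whoami /groups) |
        Where-Object { $_ -match 'Mandatory Level' } |
        ForEach-Object { ($_ -split '\s{2,}')[0] }

    [pscustomobject]@{
        User           = $identity.Name
        Elevated       = $elevated
        IntegrityLabel = $label
        ProcessId      = $PID
    }
}

function Get-VisibleMappedDrives {
    # Win32_NetworkConnection enumerates the drive-letter mappings (the same
    # entries net use shows) that belong to the calling process's logon session.
    # Mappings made under the other token are simply absent from this list.
    Get-CimInstance -ClassName Win32_NetworkConnection |
        Select-Object LocalName, RemoteName, Status
}

Get-TokenContext | Format-List
Get-VisibleMappedDrives | Format-Table -AutoSize
```

With UAC enabled and EnableLinkedConnections not set, the two runs report the same user but different Elevated/IntegrityLabel values and, typically, different drive lists, which is exactly the “one token or the other, not both” behaviour described above.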

A key to understanding this mechanism is

This article is so important, I quote it below so that if it ever goes away it’ll still be here. And I quote it with its user comments, cuz they are also key, in this case. Good, high-quality comments.

One of the places this TechNet article is referenced is

Microsoft KB

That was a TechNet article. Microsoft’s official KB on it is here, but IMHO not as informative (and contains a bug).

One of the places this KB article is referenced is


Unfortunately the suggestion in this KB article is wrong, I think. It suggests doing net use without a drive letter:

To work around this issue, use the net use command together with a UNC name to access the network location. For example, at a command prompt, type the following command, and then press Enter:

net use \\COMPUTERNAME\SHARENAME /user:USERNAME

I just tried this and it did not make the \\COMPUTERNAME\SHARENAME appear in the other net use listing.

Now it’s possible that even though it did not appear in the net use listing, it did log me in in both prived and non-prived. I did not test this, cuz I was already logged in in both prived and non-prived, so it requires logging out to test and I can’t do that right now for other reasons.


Quote of technet article

NOTE: the comments have important info, e.g. some, but not all, people see the logon script that maps drives running at elevated privs, so that they see mapped drives elevated but not un-elevated; it all hinges on which access token is in use when the logon script runs.

Some Programs Cannot Access Network Locations When UAC Is Enabled


Updated: November 16, 2009

Applies To: Windows Server 2008 R2

Symptom

After you turn on User Account Control (UAC) in Windows Vista or Windows 7, programs may not be able to access some network locations. This problem may also occur when you use the command prompt to access a network location.

Cause

This problem occurs because UAC treats members of the Administrators group as standard users. Therefore, network shares that are mapped by logon scripts are shared with the standard user access token instead of with the full administrator access token.

When a member of the Administrators group logs on to a computer running Windows Vista or Windows 7 that has UAC enabled, the user runs as a standard user. Standard users are members of the Users group. If you are a member of the Administrators group and you want to perform a task that requires a full administrator access token, UAC prompts you for approval. For example, if you try to edit security policies on the computer, you are prompted. If you approve the action in the User Account Control dialog box, you can then complete the administrative task by using the full administrator access token.

When an administrator logs on to a computer running Windows Vista or Windows 7, the Local Security Authority (LSA) creates two access tokens. If LSA is notified that the user is a member of the Administrators group, LSA creates the second logon that has the administrator rights removed (filtered). This filtered access token is used to start the user’s desktop. Applications can use the full administrator access token if the administrator user provides approval in a User Account Control dialog box.

If a user is logged on to a computer running Windows Vista or Windows 7 and if UAC is enabled, a program that uses the user’s filtered access token and a program that uses the user’s full administrator access token can run at the same time. Because LSA created the access tokens during two separate logon sessions, the access tokens contain separate logon IDs.

When network shares are mapped, they are linked to the current logon session for the current process access token. This means that if a user uses the command prompt (cmd.exe) together with the filtered access token to map a network share, the network share is not mapped for processes that run with the full administrator access token.

Resolution

Important
This section contains steps that modify the registry. Incorrectly editing the registry may severely damage your system or make your system unsafe. Before making changes to the registry, you should back up any data on the computer. For more information about how to back up and restore the registry, see article 322756 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=133378).

To work around this problem, configure the EnableLinkedConnections registry value. This value enables Windows Vista and Windows 7 to share network connections between the filtered access token and the full administrator access token for a member of the Administrators group. After you configure this registry value, LSA checks whether there is another access token that is associated with the current user session if a network resource is mapped to an access token. If LSA determines that there is a linked access token, it adds the network share to the linked location.

To configure the EnableLinkedConnections registry value

  1. Click Start, type regedit in the Start programs and files box, and then press ENTER.
  2. Locate and then right-click the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
  3. Point to New, and then click DWORD Value.
  4. Type EnableLinkedConnections, and then press ENTER.
  5. Right-click EnableLinkedConnections, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Exit Registry Editor, and then restart the computer.


Community Additions


Doesn’t work properly with Windows 8.x

On Windows 8 and Windows 8.1, ‘EnableLinkedConnections’ does enable mapped drives to appear for local Administrators however drives mapped to a subfolder of a share do not then map correctly. So if you try to map a drive to \\server\share\subfolder the mapped drive appears but is incorrectly mapped to \\server\share instead.
4/4/2014

Does This Open A Security Vulnerability?

There are articles all over the internet that quote this registry hack. Most (superuser.com, vistaheads.com, intelliadmin.com, winhelponline.com, and notably social.technet.microsoft.com) also state that using it opens a security hole.
Microsoft does not discuss (in the article above) whether this creates a security vulnerability or what it might be. I spent all morning trying to find this original article to find out what the security risk might be. I’m disappointed that it is not discussed.
So here are some questions:
• If there is a risk, what is it?
• If there is no risk, why isn’t it the default?
• Where did all those other sites get the idea that it is potentially dangerous?

6/25/2013

Article seems correct to me.

I am seeing results consistent with the article and different than the two previous comments. I am a domain admin and when I log in, the drives mapped in the login script are available in Explorer and at a command prompt without elevated privileges. When I run a command prompt as administrator, the drives are not available. In the elevated command window, the drives are listed by net use, but show a status of unavailable.
1/12/2013

Windows 7, 64bit and 32bit

Thank you, this solved my problem.

Some additional information: I had a problem on my Windows 7 64bit system where mapped drives would not show when using the Win32Api function: GetLogicalDrives().

By adding the registry key, I was glad to see that my mapped drives were shown again.

However, on my 32bit system, which does not have this registry key, mapped drives do get shown when using the Win32Api GetLogicalDrives() function…

10/2/2012

Problem description is misstated.

This problem description in this article needs to be updated. Some of the statements in it are the exact opposite of the truth about how UAC works.

Drives mapped by logon scripts are only available to processes that are launched using UAC elevation or Run As Administrator. However, this article incorrectly states the reverse — that they are only accessible to processes started by the filtered logon token. To verify this, create a simple logon script to map a drive. Make sure that this drive has not been manually mapped already. Then log on to the computer with UAC turned on using an administrator account. Open Windows Explorer and there will be no mapped drive shown there because the drive is not accessible to the filtered token, which is what Windows Explorer and non-elevated processes use to run. Open a command prompt and try to change the directory to the mapped drive. Again, it is not accessible. However, if you open a command prompt using Run As Administrator, you will see that you are able to change the directory to the mapped drive.

Likewise, if you launch a program that requires UAC elevation or run a program as administrator, you will also see that drives mapped by logon scripts are available to those programs, but not to programs that do not run elevated.
Please also note that drives that are mapped manually using Windows Explorer or net use in an unelevated command prompt are not available to processes that use the elevated token (elevated through UAC or using Run As Administrator). To test, manually map a drive through Windows Explorer and launch a program that prompts for UAC elevation or use Run As Administrator. Using the program, try to open a file on the mapped drive. You will notice that the mapped drive is not available. However, if you open an elevated command prompt and then use the net use command to map a drive, it will then be available to the elevated program.

8/29/2012

Logon scripts and UAC

The text is incorrect imho. Windows 7 behaves like this: the logon script runs at the elevated account and mappings are made using this. After logon explorer starts with the standard account. Missing the registry key – the standard account does not see the mappings. Running an elevated cmd prompt reveals the mappings.

Important to note: the same behaviour is observed for accounts that are members of the Power Users group. No special permissions are given to the group, but a logon script runs as Power Users; after logon the standard account does not see the mappings. There seems to be no way to elevate to a Power User. Hard to explain to your users. Ouch.
Best use the EnableLinkedConnections registry key to avoid this.

4/13/2011
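The PowerShell script below is an added example (not Microsoft’s code and not from the original post or its commenters) that wraps the registry workaround from the quoted article in an audit-first form: it reports the current state of EnableLinkedConnections, only writes the value when Enable-LinkedConnections is called deliberately, and lists any mappings that point at a subfolder of a share, the case the 4/4/2014 comment reports as mis-linked on Windows 8.x. The key path and value name come from the article; the function names and the subfolder regex are this example’s own. Writing under HKLM requires an elevated session, and the article’s step 7 (restart) still applies.

```powershell
# Added example: audit and (on request) set the EnableLinkedConnections value
# described in the TechNet article, then flag subfolder mappings to re-check.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'EnableLinkedConnections'

function Get-LinkedConnectionsState {
    # Read-only: reports how the value is currently configured.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'NotSet (default: the two tokens do not share drive mappings)'
    }
    if ($item.$ValueName -eq 1) {
        return 'Enabled (LSA links mappings across the filtered and full tokens)'
    }
    return "Set to $($item.$ValueName) (anything other than 1 behaves as not set)"
}

function Enable-LinkedConnections {
    # Performs steps 2-6 of the article. Needs an elevated PowerShell session;
    # the change takes effect only after a restart (step 7).
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "$ValueName set to 1 under $PolicyKey. Restart the computer for it to apply."
}

function Find-SubfolderMappings {
    # Per the 4/4/2014 comment, on Windows 8.x a linked mapping whose target is
    # \\server\share\subfolder can show up as \\server\share. Flag such mappings
    # so they can be verified after the reboot. The regex (server, share, then
    # at least one further path component) is this example's own heuristic.
    Get-CimInstance -ClassName Win32_NetworkConnection |
        Where-Object { $_.RemoteName -match '^\\\\[^\\]+\\[^\\]+\\.+' } |
        Select-Object LocalName, RemoteName
}

Write-Output "EnableLinkedConnections: $(Get-LinkedConnectionsState)"
Write-Output 'Mappings that target a subfolder of a share (re-check after enabling):'
Find-SubfolderMappings | Format-Table -AutoSize
# To apply the workaround, run the next line in an elevated session, then reboot:
# Enable-LinkedConnections
```

Keeping the write in its own function means the script can be run as a plain check on any machine, and the actual change is a separate, explicit step by the person deciding whether the convenience of shared mappings is wanted on that system.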

2 thoughts on “Mapped drives (incl net use) missing from elevated processes eg UAC cmd run as administrator”

  1. Pingback: Mapped network drives not showing in My Computer

  2. Pingback: Start program WITHOUT UAC, useful at system start and in batch files (use task scheduler) | Montgomery Minds
