ReHIPS forum

English Subforum => Developers' Blog => Topic started by: fixer on July 12, 2017, 02:49:30 pm

Title: [Bug] ShellExecute and logged-in user
Post by: fixer on July 12, 2017, 02:49:30 pm
And once again we have a logged-in user bug. This time it's ShellExecute or the IShellWindows interface (e.g. the SHOpenFolderAndSelectItems API that uses it). When the COM object is initialized, an ALPC request is sent to explorer.exe, which checks access against the D:(A;;CCDCLC;;;PS)(A;;CCDC;;;SY)(A;;CCDCLC;;;BA) DACL. PS is substituted with the user from the explorer.exe token, that is, the real logged-in user. It means it'll be access denied for a program running from any other user, no matter how it was started, including runas.

This issue was found several months ago; it wasn't fixed then. I haven't checked it since, but I suspect it will remain broken for many years to come.
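
A simplified model of the access check described in the post above, added here as an illustration; it is not code from the post, from ReHIPS or from Windows. The function names and the two account SIDs are constructed for the example, and only allow ACEs are modelled (no deny ACEs, integrity levels or restricted tokens).

```python
import re

# Generic SDDL right codes and SID aliases that appear in the DACL from the post.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4}
ALIASES = {"PS": "S-1-5-10", "SY": "S-1-5-18", "BA": "S-1-5-32-544"}
DACL = "D:(A;;CCDCLC;;;PS)(A;;CCDC;;;SY)(A;;CCDCLC;;;BA)"

# Constructed sample accounts (not real SIDs).
LOGGED_IN = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # owns explorer.exe
OTHER = "S-1-5-21-1111111111-2222222222-3333333333-1002"      # e.g. a runas target
USERS = "S-1-5-32-545"                                        # BUILTIN\Users


def parse_dacl(sddl):
    """Return [(ace_type, mask, sid)] for each ACE of a DACL-only SDDL string."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL-only SDDL string")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: {body}")
        ace_type, _flags, rights, _obj, _inherit, trustee = fields
        mask = 0
        for code in re.findall("..", rights):  # rights are two-letter codes
            mask |= RIGHTS[code]
        aces.append((ace_type, mask, ALIASES.get(trustee, trustee)))
    return aces


def granted_mask(sddl, server_user_sid, caller_sids):
    """Rights a caller gets once PS is replaced by the server process's user."""
    mask = 0
    for ace_type, ace_mask, sid in parse_dacl(sddl):
        if sid == ALIASES["PS"]:
            sid = server_user_sid  # the substitution the post describes
        if ace_type == "A" and sid in caller_sids:
            mask |= ace_mask
    return mask


def access_allowed(sddl, server_user_sid, caller_sids, desired):
    """True only if every desired bit is granted."""
    return granted_mask(sddl, server_user_sid, caller_sids) & desired == desired


if __name__ == "__main__":
    for name, sids in (("logged-in user", {LOGGED_IN, USERS}),
                       ("other user", {OTHER, USERS})):
        print(name, hex(granted_mask(DACL, LOGGED_IN, sids)))
```
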