[Bug] ShellExecute and logged-in user

Started by fixer, July 12, 2017, 02:49:30 PM

Previous topic - Next topic

fixer

And once again we have logged-in user bug. This time it's ShellExecute or IShellWindows interface (e.g. SHOpenFolderAndSelectItems API that uses it). When the COM object is initialized, ALPC request is sent to explorer.exe that checks access against D:(A;;CCDCLC;;;PS)(A;;CCDC;;;SY)(A;;CCDCLC;;;BA) DACL. PS is substituted with user from explorer.exe token, that is real logged-in user. It means it'll be access denied for program running from any other user, no matter how it was started including runas.

This issue was found several months ago, it wasn't fixed then. I haven't checked it since, but I suspect it to remain broken for many years to come.