Windows Integrity Levels for extra security in Windows Vista - gHacks Tech News

ADVERTISEMENT

Windows Integrity Levels for extra security in Windows Vista

by Martin Brinkmann on March 30, 2008 in Windows - Last Update: November 10, 2017 - No comments

Microsoft build in a system called Windows Integrity Controls into Windows Vista which is basically a label for files that identifies their trustworthiness. What makes that interesting is the fact that the controls override the visible permissions of a file or folder.

Note: Chml was designed initially for Windows Vista, the operating system that Microsoft added the controls to. It works for the most part on new versions of Windows as well.

Six levels of trust can be assigned to files of the same or a lower permission level. Meaning that a normal user cannot change the integrity level of a file that he has no permissions for.

chml

The six integrity levels are Trusted Installer, System (operating system processes), High (administrators), Medium, (non-administrators), Low (temporary Internet files) and Untrusted.

  1. Trusted Installer
  2. System
  3. High
  4. Medium
  5. Low
  6. Untrusted

As you can see, even an administrator can't change the integrity level of files and folders that belong to Trusted Installers or System, at least not easily.

A command line tool is available that makes it quite easy to change the integrity level of files and folders. It is called CHML and available at a website that explains the process in detail.

The command "chml filename" displays the integrity level of that file. Modifying files and folders is only possible if changes are made in the Group Policy Editor:

  • Open gpedit.msc
  • Navigate to Computer Configuration / Windows Settings / Local Policies / User Rights Assignment
  • In the right-hand pane, you'll see an entry "Modify an object label;" open it
  • By default, there are no user accounts listing with this privilege. Add your user account.
  • Close the Group Policy Editor
  • Log off, then back on to finish getting the new privilege on your logon token

The basic command to change the integrity level of files or folders in Windows Vista is chml -i:u, l, m, h, or s. Only one letter is obviously needed as they stand for Untrusted, Low, Medium, High, or System.

Three additional options are available. The -nr, -nw and -nx options deny read, write and execute rights.

I did find the reference to Windows Integrity Levels at the Donation Coder forum where Skrommel was kind enough to create an Autohotkey Script that would add the functionality to the right-click menu.

Summary
Windows Integrity Levels for extra security in Windows Vista
Article Name
Windows Integrity Levels for extra security in Windows Vista
Description
Microsoft build in a system called Windows Integrity Controls into Windows Vista which is basically a label for files that identifies their trustworthiness.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: »

Comments

There are no comments on this post yet, be the first one to share your thoughts!

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.

Advertisement

Spread the Word

Ghacks Newsletter Sign Up

Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up

Advertisement

Popular Posts

Advertisement

Recently Updated

This Day in History

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

© 2020 gHacks Technology News. All Rights Reserved.