Closed fcharlie closed 5 years ago
Excellent feature. This will be very beneficial and I am looking forward to it. Having folder and registry ACL permissions will be helpful especially for LPAC.
One thing that I noticed when playing with Pavel's RunAppContainer tool was that you had to specifically run RunAppContainer.exe as Administrator for the folder and registry permissions to work. Without RunAppContainer.exe run as Admin, those ACL permissions failed.
Currently, AppExec has been added to launch AppContainer separately. It supports opening file system permissions and registry permissions. There are two points to note here.
Currently, AppExec has been added to launch AppContainer separately. It supports opening file system permissions and registry permissions. There are two points to note here.
Repeat testing needs to consider whether AppContainer is deleted.
File system ACLs may not be properly configured in other partitions
Ok, I will test this thoroughly over the next few hours and I will let you know any details that I discover.
Is this expected to delete the files within the AppData\Local\Packages folder? Is this also expected to delete the AppContainer SID details in the registry?
Also, does it require running as Admin to set the ACL details?
Thank you. I will continue testing over the next few hours.
I have now had some time to play around with this some more. I tested all variations of regular AppContainer and LPAC, by running AppExec as regular user and as Admin. And combinations of Capabilities and such. Also tested many different AppContainer Names since that caused random SIDs for more testing.
Repeat testing needs to consider whether AppContainer is deleted.
I used the latest version of WinObjEx64 throughout this testing.
Sessions > 1 > AppContainerNamedObjects
I was able to see the successful creation of AppContainer/LPAC SIDs and successful deletion of each of those unique SIDs. No AppContainer SIDs left behind in this regard. In my opinion, this is a success.
File system ACLs may not be properly configured in other partitions
Yes, I have noticed this as well. I have been using AppExec to successfully create ACLs for my C: and D: drives. However, every attempt to create ACLs for my R: drive (RAMDisk - NTFS) has failed.
Actually, AppExec is creating to correct ACLs for my R: drive. But the testing programs (Notepad and cmd) both fail to access my R: drive. As a workaround, I just use 'icacls' commands for now which is working successfully.
Enable access some folder support. use
GetNamedSecurityInfo
SetEntriesInAcl
SetNamedSecurityInfo
Fun with AppContainers: https://scorpiosoftware.net/2019/01/15/fun-with-appcontainers/
https://github.com/zodiacon/RunAppContainer
Modifying the ACLs of an Object in C++