Change integrity level of System32 folder in Vista

I have been unsuccessful getting a Java WebStart application that should have AllPermissions to write a file to Windows/System32 on Vista or Windows 7. While I don't believe this is possible, perhaps there is a way to lower the integrity level of this folder to Medium?

I am getting desperate and am not above insane registry hacks to make this happen. We have a production app that runs fine on Windows XP however a new prospective client is unbending in their determination to ONLY maintain Windows 7 or Vista workstations.

I appreciate any help or suggestions and would especially love to hear from开发者_JS百科 anybody if this is impossible. Please no comments on how insecure and dangerous this can be, I am aware of the risks.

The proper solution is to have the required DLLs placed in the system32 folder from your installer.

Your MSI installer will know how to prompt the user to elevate to administrator, so you then have permission to add your files to the users System32 folder.

You will not be able to modify files in the users's System32 without them being (or elevating to) an administrator; that's a fundamental constraint of the secure operating system.

First of all, as the author of CHML -- the app you mentioned -- it's unfortunately not a great idea to lower the integrity of the Windows folder (as you've seen).

That said, there IS a way to get things back the way you want -- several, actually, but the easiest way is to

1) Create a bootable WinPE CD or USB stick 2) add my chml.exe executable 3) Boot your system

And at that point you could use chml to re-raise the integrity level. It works because under WinPE you ARE running as System, and can raise your IL. (The docs (ahem) DO mention this. :-)

I figured out how to do this for Vista but am really unnerved by what I have done.

There is a free program out there that you can download that will give you the ability to change the integrity level of a folder. http://www.minasi.com/apps/

Using this program however from the commandline will give you Access Denied when attempting to change System32 to Medium integrity. This is because the Administrator does not have explicit rights to this directory.

This is where it gets really scary, to give yourself Full Control on System32 you have to make Administrator the Owner of that directory. The current owner is TrustedInstaller originally.

So, I changed the Owner of System32 to Administrator, Gave Administrator FullControl, then used chml from an Adminstrator command prompt to give System32 Medium integrity.

I now wonder what the consequences could be of System32 having a different Owner, however if Vista allows you to do this out of the box then it can't be that bad. Right???