Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Symbolic link creation always requires elevation on Windows #7967

Closed
lzybkr opened this issue Oct 8, 2018 · 10 comments
Closed

Symbolic link creation always requires elevation on Windows #7967

lzybkr opened this issue Oct 8, 2018 · 10 comments
Labels
Area-FileSystem-Provider specific to the FileSystem provider Issue-Enhancement the issue is more of a feature request than a bug WG-Cmdlets-Management cmdlets in the Microsoft.PowerShell.Management module

Comments

@lzybkr
Copy link
Member

lzybkr commented Oct 8, 2018

Creating a symbolic link does not require elevation on Windows 10 if developer mode is enabled, but only if the link is created with SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE (see the docs). PowerShell appears to not pass this flag.

Steps to reproduce

In an unelevated session:

$target = New-TemporaryFile
New-Item -Name tmpsymlink -Target $target -Type SymbolicLink

Expected behavior

Link is created

Actual behavior

PS C:\Users\jason> $target = New-TemporaryFile
>> New-Item -Name tmpsymlink -Target $target -Type SymbolicLink
New-Item : Administrator privilege required for this operation.

Environment data

> $PSVersionTable
Name                           Value
----                           -----
PSVersion                      6.1.0
PSEdition                      Core
GitCommitId                    6.1.0
OS                             Microsoft Windows 10.0.17763
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0
@iSazonov iSazonov added Issue-Enhancement the issue is more of a feature request than a bug WG-Engine-Providers built-in PowerShell providers such as FileSystem, Certificates, Registry, etc. labels Oct 8, 2018
@iSazonov iSazonov mentioned this issue Oct 8, 2018
Closed
11 tasks
@jacktose
Copy link

Am I missing something, or is this still an issue on Win 10 2004? Developer mode enabled.

PS C:\Users\jack\Desktop\lntest> New-Item -Path "link.txt" -ItemType SymbolicLink -Value "target.txt"
New-Item : Administrator privilege required for this operation.
At line:1 char:1
+ New-Item -Path "link.txt" -ItemType SymbolicLink -Value "target.txt"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\jack\Desktop\lntest\target.txt:String) [New-Item], Unauthori
   zedAccessException
    + FullyQualifiedErrorId : NewItemSymbolicLinkElevationRequired,Microsoft.PowerShell.Commands.NewItemCommand

PS C:\Users\jack\Desktop\lntest> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.19041.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.19041.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

@aodhneine
Copy link

aodhneine commented Jun 3, 2021
edited

Still an issue on Windows 10 21390.1, with developer mode activated.

PS C:\Users\Freya\bin> New-Item -ItemType SymbolicLink -Target git-2.31.1\bin\git.exe -Path git.exe
New-Item : Administrator privilege required for this operation.
At line:1 char:1
+ New-Item -ItemType SymbolicLink -Target git-2.31.1\bin\git.exe -Path  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\Users\Freya\...1.1\bin\git.exe:String) [New-Item], UnauthorizedAcc
   essException
    + FullyQualifiedErrorId : NewItemSymbolicLinkElevationRequired,Microsoft.PowerShell.Commands.NewItemCommand

PS C:\Users\Freya\bin> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.21390.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.21390.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

@iSazonov
Copy link
Collaborator

iSazonov commented Dec 3, 2021
edited by unfurl-links bot

Now new .Net API follow this.
See File.CreateSymbolicLink
https://github.com/dotnet/runtime/blob/a1b391bde7ef9e58c19f217ed367c8e8fea7cac3/src/libraries/Common/src/Interop/Windows/Kernel32/Interop.CreateSymbolicLink.cs#L45-L48

So we can consider replacing internal PowerShell code with the new API.

GitHub
.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps. - runtime/Interop.CreateSymbolicLink.cs at a1b391bde7ef9e58c19f217ed367c8e8fea7cac3 · dotnet/runtime

@iSazonov iSazonov added Area-FileSystem-Provider specific to the FileSystem provider WG-Cmdlets-Management cmdlets in the Microsoft.PowerShell.Management module and removed WG-Engine-Providers built-in PowerShell providers such as FileSystem, Certificates, Registry, etc. labels Dec 3, 2021
@AndrewSav
Copy link

The .Net API gives "A required privilege is not held by the client", when you are an administrator and not running an elevated PowerShell. I'm on Win 10 build 19044. Powershell 7.2.7

@WeihanLi WeihanLi mentioned this issue Nov 9, 2023
Closed
@microsoft-github-policy-service microsoft-github-policy-service bot added Resolution-No Activity Issue has had no activity for 6 months or more labels Nov 16, 2023
@jacktose
Copy link

Yep, still an issue:

PS C:\Users\jacktose\Desktop> New-Item -Path "link.txt" -ItemType SymbolicLink -Value "target.txt"
New-Item: Administrator privilege required for this operation.

PS C:\Users\jacktose\Desktop> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.9
PSEdition                      Core
GitCommitId                    7.3.9
OS                             Microsoft Windows 10.0.22631
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

@jacktose
Copy link

jacktose commented Nov 24, 2023
edited

Hello @microsoft-github-policy-service @iSazonov, this is still an issue. Should we to open a new issue instead of keeping this one? That can't be good “housekeeping.”

@lzybkr lzybkr reopened this Nov 27, 2023
@victormachado-ada-tech
Copy link

Please I just want to create a simple symlink without requiring administrator permission. What are the security concerns about creating a symlink? Why is it required to be admin to use this tool?

@microsoft-github-policy-service microsoft-github-policy-service bot removed the Resolution-No Activity Issue has had no activity for 6 months or more label Dec 6, 2023
@jacktose
Copy link

jacktose commented Dec 6, 2023

@lzybkr Can you reopen it again and stop the bot somehow?

@lzybkr
Copy link
Member Author

lzybkr commented Dec 11, 2023

I don't know anything about the bot.
Using 7.4, it seems to work without running as admin, so maybe it was fixed?

@brian6932 brian6932 mentioned this issue Dec 23, 2023
Merged
1 task
@kmahajan-cadfem kmahajan-cadfem mentioned this issue Jan 4, 2024
Open
2 tasks
@zaragozamartin91
Copy link

zaragozamartin91 commented May 11, 2024
edited

Issue still exists in Windows 10 + PowerShell v7.4.2

Message New-Item: Administrator privilege required for this operation. is yielded from the terminal.

$PSVersionTable prompt:

Name                           Value
----                           -----
PSVersion                      7.4.2
PSEdition                      Core
GitCommitId                    7.4.2
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area-FileSystem-Provider specific to the FileSystem provider Issue-Enhancement the issue is more of a feature request than a bug WG-Cmdlets-Management cmdlets in the Microsoft.PowerShell.Management module
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add new symlink flag iSazonov/PowerShell
7 participants
@AndrewSav @lzybkr @zaragozamartin91 @aodhneine @jacktose @iSazonov @victormachado-ada-tech