How can I create symbolic links in Windows 8.1 without an admin command prompt?

8

3

I am hoping that someone can correct me where I'm going wrong when trying to create a symbolic link in Windows 8.1 without having to run cmd.exe as administrator.

Whenever I try to create a symlink from a regular command prompt, I get the usual permissions response...

C:\Users\MyUser>mklink symlink.txt mytextfile.txt
You do not have sufficient privilege to perform this operation.

... and it does work from an admin command prompt (as expected)...

C:\Users\MyUser>mklink symlink.txt mytextfile.txt
symbolic link created for symlink.txt <<===>> mytextfile.txt

However, it doesn't appear that any of the usual fixes are working in Windows 8.1 (at least, the fixes that I could find).

I've tried following the answer to How do I create a link in Windows 7 home premium as a regular user?, but it appears to have no effect.

I also have UAC set to its lowest level.

Is there anything else that I am missing?

Karl Nicoll

Posted 2014-11-13T13:48:21.570

Reputation: 386

2

– StackzOfZtuff – 2014-11-13T13:53:33.110

@StackzOfZtuff - Well, that's annoying. Thanks for the link, looks like I'm going to have to choose between UAC and no Metro apps. I don't think I'll ever understand what Microsoft were trying to do with UAC. – Karl Nicoll – 2014-11-13T14:13:53.513

Answers

9

Privilege missing in "filtered" token

Either disable UAC or, with UAC enabled, after enabling SeCreateSymbolicLinkPrivilege, try with a non-admin account.

Explanation
It's catch 17, from how I read the MS documentation.

If you have a blacklisted well-known admin-group in your user-account, then a second, non-elevated, token is created.

The relevant SeCreateSymbolicLinkPrivilege is filtered out when the non-elevated token is generated from the elevated token.

From MSDN: User Interface Privilege Isolation (UIPI):

Windows will create two access tokens for the user if either of the following is true: The user's account contains any of the following RIDs.
DOMAIN_GROUP_RID_ADMINS
[...]
What privileges the filtered token contain are based on whether the original token contained any of the restricted RIDS listed above. If any of the restricted RIDs were in the token, all of the privileges are removed except:
SeChangeNotifyPrivilege
SeShutdownPrivilege
SeUndockPrivilege
SeReserveProcessorPrivilege
SeTimeZonePrivilege

So the solution is to disable the second token generation altogether, either by removing all the mentioned groups from your account or by completely disabling UAC.

(Disclaimer: Paul Betts did the work. I just added some detail. See his answer here: https://stackoverflow.com/questions/15320550/secreatesymboliclinkprivilege-ignored-on-windows-8 )

StackzOfZtuff

Posted 2014-11-13T13:48:21.570

Reputation: 1 185
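
To check which of the cases described in the answer above applies to a given shell, the following PowerShell snippet inspects the current token. It is an added example, not part of the original answer. It assumes English-language `whoami` output, and the variable names are illustrative.

```powershell
# Added example. Assumes English whoami output: the CSV column names and the
# "deny only" attribute text are localized on other display languages.
$privName = 'SeCreateSymbolicLinkPrivilege'

# Privileges and groups of the token this shell is running with.
$privs  = whoami /priv /fo csv   | ConvertFrom-Csv
$groups = whoami /groups /fo csv | ConvertFrom-Csv

# A privilege listed as "Disabled" is still in the token and can be enabled
# by the process; a privilege that is not listed at all has been removed.
$hasPriv = [bool]($privs | Where-Object { $_.'Privilege Name' -eq $privName })

# In a UAC-filtered token the restricted groups remain, marked deny-only.
$denyOnly = @($groups | Where-Object { $_.Attributes -match 'deny only' })

# True only when the shell runs with the full (elevated) administrator token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

$diagnosis = if ($hasPriv) {
    "$privName is in this token; mklink should work from this shell."
} elseif ($denyOnly.Count -gt 0) {
    "Filtered token: $privName was removed when the non-elevated token was built."
} else {
    "$privName is not assigned to this account, or the account has not logged on again since it was assigned."
}

[pscustomobject]@{
    User           = $identity.Name
    Elevated       = $elevated
    HasSymlinkPriv = $hasPriv
    DenyOnlyGroups = ($denyOnly | ForEach-Object { $_.'Group Name' }) -join '; '
    Diagnosis      = $diagnosis
} | Format-List
```

The `DenyOnlyGroups` field lists the group memberships that caused the split token on this account. Run the snippet once from a regular prompt and once from an elevated prompt to compare the two tokens.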