Mandatory Integrity Control (What,how and why do we care?)

The theory

Mandatory Integrity Control (MIC) is an additional layer of security built into Vista and
Windows 2008. This particular layer helps Windows protect itself from harmful intentional and unintentional
changes to important objects. Among the objects protected we can find files, directories, registry
key, printers, and actually any object that has a security descriptor.

The beauty of MIC is that it has been there in the background all along protecting you, yet you never knew
it existed. You might have actually encountered it by trying to change a file that is protected by it, and even
though you had the permission you couldn’t…

The MIC layer is a barrier placed before your permissions are checked. Essentially this new road block checks
your privilege level against the object that you are trying to change. If your privilege level is equal or higher you are
allowed to make the change. On the other hand if your privilege is lower you cannot change the object even
though you may have the permission to.

Vista defines four integrity levels in order of precedence from low to high (the Untrusted and Trusted Installer are out
of scope here):

  1. Low – Used by Internet Explorer 7 to enforce Protected Mode:
  2. Medium – Used for standard users (assumed if no other level is set):
  3. High – Used for administrative actions (CMD with Run as administrator):
  4. System – Used by the system

Note that what happens is that each privilege level is represented by a different group SID.


Privilege levels are inherited, meaning that the privilege level of the creator is inherited by the object
that is created. If a user opens Notepad the users privilege level is attached to the process and the
file created by the process and so on…


A quick example

Ok, lets try something practical.
In the following example I will create a new file using an elevated CMD.exe ,view the integrity level by using ICACLS and then
I will try to delete the same file using a standard CMD.EXE…lets see what happens:


Note that CMD was started as an administrator and the file has been created with a privilege level of high (last line
of ICACLS output. The users privilege level is also high (see the WOAMI output and he belong to the Administrators



Note that the second instance of CMD is not run as and administrator. The file is still there, still with a high level of privilege,
the user has permissions (ICACLS and WHOAMI output) yet he can not delete the file.
The reason is that the current privilege of the user is medium (note the output of WHOAMI).


Now to top it off-something odd(or actually normal,depends on how you look at it…). If you attempt to delete the file
from an Explorer window you will receive the following message:


Once acknowledged (by pressing Continue) the file will be deleted-what happened here?

Well by choosing to continue you elevated the Explorer processes level to High- thus you can delete the file…



Based on the above example you can see that MIC is an additional layer of security implanted into Vista. Vista
assigns the level of integrity a specific object belongs too, it’s not configurable and the only way that a user
can elevate his own level of integrity is by interacting with the system an explicitly acknowledging an action(such as
the deletion of the file in our example). A very important point to understand about MIC is that it protects files
from being tampered with,not their privacy. In other words only ACLS will protect the file from being read.

Now I really love to contradict myself (at least I do it in different paragraphs…),there is a way to manipulate
files and even protect it’s contents by using MIC but it’s not a way I would recommend. On the other hand it’s
still good to know and as Mark Minasi mentions what happens if a malware actually creates a file with the privilege
level of System -no one will be able to delete it?!?

Mark has created a tool called CHML.EXE that is a bit more versatile then ICACLS and it allows you to set privilege
For additional information on CHML look at:

Leave a Reply

Your email address will not be published. Required fields are marked *