bug in Everything 1.5 Alpha when I Run indexing process as administrator

Found a bug in "Everything"? report it here
Post Reply
badrelmers
Posts: 2
Joined: Wed Apr 26, 2023 4:35 am

bug in Everything 1.5 Alpha when I Run indexing process as administrator

Post by badrelmers »

Hi,
First I want to thank you for this excellent application and for your wonderful work.

I have some problems with Everything 1.5 Alpha 1.5.0.1343a (x64) in win 7 64 enterprise.

I downloaded the portable version, and when I run it with administrator everything works fine like v1.4, but when I choose "Run indexing process as administrator" , Everything cannot access my partitions! when I attempt to click on any partition it gaves me this error:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

https://imgur.com/OB1baGH

and when I attempt to close Everything it closes but never kill itself, I have to force kill him from the task manager.

the folder from where I run Everything have no special permissions!,this is icacls output :
D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)S:AI(ML;OICIID;NW;;;LW)


I have no antivirus or antimalware installed, win7 have the latest updates, I only have the default windows firewall running, I have no special program that controls other applications, nothing at all.

I spent 3 days attempting to understand why this happens but could not find anything. why Everything works with administrator but not with "Run indexing process as administrator"? the Everything child process have admin rights when I see him in Sysinternals Process Explorer, and have the same privilege flags as v1.4, then why he cannot access the partitions?!

I formated windows (I did not format the partition where I put Everything, only the OS partition), but did not help too.

I attached the normal debug log and the verbose one.

if you need any more information please tell me. thank you.
Attachments
debug.zip
(15.91 KiB) Downloaded 200 times
Untitled picture.png
Untitled picture.png (59.01 KiB) Viewed 6488 times
void
Developer
Posts: 16745
Joined: Fri Oct 16, 2009 11:31 pm

Re: bug in Everything 1.5 Alpha when I Run indexing process as administrator

Post by void »

Thank you for the issue report badrelmers,

I haven't been able to produce the issue my end.
Looks like some strange permission issue with Everything.
Ignoring that Everything is not indexing anything on the E: drive, opening the E: should open Windows Explorer and select your E: drive.



Could you please send some debug output:
  • In Everything, from the Tools menu, under the Debug submenu, check Start Debug Logging.
  • From the Tools menu, click Options.
  • Click the Index tab on the left.
  • Click Force Rebuild.
  • Wait for Everything to finish reindexing. (it may take a few minutes)
  • In Everything, from the Tools menu, under the Debug submenu, check Stop Debug Logging.
    ---this will open your Everything Debug Log.txt in notepad---
    Could you please send this file to support@voidtools.com


Do you see the same issue if you use folder indexing instead of NTFS indexing?
  • From the Tools menu, click Options.
  • Click the NTFS tab on the left.
  • Select E:
  • Uncheck Include in database.
  • Click the Folders tab on the left.
  • Click Add....
  • Select E: and click OK.
  • Click OK.
Does Everything index anything on the E: drive?
Please try opening E: with the above indexing, if you see the same error, its most likely a permission issue.
badrelmers
Posts: 2
Joined: Wed Apr 26, 2023 4:35 am

Re: bug in Everything 1.5 Alpha when I Run indexing process as administrator

Post by badrelmers »

I sent the logs to your email.

step1:
Start Debug Logging does not work, it does not start, and in the console i see this message:
CreateFileW(): 5: Failed to open file D:\Users\badr\AppData\Local\Temp\Everything Debug Log-1.5a.txt


the log1.log contain more info if needed.
then i clicked on Force Rebuild but nothing happened, the log1.log also have that info.

I could not find a way to change the debug log location, I think if we had such option I would have been able to save the log near the Everything exe, because it seems that Everything can write to its own folder from where it was launched (I see that he is able to create the ini config file and plugins file and an empty database)

_______________________________
step2:
I unchecked all the drives from NTFS tab indexing, then added only E in folder indexing, it took too much time but at the end it was able to index it, but it seems a fake indexing because when I attempt to open a folder indexed from Everything I get the same error:
Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

see the attached picture.
maybe he got the files list from MFT or USN journal! but it s clearly not able to access those indexed files yet. Everything is not able to open even his own folder E:\testtt !. log2.log contain what the consol showed for the step2

_______________________________
step3:
i did the same steps of step2 but now for the OS partition D:, I added the D: partition in the folder tab indexing, Everything was able to index the files too like E: en step2. and the same problem happens, i m not able to open any folder indexed. and the indexing took a lot of time. log3.log contain what the consol showed for the step3
Attachments
Untitled picture2.png
Untitled picture2.png (147.81 KiB) Viewed 6455 times
Last edited by badrelmers on Wed Apr 26, 2023 3:05 pm, edited 1 time in total.
void
Developer
Posts: 16745
Joined: Fri Oct 16, 2009 11:31 pm

Re: bug in Everything 1.5 Alpha when I Run indexing process as administrator

Post by void »

Thank you for the logs badrelmers,

Everything will write the debug log to the temp folder.
You will likely run into issues if Everything does not have write permission to the temp folder.



The logs show Everything is unable to access the Everything Service pipe created by the indexing process.
A third party program or the OS is preventing access.


i did the same steps of step2 but now for the OS partition D:
shellexecute invoke InvokeCommand 80070005
Access is denied when invoking the item from Everything.
Again, a third party program or the OS is preventing access.

See if it is the process name "Everything.exe"...
Try renaming your Everything.exe to something else, like explorer.exe
badrelmers
Posts: 2
Joined: Wed Apr 26, 2023 4:35 am

Re: bug in Everything 1.5 Alpha when I Run indexing process as administrator

Post by badrelmers »

Everything have no bug, i was wrong:

In my first post I said:
the folder from where I run Everything have no special permissions!,this is icacls output :
D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)S:AI(ML;OICIID;NW;;;LW)
I was wrong! well in fact chatGPT was wrong!!! (see pic1)
I asked chatGPT:
if i add SACL permissions to a folder and I run an executable from that folder, does the executable after execution inherit the SACL permissions of the folder?
he answered:
No, the executable does not inherit the SACL permissions of the folder after execution.
SACL (System Access Control List) permissions are used to audit or log access attempts to a specific object, such as a file or folder, in the system. When you add SACL permissions to a folder, it means that any attempt to access the folder will be audited or logged, but it does not affect the permissions of the executable file within the folder.
pic1.png
pic1.png (109.36 KiB) Viewed 6364 times

after chatGPT answer and because I could not found another answer using google, I thought that things are fine relating to permissions...!

but after your last post I found this text from microsoft that says the inverse:
Process Creation
When a user attempts to launch an executable file, the new process is created with the minimum of the user integrity level and the file integrity level. This means that the new process will never execute with higher integrity than the executable file. If the administrator user executes a low integrity program, the token for the new process functions with the low integrity level. This helps protect a user who launches untrustworthy code from malicious acts performed by that code. The user data, which is at the typical user integrity level, is write-protected against this new process.
https://learn.microsoft.com/en-us/windo ... dfrom=MSDN
so folder permissions can affect the files permissions inside it, and the file permissions will affect the executable after running it.

here are the details:
I formatted a partition and icacls output for the new formatted partition was:

Code: Select all

D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)
but my E:\ partiton had this permissions:

Code: Select all

D:(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;;0x1301bf;;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)S:AI(ML;OICIID;NW;;;LW)
they are the same except this part S:AI(ML;OICIID;NW;;;LW) which was added by some program after the first format I did years ago, but i never know about it! and I do not know which program did it! (maybe onedrive/skydrive.. years ago).

I had no experience with SACL DACL..etc, after some reading I found the following:
this S:AI(ML;OICIID;NW;;;LW) means a SACL permission, and it was applied to all the E:\ partition
  • ML = Mandatory label
  • OI = Give any files in this folder the same integrity level of the parent folder.
  • CI = Give any subfolders in this folder the same integrity level of the parent folder.
  • NW = Do not allow any process of a lower integrity level to modify this folder.
  • LW = force a law integrity level.

OI and LW are the culpable. they means that any executable started from this folder should run with a Low integrity level.
Sysinternals Process Explorer shows that Everyting parent exe have Low integrity level (see pic2)
pic2.png
pic2.png (7.41 KiB) Viewed 6364 times
your frase explain all:
"The logs show Everything is unable to access the Everything Service pipe created by the indexing process."
after more reading I found the following which explains why Everything parent exe could not talk to the child exe
Additionally, for privacy reasons process objects with higher IL are out-of-bounds for even read access from processes with lower IL.
https://en.wikipedia.org/wiki/Mandatory ... ty_Control
Furthermore, to prevent access to sensitive data in memory, processes can’t open processes with a higher IL for read access.[14]
https://en.wikipedia.org/wiki/Mandatory_access_control
However, in some cases a higher IL process do need to execute certain functions against the lower IL process, or a lower IL process need to access resources that only a higher IL process can access (for example, when viewing a webpage in protected mode, save a file downloaded from the internet to a folder specified by the user).[1] High IL and Low IL processes can still communicate with each other by using files, Named pipes, LPC or other shared objects. The shared object must have an integrity level as low as the Low IL process and should be shared by both the Low IL and High IL processes.
https://en.wikipedia.org/wiki/Mandatory ... ty_Control

solution:
it was as simple as running this:

Code: Select all

chml e:\ -rl
this command will remove the SACL part and leave the rest of the permissions intact, so i restored the hard disk permissions without format. icacls cannot do this. the command took some 2 or 3 minutes to finish.
chml is dead now but it can be downloaded from here:
https://web.archive.org/web/20120226183 ... i.com/apps

now Everything works as expected when I select "Run indexing process as administrator"


if you want to reproduce the problem I had, it is as simple as doing the following:
create a folder and run:

Code: Select all

chml e:\testtt -ws:S:(ML;OICI;NW;;;LW)
then run Everything from e:\testtt, you will see exactly what was happening to me.
the command is not dangerous, it will change only the e:\testtt folder and nothing else, it will add the SACL to that folder.


you may be interested by this article which is a possible way to solve this problem even when we run Everything from a folder where SACL is applied with a Low integrity level permission.
Designing Applications to Run at a Low Integrity Level
https://learn.microsoft.com/en-us/previ ... v=msdn.10)

thank you very much for you time and help. and sorry for the long post and the false report.
Post Reply