Hacktricks-skills windows-integrity-levels
Windows Integrity Levels analysis and manipulation for security research and privilege escalation assessment. Use this skill whenever the user asks about Windows integrity levels, Mandatory Integrity Control (MIC), process integrity, file integrity levels, or needs to understand how Windows restricts access based on integrity levels. Trigger for questions about checking integrity levels, modifying integrity levels, understanding integrity level restrictions, or analyzing Windows security boundaries.
git clone https://github.com/abelrguezr/hacktricks-skills
skills/windows-hardening/windows-local-privilege-escalation/integrity-levels/SKILL.MD
Windows Integrity Levels
A skill for understanding and working with the Windows Mandatory Integrity Control (MIC) system.
Overview
Windows Vista and later attach an integrity level (a mandatory label) to every process token and to securable objects. By default a process cannot modify an object whose label is higher than its own, regardless of what the object's DACL grants: the integrity check is evaluated before the discretionary access check.
Integrity Level Hierarchy
From lowest to highest:
- Untrusted (SID S-1-16-0) - Processes started by anonymous logons and heavily sandboxed code (e.g., the Chrome renderer sandbox)
- Low (S-1-16-4096) - Internet-facing code: Protected Mode browsers, the Temporary Internet Files folder, %USERPROFILE%\AppData\LocalLow
- Medium (S-1-16-8192) - Default for standard users and for an administrator's UAC-filtered token
- High (S-1-16-12288) - Administrators running elevated
- System (S-1-16-16384) - Services and processes running as SYSTEM, LocalService or NetworkService
- Installer - Special level above all others, so that installers can remove objects at every other level
Key Rules
- By default a label carries a No-Write-Up (NW) policy: a process cannot modify an object labelled with a higher integrity level, even if the DACL grants write access. Labels can also carry No-Read-Up (NR) and No-Execute-Up (NX), but NW is the default
- A higher-integrity process can modify objects with a lower label; the reverse is blocked
- With UAC enabled, members of the Administrators group run at Medium by default; their High token is only used after elevation
- A High-integrity process cannot raise its own label to System; System integrity comes from running under the SYSTEM or a service account, not from relabelling
- File system objects without an explicit label are treated as Medium; an explicit label sets the minimum level needed to write them
- Every process token carries exactly one integrity level; a child normally inherits its parent's level, lowered to the executable's label if that is lower
Checking Integrity Levels
Current Process Integrity
whoami /groups
Look for the Mandatory Label\<Level> Mandatory Level entry in the output. Its SID is S-1-16-<RID>, and the RID is the level itself (4096 Low, 8192 Medium, 12288 High, 16384 System); match on the SID rather than the name, which is localized.
Process Explorer Method
- Open Process Explorer from Sysinternals
- Right-click a process → Properties
- View the Security tab
- The mandatory label is listed among the token's groups with the Integrity flag (Process Explorer also offers an Integrity Level column under View → Select Columns)
File Integrity Level
icacls <filepath>
Look for Mandatory Label\<Level> Mandatory Level:(NW) in the output. icacls prints this line only when a label has been set explicitly; a file with no label is treated as Medium.
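The two checks above, wrapped into reusable functions. This is an added example, not code from the original page or from the hacktricks-skills repository; it relies only on the built-in whoami and icacls tools, and the probe path under $env:TEMP is an assumption.

```powershell
# Added example (not from the original page): resolve the current token's
# integrity level and a file's mandatory label with built-in tools only.

# Well-known integrity RIDs (S-1-16-<RID>) from winnt.h
$IntegrityNames = @{
    0     = 'Untrusted'
    4096  = 'Low'
    8192  = 'Medium'
    8448  = 'Medium Plus'
    12288 = 'High'
    16384 = 'System'
    20480 = 'Protected Process'
}

function Get-ProcessIntegrityLevel {
    # whoami lists the label as a group entry; key on the SID, not the
    # (localized) "Mandatory Label\..." display name.
    $label = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    if (-not $label) { throw 'No mandatory label found in the current token' }
    $rid = [int]($label.SID -replace '^S-1-16-', '')
    [pscustomobject]@{
        Level = $IntegrityNames[$rid]
        RID   = $rid
        SID   = $label.SID
    }
}

function Get-FileIntegrityLevel {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    # icacls prints the label line only when a label was set explicitly;
    # an unlabelled file is treated as Medium with the default NW policy.
    $line = icacls $Path |
        Select-String 'Mandatory Label\\(.+?) Mandatory Level:((?:\([A-Z,]+\))+)' |
        Select-Object -First 1
    if (-not $line) {
        return [pscustomobject]@{ Path = $Path; Level = 'Medium'; Explicit = $false; Policy = '(NW)' }
    }
    $m = $line.Matches[0]
    [pscustomobject]@{
        Path     = $Path
        Level    = $m.Groups[1].Value
        Explicit = $true
        Policy   = $m.Groups[2].Value   # e.g. (NW) or (OI)(CI)(NW) on directories
    }
}

# Usage (probe path is an assumption)
Get-ProcessIntegrityLevel
$probe = Join-Path $env:TEMP 'probe.txt'
Set-Content -Path $probe -Value 'probe'
Get-FileIntegrityLevel -Path $probe          # Explicit = False, implicit Medium
Get-FileIntegrityLevel -Path "$env:USERPROFILE\AppData\LocalLow"   # labelled Low
```

The Policy field keeps the inheritance flags as icacls prints them, so a directory labelled with (OI)(CI) is reported distinctly from a single file.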
Modifying Integrity Levels
Set File Integrity Level
Changing a label needs WRITE_OWNER access to the object, and a process can only assign a level at or below its own. Assigning High therefore must be done from an elevated (High integrity) console; Low or Medium can be assigned from a normal console on objects you own.
icacls <filepath> /setintegritylevel [(OI)(CI)]<Level>
Where
<Level> is L(ow), M(edium) or H(igh); icacls has no option for System. The optional (OI)(CI) prefix makes a directory's label inherit to the files and subdirectories below it.
Important: A Medium integrity process cannot assign High integrity to objects; icacls reports the failure and leaves the label unchanged.
Set Binary Integrity Level
icacls C:\Windows\System32\cmd.exe /setintegritylevel Low
Files under System32 are owned by TrustedInstaller, so in practice label a copy of the binary rather than the original. A Low label makes processes started from the binary run at Low, because CreateProcess gives the child the lower of the parent's level and the executable's label.
Note: Setting a binary to High integrity does NOT make it run at High integrity automatically. The process inherits its parent's integrity level and never rises above it.
Practical Implications
File System Access
When a file carries an explicit integrity label:
- You must run at least at that integrity level to modify it
- Read access is still governed only by the DACL (the default NW policy does not block reads), so lower levels can usually still read the file
- The integrity check runs before the DACL check; a DACL that grants write access does not help a lower-integrity caller
Example:
```cmd
:: Create the file from a standard (Medium integrity) shell
echo test > test.txt

:: From an elevated (High integrity) shell, label it High
icacls test.txt /setintegritylevel High

:: Back in the Medium shell, try to modify it
echo new > test.txt
:: Access is denied.

:: Reading still works: the default policy is No-Write-Up only
type test.txt
```
Process Access
- A process cannot obtain write-type access (PROCESS_VM_WRITE, PROCESS_CREATE_THREAD, PROCESS_TERMINATE and similar) to a process with a higher integrity level
- A Low integrity process therefore cannot open a Medium integrity process with full access, even one owned by the same user, where the DACL alone would allow it
- This is a key defense against privilege escalation: code running at a lower level cannot inject into or tamper with higher-level processes through the process object
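A probe for the boundary described above. This is an added example, not code from the original page or the project: it calls OpenProcess through P/Invoke with a few access masks and reports which ones are granted. Run it from a Medium shell against the PID of an elevated process you own (for example an elevated notepad.exe) so the DACL allows everything and only the integrity check decides; the target PID is an assumption you supply.

```powershell
# Added example (not from the original page): which access rights can a
# lower-integrity caller obtain on a higher-integrity process?

Add-Type -Namespace Win32 -Name Proc -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

# Process access masks from winnt.h. QUERY_LIMITED_INFORMATION was introduced
# precisely so lower-integrity callers can still query a process; the others
# are write-type rights and are blocked by the No-Write-Up policy.
$ProcessAccess = [ordered]@{
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # expected: granted
    PROCESS_VM_WRITE                  = 0x0020   # expected: denied from below
    PROCESS_CREATE_THREAD             = 0x0002   # expected: denied from below
    PROCESS_TERMINATE                 = 0x0001   # expected: denied from below
}

function Test-ProcessAccess {
    param([Parameter(Mandatory)][int]$TargetId)
    foreach ($entry in $ProcessAccess.GetEnumerator()) {
        $h   = [Win32.Proc]::OpenProcess([uint32]$entry.Value, $false, $TargetId)
        $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $granted = ($h -ne [IntPtr]::Zero)
        if ($granted) { [void][Win32.Proc]::CloseHandle($h); $err = 0 }
        [pscustomobject]@{
            Right      = $entry.Key
            Mask       = '0x{0:X4}' -f $entry.Value
            Granted    = $granted
            Win32Error = $err        # 5 = ERROR_ACCESS_DENIED
        }
    }
}

# Usage (PID is an assumption): start an elevated notepad.exe, then
# Test-ProcessAccess -TargetId (Get-Process notepad | Select-Object -First 1).Id
```

Running the same probe from an elevated shell against the same target turns every row to Granted, which separates the integrity denial from a DACL denial: the DACL did not change, only the caller's level did.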
Binary Execution
- Setting a binary to Low integrity makes it run at Low integrity
- Setting a binary to High integrity does NOT make it run at High integrity
- Process integrity is inherited from the parent process
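The label-setting procedure from Modifying Integrity Levels, the write denial from File System Access and the binary-execution rule above, demonstrated end to end from a single non-elevated (Medium) PowerShell session. This is an added example, not code from the original page or the project; it labels a copy of cmd.exe rather than the original, and the working directory under $env:TEMP is an assumption.

```powershell
# Added example (not from the original page): from a Medium shell, label a copy
# of cmd.exe Low, launch it, and watch the child run at Low and fail to write a
# Medium-labelled file. Nothing under System32 is modified.

$lab = Join-Path $env:TEMP 'il-demo'      # assumption: scratch directory
New-Item -ItemType Directory -Path $lab -Force | Out-Null

function Set-FileIntegrityLevel {
    # icacls accepts only L(ow), M(edium), H(igh). A caller may assign a level at
    # or below its own, so a Medium shell can set L or M but H is refused.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('L','M','H')][string]$Level,
        [switch]$Inherit    # prefix (OI)(CI) so a directory label propagates
    )
    $spec = if ($Inherit) { "(OI)(CI)$Level" } else { $Level }
    $out = icacls $Path /setintegritylevel $spec 2>&1
    # icacls reports per-file failures in its summary line even when its exit code is 0
    if ($LASTEXITCODE -ne 0 -or "$out" -match 'Failed processing [1-9]') {
        throw "icacls could not label ${Path}: $out"
    }
}

# 1. Two target files: one left unlabelled (implicitly Medium), one labelled Low.
$mediumFile = Join-Path $lab 'medium.txt'
$lowFile    = Join-Path $lab 'low.txt'
Set-Content -Path $mediumFile -Value 'created at Medium'
Set-Content -Path $lowFile    -Value 'created at Medium'
Set-FileIntegrityLevel -Path $lowFile -Level L

# 2. A Low-labelled copy of cmd.exe. CreateProcess gives the child the lower of
#    the parent's level and the executable's label, so this copy runs at Low.
$lowCmd = Join-Path $lab 'lowcmd.exe'
Copy-Item "$env:SystemRoot\System32\cmd.exe" $lowCmd -Force
Set-FileIntegrityLevel -Path $lowCmd -Level L

# 3. Labelling anything High from a Medium shell is refused (needs a High token).
try { Set-FileIntegrityLevel -Path $lowCmd -Level H } catch { "Expected refusal: $_" }

# 4. Run the Low child: print its label SID, then append to both files.
#    Appending needs write access to the file only, so the Low-labelled file
#    succeeds while the implicitly-Medium file is denied by No-Write-Up.
$stdout  = Join-Path $lab 'child.out'
$stderr  = Join-Path $lab 'child.err'
$cmdLine = '/c whoami /groups /fo csv /nh | findstr S-1-16 & ' +
           "(echo low write >> `"$lowFile`" && echo low.txt: written) & " +
           "(echo medium write >> `"$mediumFile`" && echo medium.txt: written)"
Start-Process -FilePath $lowCmd -ArgumentList $cmdLine -Wait -NoNewWindow `
    -RedirectStandardOutput $stdout -RedirectStandardError $stderr
Get-Content $stdout   # label row with S-1-16-4096 (Low), then "low.txt: written"
Get-Content $stderr   # "Access is denied." for medium.txt
```

The child's stdout and stderr are pipes opened by the Medium parent and inherited by the child, which is why the Low process can still report back: integrity is checked when a handle is opened, not when it is used. That same rule is why the appended write to low.txt works even though the file sits in an unlabelled (Medium) directory, since appending to an existing file never opens the directory for write.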
Security Best Practices
- Run processes at the lowest integrity level possible - minimizes attack surface
- Understand integrity boundaries - know what your process can and cannot access
- Check integrity levels - use whoami /groups to verify your current level
- Be aware of elevation - Administrators group membership ≠ High integrity by default
Common Use Cases
Privilege Escalation Assessment
When assessing for privilege escalation:
- Check your current integrity level
- Identify files/processes with lower integrity that you can modify
- Look for files with High integrity that you cannot modify
- Understand which processes you can inject into or manipulate
Security Hardening
To harden a system:
- Set critical files to High integrity
- Run untrusted applications at Low integrity
- Verify integrity levels are properly configured
- Monitor for integrity level violations
Tools
Included Scripts
- check-integrity.ps1 - Check integrity levels of files and processes
- set-integrity.ps1 - Set integrity levels on files (requires elevation)
External Tools
- Process Explorer (Sysinternals) - View process integrity levels
- whoami - Built-in Windows tool for checking groups and integrity
- icacls - Built-in Windows tool for managing file permissions and integrity
Quick Reference
| Level | Typical Use | Can Modify |
|---|---|---|
| Untrusted | Anonymous, sandboxed | Nothing |
| Low | Internet, Protected Mode | Low only |
| Medium | Standard users | Low, Medium |
| High | Elevated admins | All except System |
| System | SYSTEM and service accounts | All except Installer |
| Installer | Uninstaller | Everything |