starred/terminal
1
0
Fork 0
mirror of https://github.com/microsoft/terminal.git synced 2026-02-04 05:35:20 +00:00
Code Issues 19.0k Packages Projects Releases 20 Wiki Activity

When running as Administrator, Terminal should always start built-in Windows apps in C:\Windows\System32 #9827

New Issue
Open
opened 2026-01-31 02:04:54 +00:00 by claunia · 4 comments
claunia commented 2026-01-31 02:04:54 +00:00
Owner
Copy Link

Originally created by @metathinker on GitHub (Jul 24, 2020).

Originally assigned to: @zadjii-msft on GitHub.

Description of the new feature/enhancement

When you open Command Prompt or PowerShell from the Start Menu, Start --> Run (Windows-R), or the set of options you get by right-clicking the Start button (Windows-X), the starting current directory for the shell can vary:

  • When the shell is run as an ordinary user (or a administrator without elevation to admin privilege/token), the starting directory is C:\Users\me , or whatever the user's home location is.
  • When the shell is run as an administrator, the starting directory is always C:\Windows\System32 .

This is also true for non-shell command-line apps that are launched this way, like C:\Windows\System32\choice.exe - EDIT: as long as they come with Windows.

However, when command-line apps are launched from Terminal using a Terminal profile, the starting directory is always static:

  • If startingDirectory is set to non-null and non-empty (in settings.json or defaults.json): that directory
  • If startingDirectory is set to an empty string: C:\Users\me
  • Otherwise - if startingDirectory is set to null or not set: C:\Windows\System32

What I'd like is for Terminal to emulate part of the built-in behavior of the Windows system described above:
If Terminal is elevated, then the starting directory for any new Terminal tab or pane should always be the system directory C:\Windows\System32.
EDIT: If Terminal is elevated, then the starting directory for any new Terminal tab or pane opening a built-in Windows system file should always be the system directory C:\Windows\System32.
This reduces the chance of damage when you accidentally run (or are maliciously tricked into running) a program from your home location or other unprivileged folder that has the same name as a program in C:\Windows\System32.

Originally created by @metathinker on GitHub (Jul 24, 2020). Originally assigned to: @zadjii-msft on GitHub. ### Description of the new feature/enhancement When you open Command Prompt or PowerShell from the Start Menu, Start --> Run (Windows-R), or the set of options you get by right-clicking the Start button (Windows-X), the starting current directory for the shell can vary: - When the shell is run as an ordinary user (or a administrator without elevation to admin privilege/token), the starting directory is `C:\Users\me` , or whatever the user's home location is. - When the shell is run as an administrator, the starting directory is always `C:\Windows\System32` . This is also true for non-shell command-line apps that are launched this way, like `C:\Windows\System32\choice.exe` - EDIT: as long as they come with Windows. However, when command-line apps are launched from Terminal using a Terminal profile, the starting directory is always static: - If `startingDirectory` is set to non-null and non-empty (in settings.json or defaults.json): that directory - If `startingDirectory` is set to an empty string: `C:\Users\me` - Otherwise - if `startingDirectory` is set to null or not set: `C:\Windows\System32` What I'd like is for Terminal to emulate part of the built-in behavior of the Windows system described above: ~**If Terminal is elevated, then the starting directory for any new Terminal tab or pane should always be the system directory `C:\Windows\System32`.**~ EDIT: **If Terminal is elevated, then the starting directory for any new Terminal tab or pane _opening a built-in Windows system file_ should always be the system directory `C:\Windows\System32`.** This reduces the chance of damage when you accidentally run (or are maliciously tricked into running) a program from your home location or other unprivileged folder that has the same name as a program in `C:\Windows\System32`.
claunia commented 2026-01-31 02:04:56 +00:00
Author
Owner
Copy Link

@KalleOlaviNiemitalo commented on GitHub (Jul 25, 2020):

This reduces the chance of damage when you accidentally run (or are maliciously tricked into running) a program from your home location or other unprivileged folder that has the same name as a program in C:\Windows\System32.

You could set the NoDefaultCurrentDirectoryInExePath environment variable, documented at NeedCurrentDirectoryForExePathW function.

@KalleOlaviNiemitalo commented on GitHub (Jul 25, 2020): > This reduces the chance of damage when you accidentally run (or are maliciously tricked into running) a program from your home location or other unprivileged folder that has the same name as a program in `C:\Windows\System32`. You could set the `NoDefaultCurrentDirectoryInExePath` environment variable, documented at [NeedCurrentDirectoryForExePathW function](<https://docs.microsoft.com/windows/win32/api/processenv/nf-processenv-needcurrentdirectoryforexepathw> "NeedCurrentDirectoryForExePathW function (processenv.h) - Win32 apps | Microsoft Docs").
claunia commented 2026-01-31 02:04:56 +00:00
Author
Owner
Copy Link

@DHowett commented on GitHub (Jul 25, 2020):

You know, I think the behavior you're seeing is actually a side effect of how the shell spawns elevated applications. When you run an application as an administrator from its installation directory using the context menu, it runs in its installation directory. When you run it from a shortcut designated to run as an admin but with a specified startup directory, it actually does open in that startup directory.

This sounds like an implementation detail wearing a white coat with "Dr. Security" embroidered on it.

@DHowett commented on GitHub (Jul 25, 2020): You know, I think the behavior you're seeing is actually a side effect of how the shell spawns elevated applications. When you run an application as an administrator from its installation directory using the context menu, it runs in its installation directory. When you run it from a _shortcut designated to run as an admin but with a specified startup directory_, it actually does open in that startup directory. This sounds like an implementation detail wearing a white coat with "Dr. Security" embroidered on it.
claunia commented 2026-01-31 02:04:56 +00:00
Author
Owner
Copy Link

@metathinker commented on GitHub (Jul 28, 2020):

You know, I think the behavior you're seeing is actually a side effect of how the shell spawns elevated applications. When you run an application as an administrator from its installation directory using the context menu, it runs in its installation directory. When you run it from a shortcut designated to run as an admin but with a specified startup directory, it actually does open in that startup directory.

This sounds like an implementation detail wearing a white coat with "Dr. Security" embroidered on it.

It's a bit more complex than that... I studied the implementation of starting an application elevated. When Explorer or some other unelevated process running the shell API impl. needs to start an elevated process, it (actually the "Application Information"/AppInfo NT service, the trustworthy worker process that starts the elevated process for Explorer) special-cases applications in C:\Windows and most other directories in that tree, which for our purposes includes Command Prompt and Windows PowerShell. For those applications, the start-in folder specified by the shortcut is ignored in favor of C:\Windows\System32. The ignorance is deliberate - there's even a comment to call out that the specified start-in folder path is being thrown away to discourage attacks by using the program loader to load untrustworthy DLLs.

Windows Terminal doesn't follow the same path when launching an elevated cmd.exe or powershell.exe because it is already elevated - it doesn't need to use the special-case code described above in order to launch cmd.exe. So the feature request is that it should do the same thing, but perhaps that is not easy to implement as you have to mirror at least some of the logic to answer the question "is this program in a known, safe C:\Windows path?"

@metathinker commented on GitHub (Jul 28, 2020): > You know, I think the behavior you're seeing is actually a side effect of how the shell spawns elevated applications. When you run an application as an administrator from its installation directory using the context menu, it runs in its installation directory. When you run it from a _shortcut designated to run as an admin but with a specified startup directory_, it actually does open in that startup directory. > > This sounds like an implementation detail wearing a white coat with "Dr. Security" embroidered on it. It's a bit more complex than that... I studied the implementation of starting an application elevated. When Explorer or some other unelevated process running the shell API impl. needs to start an elevated process, it (actually the "Application Information"/AppInfo NT service, the trustworthy worker process that starts the elevated process for Explorer) special-cases applications in C:\Windows and most other directories in that tree, which for our purposes includes Command Prompt and Windows PowerShell. For those applications, the start-in folder specified by the shortcut is _ignored_ in favor of C:\Windows\System32. The ignorance is deliberate - there's even a comment to call out that the specified start-in folder path is being thrown away to discourage attacks by using the program loader to load untrustworthy DLLs. Windows Terminal doesn't follow the same path when launching an elevated cmd.exe or powershell.exe because it is _already_ elevated - it doesn't need to use the special-case code described above in order to launch cmd.exe. So the feature request is that it should do the same thing, but perhaps that is not easy to implement as you have to mirror at least some of the logic to answer the question "is this program in a known, safe C:\Windows path?"
claunia commented 2026-01-31 02:04:56 +00:00
Author
Owner
Copy Link

@miniksa commented on GitHub (Jul 19, 2021):

I've contacted one of our friends on the security research team. I gave him the rundown of what we discussed in our triage meeting about this particular issue today and he provided several counter points that we should consider. There wasn't a definitive conclusion beyond the fact that he will raise this with the rest of his team later this week to get more security minds thinking about it and advise us on a recommendation going forward.

@miniksa commented on GitHub (Jul 19, 2021): I've contacted one of our friends on the security research team. I gave him the rundown of what we discussed in our triage meeting about this particular issue today and he provided several counter points that we should consider. There wasn't a definitive conclusion beyond the fact that he will raise this with the rest of his team later this week to get more security minds thinking about it and advise us on a recommendation going forward.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
Reserved
A11yCO
A11yMAS
A11ySev1
A11ySev2
A11ySev3
A11yTTValidated
A11yUsable
A11yVoiceAccess
A11yWCAG
Area-Accessibility
Area-AtlasEngine
Area-AzureShell
Area-Build
Area-Build
Area-Chat
Area-CmdPal
Area-CodeHealth
Area-Commandline
Area-CookedRead
Area-DefApp
Area-Extensibility
Area-Fonts
Area-GroupPolicy
Area-i18n
Area-Input
Area-Interaction
Area-Interop
Area-Localization
Area-Output
Area-Performance
Area-Portable
Area-Quality
Area-Remoting
Area-Rendering
Area-Schema
Area-Server
Area-Settings
Area-SettingsUI
Area-ShellExtension
Area-ShellExtension
Area-ShellExtension
Area-Suggestions
Area-Suggestions
Area-TerminalConnection
Area-TerminalControl
Area-Theming
Area-UserInterface
Area-VT
Area-Windowing
Area-WPFControl
AutoMerge
Blocking-Ingestion
Culprit-Centennial
Culprit-WinUI
Disability-All
Disability-Blind
Disability-LowVision
Disability-Mobility
External-Blocked-WinUI3
Fixed
Gathering-Data
good first issue
HCL-E+D
HCL-WindowsTerminal
Help Wanted
Impact-Compatibility
Impact-Compliance
Impact-Correctness
Impact-Visual
In-PR
InclusionBacklog
InclusionBacklog-Windows TerminalWin32
InclusionCommitted-202206
Issue-Bug
Issue-Docs
Issue-Feature
Issue-Feature
Issue-Question
Issue-Samples
Issue-Scenario
Issue-Task
Needs-Attention
Needs-Author-Feedback
Needs-Bisect
Needs-Discussion
Needs-Repro
Needs-Tag-Fix
Needs-Tag-Fix
Needs-Triage
No-Recent-Activity
Priority-0
Priority-1
Priority-2
Priority-3
Product-Cmd.exe
Product-Colortool
Product-Colortool
Product-Colortool
Product-Conhost
Product-Conpty
Product-Meta
Product-Powershell
Product-Terminal
Product-WSL
pull-request
Mirrored from GitHub Pull Request
 Resolution-Answered
Resolution-By-Design
Resolution-Duplicate
Resolution-External
Resolution-Fix-Available
Resolution-Fix-Committed
Resolution-No-Repro
Resolution-Won't-Fix
Severity-Blocking
Severity-Crash
Severity-DataLoss
spam
this-will-be-a-breaking-change
Tracking-External
WindowsTerminal_Win32
Work-Item
zAskModeBug
zInbox-Bug
No Label Issue-Task Needs-Tag-Fix Product-Terminal this-will-be-a-breaking-change
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claunia
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/terminal#9827
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?