Windows 10: Cannot execute file when FILE_READ permission is removed on Windows 7 or newer

Discussion in 'AntiVirus, Firewalls and System Security' started by JackTripper, Oct 7, 2023.

  2. Cannot execute file when FILE_READ permission is removed on Windows 7 or newer

    Short Version

    To execute a file you do not need `FILE_READ_DATA` permission. All you need is the `FILE_EXECUTE` permission. (Windows NT 3.1, Windows NT 3.5, Windows NT 4, Windows 2000, Windows XP, Windows Vista).

    But starting with Windows 7, neither CreateProcess, ShellExecute, nor Windows Explorer can execute an executable unless the user also has `FILE_READ_DATA` permission.

    Long Version

    Windows is a secure operating system, and has a rich infrastructure of access checks.

    Two of those file access rights of interest right now are:

    • `FILE_READ_DATA` (1): "For a file object, the right to read the corresponding file data."
    • `FILE_EXECUTE` (32): "For a native code file, the right to execute the file."

    The virtue of a separate `FILE_EXECUTE` right is:

    • it lets the user execute the file
    • without being able to see what's in the file

    It lets you keep the application binary contents secret. It prevents the file from being copied.

    It worked pre-Windows 7

    This is how it worked on Windows NT, Windows 2000, Windows XP, and Windows Vista:

    - You could grant all access rights (including `FILE_EXECUTE`)

    - but exclude `FILE_READ_DATA`:


    [Image]


    And the user can "execute" a file they cannot "read".

    In Windows 2000 they can execute a file they cannot read:


    [Image]


    In Windows XP: they can execute a file they cannot read:


    [Image]


    In Windows Vista: they can execute a file they cannot read:


    [Image]


    Until Windows 7

    That all worked great until Windows 7; where the file can no longer be executed:


    [Image]


    Looking at the stack trace of the function that gets the `ACCESS_DENIED` result, it's CreateProcess itself that is attempting to "read" the file:

    I assume this is related to either:

    - the heuristics of CreateProcess with the invention of UAC (but I don't see why it worked on Windows Vista, where UAC was first invented)

    - virus scanning, attempting to synchronously read an executable

    Bonus video

    - Channel 9 - Going Deep - UAC - What. How. Why.

    - Direct link (due to The Great Purge of all videos from Channel 9 in December 2021)

    How to make it work?

    So the question is:

    - how do I let users execute an application

    - while also not granting `FILE_READ_DATA`

    Bonus Research

    Only fails with embedded assembly manifest

    It only fails when the executable has an embedded assembly manifest. It doesn't matter if the manifest is empty (e.g. no dependency on any dll, no dpi awareness, no app compat - empty).

    Note: every correctly written application must have an assembly manifest; it's part of the application contract with Windows and is a requirement.

    ShellExecute and CreateProcess fail alike

    Calling `CreateProcess` myself directly (as opposed to the higher level `ShellExecute` abstraction) still has the error:

    I have no 3rd party anti-virus installed. The only anti-virus running is what Windows 7 or Windows 10 might come with. I've done my best to completely disable all anti-virus software, but Windows 10 is very good at preventing administrators from disabling Windows Defender. Nor is disabling Windows Defender a valid answer, and not every desktop or server will have Windows Defender disabled.

    Guidelines for answering

    If you attempt to answer:

    Hello. I'm sorry you're having a problem with Windows. I understand that you are unable to execute a file when you remove "read" permission while keeping "execute" permission. In order to best help you, let me ask you some preliminary questions:



    - "Have you tried running a virus scan?"

    - "Try running sfc /scannow"

    - "Have you tried reinstalling Windows?"

    You will be required to post the screenshots of you attempting to reproduce the issue. You will also need to note which version of Windows you attempted to reproduce the issue on, and you must indicate whether the .exe you tested with had an embedded (i.e. not a side-by-side assembly manifest) assembly manifest.

    Operating Systems involved

    - Windows NT 3.1

    - Windows NT 3.5

    - Windows NT 4

    - Windows 2000

    - Windows XP

    - Windows Vista

    - Windows 7

    - Windows 10.0.19044.1415
     
    JackTripper, Oct 7, 2023
    #2
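
A simplified model of the access check the post above relies on, added here as an illustration (it is not code from the thread). The mask values are the documented Win32 constants; the SID, the DACL and the `access_check` helper are constructed for the example, and owner rights, privileges and generic-right mapping are ignored.

```python
# Win32 file access-mask bits (documented winnt.h values).
RIGHTS = {
    "FILE_READ_DATA": 0x0001,
    "FILE_READ_EA": 0x0008,
    "FILE_EXECUTE": 0x0020,
    "FILE_READ_ATTRIBUTES": 0x0080,
    "READ_CONTROL": 0x20000,
    "SYNCHRONIZE": 0x100000,
}
FILE_READ_DATA = RIGHTS["FILE_READ_DATA"]
FILE_EXECUTE = RIGHTS["FILE_EXECUTE"]
SYNCHRONIZE = RIGHTS["SYNCHRONIZE"]

# "Read & execute" = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE = 0x1200A9.
# The bits above are disjoint, so their sum equals their bitwise OR.
READ_AND_EXECUTE = sum(RIGHTS.values())
# The ACL from the post: everything in "Read & execute" except FILE_READ_DATA.
EXECUTE_NO_READ = READ_AND_EXECUTE & ~FILE_READ_DATA

USER = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
DACL = [("allow", USER, EXECUTE_NO_READ)]                 # constructed DACL

def names(mask):
    """Decode a mask into the right names it contains."""
    return [n for n, bit in RIGHTS.items() if mask & bit]

def access_check(dacl, sids, desired):
    """Simplified DACL walk (hypothetical helper): ACEs are evaluated in order,
    a deny ACE that covers a still-ungranted requested bit fails the request,
    allow ACEs accumulate until every requested bit is granted."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
    return remaining == 0  # any bit left ungranted means ACCESS_DENIED

def demo():
    sids = {USER}
    return {
        "execute_only": access_check(DACL, sids, FILE_EXECUTE | SYNCHRONIZE),
        "execute_and_read": access_check(DACL, sids, FILE_EXECUTE | FILE_READ_DATA | SYNCHRONIZE),
        "copy_contents": access_check(DACL, sids, FILE_READ_DATA | SYNCHRONIZE),
    }
```

In this model the ACL still permits an open that asks only for `FILE_EXECUTE`; the request is refused as soon as the opener also asks for `FILE_READ_DATA`, which matches the `ACCESS_DENIED` the post traces to a read attempt inside `CreateProcess`.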
  3. j.col70 Win User
    j.col70, Oct 7, 2023
    #3
  4. Cannot execute file when FILE_READ permission is removed on Windows 7 or newer

    cannot access file/or permissions

    I have a file I need to run on Windows 7 Home Premium. I get the error message saying "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

    So I right click and choose Properties to access the permissions but I cannot. In the Security tab I get a message saying, "You do not have permission to view or edit this object's permission settings."

    Next I boot into the Windows 7 Hidden Administrator Mode - and even with this I get all the same error messages.

    Please help me as I really need to run this file.
     
    John Phoenix, Oct 7, 2023
    #4