Windows Trust Boundaries

Understanding Windows trust boundaries is important for a penetration tester, as security vulnerabilities are usually found where data or control crosses one of these boundaries. As an application developer, understanding them will help you develop more secure applications. I have never found this information consolidated anywhere, hence this blog post.

                 High Integrity (Admin)        Medium Integrity (User)   Low Integrity (Sandboxed)
File System      Program Files directory       ProgramData directory     AppData\LocalLow directory
                 C:\Windows directory                                    Temporary Internet Files directory
Registry         HKLM hive                     HKCU hive
Processes        Services / Scheduled Tasks    Scheduled Tasks

This table is generally accurate, but there are exceptions to the rule. Some services run as Network Service or Local Service rather than SYSTEM, and specific applications lock down their own ProgramData folder so that only High Integrity processes can access it. Understanding this makes the hunt for vulnerabilities easier. If you see a High Integrity process reading from the ProgramData folder or the HKCU hive, it is consuming input that a Medium Integrity user may control, and there is an opportunity for vulnerabilities to exist. Likewise, if you can write to an application's Program Files folder or to its subkeys in the HKLM hive as a Medium Integrity user, there is a similar opportunity.

HKCR is not a real hive but a merged view of HKLM\Software\Classes (machine-wide) and HKCU\Software\Classes (per-user). When both define a key, the HKCU entry wins on read, and writes through HKCR land in HKLM\Software\Classes unless the key already exists under HKCU\Software\Classes. Which HKCU is consulted depends on the process token: an elevated admin process uses the same user hive as the Medium Integrity session it was launched from, while a service running as SYSTEM has its own profile. This article provides more information. It is important to trace the registry key down to the actual HKLM/HKCU key to determine whether there is an opportunity for vulnerabilities to exist.
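The two hunting steps above, looking for spots under High Integrity roots that a Medium Integrity user can write, and tracing an HKCR key back to the HKLM or HKCU key that backs it, as a script. This is an added example, not code from the original post: the function names and the $MediumPrincipals group list are my own assumptions, and the ACL check is an approximation (Allow ACEs only, no Deny evaluation, no group-membership expansion) that flags candidates for manual confirmation rather than proving exploitability.

```powershell
# Added example (not from the original post): hunt for trust-boundary
# crossings from a Medium Integrity (non-elevated) PowerShell prompt.
#  1. Find-WritableByMediumIntegrity lists objects under High Integrity
#     roots (Program Files, HKLM) whose ACL grants write-style rights to
#     groups every Medium Integrity user token carries.
#  2. Resolve-HKCRKey maps an HKCR path to the HKCU or HKLM key that
#     actually backs it, so you can tell who really controls it.
# Requires Windows PowerShell 5.x or PowerShell 7 (Get-ChildItem -Depth).

# Groups present in an ordinary interactive user's token (assumption: the
# ACLs of interest name these well-known groups rather than custom ones).
$MediumPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Rights that let a principal tamper with an object: replace or append its
# content, delete it, or rewrite its DACL/owner. The two extra bits are
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000), which ACEs
# sometimes carry unmapped.
$FsWriteMask  = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$FsWriteMask  = $FsWriteMask -bor 0x10000000 -bor 0x40000000
$RegWriteMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$RegWriteMask = $RegWriteMask -bor 0x10000000 -bor 0x40000000

function Find-WritableByMediumIntegrity {
    param(
        # Filesystem directories or registry PSDrive paths such as HKLM:\SOFTWARE.
        [Parameter(Mandatory)][string[]]$Path,
        [int]$Depth = 2
    )
    foreach ($root in $Path) {
        if ([string]::IsNullOrEmpty($root) -or -not (Test-Path -LiteralPath $root)) { continue }
        $items = @(Get-Item -LiteralPath $root -ErrorAction SilentlyContinue) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Depth $Depth -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $isReg = ($item.PSProvider.Name -eq 'Registry')
            try { $acl = Get-Acl -LiteralPath $item.PSPath -ErrorAction Stop } catch { continue }
            foreach ($ace in $acl.Access) {
                # Approximation: only Allow ACEs are considered; a matching
                # Deny ACE earlier in the DACL would still block access.
                if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
                # InheritOnly ACEs apply to future children, not to this object.
                $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
                if ((([int]$ace.PropagationFlags) -band $inheritOnly) -ne 0) { continue }
                if ($MediumPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                if ($isReg) { $rightsName = $ace.RegistryRights;   $mask = $RegWriteMask }
                else        { $rightsName = $ace.FileSystemRights; $mask = $FsWriteMask }
                if ((([int]$rightsName) -band $mask) -ne 0) {
                    [pscustomobject]@{
                        Path      = ($item.PSPath -replace '^.*::', '')
                        Principal = $ace.IdentityReference.Value
                        Rights    = $rightsName
                    }
                }
            }
        }
    }
}

function Resolve-HKCRKey {
    # Returns the key a read of HKCR\<RelativePath> actually hits from this
    # user's point of view. Per-user classes (HKCU\Software\Classes) shadow
    # machine-wide ones (HKLM\Software\Classes), and a Medium Integrity user
    # can create keys under HKCU, so Scope = 'User' or 'Missing' means an
    # elevated process of the same user that consults this key follows user
    # input. (A SYSTEM service has its own HKCU, so this check is for the
    # elevated-same-user case.)
    param([Parameter(Mandatory)][string]$RelativePath)
    $rel = $RelativePath -replace '^(HKCR:?|HKEY_CLASSES_ROOT)\\', ''
    $candidates = [ordered]@{
        User    = "HKCU:\Software\Classes\$rel"
        Machine = "HKLM:\Software\Classes\$rel"
    }
    foreach ($scope in $candidates.Keys) {
        if (Test-Path -LiteralPath $candidates[$scope]) {
            return [pscustomobject]@{ Scope = $scope; Key = $candidates[$scope] }
        }
    }
    # Absent from both: the HKCU path is where a user could plant it.
    return [pscustomobject]@{ Scope = 'Missing'; Key = $candidates['User'] }
}

# Usage (run as the ordinary user, not elevated). 'txtfile' and '.txt' are
# real keys present on every Windows install, used here only as samples.
Find-WritableByMediumIntegrity -Path $env:ProgramFiles, ${env:ProgramFiles(x86)}, 'HKLM:\SOFTWARE' -Depth 2 |
    Format-Table -AutoSize
Resolve-HKCRKey -RelativePath '.txt'
Resolve-HKCRKey -RelativePath 'txtfile\shell\open\command'
```

Anything the first function reports still needs a manual check: a Deny ACE, a stricter ACL on the parent, or a mandatory label above Medium can all make a flagged entry unusable, and conversely a locked-down container may contain a file with a weak explicit ACL that a Depth-limited scan never reaches.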

Most people only look for privilege escalation vulnerabilities, but an application denial of service is also possible. If you can delete the file, hold a lock on it, or change its permissions as a Medium Integrity user, the High Integrity application that depends on it might fail to start, terminate or crash.

Certain classes of software are more susceptible to these vulnerabilities. Antivirus software has to run at High Integrity (or as SYSTEM) to terminate malicious processes, yet it also has to open files in Medium Integrity folders to scan them for malicious content. Printer software is another area of concern: the Print Spooler runs as SYSTEM (System integrity level) while users install printers and print documents at Medium Integrity.