Manage Windows Vista's Integrity Levels with chml utility

Windows Vista includes a new notion of what were originally called "Mandatory Integrity Controls" but eventually became "Windows Integrity Levels." Under WIL, every object that have permission can also have a label that identifies its "integrity level." Files and folders have integrity levels, as do users and processes.  It is, thus, a sort of set of […]

Windows Vista includes a new notion of what were originally called "Mandatory Integrity Controls" but eventually became "Windows Integrity Levels." Under WIL, every object that have permission can also have a label that identifies its "integrity level." Files and folders have integrity levels, as do users and processes.  It is, thus, a sort of set of uber-permissions, albeit a simple one.

You can use chml "right out of the box" to view a file or folder's integrity level just by typing chml fileorfolder, as in

C:\>chml \windows\notepad.exe

But if you want to modify an object's integrity level, then you'll need to give your user account a new-to-Vista permission, "Modify an object label."  You can find that in the "User Rights" part of Group Policy on a Vista machine.  Or, in a few more words:

  1. Open gpedit.msc
  2. Navigate to Computer Configuration / Windows Settings / Local Policies / User Rights Assignment
  3. In the right-hand pane, you'll see an entry "Modify an object label;" open it
  4. By default, there are no user accounts listing with this privilege.  Add your user account.
  5. Close the Group Policy Editor
  6. Log off, then back on to finish getting the new privilege on your logon token.

Downloadchml | Full Article