Windows Vista includes a new notion of what were originally called “Mandatory Integrity Controls” but eventually became “Windows Integrity Levels.” Under WIL, every object that have permission can also have a label that identifies its “integrity level.” Files and folders have integrity levels, as do users and processes. It is, thus, a sort of set of uber-permissions, albeit a simple one.
You can use chml “right out of the box” to view a file or folder’s integrity level just by typing chml fileorfolder, as in
But if you want to modify an object’s integrity level, then you’ll need to give your user account a new-to-Vista permission, “Modify an object label.” You can find that in the “User Rights” part of Group Policy on a Vista machine. Or, in a few more words:
- Open gpedit.msc
- Navigate to Computer Configuration / Windows Settings / Local Policies / User Rights Assignment
- In the right-hand pane, you’ll see an entry “Modify an object label;” open it
- By default, there are no user accounts listing with this privilege. Add your user account.
- Close the Group Policy Editor
- Log off, then back on to finish getting the new privilege on your logon token.