Solved Another cure for "Open File - Security Warning" Prompt Blues : ICACLS

Another cure for "Open File - Security Warning" Prompt Blues : ICACLS

I've been plagued with shortcuts that seem hellbent on making me want to turn off security settings in Windows 7 that are better left on.

Does this sound woefully familiar?

Well - here is THE CORRECT WAY (especially if the elusive "Unlock" option never presents itself - I certainly have never seen it on any property pages!)

Open an elevated command prompt window.

cd to your shortcut folder.

run the command:

C:\Users\YourName\Desktop\AFolder> icacls MyLink.lnk /L /SetIntegrityLevel med

You can use wildcards, but take care WHERE you do this. Also REMEMBER THE /L OPTION, because that ensures you are processing the shortcut, not the "addressed" program or file pointed to by the shortcut.

Note that the trick is in the (slightly counter-intutive) MEDIUM setting (med) rather than setting it LOW (which is what it often defaults to, thus causing the problem).

Personally, I like to create folders full of "themed" shortcuts on my desktop. Unfortunately, the default behaviour is that any shortcut moved to or created in such subfolders of the desktop(on my system at least) default to low integrity. You have to RAISE the integrity of the shortcuts to stop the endless tedious prompting.

If you cd to a folder full of shortcuts and further subfolders to that folder are also full of shortcuts, then using an asterisk (whilst potentially dangerous anywhere else) will update the ACLS for ALL the shortcuts - and apparently those in subfolders too (because such things are inherited via the folders by default). If that doesn't work for you, then cd down to the subfolder concerned and use the asterisk again.

Happy shortcutting!

AWESOME!


It works!

Finally! Thank you.

After installing Windows Server 2012 Essentials at home and joining a Windows 7 laptop to the domain with Folder Redirection and Offline Files enabled, I have spent days trying to find out why desktop shortcuts pointing to files on the server gave me the Open File warning. I could launch files from the Start Menu (which has been redirected to the server that contains the executables) but I could not launch them from the desktop (i.e., C:\Users\Public\Desktop\*.lnk pointing to a UNC). I've changed security settings on the local machine. I have changed group policies for local machine zone, intranet zone, and trusted site zone to no avail. I enabled launching unsafe executables. Nada. Ahhh, but one magic command line later...

So much frustration; such a simple fix. I suppose I need to go back and remove the Zone customizations to make sure it wasn't a combo solution rather than one magic bullet, but at least I now have an existence proof that it's possible.

I felt obliged to register at the site in order to say Thank You. So, "Thank you for posting this solution!"

Thank you Papoon for joining our great Forum.
Happy you got the answer you were looking for.
Hang around and do some looking because their are bunches of great information can be gathered here.
I must warn you this Forum can be addictive.
Happy computing
Layback Bear

The problem I have found with this solution is that I often use the Desktop as a workspace, clearing it away later. So any new files don't get updated in this way. What I'd really like is to turn on this "feature".

Untested observations follow: My subsequent reading on file integrity in Windows implicates Internet Explorer running in Protected Mode. I haven't experienced the problems you describe but I tend to use Chrome instead of IE so I don't think files saved to my Desktop would get marked with low integrity. If you're not using protected mode IE to create those desktop files I have even less to suggest. Maybe you could use icacls to explicitly set file integrity on the Desktop folder(s) to medium and make that inheritable. It seems possible, but I've not thought through the security consequences of doing so.

Like Papoon, I registered just to say THANK YOU.

Another way to deal with Integrity Levels (chml)

Old thread but another thanks to BigAlUK for his post! The option to set Integrity Levels (IL) to medium is so much better than the many other various recommendations to disable the security prompts. Changing IL levels actually fixes the issue instead of just masking it. (well, for the most part that is ... don't know what exactly causes this bit to get set in the first place other than as Papoon stated, think it is related to Internet Explorer running in protected mode)

With that said... there is another way to get the exact same result that I haven't read about in any forum or posts relating to these security prompts. It works when dealing with folders or files that are not themselves within another folder that has an IL set to low (an explicit IL set). The icalcs option above sets an IL to low, but how about we just remove the IL all together and return the folder back to its original state! This might be considered a "cleaner" way of doing it, though I haven't found how without a 3rd party program. Good news is that there is a free, simple, small, and from a trustworthy source way to remove an IL.

Grab chml.exe from minasi.com/apps and from command prompt run:

Code:

chml PathToFolderOrFile -rl

<Side Note>It's written by the "famous" Mark Minasi (at least from my day, learned a lot from him) of the "Mastering Windows xxx" series of books.</Side Note> You do need to be an an administrator to run this command if I understand correctly. (the "rl" stands for "remove label" and chml stands for "change mandatory label" using Vista-era naming)


I've ran across several machines in the past at my school district that started displaying the warning boxes when dealing with files on the Desktop folder (including shortcuts). Sure enough, showed the folder had a Mandatory Integrity Label of Low set. A quick took care of the problem, no more security prompts! It had been awhile since I had figured out this solution when I ran into it again today. I had actually forgotten how I had fixed it and had to so some digging again. So, this post is partially for my own benefit but also hoping it might be useful for someone else as well.

Thanks people for all the positive feedback - kinda makes my day, no matter how old the original post And thanks for the further enlightenments on the subject, too!

All work fine on the Start Menu, but not on the Taskbar

Reading this forum gives me hope that I can solve this ongoing problem, but I'm not there yet.
If I choose the programs from the Start Menu, i'm fine.
But for some of the six or seven pinned programs on the Taskbar at the bottom, I get that rotten Security Alert. But i cannot figure out where on my computer those options are stored to do the
"icacls *.lnk /L /SetIntegrityLevel med"
thing. I've tried it on a number of folders where i find shortcuts to the explorer.exe and firefox.exe,
but no improvement. And I can't find anything in searching called explorer.lnk, if that's a thing.
~
Extra odd: It only does it for a few of the icons there. I can open Outlook, Word and Excel on the pinned icons, no problem. But Exploring, Snipping Tool, and Firefox all give me that warning.

Advice would be so appreciated.
Win 7 64 bit here.

miloshapiro said:

If I choose the programs from the Start Menu, i'm fine.
But for some of the six or seven pinned programs on the Taskbar at the bottom, I get that rotten Security Alert. But i cannot figure out where on my computer those options are stored to do the
"icacls *.lnk /L /SetIntegrityLevel med" thing.
~
Extra odd: It only does it for a few of the icons there. I can open Outlook, Word and Excel on the pinned icons, no problem. But Exploring, Snipping Tool, and Firefox all give me that warning.

Click to expand...

Since I don't have this particular problem (and I'm a little surprised that you do) I cannot really give a definite answer. But here's a few clues:

• The taksbar folder is located at %AppData%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar. So you could try using the trick upon the content of that folder directly. Don't change the folder's security (unless it is suspicious), just the files in it. I don't know what side effects may occur if you reduce or increase the security of the folder itself, and it is probably best not to find out.
• If what you are pinning has been marked in some way as "from the internet and unsigned" it gives Windows an excuse to worry about security. Try removing the pinning, shutting down the program, and then putting a shortcut in a desktop folder, use the trick upon it, and only then use it to start a program that you then pin on the taskbar.
• If there's anything peculiar attached to the actual executable file via NTFS ADS (Google it, tho' it should not usually in itself cause a problem) then you can clear all that out by MOVING the file to a FAT drive and then moving it back to the NTFS drive. That's the easiest and quickest way to kill off all streams under ADS.
• Finally, where does the EXE reside (not the shortcut) that you are effectively pinning to the taskbar? Is it where most programs are - the protected area under Program Files or Program Files (x86)? Or is it on an external source such as a NAS or a networked PC elsewhere. This might also be prompting Windows to be a pain about security. Put the program somewhere local and possibly hand-place it into an appropriate place under the programs folders.
• Last of all (and really this should have been first!) check that the shortcut is not configured for "Run As Administrator" under either the advance settings or the compatibility settings. Also check that Windows hasn't slapped compatibility settings of ANY kind upon the EXE itself - if it has, you may be onto a loser. In the same vein, consider whether the developer has implanted a Manifest with the EXE that causes it to demand to be elevated whenever it is run. This incidentally might in some circumstances cause additional issues if the developer has not also provided some kind of application security certificate. All of these last cases come under the hat of "legitimate" UAC causes. Windows is, after all, trying its level best to protect you.

I am intrigued, so if you do manage to work it out or have any further info, then please post again

The resolution to this YEARS old problem was in your first bullet, though I appreciate all the work you put in!
When I searched for these shortcuts and looked at every occurrence of them (yielding no improvement), I was stuck.
But the one you suggested:
C:\Users\[my user account]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar
does not show any results even though it's there. AppData is grayed out in Microsoft Exploring for some reason, keeping my search from showing what's in it. I don't know why AppData is treated differently but, as you know, what I needed was in there!


So I set the prompt to the right place:

>cd C:\Users\[my user account]\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar


I ran the command
>icacls "*.lnk" /L /SetIntegrityLevel med


and without even having to unpin and repin, the icons all stopped giving me the error. What a relief to be done with that!
Thanks! I just pray that whatever did that to my icons doesn't come back or happen in the future if i ever create icons again, but at least i know what I can do (double pray that it lasts so that I don't get it back at the next reboot!)