Bug in detection of "User Writeable" FilePaths in WDAC

Copper Contributor

When using WDAC FilePath fules, WDAC detects whether the filepath is user writable or not, as documented here: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows) - Windo... under "More information about filepath rules".


I seem to have found a bug where WDAC incorrectly detects a path as user writeable when it is not.


If a filepath uses SID S-1-3-4 "OWNER RIGHTS", and where OWNER RIGHTS has "Write", WDAC detects it as user writable. This can be incorrect (depending on who the owner is?). In my case it is the built-in Administrators group S-1-5-32-544, which is listed by WDAC as being "admin". Therefore, a folder/file with "write" OWNER RIGHTS where owner is an admin is NOT user writable ... but WDAC appears to think it is.


Not to mention that as a general rule the owner always has write permissions on its own files anyways ... at worst OWNER RIGHTS removes permissions from the owner, where event he owner could not write, which is even more secure! ... So the simple solution might be to add S-1-3-4 to the list of SIDs detected as admin by WDAC?


There is the option of working around this in a supplementary rule, since option 18 can be applied to a supplementary rule only, but fixing the underlying design would still be preferable IMO.



0 Replies