Why can't I drag/drop a file for editing in notepad in Windows Server 2008?


Solution 1

The inability to "drag and drop" from Explorer to an elevated Notepad window is a manifestation of the user interface privilege isolation (UIPI) feature. It's in the OS to prevent a less-privileged application from sending arbitrary "messages" (in the sense of operating system / application inter-process communication) to another, higher-privileged application. If the higher privileged application handled a message improperly it might be possible for the less-privileged application to cause the higher-privileged application to execute arbitrary code on its behalf (these types of attacks are referred to as shatter attacks, so named in a 2002 paper describing the method of attack in then-current versions of Windows).

You can think of it a little bit like a "firewall" between applications running with a lower "integrity level" (unprivileged) and those with a higher integrity level (elevated).

If you REALLY want an elevated Windows Explorer, do the following:

  • Start a command-prompt elevated and leave it open.
  • Start Task Manager and elevate it by going to the "Process" tab and clicking "Show processes from all users".
  • Highlight and kill all instances of Explorer.Exe using Task Manager.
  • From the still-open elevated command-prompt window, enter "Explorer" and press <ENTER>.

Explorer will re-open elevated.

Solution 2

If you don't want to disable UAC, you could try just disabling UIPI (User Interface Privilege Isolation).

Open regedit and go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Add a new DWORD (32-bit) Value called EnableUIPI and set it to 0.

Restart the machine and see if it behaves as you want it to.
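An added example, not code from either answer above: a PowerShell audit that reports the EnableUIPI policy value from Solution 2 (so you can tell whether the integrity-level "firewall" from Solution 1 has been switched off on a server) and the integrity level of the current session, plus a helper that removes the override. It assumes only the registry path quoted above; the function names are made up for this example.

```powershell
# Added example (not from the original answers). Audits the EnableUIPI policy
# described in Solution 2 and reports the mandatory integrity label of the
# current session. Restoring the default needs an elevated session and a reboot.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UipiPolicy {
    # A missing value means the default (UIPI enabled); 0 means it was disabled.
    $item = Get-ItemProperty -Path $PolicyKey -Name 'EnableUIPI' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Enabled = $true }
    }
    [pscustomobject]@{ Value = $item.EnableUIPI; Enabled = ($item.EnableUIPI -ne 0) }
}

function Get-SessionIntegrityLevel {
    # whoami /groups lists the mandatory label: Medium = normal user session,
    # High = elevated (UAC-approved) session.
    $label = (whoami /groups /fo csv | ConvertFrom-Csv) |
        Where-Object { $_.'Group Name' -like 'Mandatory Label\*' } |
        Select-Object -First 1
    if ($label) { $label.'Group Name' -replace '^Mandatory Label\\', '' } else { 'Unknown' }
}

function Restore-UipiDefault {
    # Deleting the override puts UIPI back to its default (enabled) state.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (High integrity) PowerShell session.'
    }
    Remove-ItemProperty -Path $PolicyKey -Name 'EnableUIPI' -ErrorAction SilentlyContinue
    Write-Output 'EnableUIPI override removed; restart the machine to apply.'
}

$uipi = Get-UipiPolicy
$shown = if ($null -eq $uipi.Value) { 'not set (default)' } else { $uipi.Value }
Write-Output ("EnableUIPI: {0}; UIPI enabled: {1}" -f $shown, $uipi.Enabled)
Write-Output ("Current session integrity level: {0}" -f (Get-SessionIntegrityLevel))
if (-not $uipi.Enabled) {
    Write-Warning 'UIPI is disabled on this machine; low-integrity processes can message elevated windows.'
}
```

Run it once from a normal session and once from an elevated one to see the Medium/High label change; call Restore-UipiDefault from the elevated session if the audit warns.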

Solution 3

This was a problem on Vista, and I guess it's made its way to Server 2008 as well. Basically you can't run Explorer elevated. You get the security option to do it, and it seems to have worked when you do so, but actually you still end up with a standard (non-elevated) Explorer window, hence the problem you're having.

The workarounds I have had to use in the past have involved either using the Save As Explorer windows in your elevated Notepad session, as this is also elevated, or using an elevated command prompt to create files, but none of these will fix your drag and drop issue obviously. It's a pretty crappy bug that's been about for some time; I don't know why they don't fix it so you can run an elevated instance of Explorer.

Solution 4

I think the problem is that when you run programs as administrator they are still running in the same window station as all your other programs. Explorer will only allow itself to be run once in any window station, i.e. one instance of explorer.exe, so you cannot run an elevated copy of Explorer.

There's a tendency to complain about the intrusive aspects of user access control, but security always comes at a price. I must admit that I turn UAC off on servers that are rarely logged into, because I trust myself not to do anything stupid. I do leave UAC on for terminal servers, and I'm more than happy to put up with the minor hassles this entails.


Updated on September 17, 2022


  • Triynko
    Triynko almost 2 years

    When notepad is run, I can drag/drop a file to open it, but then it can't save the file. When I run notepad elevated to save the file, I can no longer drag/drop to open the file.

    I understand it's a security risk to drag a file from a non-elevated program to an elevated program; however, when I run explorer elevated as well, I still cannot drag/drop to elevated notepad.

    Why doesn't the OS allow two elevated programs to exchange information via drag/drop? I'm seriously considering going back to using Windows Server 2003 over this.

    Edit: Seems that two elevated programs can exchange info; explorer was just failing to elevate. Once explorer is elevated, files can be dragged from explorer to an elevated notepad.

    • user1124702
      user1124702 almost 15 years
      I just tried this on a Windows 2008 server without issue. I created a new text file on the desktop, ran notepad, dropped the file over, edited it and saved it. Is there something I'm missing?
    • Triynko
      Triynko almost 15 years
      Yeah, you don't need permission to edit files on your desktop. We're talking about files that require elevated privileges to edit, such as a web.config file in a wwwroot directory. Un-elevated notepad can read the file, but cannot write changes to it.
    • Sam Cogan
      Sam Cogan almost 15 years
      If you are running as an administrator or privileged user then this will work; it's when you are running as a restricted user, and want to elevate your permissions, that problems occur.
    • Triynko
      Triynko almost 15 years
      My user account is a member of the administrators group, and I am experiencing this problem. Face it, UAC is broken. The only way this will work is to turn off UAC, which I think is what you're suggesting I have to do in order to be running "as an administrator".
  • Triynko
    Triynko almost 15 years
    No, that's a cop-out. A "hassle" would be if I had to click a security confirmation to have the drag/drop work. The behavior I'm seeing is just senseless. I can read a restricted file elevated, but can't save it, but then I can save it, but not read it with a drag/drop. I run explorer elevated, and it appears to complete, but then apparently it is not elevated. Turning off UAC for administrative accounts defeats its purpose, which is to prevent applications launched (knowingly or unknowingly) by administrative accounts from performing administrative operations without user confirmation.
  • Triynko
    Triynko almost 15 years
    I REALLY wanted an elevated explorer, when I right-clicked explorer.exe and chose "Run As Administrator". The OS just ignored me and didn't bother to explain why it wouldn't work, let alone provide any indication that it didn't. Thanks for the tip. Now, the problem is that with an elevated explorer, every program I run is elevated by default. For example, I ran notepad as administrator, but never received a security prompt, and it's clearly elevated, as it can save files requiring administrative privileges. This is no different than turning UAC off.
  • Triynko
    Triynko almost 15 years
    The real problem is with the OS security design. Executing code modules, not user accounts, should be assigned access permissions. Users don't access anything... executing code accesses things. Instead of a simple "are you sure" prompt for administrative privileges, what should be there is a tool for assigning access permissions to executables. This has been the problem from the beginning. With a proper design, there's no reason why deterministic digital hardware can't be 100% secure, even when networked. Maybe Chrome OS will get it right.
  • Triynko
    Triynko almost 15 years
    I don't even need to start an elevated command prompt to run elevated explorer. I just open task manager (unelevated by default), kill explorer, then click show processes for all users, which re-opens task manager elevated, then run explorer from the elevated task manager, which starts explorer elevated.
  • Triynko
    Triynko almost 15 years
    I'm not editing system files. I'm editing files in my web site's root folder (wwwroot). The default permissions give write access only to Administrators, System, and TrustedInstaller. I don't want non-administrators to have write access, so the permissions are fine, but thanks to UAC and UIPI's poor design, doing something simple like dragging a config file into notepad becomes impossible or results in confusing behavior or uninformative error messages.
  • Triynko
    Triynko almost 15 years
    UAC, as I see it, is meant for one type of user... administrators. It allows administrators to do most things as standard users (which makes running programs like Internet Explorer less risky), and notifies them with a big irritating box when something is about to happen that requires their administrative privileges. Of course applications can circumvent it, because the OS still assigns security privileges to users, rather than applications, and I already made a comment about that.
  • Triynko
    Triynko almost 15 years
    Thanks, but my whole point is that I shouldn't have to compromise the system's security just to drag/drop a file into notepad for editing as an administrator. It's as though this has never been tested, and it's certainly never been fixed.
  • Triynko
    Triynko almost 15 years
    Then again, I may as well disable it, since it's useless, because apparently medium-level processes (run by standard users) can just call ChangeWindowMessageFilter to allow messages through to elevated processes, allowing them to be hijacked. It would be real easy to write something to hijack visual studio or anything that is probably running elevated, and send a bunch of WM_KEYDOWN commands to open a file dialog and delete all the files on the hard-drive when the user locks their computer, lol.
  • Triynko
    Triynko almost 15 years
    Yeah, that's pretty much exactly what happened. Although you can run explorer elevated, as Evan mentioned, after killing off all the processes first and restarting it with an elevated task manager or command prompt.
  • John Rennie
    John Rennie almost 15 years
    I certainly agree that the drag-drop problem seems odd. If I get time today I'll try it on our terminal server. Given that the elevated apps are sharing the same window station you ought to be able to drag drop between elevated and non-elevated.
  • Jon Tackabury
    Jon Tackabury almost 15 years
    @Triynko: You have it backwards. The high priority process has to call ChangeWindowMessageFilter to allow certain messages through from lower priority processes. The medium level process can't call it and magically gain access to the high level process.