Windows file permissions: High Mandatory Level

I encountered a problem when following the guide: WinPE: Create a Boot CD, DVD, ISO, or VHD


I chose to create a new .vhdx file directly under C:\ for testing in Hyper-V

Later I moved the .vhdx file to C:\Hyper-V

I actually got this dialog when moving the file, but just went ahead with Continue without considering the implications.

[Screenshot: Administrator permission to move this file]

When I tried to attach the .vhdx to a virtual machine I got this error message:

[Screenshot: User Account does not have permissions]

Failed to modify device ‘Virtual Hard Disk’.

User Account does not have permission to open attachment.

I checked the file permissions and noticed:

[Screenshot: High Mandatory Level]

Integrity level: High Mandatory Level

I also checked the permissions with:

C:\>icacls c:\Hyper-V\WinPE_amd64_PS.vhdx
c:\Hyper-V\WinPE_amd64_PS.vhdx BUILTIN\Administrators:(I)(F)
                               NT AUTHORITY\SYSTEM:(I)(F)
                               BUILTIN\Users:(I)(RX)
                               NT AUTHORITY\Authenticated Users:(I)(M)
                               Mandatory Label\High Mandatory Level:(I)(NW)

Successfully processed 1 files; Failed processing 0 files

The high integrity level was causing the problem, but how to remove it?

The easiest solution was to lower the integrity level with:

icacls c:\Hyper-V\WinPE_amd64_PS.vhdx /setintegritylevel medium

After that the file could be attached and used.
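
The same check and fix applied to a whole folder, as an added example that is not part of the original post. The function names are hypothetical, and the script assumes English-language icacls output in the format shown above and an elevated PowerShell prompt.

```powershell
# Added example, not from the original post. Assumes English icacls output and
# an elevated prompt. A file with no "Mandatory Label" line has no explicit
# label and is treated by Windows as medium integrity.
function Get-FileIntegrityLabel {
    param([Parameter(Mandatory)] [string] $Path)    # folder to scan

    foreach ($file in Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue) {
        $out = & icacls.exe $file.FullName 2>$null
        if ($LASTEXITCODE -ne 0) { continue }        # ACL could not be read: skip

        foreach ($line in $out) {
            # Matches e.g. "Mandatory Label\High Mandatory Level:(I)(NW)"
            if ($line -match 'Mandatory Label\\(?<level>\w+) Mandatory Level:(?<flags>(\([A-Z,]+\))+)') {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Level     = $Matches['level']
                    Inherited = $Matches['flags'] -like '*(I)*'
                    Flags     = $Matches['flags']
                }
            }
        }
    }
}

function Set-MediumIntegrity {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string] $Path)
    process {
        # -WhatIf previews the change without touching the file
        if ($PSCmdlet.ShouldProcess($Path, 'icacls /setintegritylevel medium')) {
            & icacls.exe $Path /setintegritylevel medium | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed for $Path" }
        }
    }
}

# Report first, then preview the change; drop -WhatIf to apply it.
# Get-FileIntegrityLabel -Path C:\Hyper-V | Where-Object Level -eq 'High'
# Get-FileIntegrityLabel -Path C:\Hyper-V | Where-Object Level -eq 'High' | Set-MediumIntegrity -WhatIf
```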


Conclusion

If a high integrity level on a file causes problems, it can be lowered with icacls.

Generally avoid creating files directly under C:\, because it can lead to problems like this.