When working with Windows 7 as an administrator, you'll notice network shares mapped under your standard user context become inaccessible when running elevated processes. This occurs because User Account Control (UAC) creates two completely separate security contexts:
// Standard user context (non-elevated)
Token: Restricted (Filtered) Token
Network drives: Visible
Security context: Medium Integrity Level
// Elevated context
Token: Full Administrator Token
Network drives: Not visible
Security context: High Integrity Level
The registry setting HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections (DWORD=1) modifies this behavior by:
- Creating a symbolic link between the two security contexts
- Sharing network connection information across integrity levels
- Maintaining drive letter mappings in elevated processes
Here's how to programmatically check and set this value:
using Microsoft.Win32;
public bool CheckLinkedConnectionsEnabled()
{
using (RegistryKey key = Registry.LocalMachine.OpenSubKey(
@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"))
{
return (int?)key?.GetValue("EnableLinkedConnections") == 1;
}
}
public void EnableLinkedConnections()
{
using (RegistryKey key = Registry.LocalMachine.CreateSubKey(
@"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"))
{
key.SetValue("EnableLinkedConnections", 1, RegistryValueKind.DWord);
}
// Requires reboot to take effect
}
While convenient, this setting does weaken UAC protections:
| Risk Factor | Impact |
|---|---|
| Elevation of Privilege | Potentially allows malicious code to access network resources |
| Information Disclosure | Shares credential information across contexts |
| Attack Surface | Expands possible exploitation vectors |
For more secure approaches consider:
// Method 1: Explicit credential usage
NetworkCredential creds = new NetworkCredential(username, password, domain);
using (new NetworkConnection(@"\\server\share", creds))
{
// Elevated operations here
}
// Method 2: Group Policy mapping
// Configure "Computer Configuration > Policies > Windows Settings >
// Security Settings > Network List Manager Policies"
- The setting requires a reboot to take effect
- Only affects network drives - local folder junctions remain separate
- Doesn't work with IP-based UNC paths (must use DNS names)
- Windows 8+ handles this differently through UAC virtualization
When working with Windows 7 in a local (non-domain) environment, administrators frequently encounter a frustrating limitation: network shares mapped under a standard user context become inaccessible to elevated processes. This occurs because User Account Control (UAC) creates separate security contexts:
// Demonstration of the context separation
HANDLE hToken;
if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
// Error handling
}
TOKEN_ELEVATION_TYPE elevationType;
DWORD dwSize;
if (!GetTokenInformation(hToken, TokenElevationType, &elevationType,
sizeof(TOKEN_ELEVATION_TYPE), &dwSize)) {
// Error handling
}
// Elevated processes get TokenElevationTypeFull
// Non-elevated get TokenElevationTypeLimited
The EnableLinkedConnections registry setting (located at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System) modifies this behavior by:
- Creating a symbolic link between the non-elevated and elevated network namespaces
- Allowing token sharing for network resource access
- Maintaining the security boundary for local resources
Implementation example to check the setting programmatically:
#include <windows.h>
#include <stdio.h>
BOOL IsLinkedConnectionsEnabled() {
HKEY hKey;
DWORD dwData, dwSize = sizeof(DWORD);
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
L"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System",
0, KEY_READ, &hKey) != ERROR_SUCCESS) {
return FALSE;
}
if (RegQueryValueEx(hKey, L"EnableLinkedConnections", NULL, NULL,
(LPBYTE)&dwData, &dwSize) != ERROR_SUCCESS) {
RegCloseKey(hKey);
return FALSE;
}
RegCloseKey(hKey);
return (dwData == 1);
}
While convenient, this setting does have security considerations:
| Benefit | Risk |
|---|---|
| Seamless network share access | Potential credential exposure between contexts |
| Simplified admin workflows | Reduced UAC isolation for network resources |
| Persistent drive mappings | Possible elevation path for malicious code |
To safely implement this solution:
- Create a PowerShell script to toggle the setting:
# EnableLinkedConnections.ps1
param (
[Parameter(Mandatory=$true)]
[ValidateSet("Enable", "Disable")]
[string]$Action
)
$regPath = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
$valueName = "EnableLinkedConnections"
if ($Action -eq "Enable") {
New-ItemProperty -Path $regPath -Name $valueName -Value 1 -PropertyType DWORD -Force
Write-Host "Enabled network share linking between elevated and standard contexts"
} else {
Remove-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue
Write-Host "Disabled network share context linking"
}
Remember that changes require a reboot to take effect. The setting specifically affects:
- Mapped network drives (both drive letters and UNC paths)
- WebDAV connections
- VPN-connected network resources
For environments where modifying this registry setting isn't desirable:
// Programmatic solution using explicit credentials
NETRESOURCE nr;
ZeroMemory(&nr, sizeof(NETRESOURCE));
nr.dwType = RESOURCETYPE_DISK;
nr.lpRemoteName = L"\\\\server\\share";
DWORD result = WNetAddConnection2(&nr, L"password", L"username", 0);
if (result != NO_ERROR) {
// Handle error
}
This approach maintains security isolation while providing access to needed resources.