{"id":24223,"date":"2007-12-11T10:00:00","date_gmt":"2007-12-11T10:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2007\/12\/11\/why-is-my-starting-directory-ignored-when-i-elevate-a-command-prompt\/"},"modified":"2007-12-11T10:00:00","modified_gmt":"2007-12-11T10:00:00","slug":"why-is-my-starting-directory-ignored-when-i-elevate-a-command-prompt","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20071211-00\/?p=24223","title":{"rendered":"Why is my starting directory ignored when I elevate a command prompt?"},"content":{"rendered":"<p>Take a shortcut to the command prompt or some other Windows component, right-click it, and select &#8220;Run as Administrator.&#8221; The &#8220;Start in&#8221; directory from the shortcut is ignored and you are always dropped into the system directory. Why is the starting directory ignored?\n To avoid a category of attacks (current directory attacks).\n According to <a href=\"http:\/\/msdn.microsoft.com\/library\/en-us\/dllproc\/base\/dynamic-link_library_search_order.asp\"> the dynamic link library search order documentation<\/a>, the current directory is searched in step&nbsp;five, after the executable directory, and a variety of system-defined directories. If a program calls <code>LoadLibrary<\/code> and does not pass a fully-qualified path, and the DLL cannot be found in one of the first four locations, the current directory will be searched. An attacker can drop a DLL into a directory and trick you into running a program with that directory as its current directory. When that program tries to load a library that normally doesn&#8217;t exist, the one the attacker created will be found and loaded. This is bad.<\/p>\n<p> Note that this behavior applies only to Windows binaries and only if they are launched through an elevation prompt. (Programs that are not a part of Windows do not receive this behavior because compatibility testing showed that third-party application rely heavily on the current directory being preserved across an elevation boundary. For example, installers will unpack their contents into a temporary directory, change to that temporary directory, and then run the main setup program.) <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Take a shortcut to the command prompt or some other Windows component, right-click it, and select &#8220;Run as Administrator.&#8221; The &#8220;Start in&#8221; directory from the shortcut is ignored and you are always dropped into the system directory. Why is the starting directory ignored? To avoid a category of attacks (current directory attacks). According to the [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-24223","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>Take a shortcut to the command prompt or some other Windows component, right-click it, and select &#8220;Run as Administrator.&#8221; The &#8220;Start in&#8221; directory from the shortcut is ignored and you are always dropped into the system directory. Why is the starting directory ignored? To avoid a category of attacks (current directory attacks). According to the [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=24223"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/24223\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=24223"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=24223"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=24223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}