Andy Ful
From Hard_Configurator Tools
Thread author
Verified
Honorary Member
Top Poster
Developer
Well-known
- Dec 23, 2014
- 8,598
Post updated.
Advanced users can configure Windows to open PDF documents only in AppContainer, and only from selected folders on NTFS disk (Windows and Program Files folders are hardcoded by default). This can be done by using Wsudo tool (from Privexec) and Sumatra PDF.
https://github.com/M2Team/Privexec/releases/tag/4.4.1
Of course, it is possible to use right-click "Open with" option and choose another PDF viewer to open any PDF file from any location.
Edit1.
It seems that Wsudo AppContainer has built-in access to "Windows" and "Program Files" folders. I can open documents from there without applying Icacls.
Edit2.
The SID of AppContainer can be found by opening CMD or PowerShell console and executing any file via Wsudo, for example:
Advanced users can configure Windows to open PDF documents only in AppContainer, and only from selected folders on NTFS disk (Windows and Program Files folders are hardcoded by default). This can be done by using Wsudo tool (from Privexec) and Sumatra PDF.
https://github.com/M2Team/Privexec/releases/tag/4.4.1
- Download Sumatra PDF installer and install it in "Program Files" folder (use Options button to change the default installation path). Choose Sumatra PDF as a default application to open PDF files.
- Copy the wsudo.exe (part of Privexec tool) to the Sumtra installation folder (C:\Program Files\SumatraPDF).
- Edit the registry Default value under the key:
HKEY_CLASSES_ROOT\Applications\SumatraPDF.exe\Shell\Open\Command
and replace its data with a path to Wsudo which executes SumatraPDF.
Code:"C:\Program Files\SumatraPDF\wsudo.exe" -u appcontainer "C:\Program Files\SumatraPDF\SumatraPDF.exe" "%1" %*
- Create the folder where you want to keep unsafe PDF files - I have chosen "D:\MyUnsafeDocuments". Use Icacls to give the "Modify" access of the AppContainer SID to this folder:
Code:icacls "D:\MyUnsafeDocuments" /grant *S-1-15-2-3622619446-392274758-2533929289-2204876399-3375125215-4247762128-2478433618:(OI)(CI)(M) /T
- Right mouse click on any PDF file choose Open with >> Choose another application >> select Windows sudo utility and tick "Always open files ....". This will make Wsudo+Sumatra the default application to open PDF files.
Of course, it is possible to use right-click "Open with" option and choose another PDF viewer to open any PDF file from any location.
Edit1.
It seems that Wsudo AppContainer has built-in access to "Windows" and "Program Files" folders. I can open documents from there without applying Icacls.
Edit2.
The SID of AppContainer can be found by opening CMD or PowerShell console and executing any file via Wsudo, for example:
Code:
Path2Wsudo\wsudo.exe -u appcontainer notepad
Last edited: