Thursday, July 19, 2007

Unable to create bookmarks in IE7 - "Unspecified Error"

I just had a somewhat interesting security problem in Vista that I thought I’d share.

The problem was in Internet Explorer when creating a bookmark, I’d receive a message “Unable to create [URL]. Unspecified error”. The problem only occurred in protected mode websites which led me to believe it might have been a permissions issue. Indeed, trying to propagate my local account with full access generated an Access is Denied error, so I replaced ownership on the folder successfully, however the problem was still occurring. A bit of research later and here is what I discovered in a nutshell


- Windows Vista introduces a new concept called “Integrity Level”. Basically, along with every ACL, there is also a “class” – this defines what types of applications can modify a particular file.

- By default, all files allow “Medium” or higher applications to modified them, however Internet Explorer running Protected Mode runs at a “Low” integrity level (basically, IE can only directly write to files with a Low integrity level associated with them, otherwise, the write has to go through the protected mode broker process which runs as a medium level application)

- The icacls command line utility (introduced in W2K2 SP2 and Vista) includes a new switch that allows you to set the integrity level

To resolve the issue, navigate to c:\users\USERNAME and run the following command against the favorites folder:

icacls Favorites /setintegritylevel (OI)(CI)low

The (OI) and (CI) stand for “object inherit” and “container inherit” respectively (propagate permissions basically), and the low is pretty obviously assigning a low integrity level requirement to the file.

[Updated: June 19, 2008 - Step-by-step instructions due to popular demaind]

Step-by-step Instructions

 

  1. Choose Start -> Run
  2. Type "cmd" (without the quotes) and press OK
  3. Navigate to your user folder.  By default, this is c:\users\Username.  In my case:

    cd /d c:\users\steven
  4. Run icacls:

    icacls Favorites /setintegritylevel (OI)(CI)low

 

The sequence should look like this:

icacls

24 comments:

Anonymous said...

thnx man u saved my day, had the same problem, succesfully resolved thnx to u.
cheers

Anonymous said...

Thank you really useful. Also worked for me. I've been struggling with the issue for a while. Regards

Anonymous said...

that solution is for window 2000 and vista. what about XP? is it same way or hav different solution for XP?

Anonymous said...

how do i run the command?

Steven Berkovitz said...

"that solution is for window 2000 and vista. what about XP? is it same way or hav different solution for XP?"

No, this solution is for Windows 2008 and Vista. It does not apply to Windows XP/2003/2000 - in these cases, just check your ACL's

"How do I run the command"

Start -> Run

Anonymous said...

Thanks!!! This worked great for me as well!

s. said...

It took me a while to recall the Dos commands to "navigate" to my favorites folder but when I finally did, this fix worked like a charm.

Thanks Steven, it's people like you that make the internet such a great resource!
scott.

Anonymous said...

Holy crap...this worked very well! Thanks

Anonymous said...

How do you "run against the favorties file" ??? Help

Alex said...

i've got my user account on a different drive rather than C. when I run that command there i get a message saying it failed to process Favorites :O(

any idea what I need to do?

Steven Berkovitz said...

I've updated the post to include step by step instructions

Alex said...

Thanks for that - that's exactly what I did. the thing is - I transferred my user directory to a different drive (E:) and I guess something went wrong with the permissions there - would u know?

E:\>cd Alex

E:\Alex>icacls Favorites /setintegritylevel (OI)(CI)low
Favorites: Access is denied.
Successfully processed 0 files; Failed processing 1 files

E:\Alex>

Steven Berkovitz said...

This is an indication that the ACL's (permissions) on your directory are incorrect.

Assuming you are an administrator, try:

icacls Favorites /grant Alex:F

Alex said...

cheers!

Kat said...

Thanks so much! You REALLY helped me with this! You rock!

jasond said...

Such a simple and perfect fix! Steven, thanks for posting this!

Anonymous said...

Awesome!!!!! Thanks a ton!!!

Anonymous said...

Worked great, thanks!

Anonymous said...

the first few times I attempted, it didn't work. the solution came in typing it exactly like this "icacls Favorites /setintegritylevel (OI)(CI)low" my failures were due to adding a spaces where I shouldn't

Louisa said...

Thanks so much! this fixed the problem once I put the spaces in the right places (or didn't put spaces where they shouldn't be)

Ed said...

Thank you that has been driving me crazy for days.

Nam said...

Hello everybody, i've had a problem with my computer: IE7 didn't add anything to Favorites although i've done any thing: C:\>cd Le Quoc Nam

C:\users\Le Quoc Nam
C:\icacls Favorites /setintegritylevel (OI)(CI)low
Could you help me? As soon as posible. Thanks a lot

Nam said...

here is my desktop about this: http://img23.imageshack.us/img23/3733/25356082rc9.jpg

Anonymous said...

Been struggling withthis problem for some time and your solution has been the only one that has worked...everything fine now...thanks again and greatly appreciated..