Windows, symlinks, and pain

2011-11-30

Yay, Windows supports symbolic links!

First problem: The only damn interface for this is a cmd.exe builtin. That’s right, mklink isn’t an executable, and there ain’t no other way to make a link without third-party tools. If you want to do it from, say, PowerShell, you have to do something stupid like add this to your PowerShell Profile:

function mklink {
    echo "(Running mklink from cmd.exe...)"
    cmd /c mklink $args
}

(It’s also been pointed out to me that there are third-party extensions which add the ability to deal with links, such as PowerShell Community Extensions, but come on. This should be first party stuff right here.)

Second problem: If you’re an administrator, you absolutely cannot do this without elevated privileges. “But no”, you say, “it says so right on that page you linked. All you have to do is edit security policy in secpol.msc.”

Yeah, well, I tried that. Here’s what Microsoft has to say about it:

After giving “Everyone” the privilege “Create symbolic link”, please reboot (or log off) and log in as a standard user, a user who is NOT a member of group “Administrators”. You should be able to create a symbolic link using mklink command in a directory where user has write permissions.

The reason a member of “Administrators” cannot create symbolic link is because “Create symbolic link” privilege is removed from the filtered token since user is a member of “Administrators” group. Section “Access Token Changes” of article at link http://msdn.microsoft.com/en-us/library/bb530410.aspx describes in more details on how filtered token is created.

So you’re telling me that you can change it so that a restricted user can create links (without elevation, obviously), but it’s just not possible at all to change it so an administrator can create links without elevating? And this is by design?

Are you fucking kidding me?
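
To see the filtered-token behaviour from the Microsoft reply on a given machine, here is a PowerShell script added as an example (not part of the original post). It reports whether the current token belongs to an Administrators member, whether it is elevated, and whether it still carries the "Create symbolic link" privilege, then tries mklink in %TEMP%. The function names Get-SymlinkTokenState and Test-Mklink and the temp file names are made up for this example.

```powershell
$SymlinkPriv = 'SeCreateSymbolicLinkPrivilege'   # "Create symbolic link"
$AdminsSid   = 'S-1-5-32-544'                    # well-known SID of BUILTIN\Administrators

function Get-SymlinkTokenState {
    # /nh drops the localized header row so the columns can be named here.
    $privs  = whoami /priv   /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
    $groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, Sid, Attributes

    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    New-Object psobject -Property @{
        # True when Administrators is in the token at all, even as deny-only.
        AdminMember  = [bool]($groups | Where-Object { $_.Sid -eq $AdminsSid })
        # True only when the Administrators SID is enabled, i.e. the full token.
        Elevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        # True when the privilege is present in this token (enabled or disabled).
        HasPrivilege = [bool]($privs | Where-Object { $_.Name -eq $SymlinkPriv })
    }
}

function Test-Mklink {
    # Attempt a real link in %TEMP%, where the user has write permission.
    $target = Join-Path $env:TEMP ("symlink-target-{0}.txt" -f $PID)
    $link   = Join-Path $env:TEMP ("symlink-test-{0}.txt" -f $PID)
    Set-Content -Path $target -Value 'constructed test file'
    cmd /c mklink "$link" "$target" 2>&1 | Out-Null
    $ok = ($LASTEXITCODE -eq 0)          # mklink returns non-zero when it is refused
    Remove-Item $link, $target -ErrorAction SilentlyContinue
    $ok
}

$state = Get-SymlinkTokenState
$state | Format-List AdminMember, Elevated, HasPrivilege
if ($state.AdminMember -and -not $state.Elevated -and -not $state.HasPrivilege) {
    'Filtered administrator token: the privilege was stripped, so mklink needs elevation.'
}
"mklink works from this shell: $(Test-Mklink)"
```

Run it once from a normal shell and once from an elevated one, before and after changing the policy in secpol.msc, and compare the HasPrivilege line.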