Test Environment:
- Windows 10 professional edition x64, True
- Windows Server 2003 R2 x86, False
- Windows Server 2008 R2 Enterprise x64, False
- Windows Server 2008 R2 DataCenter x64, True
There are 2 (or 3, depending on x86 or x64) copies of notepad.exe under Windows\, namely Windows\notepad.exe, Windows\System32\notepad.exe and Windows\SysWOW64\notepad.exe. In the environments above marked as True, all of them show the behavior below.
Behavior:
When I copy notepad.exe (to any location), the copied executable will not launch when executed, no matter where I put it. There is no warning, and no process is created. For this I checked several settings:
- File permission.
  - The file permission looks OK, i.e. it has the execution permission set.
- File ownership.
  - Actually this should be irrelevant, but just in case, I checked it: the owner of the original notepad is "TrustedInstaller", and the copied executable's owner is the Administrator Group. Granting ownership back to TrustedInstaller didn't help, either.
- Software Restriction Policy & AppLocker Policy.
  - There are no such policies on my system when I use gpedit.msc to check them. (I thought of hidden defaults, but that theory won't hold, as it does not seem to be the case for other executables in System32, such as calc.exe, cmd.exe, etc.)
Other Behaviors:
I have tried launching the copied executable using cmd/powershell/start, but to no avail.
I tried copying cmd.exe, calc.exe, other executables in System32 and other random executables I have to system32/; only notepad.exe seems to show this behavior.
I tried to takeown the original notepad.exe and rename it to notepad2.exe; then it won't launch. If you change the name back to notepad.exe, it will launch again.
The Question:
I wonder what's the mechanism that does this?
start
command? Please do not respond in comments; edit your question to make it clearer and more complete.