Langalist: Unraveling Win10’s file ‘permissions’ issues

Topic

New Reply

Can’t get at your own data? There’s a reason why. Several possible reasons, actually, and Fred Langa steps you through their solutions. Think you had
[See the full post at: Langalist: Unraveling Win10’s file ‘permissions’ issues]

1 user thanked author for this post.

abbodi86

Reply | Quote

Replies

I made a disk image using Windows’ built in recovery tools and then tried to zip up a copy to keep the image safe and it fought tooth and nail to stop me from accessing the files. I get so aggravated with file permissions sometimes that I’ll just reboot into Linux, copy everything and delete the originals. Much easier and quicker that way.

Reply | Quote

Why not use a third-party backup tool which presents fewer of these issues? I’ve used Macrium Reflect Free for years now and never had a File Permissions issue.

I would also think that using Windows File History would present fewer Permissions issues if you’re only concerned with data files and folders.  Taken together, Macrium Reflect and File History might be the best solution I have yet seen.

In Linux I do have Permissions issues, but I’ve learned how to deal with them. In Windows, it’s a much murkier story. And it isn’t just files and folders which can have Windows Permissions issues.

In my computer an October, 2018 MS Update made a Registry change. This new entry was so locked-down with security Permissions I couldn’t find anywhere online any way to unlock the entry for editing. This entry controls which applications are available for File Type Associations. This issue was resolved only in January, 2019, and it required MS to reissue the October 2018 update. End users were powerless to change the damage Microsoft had done. I have never seen anything like this in Linux.

So while this article was very instructional, we have not seen the end of Windows Permissions issues yet. Not by a long shot!

-- rc primak

Reply | Quote

 

Next, ensure that all the changes you’re making to the folder’s permissions will be inherited by everything within or below the folder — i.e., all files and subfolders. If there’s an Enable inheritance button in the lower-left corner of the Advanced Security Settings, click it. (Don’t click the button if it says Disable inheritance.)

Disable/Enable inheritance controls whether permissions are inherited from above the current folder. It’s sometimes necessary to block inheritance in order to set the required permissions for the current folder and below:

How to Set File and Folder Permissions in Windows

3 users thanked author for this post.

rc primak, samak, Elly

Reply | Quote

Thanks for that link, I learnt a lot from it.

Windows 10 Home 22H2, Acer Aspire TC-1660 desktop + LibreOffice, non-techie

2 users thanked author for this post.

rc primak, b

Reply | Quote

Macrium is what I went with after reading somewhere that support for Windows’ own imaging tool is expected to be yanked at any moment. I just wanted to make sure I had a proper rescue image before I started updating this thing. It hadn’t been updated in nearly 3 years when I got to maintaining it.

Reply | Quote

Of the other issues in there…

Fred Langa’s

I can’t imagine any file-permission problem that would survive all the above. Surely one of these fixes will do the trick and let you regain full access to the files — or at least be able to recover their contents!

… well I’ve seen one, and more than once too – the spurious mandatory lock that isn’t held by anything. Yes, last time I had one of these, it survived reboots and disk checks too, and Linux NTFS support didn’t like it much either.

You may be able to work around it by renaming the directory the “locked” file is in from Linux and restoring from backup, but since this is actually an on-disk an error in NTFS that just wasn’t fixable by normal tools last time I checked, it might be better to just wipe and reformat. (Hope it wasn’t on your boot partition…)

Reply | Quote

The best solution in such a scenario is to use the Take Ownership REG file in order to regain ownership of all files in the folder and within all sub-folders.

1 user thanked author for this post.

rc primak

Reply | Quote

… except that file ownership could be checked and hadn’t changed. It’s just that the file had an operation lock stuck on it, as if it’d have been in mid-write.

1 user thanked author for this post.

rc primak

Reply | Quote

Been there, seen that! It’s applications like Office or LibreOffice which create the “Lock” condition. And yes, it happens if the program is closed before all changes are properly saved.

-- rc primak

Reply | Quote

Take Ownership is very powerful, but not a cure-all. When it works, it’s like magic. But when it doesn’t work, it’s like the Plague.

-- rc primak

Reply | Quote

Hi everyone,

I enjoyed reading Fred’s article about files, folders and permissions. Fred covered all of the basic solutions to use if you find yourself suddenly unable to access your files.

Another solution is a REG file which allows you to take ownership of files, or of a folder and of everything in and under that folder (literally everything as in all files and all sub-folders), or even of an entire hard drive. You would never run this Take Ownership REG file on the OS drive (except perhaps on specific non-OS folders), yet you could run it on non-OS data partitions (a lot of people store their data on a drive D: partition), and on other hard drives such as other internal and external hard drives, in order to regain access to your files.

If your backup software allows you to mount a backup image as a read-only image which is accessed under one or more new drive letters, then there is another solution for restoring files, even if the file permissions within the backup were messed up.

Later and outside of this topic, I will discuss both of the above solutions since the following is on-topic.

Everyone should take the time to learn the very basics about how to set up your home network. And everyone should take the time to learn the basics about security in terms of file and folder permissions.

Learning about file and folder permissions might seem to be a bit intimidating at first, since there are several different types of file and folder permissions. And there are several different types of groups and users who can be assigned different permissions. The most powerful user is SYSTEM. SYSTEM is your computer’s operating system. SYSTEM should, no matter what, always have access to every folder and file on your computer. If SYSTEM doesn’t have access to every file on your computer, then your antivirus program most likely can never see such files. In Unix terms, think of SYSTEM as ROOT.

Here is a visual analogy about folder and file permissions…

Imagine being in a building and you have a key to enter a locked room in the building. Now and just because you gained access to the room, this doesn’t mean that you will have the ability to see all file cabinets, let alone to open the file cabinets and see the files in those file cabinets. Even if you can see those file cabinets and open the files in those file cabinets, you might not have permission to either edit or delete those files. And you might not have permission to add any files to the file cabinets, or to add any new file cabinets (folders). Then again, you might have permissions to do anything. Others might have permissions to do anything as well, or to only do some things. For example, USERS who are not Administrators generally can only do very limited things. SYSTEM should have permission to do anything. It all depends on the set permissions, and it depends on whether or not those permissions are inherited from the previous room which you were in, just before you entered this room. It is like being a thief, yet the thief might not have all of the keys, and the thief might not have all of the special flashlights which allow the thief to see everything in the room. This is the simplest visual analogy which I can come up with. Keep this visual analogy in mind as you learn about folder and file permissions, about whether or not these permissions are inherited from previous rooms, and about the different types of users and groups which can be assigned permissions. If you think along the lines of my visual analogy, then you will be thinking both in terms of security and like a hacker. Hackers go after SYSTEM and Admistrator level access to your computer. Hackers like to mess with permissions. Hackers might do so, simply to prevent you from accessing your own files. The upshot is that if you learn the basics about permissions, then you can regain access to your files.

Probably everyone here has seen The Matrix movies. This is where I got the idea of using a room for my visual analogy, above. Hopefully one of our AskWoody experts (we have a bunch of them here) can take my visual analogy and turn it into simple drawings to visually display the concepts of folder and file permissions in terms of rooms (hard drives and top folders), sub-folders (potentially locked file cabinets in a given room), and files which reside in file cabinets (folders and sub-folders). As mentioned, there are different types of “people” who have different types of access. Think of SYSTEM as God. Think of all Administrators as Angels who have nearly all of the permissions of God. Think of all USERS as either whoever walks up to your computer and logs into your computer under a Guest account, or whoever can log into your computer with non-Angel permissions.

I hope that the above visual analogies will be helpful to everyone when they try to learn about the basic concepts of file and folder permissions, and about the power which is assigned to various types of computer accounts.

Best regards,

–GTP

 

1 user thanked author for this post.

rc primak

Reply | Quote

GoneToPlaid wrote:

Another solution is a REG file which allows you to take ownership of files, or of a folder and of everything in and under that folder (literally everything as in all files and all sub-folders), or even of an entire hard drive.

There is no REG file solution to take ownership. File permissions are disk based, not registry.

cheers, Paul

Reply | Quote

I believe they’re discussing that .reg file that goes and adds “Take Ownership” to your file explorer context menus.

Me? In these cases I feel the “right” way would be to get a shell as NT-AUTHORITY\SYSTEM and then use icacls … it’s just that this tends to be a bit difficult “out of the box” even if you know how to use icacls, which isn’t one of the more intuitive commands anyway…

1 user thanked author for this post.

rc primak

Reply | Quote

The idea that this is a Registry change comes from this article in How-To Geek:

https://www.howtogeek.com/howto/windows-vista/add-take-ownership-to-explorer-right-click-menu-in-vista/

The author does not explain what this Registry change actually does. It only changes the Windows Context Menu and makes the whole process of changing the ownership status to the current user more automatic. Under the hood the same steps are occurring, but Windows can run each of them with single commands which the new Registry Key invokes. At least, that’s what I gather from this and several other articles about Take Ownership.

-- rc primak

Reply | Quote

I am just wondering if anyone has used the Winaero Take Ownership registry file to add a Context Menu (Right Click) item? Maybe this is the .reg file that others talk about?

https://winaero.com/blog/add-take-ownership-context-menu-windows-10/

 

Reply | Quote

The tenforums website has Take Ownership REG files for Windows 10. One REG file installs it as an Explorer context menu. The other REG file removes it. They even added protection from trying to accidentally take ownership of the OS folders. Check it out:

https://www.tenforums.com/tutorials/3841-add-take-ownership-context-menu-windows-10-a.html

I have been using their Windows 7 versions of these REG files for several years.

2 users thanked author for this post.

Lars220, rc primak

Reply | Quote

I also use this Registry tweak a lot. But for others in this thread, it is important to understand what this Registry Key is actually doing. It’s a lot more than a simple Registry change.

This article gives a more in-depth explanation of just what is being added to the Registry:

6 Tools To Take Ownership and Get Full Control Of Files and Folders

https://www.raymond.cc/blog/easily-take-ownership-and-grant-full-control-permission-with-winownership/

What is added is a series of commands which invoke little programs within Windows. Fascinating reading.

-- rc primak

1 user thanked author for this post.

Lars220

Reply | Quote

It is possible to run Windows commands and executables, including regedit, as TrustedInstaller which usually has full access to keys and values that are otherwise unavailable for correction.  Probably best if I don’t post details here, but I’m sure you can find them on line for yourself if interested.

Asus ROG Maximus XI Code board; Intel i9-9900K CPU; 32 GB DDR4-3600 RAM; Nvidia GTX1080 GPU; 2x512 GB Samsung 970 Pro M.2 NVMe; 2x2 TB Samsung 860 Pro SSDs; Windows 10.1809; Linux Mint 19.1; Terabyte Backup & Recovery

1 user thanked author for this post.

rc primak

Reply | Quote

anonymous wrote:

Macrium is what I went with after reading somewhere that support for Windows’ own imaging tool is expected to be yanked at any moment. I just wanted to make sure I had a proper rescue image before I started updating this thing. It hadn’t been updated in nearly 3 years when I got to maintaining it.

Wow. I wasn’t aware that MS might be considering yanking support for the backup utility which comes with Windows. I shouldn’t be shocked since nothing from MS really shocks me anymore. MS’s plethora of decisions ever since the release of Windows 8.0 have done shocked me numb. MS is my new Hewlett-Packard in the sense that all trust is gone, and will be very hard to recover. I’ll skip the rest of a potential rant.

Macrium is my personally preferred backup solution. I won’t elaborate as to why since doing so would get into plugging a particular product. Doing so is not permitted on the forum except in specific sections of the forum. Yet I will give a couple of pointers in terms of using Macrium…

You can configure Macrium to install a Recovery Boot Menu option. You should. Yet when you do install the boot menu recovery environment, it is important to choose the correct Windows PE which you want to install. Why? Because if you install a later version PE which is for a later version of your installed OS, then the PE will be expecting that your computer’s BIOS is configured for a later version Windows OS. This is a really important caveat to understand! Thus…

OS is Windows 7 — choose to install the Windows PE 3.1 menu.
OS is Windows 8.x — choose to install the Windows PE 4.0 menu.
OS is Windows 10 — choose to install the Windows PE 5.0 menu.

The upshot is that it is really important to choose the correct Windows PE, as shown above, to install! This will save you from many headaches when trying to restore a Reflect image — either from the Recovery Boot Menu or from a created USB recovery thumb drive.

If you somehow messed up and installed a later PE version than what you should have, and if you can’t get Macrium to restore your backup, then create another USB recovery thumb drive on another computer using the PE which you should have originally used.

Heck, you might not even have to use another computer! If you can still boot into Windows, which you want to restore from a Macrium backup, then run Macrium and create a new USB recovery thumb drive, yet using the correct PE version for your version of Windows. ONLY PERFORM THIS SOLUTION IF YOU KNOW THAT YOUR COMPUTER IS NOT INFECTED WITH MALWARE!

Either way, the odds are that this new USB recovery thumb drive will work to allow you to restore your Macrium backup. Why does this work? Because in most cases, Macrium uses older generic drivers for nearly all detected hardware. Later versions of all detected hardware should be compatible with all older version drivers, yet with possible performance penalties. The only real issue then becomes using the correct PE for your OS version.

At the end of the day, you shouldn’t care that older generic drivers are being used. All you should care about is that the older drivers do actually work with whatever newer versions of hardware are present in your computer. And at the end of the day (or the first thing you see in the morning if you started a restore the night before), all you really care about seeing is that the Macrium restore operation did actually successfully complete.

1 user thanked author for this post.

rc primak

Reply | Quote

One update on the WinPE version used by Macrium Reflect Free. As of Windows 10 Version 1803, the WinPE environment has been superseded by the WinRE environment. And the last WinPE version was WinPE 10. You can now choose between WnPE 10 or WinRE for the Boot Option and the Recovery Media. I have recently tested the WinRE versions in Windows 10 Version 1803 Pro and found it to work just fine. WinRE seems to pick up networking drivers better than WinPE, which may be of interest to users who have network attached storage (NAS ) devices where system images can be stored and recovered.

Again, just minor points, but updated information.

My backups of an 80 GB Windows partition and its necessary UEFI Boot partitions takes about fifteen minutes over USB 3.0 Super-Speed. Recovery (restore) takes a bit longer. Double these times if you verify the image after creation and before use. Which you should do!

-- rc primak

Reply | Quote

GoneToPlaid wrote:

… Macrium uses older generic drivers for nearly all detected hardware.

Actually, the drivers used in Macrium’s WinPE builds are entirely dependent on the user’s choice of PE base version and on the Windows version under which the build process runs. There can be mismatches if the two don’t correspond. As rc_primac mentions, they’ve recently added the capability for WinRE builds for that among other reasons. A lot of users are quite confused about the WinPE build process.

Personally, I prefer the Terabyte approach of a pre-built ISO with other user options if wanted.

Asus ROG Maximus XI Code board; Intel i9-9900K CPU; 32 GB DDR4-3600 RAM; Nvidia GTX1080 GPU; 2x512 GB Samsung 970 Pro M.2 NVMe; 2x2 TB Samsung 860 Pro SSDs; Windows 10.1809; Linux Mint 19.1; Terabyte Backup & Recovery

Reply | Quote