I am trying to figure out how to read file system journal without admin privileges. To read the journal I need to call DeviceIoControl() Win32 function with FSCTL_READ_USN_JOURNAL code, which requires admin privileges.
However, I have discovered that OneDrive is able to read files that were deleted and moved even when OneDrive was not running. Here is what I did:
Kill the OneDrive process, to make sure OneDrive is not running.
Move or delete file(s) in the OneDrive folder.
Start OneDrive. Moved and deleted files are properly moved and deleted on the server.
When I start OneDrive it does not request admin privileges and no UAC dialogs appear.
How OneDrive is capable to read the file system journal without admin privileges and any elevated right?
Or is it possible to find moved and deleted files by any other means, without a file system journal?
Related
I noticed today that on windows 10
some apps in the folder C:\ProgramFiles\WindowsApps... are protected in some way other than just the access permissions.
When installing Microsoft.MicrosoftEmulator_1.1.39.0_x64__8wekyb3d8bbwe.msix or Microsoft.253890156C685_1.0.0.0_x64__8wekyb3d8bbwe.Msix
as well as it seams other apps from the store
the Folders for those created in under C:\ProgramFiles\WindowsApps\ have some additional write protection.
While a cmd prompt started as TrustedInstaller can create and delete folders in the apps that come pre-installed in the folders fo these apps this fails with an access denied error.
Taking Ownership of those folders and files as well as adding full access permission does not solve the issue.
With a cmd prompt started as system it is at least possible to create or delete folders but for the existing folders created by the package installer its still not able to create a file within those.
This protection remains in place even when the system partition in question is mounted by an other windows 10 system.
The only way I found to gain full access to these files is to mount the partition in a windows 7 installation.
So it seams to me that MSFT has added som additional layer or patronizing the administrators which needs to be understood and broken.
Any ideas how to get around this issue?
Well however the restrictions are implemented with this driver: https://github.com/DavidXanatos/IgnoreACLs you can gain access to everything everywhere.
With minor limitations, renaming of files in protected locations does not work and creating of directories.
Other than that, modifying, creating and deleting files and folders works fine.
Power back to the owners of the devices.
I have 2 machines, one is Windows 10 and the other is Windows 7, recently whenever I download a file on Windows 10 machine directly on my External Hard Disk and detach it from that machine and try to attach it to windows 7 machine, I have no access to any of the downloaded files it gives me access denied. I can access folders and see the files are present but cannot open them.
To solve this issue I have to manually assign permission to each files by first taking ownership of that file for "Everyone" account and then assigning "Everyone" full control.
I have tried to take the ownership of the folder but receives the error of access denied for each files when selecting the option of "Permission Inheritance for files and Sub Folder"
I have even tried to write a PowerShell to assign permission but the situation does not change it returns with an access denied error. FYI, PowerShell window is opened as Administrator by selecting Run as administrator.
Even if I run the intended application as Administrator it will still not work it will still give me Access Denied.
The only workaround I found was to perform the above actions of individual file ownership and permission assignment.
It would of great help is someone can provide a permanent solution to this issue.
BTW, The external hard drive which I use is WD drive and its with me for than 5 year now and never encounter this issue in the past.
And the files in questions are Photos, videos, documents and mp3.
This is neither a PowerShell nor a programming issue, so the question would be more suitable for SuperUser.
Creating a file on removeable media on one system and then trying to access that same file on a different system will normally fail unless you took precautions to make the data accessible from other systems. That is because even though users and groups may have the same name on both systems they still have different SIDs (which is what the system actually uses to decide whether access is or isn't allowed).
To grant a user on a different system access to the file you have to take ownership and grant the user(s) on that system access.
takeown /f x:\ /a /r /d y
icacls x:\ /reset /t /c
icacls x:\ /grant administrators:(oi)(ci)f username:(oi)(ci)rx
Note that adjusting ownership and permissions of a single file usually does not suffice. The user must be able to at least traverse the entire path to that file. Similarly taking ownership and adjusting permissions on a folder may not suffice unless the files in that folder inherit their permissions from the folder. If they don't you need to take ownership of the files and adjust their permissions as well.
The above 3 commands recursively take ownership of everything on drive X:, reset permissions to enable inheritance, and grant access to the Administrators group (full control) and the user "username" (read and execute).
With that said, you can prepare permissions so that files are accessible on different systems without the need to take ownership and adjusting permissions on the target system. There are a number of principals and groups that have the same well-known SID on all Windows systems, e.g.
Everyone (S-1-1-0)
Administrators (S-1-5-32-544)
Users (S-1-5-32-545)
Authenticated Users (S-1-5-11)
Granting access for instance to the group "Users" should make your data accessible across different systems.
Install a separate hard drive or prepare a separate partition for each operating system.
Install the operating systems. For example, if your PC has Windows 8.1, install Windows 10 onto the other hard drive or partition.
Reboot the PC. The boot menus should appear with both operating systems listed.
If both operating systems aren't listed:
Open a command line, either as an administrator from inside Windows, or by booting to a command line using the Windows installation disk and presssing Shift+F10, or by booting to Windows PE (WinPE: Create USB Bootable drive).
Add boot options for a Windows operating system.
Bcdboot D:\Windows
Reboot the PC. Now, the boot menu will show both menu options.
Let’s give permission to the file and check if that helps. Follow these steps to give permission to the drive.
Right-click on the file which you’re unable to access and select Properties.
Click on the ‘Security’ tab and under ‘Group or user names’ click on ‘Edit’.
Click on ‘Add’ and type ‘everyone’.
Click on ‘Check names’ and then click ‘OK’.
Select ‘everyone’ and under ‘Allow’ select ‘Full control’ and click
on ‘Apply’ and Click ‘Ok’.
Hope this helps.
On Window 7, 8 and 10 I want my app to store data in shared location so all users who run the app on the PC will access the same data. The data are readable/writable. What location should I use?
Windows has funny rules regarding program' shared data.
Program Files ("C:\Program Files" and "C:\Program Files (x86)") is intended for immutable (read-only) program data and executable files - consequently files here require administrative permissions to edit. Thus it makes it useful for important files that should not be compromised (e.g. your main executable). This is why installers run with elevated permissions. There is a downside in that if your program has an auto-update mechanism then that too needs to run elevated.
Program Data (C:\ProgramData on Windows Vista and later, or C:\Documents and Settings\All Users\Application Data) is intended for mutable program data - you don't need administrative permissions to create files in this folder, except that once a file has been created only the user that originally created that file can subsequently edit it (though everyone can read it). This is the special CREATOR OWNER permission.
This is described here: Privileges/owner issue when writing in C:\ProgramData\
AppData (C:\Users\(you)\AppData\Local and C:\Users\(you)\AppData\Roaming) is user-specific and is intended for user-specific settings, configuration and data. The Local version should be used for machine-specific settings that shouldn't roam if the user is using Roaming Profiles, such as data caches (e.g. a browser cache).
So in your case ProgramData looks ideal, but you need to be careful about the default CREATOR OWNER rules - but there's a workaround: your program's installer (which would run as admin) has the ability to change the ACL permissions on its ProgramData subdirectory to allow other users to edit files. I suggest granting the Users group permission instead of Everyone to prevent possible remote attacks and modifications by unauthenticated users.
I've tracked down an error in my logs, and am trying to reproduce it. My theory is that a file sometimes gets locked in a specific folder, and when the application (ASP.NET) tries to delete that folder it hangs.
I don't have the application running on my own machine so I'm debugging this on a remote server. But for the life of me, I can't seem to figure out a way to lock a file that prevents it from being deleted by the process.
My first thought was to map the network path to a local drive and just leave a command prompt open to that folder. Locally that always fouls up my folder deletes, but apparently SMB is a bit more robust and doesn't grant me a lock.
After that I created an infinte loop vbscript in the folder and executed it remotely. The file was deleted out from underneath the executing code. Man!
I then tried creating a file on the server in that folder and removing all permissions. That didn't do the trick. I don't have access to the IIS settings so perhaps it's running under a privileged system account.
So: what's a program that you know is free and I can quickly use to create an exclusive lock on a file so I can test my delete theory? Like a really, really bad Notepad clone or something.
:-)
Can't you just create a text file from a network folder and open it with MS Word/VS or a similar program which locks it during editing?
I have a setup project that installs my app to the typical program files directly.
My app periodically saves some temporary images to the apps installation folder. It seems on Vista, the permissions are not setup for write permissions. I can change it manually in windows explorer and it works, but I would rather have the setup project do that automatically.
How can I do this?
Is there a better/more normal place to put temp images that won't have permissions issues?
It is not Vista specific, this will happen with any kind of user account that doesn't have admin privileges. Your program just can't write to folders like c:\program files\blah. That UAC disables admin privileges has been publicized for a long time now. Use Environment.GetFolderPath() to get the path to an ApplicationData folder that you can write to.
See http://msdn.microsoft.com/en-us/library/bb756940.aspx for details on UAC issues for vista. These problems can also occur in other versions of windows when running applications from non-admin accounts. You should only write data to app data or temp directories and not program files.