Permission Issues in Windows 10 - windows

I have 2 machines: one is Windows 10 and the other is Windows 7. Recently, whenever I download a file on the Windows 10 machine directly to my external hard disk, detach it from that machine and try to attach it to the Windows 7 machine, I have no access to any of the downloaded files; it gives me access denied. I can access folders and see that the files are present but cannot open them.
To solve this issue I have to manually assign permission to each file by first taking ownership of that file for the "Everyone" account and then assigning "Everyone" full control.
I have tried to take ownership of the folder but receive an access denied error for each file when selecting the option "Permission Inheritance for files and Sub Folder".
I have even tried to write a PowerShell script to assign permissions, but the situation does not change; it returns an access denied error. FYI, the PowerShell window is opened as Administrator by selecting Run as administrator.
Even if I run the intended application as Administrator it still does not work; it still gives me Access Denied.
The only workaround I found was to perform the above actions of individual file ownership and permission assignment.
It would be of great help if someone can provide a permanent solution to this issue.
BTW, the external hard drive which I use is a WD drive; it has been with me for more than 5 years now and I never encountered this issue in the past.
And the files in question are photos, videos, documents and mp3s.

This is neither a PowerShell nor a programming issue, so the question would be more suitable for SuperUser.
Creating a file on removable media on one system and then trying to access that same file on a different system will normally fail unless you took precautions to make the data accessible from other systems. That is because even though users and groups may have the same name on both systems, they still have different SIDs (which is what the system actually uses to decide whether access is or isn't allowed).
To grant a user on a different system access to the file you have to take ownership and grant the user(s) on that system access.
takeown /f x:\ /a /r /d y
icacls x:\ /reset /t /c
icacls x:\ /grant administrators:(oi)(ci)f username:(oi)(ci)rx
Note that adjusting ownership and permissions of a single file usually does not suffice. The user must be able to at least traverse the entire path to that file. Similarly taking ownership and adjusting permissions on a folder may not suffice unless the files in that folder inherit their permissions from the folder. If they don't you need to take ownership of the files and adjust their permissions as well.
The above 3 commands recursively take ownership of everything on drive X:, reset permissions to enable inheritance, and grant access to the Administrators group (full control) and the user "username" (read and execute).
With that said, you can prepare permissions so that files are accessible on different systems without the need to take ownership and adjusting permissions on the target system. There are a number of principals and groups that have the same well-known SID on all Windows systems, e.g.
Everyone (S-1-1-0)
Administrators (S-1-5-32-544)
Users (S-1-5-32-545)
Authenticated Users (S-1-5-11)
Granting access for instance to the group "Users" should make your data accessible across different systems.
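To see which files on a drive would need this treatment, the following added example (not part of the original answer) lists every owner and explicit ACE that refers to a machine- or domain-issued SID rather than a well-known one. The drive letter X:\ is the same placeholder used in the commands above, and the function names are hypothetical.

```powershell
# Added example (not from the original answer). 'X:\' is a placeholder drive letter.
param([string]$Root = 'X:\')

$sidType = [System.Security.Principal.SecurityIdentifier]

function Test-MachineLocalSid {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # Local and domain accounts are issued as S-1-5-21-<machine or domain id>-<RID>.
    # Well-known principals (S-1-1-0, S-1-5-11, S-1-5-32-544, S-1-5-32-545) are not.
    return ($null -ne $Sid) -and ($Sid.Value -match '^S-1-5-21-')
}

function Get-NonPortableAcl {
    param([string]$Path)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # The current account cannot even read the security descriptor.
            [pscustomobject]@{ Path = $item.FullName; Kind = 'Unreadable'; Sid = $null; Rights = $null }
            continue
        }
        $owner = $acl.GetOwner($sidType)
        if (Test-MachineLocalSid $owner) {
            [pscustomobject]@{ Path = $item.FullName; Kind = 'Owner'; Sid = $owner.Value; Rights = $null }
        }
        # Explicit ACEs only: inherited ones are reported once, on the folder that defines them.
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            if (Test-MachineLocalSid $ace.IdentityReference) {
                [pscustomobject]@{
                    Path   = $item.FullName
                    Kind   = "$($ace.AccessControlType) ACE"
                    Sid    = $ace.IdentityReference.Value
                    Rights = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-NonPortableAcl -Path $Root | Format-Table -AutoSize
```

Rows of kind Unreadable are files whose security descriptor the current account cannot read at all; those are the ones that need ownership taken before their permissions can be reset.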

Install a separate hard drive or prepare a separate partition for each operating system.
Install the operating systems. For example, if your PC has Windows 8.1, install Windows 10 onto the other hard drive or partition.
Reboot the PC. The boot menus should appear with both operating systems listed.
If both operating systems aren't listed:
Open a command line, either as an administrator from inside Windows, or by booting to a command line using the Windows installation disk and pressing Shift+F10, or by booting to Windows PE (WinPE: Create USB Bootable drive).
Add boot options for a Windows operating system.
Bcdboot D:\Windows
Reboot the PC. Now, the boot menu will show both menu options.

Let’s give permission to the file and check if that helps. Follow these steps to give permission to the drive.
Right-click on the file which you’re unable to access and select Properties.
Click on the ‘Security’ tab and under ‘Group or user names’ click on ‘Edit’.
Click on ‘Add’ and type ‘everyone’.
Click on ‘Check names’ and then click ‘OK’.
Select ‘everyone’ and under ‘Allow’ select ‘Full control’ and click on ‘Apply’ and click ‘OK’.
Hope this helps.

Related

Bypassing WindowsApps folder protection other than ACLs

I noticed today that on Windows 10 some apps in the folder C:\ProgramFiles\WindowsApps... are protected in some way other than just the access permissions.
When installing Microsoft.MicrosoftEmulator_1.1.39.0_x64__8wekyb3d8bbwe.msix or Microsoft.253890156C685_1.0.0.0_x64__8wekyb3d8bbwe.Msix, as well as, it seems, other apps from the store, the folders created for those under C:\ProgramFiles\WindowsApps\ have some additional write protection.
While a cmd prompt started as TrustedInstaller can create and delete folders in the apps that come pre-installed, in the folders of these apps this fails with an access denied error.
Taking ownership of those folders and files as well as adding full access permission does not solve the issue.
With a cmd prompt started as system it is at least possible to create or delete folders, but for the existing folders created by the package installer it is still not able to create a file within those.
This protection remains in place even when the system partition in question is mounted by another Windows 10 system.
The only way I found to gain full access to these files is to mount the partition in a Windows 7 installation.
So it seems to me that MSFT has added some additional layer of patronizing the administrators which needs to be understood and broken.
Any ideas how to get around this issue?
Well, however the restrictions are implemented, with this driver: https://github.com/DavidXanatos/IgnoreACLs you can gain access to everything everywhere.
With minor limitations, renaming of files in protected locations does not work and creating of directories.
Other than that, modifying, creating and deleting files and folders works fine.
Power back to the owners of the devices.

Windows data storage for all users

On Windows 7, 8 and 10 I want my app to store data in a shared location so all users who run the app on the PC will access the same data. The data are readable/writable. What location should I use?
Windows has funny rules regarding programs' shared data.
Program Files ("C:\Program Files" and "C:\Program Files (x86)") is intended for immutable (read-only) program data and executable files - consequently files here require administrative permissions to edit. Thus it makes it useful for important files that should not be compromised (e.g. your main executable). This is why installers run with elevated permissions. There is a downside in that if your program has an auto-update mechanism then that too needs to run elevated.
Program Data (C:\ProgramData on Windows Vista and later, or C:\Documents and Settings\All Users\Application Data) is intended for mutable program data - you don't need administrative permissions to create files in this folder, except that once a file has been created only the user that originally created that file can subsequently edit it (though everyone can read it). This is the special CREATOR OWNER permission.
This is described here: Privileges/owner issue when writing in C:\ProgramData\
AppData (C:\Users\(you)\AppData\Local and C:\Users\(you)\AppData\Roaming) is user-specific and is intended for user-specific settings, configuration and data. The Local version should be used for machine-specific settings that shouldn't roam if the user is using Roaming Profiles, such as data caches (e.g. a browser cache).
So in your case ProgramData looks ideal, but you need to be careful about the default CREATOR OWNER rules - but there's a workaround: your program's installer (which would run as admin) has the ability to change the ACL permissions on its ProgramData subdirectory to allow other users to edit files. I suggest granting the Users group permission instead of Everyone to prevent possible remote attacks and modifications by unauthenticated users.
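The installer-side ACL change suggested above could look like the following added example, which is not part of the original answer. It assumes it runs elevated, and the application name ExampleApp and the function name are hypothetical.

```powershell
# Added example (not from the original answer); run elevated, as an installer would.
# 'ExampleApp' is a hypothetical application name.
$UsersSid = 'S-1-5-32-545'   # BUILTIN\Users, the same SID on every Windows system

function Grant-UsersModify {
    param([string]$Directory)
    New-Item -ItemType Directory -Path $Directory -Force | Out-Null

    $users = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $UsersSid
    # Modify allows read, write and delete, but not changing permissions or taking ownership.
    # ContainerInherit + ObjectInherit: files and subfolders created later by any user
    # inherit this ACE, so they stay editable by the other users.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $users, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'

    $acl = Get-Acl -LiteralPath $Directory
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Directory -AclObject $acl

    # Read the ACL back and return the explicit ACEs that now exist for Users.
    (Get-Acl -LiteralPath $Directory).GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $UsersSid }
}

Grant-UsersModify -Directory (Join-Path $env:ProgramData 'ExampleApp') |
    Format-List FileSystemRights, InheritanceFlags, AccessControlType
```

Granting Modify rather than FullControl keeps ordinary users from rewriting the directory's ACL, and no ACE is added for Everyone.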

win7: setting user group to have elevated privileges to access files fails to allow application to access

I'm a programmer not an admin. I significantly modified an old program written in 1997 to run under Windows XP ~7 years ago. At that time, I rewrote in VC++ 2005. The local production network has been updated to Win7. Program updated to VC++ 2010.
Problem: Program runs in new environment but only if user has admin privileges. Without, needed files cannot be accessed. Attempted Fix has been to give user group access to the needed files. Users can access the files "by hand" but program still fails.
Is there a way to give the application admin privileges so that it can access the files?
Not acceptable is allowing users to run as admin. We have to operate under DoD constraints. Is there something I as the guy working on the application can do? If not, what is the solution?
Recap: problem was a large number of scratch files which, in the original application, were being written to the C:\ root directory. The solution was to use "getenv_s" to obtain the user's directory via an environment variable. The pathname was modified such that the string returned from "getenv_s" was concatenated with the scratch file name. Laborious but problem solved.
The huge difference between XP and Windows 7 is the access system (user access control entered with Vista and was further refined in 7). In theory you could run the application as an admin user, or provide a service that would access the necessary system components and files as an admin user. But there isn't a way of giving an application itself extra permissions.
Your other option is to find out what specifically is causing the problem and correct that in your application. Chances are this is a system file or the like.

Cygwin rSnapshot on windows Permission denied, while permissions are retained

I know there are a lot of cases close to this, but I have not found any that matches my circumstances.
Quite a few of our clients backup large quantities of data using cygwin.
The general environment is:
A windows based virtual domain controller (host is esxi, but that is irrelevant)
The backup is going to an external encrypted raid device, which the system sees as a normal usb attached hard disk.
OS tends to mainly be sbs2011 / 08, in some rare cases sbs03.
Cygwin, usually the latest version as it is kept up to date. and its snapshot package.
The rsnapshot conf file is not really changed from its original state with the exception of target and destination, and some exclusions.
The backup is triggered by a batch, which starts Cygwin's rsnapshot rsync process creating a backup from the windows server to the attached storage in (hourly x2 daily x5 weekly x4 monthly x6 backups.)
The source files are rsynced to the destination. the original order of the permissions is not preserved but the necessary permissions are kept, ie source has the group and a user admin with full access, the target has both but with special permissions, and within special, full access is granted.
When rsnapshot moves hourly0 to hourly1 it completes. all the files are linked properly. but it takes a long time due to every file getting a "could not link (cygdrive/x/x/hourly.0/path to file/file /cygdrive/x/x/hourly.1/path to file/file Permission denied)
args is commented out because anything put into args, i.e. -av etc., does not work and nor does it need to as the destination in another way does have administratoren and admin with full permissions.
cygwin is installed using admin on the admin account, task scheduler is set to admin, and the tasks are run by the admin account with full access.
The backing up process works. I believe the issue lies in the destination, I can understand that it could be related to issues between posix and acl but do not believe it is the cause as again, the permissions are granted.
So I am asking the most experienced out there, if you have any ideas, things to try, change. Please could you let me know clearly.
Kindest regards and appreciation.
Dan

What set of access permissions on content in USB HDDs will ensure portability in Windows?

I have content on a portable HDD that is to be shared between 2 or more computers, but none of the computers are connected to a domain (none exists). I want to give permissions to the content in such a way that the permissions remain the same across all my computers, irrespective of which computer I connect the HDD to and irrespective of which user account was used to set the permissions.
For example, I want the built-in Administrators group (SID: S-1-5-32-544) to have Full Control of a file on the portable HDD, irrespective of the computer it is connected to (I am aware this constitutes a big security hole, but so long as the drive doesn't get stolen, I am ok with it. Anyway, once an attacker has physical access to a drive, all bets are off.).
Problem I am trying to solve is this: I connect the HDD to computer1, set all permissions, disconnect. Then I connect the HDD to computer2, and suddenly the permissions aren't right for the user on this computer since the SIDs are different (both in terms of permissions and ownership of content).
If you want the Administrators group to have full control, just set it that way. In Windows XP Pro or some other system that gives you a Security tab in Properties, use it. In the drive's security properties, add Administrators (if it's not already there), and in the privileges for Administrators give full control and enable all inheritance. You just have to set that on one machine and then other NT-based Windows PCs will obey the settings.
If you can't find one Pro system to use for that setting, then you'll have to learn the cacls command line. Fortunately you still just have to do it once. Oops. You'll have to do it n times where the first (n-1) times are various mistakes, but you just have to get it right once.
The permission scheme you choose for your HDD depends on the filesystem you've formatted the drive with. Different filesystems specify permissions differently and have to be treated separately.
Why are you using permissions at all? If someone gets the drive then they have access. Instead, just use something like truecrypt to protect everything, and give everyone permissions to everything in the truecrypt volume.
