Acces My Folders

Struggling on a Win 7 PRO new laptop.

I need to get into all of my folders but the permissions is not letting
me.
I tried to change permissions but even though they are "Allow" they are
grayed out and I cannot figure out how to fix this mess.

I googled several procedures to change permissions but none of them
worked.

Is there some tool (free) that will allow me to automatically set all
folders as I want.

I am Admin and I am even Super Admin but that has not helped.

Admin wrote:
Struggling on a Win 7 PRO new laptop.

I need to get into all of my folders but the permissions is not letting me.
I tried to change permissions but even though they are "Allow" they are
grayed out and I cannot figure out how to fix this mess.

I googled several procedures to change permissions but none of them worked.

Is there some tool (free) that will allow me to automatically set all
folders as I want.

I am Admin and I am even Super Admin but that has not helped.

From a previous post...

******* All about Takeown *******

You can solve some problems with Takeown.

This shows Takeown usage in a script. To show the commands used.

http://blogs.msdn.com/b/tims/archive...deletable.aspx

Takeown added to right-click context menu. These are .reg
files that you right-click and select "merge". The first
installs Takeown, the second removes it if you don't want it.

http://www.eightforums.com/tutorials...ndows-8-a.html

http://www.eightforums.com/attachmen...ntext_menu.reg

http://www.eightforums.com/attachmen...ntext_menu.reg

******* End - All about Takeown *******

*Do not* apply that to the entire C: drive.
Using Takeown is mainly for user data drives
you bring over from another computer.

The "icacls" program can be used to record
all the permissions on a partition. But
using the information later isn't all that
convenient.

icacls c:\ /save "C:\Users\username\Downloads\ntfsCdrive.txt" /t /c K:\icacls_errors.txt

That records all the permissions of the C: drive
to the file "ntfsCdrive.txt". Since the icacls
command may find folders with "Access Denied", you
can record all the error output into
a separate K:\icacls_errors.txt file.

HTH,
Paul

| Is there some tool (free) that will allow me to automatically set all
| folders as I want.

http://www.jsware.net/jsware/nt6fix.php5#restfix

It's a very simple, basic program. You drop a folder
or file onto the window, choose whether to remove
restrictions recursively, and click a button. Once freed
for admins, folders/files can also be freed for non-admins.

The code used in that utility, as well as an explanation
of how it all works, is he

http://www.jsware.net/jsware/vbcode.php5#perms2

If you're wary of 3rd-party software you can
follow Paul's instructions.

The basic situation is that MS makes it awkward
deliberately, so that only sys-admins are likely to ever
figure it out. Security through obscurity. You don't have
permission as admin (which is no longer admin in the
first place but is rather what used to be called "power
user") to access your own files, but you do have the
bizarre option of "taking ownership" of those files. Once
you have ownership you can remove restrictions,
including for yourself. (I can only imagine the laughter
there must have been in the meetings where they
cooked that one up.

Sys-admins don't mind that they have to use convoluted,
command-line nonsense like cacls and takeown. The
abstruseness and tedium of such tools is what provides
them with a job.

Tried you app NT Restriction Fix on

C:\Users\Administrator\SendTo

User name is Administrator. Logged on as administrator, super user
too.
Inlcude subfolders checked.
tried as Administrator and tried as All Users.

Says Folders Processed 1

Clicking on that folder gives: Access Denied.

Now, the folder seems to be a shortcut based on the icon with arrow.
I guess that matters?? Got to find the real folder? Where?

What did I do wrong?

BTW, you and Paul and only one or two others I fully trust.

Admin wrote:
Tried you app NT Restriction Fix on

C:\Users\Administrator\SendTo

User name is Administrator. Logged on as administrator, super user too.
Inlcude subfolders checked.
tried as Administrator and tried as All Users.

Says Folders Processed 1

Clicking on that folder gives: Access Denied.

Now, the folder seems to be a shortcut based on the icon with arrow.
I guess that matters?? Got to find the real folder? Where?

What did I do wrong?

BTW, you and Paul and only one or two others I fully trust.

I happen to have run off a filelist on my Win8 machine a
few minutes ago. And have it over here on the typing machine.
This will have to do for "guessing" purposes.

\Users\username\SendTo
\Users\username\AppData\Roaming\Microsoft\Windows\ SendTo
\Users\username\AppData\Roaming\Microsoft\Windows\ SendTo\Fax Recipient.lnk
\Users\username\AppData\Roaming\Microsoft\Windows\ SendTo\Mail Recipient.MAPIMail
\Users\username\AppData\Roaming\Microsoft\Windows\ SendTo\Compressed (zipped) Folder.ZFSendToTarget
\Users\username\AppData\Roaming\Microsoft\Windows\ SendTo\Desktop (create shortcut).DeskLink
\Users\username\AppData\Roaming\Microsoft\Windows\ SendTo\Desktop.ini

My guess would be, the first one is a junction point.

The other six references are the "real" item.

\Users\username\SendTo -- \Users\username\AppData\Roaming\Microsoft\Windows\ SendTo

https://en.wikipedia.org/wiki/Junction_point

"An NTFS junction point is a symbolic link to a directory
that acts as an alias of that directory."

I don't have a real good handle on what a junction point
is, so can't say more than that. Does it support file
properties ? Or do the file properties actually belong
to the *target* of the junction point.

In a previous experiment, I got 62 "access denied" errors,
and it's possible those were all junction points on C: .
These junction points seem pretty pesky. If you use
a naive tool on them, the tool goes into a CD loop,
and keeps adding the name to the path like this.

\Users\username\SendTo\SendTo\SendTo\... until path too long

When you enable the super-administrator account, while
I haven't checked that out in detail, it's my suspicion
all that does is create (instantiate) C:\Users\Administrator.
I don't really think it turns you into superman or anything.
You can use these commands, in a command prompt window,
to "learn about your superpowers". The whoami command
is not available on every OS version, so YMMV. You
can test this as ordinary user, elevated command prompt window,
or while logged in as superman. And compare the "privs".

whoami /priv /user
whoami /all

To deal with every possible "permission" on the machine,
requires impersonation. Why they put us through this,
I'll never know. I'm not convinced it is all that
significant a feature from a security point of view.
I bet machines still get infected.

HTH,
Paul

| tried as Administrator and tried as All Users.
|
| Says Folders Processed 1
|
| Clicking on that folder gives: Access Denied.

A couple of things: As Paul noted, those
aren't real folders. I've never been entirely
clear about it. My assumption was that they're
links for file virtualization, to prevent problems
with older software that may be seeking hard-
coded paths. The whole thing doesn't seem to
make much sense. And despite being links the
property page doesn't show a target. Also, if
they're links then why doesn't clicking them
lead to the real folder? If they're only for badly
designed software then why are they visible.
I don't get it. It all makes my head hurt.

Second, you can free items for all users if you
want to, but generally you have to do it for all
admins first, then go through the process again,
separately, for all users. It seems to be similar
to the ownership thing: You can't give yourself
permission, but you can take ownership and then
give yourself permission as the owner. That permission
seems to be required in order to give all users
permission. It makes no sense, but there it is.

I'm not sure I've ever run as Administrator. I
guess maybe I'd set that account up as my normal
login if I were using Win7 fulltime. But it creates
a hassle: Once there's more than one user one
can't just boot it and walk away. In any case, my
impression is that Administrator is the single,
real administrator. It should have free rein. But
I've never tested it.

I haven't found anything I can't free for all admins.
I've even freed winsxs to test the possibility of
getting rid of it. (Not much luck. All the drives
disappeared from Explorer. And everything *seems*
to be freeable for all users in the 2-step method
described, but I haven't fully tested that. I wouldn't
log on as non-admin, anyway, so there aren't many
scenarios where all users would need freedom. Maybe
something like software used by a child that won't
work properly without having rights to the program
folder? I can't think of many other possible cases.

|
| Now, the folder seems to be a shortcut based on the icon with arrow.
| I guess that matters?? Got to find the real folder? Where?
|
I *think*, as noted above, that those are shortcuts
for compatibility. XP has Application Data. I'm not sure
offhand how it works in Win7. Something like Users/
AppData/Roaming, maybe? You should be able to test
it out by just dropping a shortcut to, say, a folder into
one of the SendTo folders in that mess. When one of
them shows up in right-click you've found it.

| BTW, you and Paul and only one or two others I fully trust.

Thank you. That's good to know. There are people here
who won't talk to me because I don't format my posts
the way they like. There are others who seem to think
there's supposed to be a pecking order. (I suspect the
two groups overlap somewhat.) On top of that I tend to
be a bit verbose. So I sometimes wonder if anyone is
reading. Then I just figure that either way, it goes to
the public record and might be helpful to someone at
some point. But it's nice to know someone finds something
useful.

I know what you mean about Paul. Anyone with such
passion for understanding is very unlikely to have ulterior
motives or make many mistakes. Such people are self-policing.

| When you enable the super-administrator account, while
| I haven't checked that out in detail, it's my suspicion
| all that does is create (instantiate) C:\Users\Administrator.
| I don't really think it turns you into superman or anything.

It's *supposed* to be the one and only *real*
admin account. All other admins are what used to
be called "power users". Administrator is hidden
and can't be renamed, but if one unhides it, it
should be just like running on earlier Windows.

On the other hand, what does that mean? On
Win9x one has full freedom. On XP one has to
gut System File Protection by uninstalling PC
Health in order to get full freedom. (Among the
first things I always do.) Win7 has something similar
-- Windows File Protection. So I'm not sure. I've
never tested how much of a real admin the real
admin is. I generally don't even run on NTFS when
I don't need to. It's just too much hassle.

Paul's suggestion just worked on everything I tried it on.
There might be some info there for you to help your app with removing
permission.
If I knew how to capture the cmd window that pops up briefly during the
"Takedown" I would post that.

The .reg file looks like this, but Paul's post shows where to get it:

Windows Registry Editor Version 5.00

; Created by: Shawn Brink
; http://www.eightforums.com
; Tutorial:
http://www.eightforums.com/tutorials...ndows-8-a.html


[-HKEY_CLASSES_ROOT\*\shell\runas]

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""
Position="middle"

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant
administrators:F /c /l"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant
administrators:F /c /l"


[-HKEY_CLASSES_ROOT\Directory\shell\runas]

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""
Position="middle"

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant
administrators:F /t /c /l /q"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls
\"%1\" /grant administrators:F /t /c /l /q"


[-HKEY_CLASSES_ROOT\dllfile\shell\runas]

[HKEY_CLASSES_ROOT\dllfile\shell\runas]
@="Take Ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""
Position="middle"

[HKEY_CLASSES_ROOT\dllfile\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant
administrators:F /c /l"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant
administrators:F /c /l"


[-HKEY_CLASSES_ROOT\Drive\shell\runas]

[HKEY_CLASSES_ROOT\Drive\shell\runas]
@="Take Ownership"
"HasLUAShield"=""
"NoWorkingDirectory"=""
Position="middle"

[HKEY_CLASSES_ROOT\Drive\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant
administrators:F /t /c /l /q"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls
\"%1\" /grant administrators:F /t /c /l /q"

[-HKEY_CLASSES_ROOT\exefile\shell\runas]

[HKEY_CLASSES_ROOT\exefile\shell\runas]
"HasLUAShield"=""

[HKEY_CLASSES_ROOT\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

| Paul's suggestion just worked on everything I tried it on.
| There might be some info there for you to help your app with removing
| permission.
| If I knew how to capture the cmd window that pops up briefly during the
| "Takedown" I would post that.
|

That's fine if it works for you. I wrote my
utility to avoid all of that. I can just drop
a folder and clean it all up. Drop Program
Files and de-restrict the whole lot if I want
to. Either way, both methods are essentially
the same: Take ownership and then use that
to give oneself access permission.

I suppose it might be possible to
programmatically change permissions on those
fake shortcut folders, but it doesn't seem to
serve a purpose. They're not relevant:

http://www.svrops.com/svrops/articles/jpoints.htm

It might be a good idea to make Restriction Fix
show an error on those folders, in order to avoid
confusion. I guess I hadn't really thought about it.
They have clear shortcut icons to indicate that
they're not real folders.

Also, the case of freeing the
Administrator's personal folders is theoretical.
They're already unrestricted. That's the whole
point of user folders. They're the one place
where software can depend on being able to
write files. I don't know whether you've succeeded
in making Admin's personal files available to all
other users, but I wonder why you would want
to do that.

That's fine if it works for you. I wrote my
utility to avoid all of that. I can just drop
a folder and clean it all up. Drop Program
Files and de-restrict the whole lot if I want
to. Either way, both methods are essentially
the same: Take ownership and then use that
to give oneself access permission.

I see that advantage.


I suppose it might be possible to
programmatically change permissions on those
fake shortcut folders, but it doesn't seem to
serve a purpose. They're not relevant:

http://www.svrops.com/svrops/articles/jpoints.htm

It might be a good idea to make Restriction Fix
show an error on those folders, in order to avoid
confusion. I guess I hadn't really thought about it.
They have clear shortcut icons to indicate that
they're not real folders.

Yes, less confusing. Or maybe give path to real folder.


Also, the case of freeing the
Administrator's personal folders is theoretical.
They're already unrestricted. That's the whole
point of user folders. They're the one place
where software can depend on being able to
write files. I don't know whether you've succeeded
in making Admin's personal files available to all
other users, but I wonder why you would want
to do that.

I am ALL users. A personal PC I like to fiddle with.
Have not blue screened it yet.

--

--
No signature

--- news://freenews.netfront.net/ - complaints: ---

| I am ALL users. A personal PC I like to fiddle with.
| Have not blue screened it yet.
|

That's impressive with Win7. If I might
make a suggestion, give yourself control over
winsxs and then delete it. But make sure you
have time to reinstall.