Wednesday, 30 May 2012

How to Understand Those Confusing Windows 7 File/Share Permissions


Have you ever tried to figure out all of the permissions in Windows? There are share permissions, NTFS permissions, access control lists, and more. Here’s how they all work together.

The Security Identifier

Windows operating systems use SIDs to represent all security principals. SIDs are variable-length strings of alphanumeric characters that represent machines, users and groups. SIDs are added to ACLs (Access Control Lists) every time you grant a user or group permission to a file or folder. Behind the scenes, SIDs are stored the same way all other data objects are: in binary. However, when you see a SID in Windows it is displayed using a more readable syntax. You will not often see a SID in Windows; the most common scenario is when you grant someone permission to a resource and their user account is later deleted, at which point the entry shows up as a SID in the ACL. So let’s take a look at the typical format in which you will see SIDs in Windows.
The notation follows a fixed syntax. Below are the different parts of a SID in this notation.
  1. An ‘S’ prefix
  2. Structure revision number
  3. A 48-bit identifier authority value
  4. A variable number of 32-bit sub-authority or relative identifier (RID) values
Using my SID in the image below we will break up the different sections to get a better understanding.
The SID Structure:
‘S’ – The first component of a SID is always an ‘S’. This is prefixed to all SIDs and is there to inform Windows that what follows is a SID.
‘1’ – The second component of a SID is the revision number of the SID specification. If the SID specification were to change, it would provide backwards compatibility. As of Windows 7 and Server 2008 R2 the SID specification is still in the first revision.
‘5’ – The third section of a SID is called the Identifier Authority. This defines the scope in which the SID was generated. Possible values for this section of the SID are:
  1. 0 – Null Authority
  2. 1 – World Authority
  3. 2 – Local Authority
  4. 3 – Creator Authority
  5. 4 – Non-unique Authority
  6. 5 – NT Authority
‘21’ – The fourth component is sub-authority 1. The value ‘21’ in the fourth field specifies that the sub-authorities that follow identify the Local Machine or the Domain.
‘1206375286-251249764-2214032401’ – These are called sub-authority 2, 3 and 4 respectively. In our example they identify the local machine, but they could also be the identifier for a Domain.
‘1000’ – Sub-authority 5 is the last component in our SID and is called the RID (Relative Identifier). The RID is relative to each security principal. Please note that any user-defined objects, the ones that are not shipped by Microsoft, will have a RID of 1000 or greater.
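The conversion between the binary form and the readable notation described above, as an added example that is not part of the original article. It assumes the standard binary layout (one revision byte, one sub-authority count byte, a 6-byte big-endian identifier authority, then little-endian 32-bit sub-authorities); the SID used is the article's example assembled from the components listed above, and the function names are hypothetical.

```python
import struct

# Identifier authority names as listed in the article.
AUTHORITIES = {0: "Null Authority", 1: "World Authority", 2: "Local Authority",
               3: "Creator Authority", 4: "Non-unique Authority", 5: "NT Authority"}

# The article's example SID, assembled from the components it walks through.
EXAMPLE_SID = "S-1-5-21-1206375286-251249764-2214032401-1000"


def sid_to_bytes(sid):
    """Pack the readable S-R-A-S1-S2-... notation into the binary layout."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision <= 0xFF or not 0 <= authority < 2 ** 48:
        raise ValueError("revision or authority out of range")
    if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("bad sub-authority list")
    header = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return header + struct.pack("<%dI" % len(subs), *subs)


def bytes_to_sid(raw):
    """Render a binary SID in the readable notation, rejecting bad lengths."""
    if len(raw) < 8:
        raise ValueError("truncated SID header")
    revision, count = raw[0], raw[1]
    if count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def describe(sid):
    """Split a SID into the parts the article names."""
    raw = sid_to_bytes(sid)
    parts = bytes_to_sid(raw).split("-")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # S-1-5-21-<three values>-<RID>: a local machine or domain account.
    is_account = authority == 5 and len(subs) == 5 and subs[0] == 21
    return {
        "revision": int(parts[1]),
        "authority": AUTHORITIES.get(authority, "unknown"),
        "machine_or_domain": "-".join(parts[4:7]) if is_account else None,
        "rid": subs[-1] if is_account else None,
        # RIDs of 1000 or greater are user-defined, per the article.
        "user_defined": is_account and subs[-1] >= 1000,
        "binary_hex": raw.hex(),
    }


if __name__ == "__main__":
    for key, value in describe(EXAMPLE_SID).items():
        print("%-18s %s" % (key, value))
```

When an ACL entry shows up as a SID because the account was deleted, the RID and the machine or domain portion are the parts that tell you which account the entry used to belong to.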

Security Principals

A security principal is anything that has a SID attached to it; these can be users, computers and even groups. Security principals can be local or be in the domain context. You manage local security principals through the Local Users and Groups snap-in, under Computer Management. To get there, right click on the Computer shortcut in the Start menu and choose Manage.
To add a new user security principle you can go to the users folder and right click and choose new user.
If you double click on a user you can add them to a Security Group on the Member Of tab.
To create a new security group, navigate to the Groups folder on the right hand side. Right click on the white space and select new group.

Share Permissions and NTFS Permissions

In Windows there are two types of file and folder permissions: Share Permissions and NTFS Permissions, also called Security Permissions. Take note that when you share a folder, by default the “Everyone” group is given the Read permission. Security on folders is usually done with a combination of Share and NTFS Permissions. If this is the case, it is essential to remember that the most restrictive always applies. For example, if the share permission is set to Everyone = Read (which is the default), but the NTFS Permissions allow users to make a change to the file, the Share Permission will take preference and the users will not be allowed to make changes.
When you set the permissions, the LSASS (Local Security Authority) controls access to the resource. When you log on you are given an access token with your SID on it. When you go to access the resource, the LSASS compares the SID on your token against the ACL (Access Control List), and if the SID is on the ACL it determines whether to allow or deny access. The two kinds of permissions differ in important ways, so let’s take a look to get a better understanding of when we should use what.
Share Permissions:
  1. Only apply to users who access the resource over the network. They don’t apply if you log on locally, for example through terminal services.
  2. They apply to all files and folders in the shared resource. If you want to provide a more granular restriction scheme you should use NTFS Permissions in addition to share permissions.
  3. If you have any FAT or FAT32 formatted volumes, this will be the only form of restriction available to you, as NTFS Permissions are not available on those file systems.
NTFS Permissions:
  1. The only restriction on NTFS Permissions is that they can only be set on a volume that is formatted to the NTFS file system.
  2. Remember that NTFS Permissions are cumulative, which means that a user’s effective permissions are the result of combining the user’s assigned permissions and the permissions of any groups the user belongs to.
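How the rules in this section combine, as an added example that is not part of the original article: rights are cumulative across every SID on the access token, share permissions only count over the network, and the most restrictive result applies. The rights model, the group SID with RID 1001, the deleted-account SID with RID 1002 and all function names are constructed for illustration; deny entries are not modelled, and applying the cumulative rule to the share ACL as well is an assumption the article does not state.

```python
# Constructed rights model: each permission level is a set of abstract rights.
READ = frozenset({"read"})
MODIFY = READ | {"write", "delete"}
FULL = MODIFY | {"change_permissions"}

EVERYONE = "S-1-1-0"  # well-known SID of the Everyone group (World Authority)
MACHINE = "S-1-5-21-1206375286-251249764-2214032401"  # article's example machine
USER = MACHINE + "-1000"     # the article's example account
EDITORS = MACHINE + "-1001"  # constructed group SID
DELETED = MACHINE + "-1002"  # constructed SID of an account that no longer exists


def granted(acl, token):
    """Union of the rights granted to every SID on the token (cumulative)."""
    rights = set()
    for sid, level in acl:
        if sid in token:
            rights |= level
    return frozenset(rights)


def effective(token, ntfs_acl, share_acl, over_network):
    """Effective rights for one access attempt."""
    ntfs = granted(ntfs_acl, token)
    if not over_network:
        return ntfs  # share permissions are not consulted for local access
    return ntfs & granted(share_acl, token)  # most restrictive always applies


def orphaned_entries(acl, known_sids):
    """ACL entries whose SID no longer maps to an account (shown as raw SIDs)."""
    return [sid for sid, _ in acl if sid not in known_sids]


# The token lists the user's own SID plus the SIDs of the groups they belong to.
TOKEN = frozenset({USER, EDITORS, EVERYONE})
NTFS_ACL = [(USER, READ), (EDITORS, MODIFY), (DELETED, FULL)]
DEFAULT_SHARE_ACL = [(EVERYONE, READ)]  # the default when a folder is shared
WIDER_SHARE_ACL = [(EVERYONE, READ), (EDITORS, FULL)]


def demo():
    """Return the effective rights for the three cases discussed above."""
    return {
        "local": effective(TOKEN, NTFS_ACL, DEFAULT_SHARE_ACL, False),
        "network_default_share": effective(TOKEN, NTFS_ACL, DEFAULT_SHARE_ACL, True),
        "network_wider_share": effective(TOKEN, NTFS_ACL, WIDER_SHARE_ACL, True),
        "orphaned": orphaned_entries(NTFS_ACL, {USER, EDITORS, EVERYONE}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, sorted(result))
```

Even with Full Control on the wider share, the network result stops at Modify because the NTFS ACL grants nothing more. The orphaned entry is the kind worth reviewing and removing during an ACL audit.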

The New Share Permissions

Windows 7 brought along a new “easy” share technique. The options changed from Read, Change and Full Control to Read and Read/Write. The idea was part of the whole Home group mentality and makes it easy for non-computer-literate people to share a folder. This is done via the context menu and shares with your home group easily.
If you wanted to share with someone who is not in the home group, you could always choose the “Specific people…” option, which would bring up a more “elaborate” dialog where you could specify a specific user or group.
There are only two permissions, as previously mentioned. Together they offer an all-or-nothing protection scheme for your folders and files.
  1. Read permission is the “look, don’t touch” option. Recipients can open, but not modify or delete a file.
  2. Read/Write is the “do anything” option. Recipients can open, modify, or delete a file.

The Old School Way

The old share dialog had more options and gave us the option to share the folder under a different alias, it allowed us to limit the number of simultaneous connections as well as configure caching. None of this functionality is lost in Windows 7 but rather is hidden under an option called “Advanced Sharing”. If you right click on a folder and go to its properties you can find these “Advanced Sharing” settings under the sharing tab.
If you click on the “Advanced Sharing” button, which requires local administrator credentials, you can configure all the settings that you were familiar with in previous versions of Windows.
If you click on the permissions button you’ll be presented with the 3 settings that we are all familiar with.
  1. Read permission allows you to view and open files and subdirectories as well as execute applications. However it doesn’t allow any changes to be made.
  2. Modify permission allows you to do anything that Read permission allows. It also adds the ability to add files and subdirectories, delete subfolders and change data in the files.
  3. Full Control is the “do anything” of the classic permissions, as it allows you to do everything the previous permissions allow. In addition, it lets you change NTFS Permissions; this only applies to NTFS folders.

NTFS Permissions

NTFS Permissions allow for very granular control over your files and folders. With that said, the amount of granularity can be daunting to a newcomer. You can set NTFS Permissions on a per-file basis as well as a per-folder basis. To set NTFS Permissions on a file, right click it and go to the file’s properties, where you’ll need to go to the Security tab.
To edit the NTFS Permissions for a User or Group click on the edit button.
As you can see, there are quite a lot of NTFS Permissions, so let’s break them down. First we will have a look at the NTFS Permissions that you can set on a file.
  1. Full Control allows you to read, write, modify, execute, change attributes, permissions, and take ownership of the file.
  2. Modify allows you to read, write, modify, execute, and change the file’s attributes.
  3. Read & Execute will allow you to display the file’s data, attributes, owner, and permissions, and run the file if it’s a program.
  4. Read will allow you to open the file, view its attributes, owner, and permissions.
  5. Write will allow you to write data to the file, append to the file, and read or change its attributes.
NTFS Permissions for folders have slightly different options, so let’s take a look at them.
  1. Full Control allows you to read, write, modify, and execute files in the folder, change attributes, permissions, and take ownership of the folder or files within.
  2. Modify allows you to read, write, modify, and execute files in the folder, and change attributes of the folder or files within.
  3. Read & Execute will allow you to display the folder’s contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder.
  4. List Folder Contents will allow you to display the folder’s contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder.
  5. Read will allow you to display the file’s data, attributes, owner, and permissions.
  6. Write will allow you to write data to the file, append to the file, and read or change its attributes.

Summary

In summary, user names and groups are representations of an alphanumeric string called a SID (Security Identifier), and Share and NTFS Permissions are tied to these SIDs. Share Permissions are checked by the LSASS only when being accessed over the network, while NTFS Permissions are only valid on the local machines. I hope that you all have a sound understanding of how file and folder security in Windows 7 is implemented. If you have any questions feel free to sound off in the comments.

How to Disable Startup Programs in Windows


The more software you install on your computer, the longer it may seem to take to start up Windows. Many programs add themselves to the list of programs started when you boot your computer, and that list can get long.
Editor’s Note: Obviously our more geeky readers already know how to do this, but this article is meant for everybody else. Feel free to share it with your non-techie friends!

Disabling Startup Programs in Windows

For some programs, it’s smart to have them start with Windows, such as anti-virus and firewall software. However, for most programs, starting them at boot-up just wastes resources and extends startup time. There is a tool installed with Windows, called MSConfig, that allows you to quickly and easily see what’s running at startup and disable the programs you prefer to run on your own after startup as needed. This tool is available and can be used to disable startup programs in Windows 7, Vista, and XP.
NOTE: MSConfig can be used to configure several things other than just startup programs, so be careful what you do with it. If you’re not sure about using it, just follow the steps in this article and you should be fine.
To run MSConfig, open the Start menu and type “msconfig.exe” (without the quotes) in the Search box. As you type, results display. When you see “msconfig.exe,” click on it or press Enter, if it is highlighted.
NOTE: If you are using Windows XP, open the Run dialog box from the Start menu, type “msconfig.exe” in the Open edit box, and click OK.
Click the Startup tab on the System Configuration main window. A list of all the startup programs displays with a check box next to each one. To prevent a program from starting up with Windows, select the check box next to the desired program so there is NO check mark in the box. Click OK once you have made your choices.
A dialog box displays telling you that you may need to restart your computer for the changes to take effect. Click Restart to restart your computer immediately. If you are not ready to restart your computer, click Exit without restart.
The free PC-cleaning utility CCleaner also has a tool that allows you to disable startup programs. In CCleaner, click the Tools button on the left side of the dialog box and click Startup to see the list of startup programs. The Enabled column indicates whether each program is set to start with Windows. To disable a program that is enabled, select the program in the list and click Disable. You can also enable programs that have been disabled.
NOTE: CCleaner does not seem to prompt you to restart your computer, so be sure to do so yourself.
There is a version of CCleaner that costs $24.95 and comes with priority technical support. However, there is a free version available on their builds page as an installable version and a portable version.
Note that some applications need to be configured to stop launching themselves when the computer boots, or they will just add themselves to the list of startup programs again. In this case, there is usually a setting in a program’s options to prevent it from starting with Windows.
We have also written about a tool called Soluto, which allows you to pause or delay startup programs to speed up the boot process.

How to Backup Profiles, Repair, and Tweak Windows Settings Using D7


D7 is a very useful, free tool for maintaining, repairing, and tweaking Windows, assisting in the removal of malware, and backing up all the user profiles on your computer. It can aid PC technicians in performing many tasks.
NOTE: D7 is intended for use by experienced PC technicians only, not for “end users.” It can be dangerous if not used very carefully. We recommend you also make a backup of all your data before using D7. You can use the DataGrab tool in D7 to make a backup.
D7 runs on Windows 7, Vista, and XP, and server operating systems and does not need to be installed. Simply extract the files from the .zip file you can download using the link at the end of this article.

Set Up D7

Many of the functions in D7 do not require third party tools to use. However, if you want to take advantage of all of D7’s capabilities, we recommend you install the extra tools. They are not distributed with D7, but the procedure to install them is straightforward.
Ketarin is the first tool we’ll install. This small application maintains a compilation of all important setup packages on your computer, which can be burned to a CD or put on a USB flash drive. Note that Ketarin is not meant to keep your system up-to-date.
To install Ketarin, download it from http://ketarin.org/. Extract the .zip file and copy the files to the 3rd Party Tools\Ketarin directory in the directory into which you extracted D7. If the directory does not exist, create it.
Next, download the command line version of 7-Zip from http://www.7-zip.org/download.html. Extract the 7za.exe file into the same directory into which you copied the Ketarin files.
Go to the directory into which you extracted D7 and double-click on the D7.exe file to run the program.
If the User Account Control dialog box displays, click Yes to continue.
NOTE: You may not see this dialog box, depending on your User Account Control settings.
The License Agreement dialog box displays. Select the I have read the EULA check box and click I DO Agree. A confirmation dialog box displays saying that you accepted the license agreement. Click OK to close the dialog.
The first time you run D7, the following dialog box displays. If you want to look at the many options available in D7, click OK.
Change any options you want to change, if desired. If you made changes, click Save & Close. If you don’t want to make any changes to the options right now, click Cancel & Close. You can always change the options later.
The first time you run D7, the Shell Extension Config dialog box also displays. You can choose to change these options now or wait until later. Click Save & Close to close the dialog box.
Once the D7 main window displays, click the blue question mark icon in the upper, right corner of the window. Select Update 3rd Party Tools from the popup menu.
When the Update 3rd Party Tools via Ketarin dialog box displays, click Update Default Profile.
You should see the following dialog box if the update was successful.
D7_DefaultApps should display in the edit box below the Update Default Profile button. Click Start Ketarin.
To update all the third party tools listed in Ketarin, click Update all.
The update progress for each tool displays. When the updates are all finished, select Exit from the File menu to close Ketarin.

Information About Your Computer

The Info tab in D7 displays information about your computer.

D7’s Menu Options

The icons in the upper, right corner of the D7 window represent the menus that would be available on a menu bar. Simply click the icons to access the menu options. Moving the mouse over an icon displays the name of the menu.
If you would rather use a menu bar, you can display one easily. Click the blue question mark icon and select Show Menu Bar from the popup menu.
The menu bar displays at the top of the D7 window.

D7’s Tabs

The Maint tab allows you to perform maintenance on your system, including tasks such as clearing event logs, deleting all temp files, emptying the recycle bin, syncing the time with internet time, and checking the Desktop and Start menu shortcuts. D7 also uses some Piriform software tools (CCleaner, Defraggler, and Recuva) to perform some tasks. Select the check boxes next to the tasks you want to run and click Start.
When you click Start on the Maint tab, D7 starts D7 Auto Mode and runs each item that is checked in the order listed. Some items run fully automated, not requiring user interaction to perform their tasks. Other items require you to select options when they run. Some items are not included at all in the Auto Mode run. These items have no check boxes next to them. See the Online Manual for more information about what is fully automated and what is not.
If you regularly run certain items, you can save what you have checked as the default settings in a configuration file that you can load easily. Click the blue Save Config link to save your selections.
When you click the Save Config link, the following dialog box displays to make sure you want to save the current configuration as the default configuration. Click Yes to save your configuration as the default.
The Repair tab provides tools for easily repairing parts of your system on your PC. You can perform tasks such as examining your hosts file, releasing and renewing your IP address, repairing and resetting the Windows Firewall, repairing Internet Explorer, and repairing system restore. Click the right arrows next to each item to repair that item.
D7 allows you to tweak many Windows settings. You can easily show and hide hidden files and file extensions, set the User Account Control level, and you can enable and disable the Taskbar balloon tips, the Indexing Service in Windows XP, and the Windows Search Service in 7 and Vista. You can also put the Internet Explorer icon on the desktop, create and delete the Windows 7 God Mode, disable Windows Defender, and set automatic logon options for the current user. Click the Show or Hide button to toggle the tweak, or click the right arrow button next to the item to change the setting.
The Malware tab allows you to scan your computer for malware and remove it when found. You can select Pre-Removal programs to run, select tasks to perform, select scanners and manual inspections to run, set up custom apps and D7 Originals to run, and select Post-Removal tasks to perform. Select the check boxes next to the items you want to run and click Start.
Again, just like on the Maint tab, when you click Start on the Malware tab, D7 starts the D7 Auto Mode and runs each item that is checked in the order listed. See the online manual for more information about the D7 Auto Mode on the Malware tab. One different feature about the D7 Auto Mode on the Malware tab, as opposed to the Maint tab, is if D7 crashes or the system restarts for some reason, D7 automatically picks up where it left off when the system is started again (as best it can) and D7 is run again.
As mentioned earlier, if you regularly run certain items on the Malware tab, you can save what you have checked as the default settings in a configuration file that you can load easily. Click the blue Save Config link to save your selections.
Use the Offline tab to work with offline Windows installations. The tools on this tab operate on Windows installations that do not boot by themselves, or can’t be repaired from within their own environments. Select a Target Partition from the drop-down list and select the check boxes for the items you want to run.
Again, you can save the items checked on this tab as a default configuration to easily run using the Start button on the tab.
End-users like having an application they can use to fix their registry, check computer health, tweak Windows, etc. You, as a PC technician, can provide your clients with a specially branded tool that satisfies their desire for a maintenance application and also provides a “business card” in the tool. The dSupport tab creates a custom maintenance tool for each of your clients with your logo and contact information so each client is reminded of you when they need further assistance with their computer. The makers of D7 describe dSupport as a “business card with a purpose.”
Generating a dSupport tool for your clients is not free, but does not cost much. For a one-time fee of $50, you can register dSupport and fully brand it with your company name. You have unlimited use of dSupport and can distribute it to as many clients as you want for the one-time fee.
The DataGrab tab provides a way to backup all your system and profile data, and other miscellaneous data on your computer. This is a handy feature if you are setting up another computer, or you need to redo your current computer. As a PC technician, you can backup your clients’ data before tweaking or repairing their computer as a safety measure. It uses Roadkil.net’s Unstoppable Copier tool that was installed using Ketarin. From the Roadkil.net site:
[Unstoppable Copier] Recovers files from disks with physical damage. Allows you to copy files from disks with problems such as bad sectors, scratches or that just give errors when reading data. The program will attempt to recover every readable piece of a file and put the pieces together. Using this method most types of files can be made useable even if some parts of the file were not recoverable in the end.
We recommend installing the third party tools using Ketarin as described at the beginning of this article so you can take advantage of the features of Unstoppable Copier when backing up your clients’ or your own data.

Closing D7

To properly exit D7, use the Close button. D7 uses various files and settings in various locations when executing its functions and the Close button is the only way to shut down D7 safely and remove these files and settings.
If you are working on a client’s computer, use the Close & Delete D7 Directory button to safely close D7 and have it clean up all the tools it uses and delete itself.
NOTE: Although it isn’t displayed on the titlebar of the program, D7 should be considered a BETA product, until further notice, according to their own website. Some features of D7 are not fully tested on all platforms.
There is a manual available on the above website that provides more information about each of the tabs in D7.

Keep Your PC’s Data Safe Using Create Synchronicity



Keeping your data safe by performing regular backups is important. However, how many of us actually remember to stop what we’re doing and back up our data manually? An easy-to-use, automatic backup solution would solve that problem.
Create Synchronicity is a free backup and synchronization tool that allows you to manually or automatically keep your data backed up. You can use it to copy almost any type of file, including documents, pictures, videos, and music, to any USB flash drive, external drive, or even a connected network drive.
See the link at the bottom of the article to download Create Synchronicity. You can download an installer or a .zip file containing the program in a portable format that needs no installation.
We downloaded the portable .zip file. To run this, simply extract the files from the .zip file and double-click the .exe file. If you would rather install the program, download the installer and follow the instructions in the setup wizard.
Select the language for the program from the drop-down list and click Ok.
The first time you run Create Synchronicity, you are asked if you want to check for updates when the program starts. Answer Yes or No to continue.
Before performing a backup in Create Synchronicity, you must create at least one profile. You can have multiple profiles for backing up different sets of files at different times.
Click New profile.
The text “New profile” is selected. Type a name for your profile and press Enter.
The profile settings dialog box displays. Specify the main directory to be backed up and the directory to which the files will be copied using the … buttons in the Directories box. Select subdirectories as desired and the Synchronization method.
You can also select to include or exclude certain files and some Advanced options.
Your new profile displays in the Profiles section of the main Create Synchronicity window. You can manually back up the files in your profile at any time by clicking on the profile and selecting Synchronize from the popup menu.
A dialog box displays showing the progress of each step in the backup process.
If you want to back up your files automatically, you can schedule a specific time to run the backup process in the background. To do this, click the profile you want to schedule and select Scheduling from the popup menu.
The Scheduling dialog box displays. There is a warning at the top of the dialog box telling you that Create Synchronicity has to register itself as a startup program to enable scheduling. This is done automatically, once you turn on scheduling.
Select the Enable scheduling for this profile check box and choose other options to specify how often you want the backup performed.
NOTE: When entering a time in the At edit box, use a 24-hour clock. For example, 3:00 pm would be entered as 15:00.
If your computer is off periodically when the backup process is supposed to run, you might want to turn on the Catch up missed backups option. This option tells Create Synchronicity to run any backup profile that was scheduled to run, but was postponed by more than two days. For example, say a backup was supposed to run on September 27 at 5:00 pm, and the computer was not on at that time. As of September 29, Create Synchronicity will periodically try to start the backup until it has been successfully started.
When a profile has been scheduled, a clock is added to the profile’s icon.
You can see what profile is supposed to run next and when by moving your mouse over the Create Synchronicity icon in the system tray.
When a scheduled backup runs, Create Synchronicity displays a message on the system tray icon saying the backup is running. Another message displays when the backup job is done.
If you close Create Synchronicity using the X in the upper, right corner of the window, it still runs in the background so scheduled backups can run. However, to open the program again, you need to start it using any shortcuts you created or the .exe file.
Create Synchronicity has many more handy features. For example, when backing up to a network drive, you can use the UNC path for that drive, such as \\192.169.0.25\MyBackupFolder\MySubFolder.
Create Synchronicity is fully portable. The settings for the program are stored in individual configuration files in a config directory located in the same directory as the program.
There are some advanced features such as a command line interface and the ability to change some hidden settings using the configuration files. For more information about these features and about using Create Synchronicity, see their manual at http://synchronicity.sourceforge.net/help.html.
Download Create Synchronicity from http://synchronicity.sourceforge.net/.