Hiding system folders on a shared computer

Page 1 of 2 12 LastLast

  1. Posts : 10
    Windows 7 Ultimate x64
       #1

    Hiding system folders on a shared computer


    Hello, I am sharing a computer with my son and I want to hide some programs from him, mainly Steam games, but not only. I have managed to hide them from his start menu. He has a standard account, so I think on that front we are OK.

    I have also managed to prevent him from accessing the control panel, and thus seeing the list of installed programs.

    But I have a problem:

    Windows explorer. I tried navigating from his account, and he can go into program files without any problem, he can even go into windows folder. He can not delete files, but he can run them. So, you know how kids are. He will see all the installed programs and try to run directly their .exe file. And even though he won't be able to launch Steam games, he will see a list of all installed games, and I want to prevent that from happening.

    He can even go to "Start", type "witch" and a few seconds later he'll be able to see that we have The Witcher 2 installed on the computer. He won't be able to launch it if I activate Parental Controls, but the damage is done.

    So, can anybody help me hiding certain folders (windows and program files) from a standard user explorer?

    Thanks!
      My Computer


  2. Posts : 4,161
    Windows 7 Pro-x64
       #2

    Yes. Use folder permissions. Log on as the Administrator. Open Windows Explorer then right click on a folder and select Properties. Click on the Security Tab then click on the Edit button. On the Permissions window, select the user you want to change and check the Deny boxes that apply.

    Here's a sample:
    Attached Thumbnails Attached Thumbnails Hiding system folders on a shared computer-folder-permissions.jpg  
      My Computer


  3. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #3

    Thanks! When I try to do that, I get two errors:

    1. Error Applying Security: An error occurred while applying security information to

    c:\Program Files (x86)

    Access is denied

    2. Windows Security: Unable to save permission changes on Program Files (x86)

    Access is denied

    --------------------------------------

    I got this when I tried to change permissions for my son's account on the program files folder (both of them) and on the windows folder.

    But I was successful when I tried with the NVIDIA folder.

    Are Program Files, Program Files (x86) and Windows folders special in that it is not possible to change permissions even as administrator?
      My Computer


  4. Posts : 4,161
    Windows 7 Pro-x64
       #4

    I was afraid of that. I didn't try it on Windows' reserved folders. I hesitate to recommend trying the Advanced options by taking ownership of the folder. (From Trusted Installer to Administrator) It may cause Windows to stop running. If it will even let you change it. Some experimenting with the location of installed programs might work. Most all installers let you choose the location of installed programs. I wonder if the "location" was created by you (Admin) that it would then let you set the folder permissions.

    I see that you have Ultimate. There's a feature in Ultimate and Enterprise versions called AppLocker that can restrict users from running executables (exe, com, dll, etc) but as I understand, it takes a heavy toll on performance. I don't have any experience with it so I can't help there. And I don't think it restricts viewing of folders.
    What Is AppLocker?

    I'll post a help needed request for someone more informed of to the security options. I've always been a One PC-One User person and never needed it in my environment so I'm behind.
      My Computer


  5. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #5

    Well, in the end I managed to achieve most of what I wanted. The whole story is here: Hiding system folders on a shared computer - User+Accounts - Windows 7

    Thanks for your help, carwiz.
      My Computer


  6. Posts : 10,485
    W7 Pro SP1 64bit
       #6

    apertotes said:
    Well, in the end I managed to achieve most of what I wanted. The whole story is here: Hiding system folders on a shared computer - User+Accounts - Windows 7

    Thanks for your help, carwiz.
    It sounds like you set the NTFS file permissions to Deny for specific folders/files in the Program Files folder(s) for your son's account. Is your account now listed as the owner of those folders/files? If so, it would be safer to return ownership to the Trusted Installer.
      My Computer


  7. Posts : 10
    Windows 7 Ultimate x64
    Thread Starter
       #7

    Can I return ownership to the Trusted Installer while still having my son denied permissions on some folders inside? And also, when I go to ownership I see only Me and Administrator accounts to select as owner's. If I click on "Other users and groups", and then "Advanced", I get a list with all the users and groups, but Trusted Installer is not there. I know that the user still exists, because it still has permissions granted on these folders, and because it is still the owner of the Windows folder. But I can not select it from the complete list of users and groups. So, how can I give him back the ownership of the folders?
      My Computer


  8. Posts : 10,485
    W7 Pro SP1 64bit
       #8

    The NTFS access and deny permissions should be unaffected by returning ownership to the TrustedInstaller. You can test it on one folder before fixing the other ones. Here is a tutorial on how to do that: TrustedInstaller - Restore as Owner (The steps are the same in Vista and W7.)

    The reason for returning ownership is: "ownership" is part of the Windows security model. This helps to prevent changes to these protected folders by not allowing user accounts (even admins ones) to change/infect files.
      My Computer


  9. Posts : 4,161
    Windows 7 Pro-x64
       #9

    I'm not sure about that. I drilled deep into Advanced user permissions and it wasn't listed. "TrustedInstaller" is a special group Windows uses. You'll see it appear in update and scan logs. It's not a real user per say.

    Enter this command from an elevated (Run as Administrator) command prompt (CMD). SFC /scannow
    If there's a problem with TI, it should show a message in the command window. This is a system file checker that verifies system file integrity and repairs it. It doesn't check permissions but if there's a permission problem it will error out.
    Attached Thumbnails Attached Thumbnails Hiding system folders on a shared computer-file-permissions-advanced.jpg  
      My Computer


  10. Posts : 10,485
    W7 Pro SP1 64bit
       #10

    carwiz,
    I think that we posted at almost the same time. I'm guessing that your statement, "I'm not sure about that" was meant to be a response to apertotes asking, "Can I return ownership to the Trusted Installer while still having my son denied permissions on some folders inside".

    I went ahead and tested my understanding of the relationship between item ownership and NTFS access/deny permissions. While I was at it, I threw SFC into the mix


    SFC does not show any "integrity violations" - even though there is a security problem. This shows the results of an SFC scan while the user account named username has ownership of what should be a protected folder.
    Hiding system folders on a shared computer-deny1.png


    As I expected, returning ownership to TrustedInstaller did not cause any integrity violations and the Deny permissions held.
    Hiding system folders on a shared computer-deny2.png


    This is what the standard user account named son sees after ownership of the IE folder (and its contents) has been restored to that special account named TrustedInstaller:
    Hiding system folders on a shared computer-deny3.png


    apertotes,I realize that the IE folder (and its contents) was not the target of your Deny permissions settings; it was just an easy example for my testing and screenshots.
    Hiding system folders on a shared computer-deny4.png
      My Computer


 
Page 1 of 2 12 LastLast

  Related Discussions
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 07:05.
Find Us