Need help understanding Windows NTFS permissions

Kefren

I'm not sure if this is the correct forum, but none of the others looked specific to this. And I apologise that I may not be asking the right questions - it is difficult for me to even understand what is niggling at me, because I don't understand what my OS is doing sometimes. I'll try and highlight questions in bold as they occur to me, the kind of things that will help me to understand how my PC (OS) works.

Okay, that said, here's my setup. I have always been the only user on my PC. Just one PC, one person.

My understanding, going back to my first 486, is that a Windows PC is made up of a formatted hard drive (FAT32 or - later - NTFS format, which affect how big a file can be, and compatibility with other operating systems), and a load of files, which generally have an extension which determines what it does. Files can be programs (.exe, .bat) or collections of non-executable data that need a program to understand (.txt, .docx, .mp3). Because they're just all files, there should be no problem backing them up, transferring them to another PC and so on.

I think my problems began when I moved from Windows XP to Windows 7 in 2012, but it is hard to remember back for sure. Let's assume I'm right. I was generally happy with Windows 7, it was definitely more stable, though Windows Explorer seemed more packed with options I didn't want to use and couldn't hide (Libraries, Homegroup, a computer name, Control Panel etc - I just wanted C:, D: etc, and maybe the "Favorites" which is quite handy).

The problem I ran into was when restoring or backing up files to an external drive. My synchronisation software was failing on some files. There seemed to be a lot of files where I got a red 'Access is Denied' message. They weren't encrypted or read-only, and used to transfer okay on Windows XP (they were just things like MP3 files).

I looked into it and it was all sorts of complicated stuff to do with a Security tab on each file, which displayed a list of "Group or user names" (none of which I recognised or had ever consciously chosen) each of which had different permission levels (again, which I had never set or changed). I had to fiddle about with that before the files could be moved or backed up. I spent ages trying to unravel it - again, it is hard to know what questions to ask, and who to ask them of. To my mind they should just be backed up or restored with no problems. I hadn't changed anything. I tracked it down to some silly Win7 permissions on the external hard drive, not letting files be written over or deleted in some cases. I changed the Users permissions to all the main categories, applied it to subfolders, and it then worked. It was annoyingly complicated though, and I hadn't known switching to Windows 7 would involve all these sorts of headaches.

I had another problem with some software. One bit of MP3 tagging software gave this error every time I ran it: "Error opening undo file" (then a path). When I clicked on ok it worked, but I had no idea what the error was. Eventually I fixed it by changing the permissions for the folder, giving full permissions to everyone.

I didn't understand the permissions/rights/groups things, and couldn't work out how to disable them - I just wanted them to be files, that anyone could use and access, as before. Maybe those features are useful to some people, such as power users (I'm just guessing), but for me, I just want a file. Maybe the option to make it read-only to prevent accidental deletion (which I sometimes did on Windows 3.1) could be handy, but I could even live without that.

I've never fully understood where all that stuff comes from; what the implications are (though it seems to affect backing up the files sometimes); whether I can delete it all or reset it. So first question: can I turn off whatever feature this is which is putting restrictions on what I can do with my files?
[I will summarise all the questions again at the end and number them]

I also wanted to know where the problems with permissions are coming from. One possibility is with files from different places/people? Are they coming with "owners" that aren't me, and causing problems?

Or could it be related to the PC name? For example, I reinstall Windows from time to time. I have to enter a name or something (I can't remember if it is meant to be me or for the PC) - there are no guidance notes at the time to indicate it is important. Since I don't know what it is used for I don't use my real name in case that somehow affects security/privacy/online anonymity, so I just type any old thing in such as "NA" or "NONE". But does that then somehow mean files belong to "NA", and when I next reinstall the OS and call my PC "NONE" Windows somehow thinks they are no longer my files on the backup drive?

Removing the stuff about security/ownership/permissions/rights/groups (I don't know if those are the same thing or not). Is there any way to disable this feature totally? For users in my position it just seems to cause problems.

Also, where is the information about security/ownership/permissions/rights/groups actually held? i.e. is it held in the registry, which has an index of all files and stores this information? [Implication: reinstalling Windows wipes it and lets you start afresh; the original files such as music, documents etc are untouched and pristine]. Or is the information added to the file itself (.mp3, .doc etc) as extra data/metadata even though I don't want that? [Implications: files bloat with unwanted data; files secretly accrue more and more weird "ownership/security" data over the years; possibly cause problems in the future if I move to another OS and try to use the files, or email one to someone?]

If the data is added to files themselves, is there any way to strip it all back out and reset them? Some software or command I can run that strips out all that extra Windows permission and makes the files just basic files again?


One place online seemed to suggest that the security/ownership/permissions/rights/groups data only exists due to NTFS, and that is as much of a factor as Windows 7. Is that true? If my drives were FAT32 rather than NTFS would that strip all the security metadata out of the files? Or would it leave the metadata there, but just ignore it (so right-click>properties on a file would no longer show Sharing/Security tabs, but the info would still be in the file somewhere, bloating it, but just invisibly?)

Do all versions of Windows 7 have this security/ownership/permissions/rights/groups stuff, or just Windows 7 Ultimate? Would life be easier if I bought a more basic version of Windows 7?

If I wanted an OS which doesn't use the security/ownership/permissions/rights/groups stuff, what are my options? Any other versions of Windows I could use? Linux? And will the security on my files cause problems if I move to another Windows OS, or Linux?


Sorry: to techie people this might all be clear, but as someone who just wants to create, copy and back up files (whether they are Word docs, photos, games or music) all the permissions stuff seems horrendously complicated. I'm doing my best to think back and try to clarify what I understand so you can see what a simple computer user thinks, though even my terminology might be incorrect. Basically there is all this security/ownership/permissions/rights/groups stuff - whenever I mention one of these things I mean them all - in my mind they're basically all related to an extra layer of restrictions applied to files. An unwanted layer, in my case, and one which I was never warned was part of upgrading from Windows XP (I wish the Windows 7 installer had explained some of this).

Lastly, I have read a lot on these topics. And I don't really understand them any better, because they all begin with assumptions which I can't fathom. If I can't get simple answers to my questions above, is there anything really simple I can read to understand what is going on, what the implications are, and how to manage it?


Sorry for the long message. One thing Windows doesn't do well is explain actually how it works, and what it is doing in the background in areas like this. It annoys me that it is so complicated, and I'm saddled with a feature I can't seem to turn off or understand the implications of. I am not even sure what questions to ask. When I Google things to do with file ownership and security and Windows it is way too advanced for me, and misses out on the fundamental explanation of what is going on - it just raises more questions.

I'll summarise my questions without all of the explanation, and number them in case that helps if anyone wants to tackle one but not the others.

1. can I turn off whatever feature this is which is putting restrictions on what I can do with my files?

2. I also wanted to know where the problems with permissions are coming from. One possibility is with files from different places/people? Are they coming with "owners" that aren't me, and causing problems?
Or could it be related to the PC name? For example, I reinstall Windows from time to time. I have to enter a name or something (I can't remember if it is meant to be me or for the PC) - there are no guidance notes at the time to indicate it is important. Since I don't know what it is used for I don't use my real name in case that somehow affects security/privacy/online anonymity, so I just type any old thing in such as "NA" or "NONE". But does that then somehow mean files belong to "NA", and when I next reinstall the OS and call my PC "NONE" Windows somehow thinks they are no longer my files on the backup drive?


3. Removing the stuff about security/ownership/permissions/rights/groups (I don't know if those are the same thing or not). Is there any way to disable this feature totally?

4. Also, where is the information about security/ownership/permissions/rights/groups actually held? i.e. is it held in the registry, which has an index of all files and stores this information? [Implication: reinstalling Windows wipes it and lets you start afresh; the original files such as music, documents etc are untouched and pristine].

5. Or is the information added to the file itself (.mp3, .doc etc) as extra data/metadata even though I don't want that? [Implications: files bloat with unwanted data; files secretly accrue more and more weird "ownership/security" data over the years; possibly cause problems in the future if I move to another OS and try to use the files, or email one to someone?]

6. If the data is added to files themselves, is there any way to strip it all back out and reset them? Some software or command I can run that strips out all that extra Windows permission and makes the files just basic files again?


7. One place online seemed to suggest that the security/ownership/permissions/rights/groups data only exists due to NTFS, and that is as much of a factor as Windows 7. Is that true? If my drives were FAT32 rather than NTFS would that strip all the security metadata out of the files? Or would it leave the metadata there, but just ignore it (so right-click>properties on a file would no longer show Sharing/Security tabs, but the info would still be in the file somewhere, bloating it, but just invisibly?)

8. Do all versions of Windows 7 have this security/ownership/permissions/rights/groups stuff, or just Windows 7 Ultimate? Would life be easier if I bought a more basic version of Windows 7?

9. If I wanted an OS which doesn't use the security/ownership/permissions/rights/groups stuff, what are my options? Any other versions of Windows I could use? Linux? And will the security on my files cause problems if I move to another Windows OS, or Linux?


10. Lastly, I have read a lot on these topics. And I don't really understand them any better, because they all begin with assumptions which I can't fathom. If I can't get simple answers to my questions above, is there anything really simple I can read to understand what is going on, what the implications are, and how to manage it?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom
OS
Windows 7 Ultimate 64 bit
CPU
Intel Corei5 Processor i5-750 (2.66GHz) 8MB Cache
Motherboard
ASUS P7P55D PRO: DDR3, S-ATA II, 3 x PCI-Ex, 2 x PCI
Memory
8GB (2x4GB) 1600 MHz DDR3 1.5V G.Skill Ripjaws-X memory
Graphics Card(s)
1GB NVIDIA GEFORCE 9800GT PCI EXPRESS
Hard Drives
2Tb Seagate Barracuda Green Oct 2012
Antivirus
Sophos
Browser
Chrome
I can't help you much, but I'll just give you my experience.

I'm like you: one PC; one human, sole proprietor and operator; close to 100,000 data files from various sources--Word, Excel, music, video, jpg, etc, as well as standard Windows files; no home network; no use for libraries, homegroup, etc. I like as much simplification as possible.

I copy and move my data files around constantly---to internal drives mounted internally, to internal drives mounted externally in a dock, and to USB flash drives connected to a standard USB port on the back of my PC. Never had a significant problem beyond failing drives.

I build my own PCs and have used nearly all Windows operating systems released in the last 20 years. I always carry over hundreds of gigabytes of data from PC to PC.

Having said that as background:

I frankly cannot recall any permission issues and have only a vague understanding of permissions, much like yourself. If I did start to have permission issues, I would be pretty much at a loss, just as you are.

Most of my data files were not originally made by me on any of my PCs. They were obtained. Most have been modified or edited in some way after they were obtained.

Regarding naming: every time I install Windows, I use a new "computer name" derived from my initials and the current date---something like JG-04-11-14. This has never posed a problem.

I've never used passwords to log onto my own PC.

I've never had any issues that I could trace to the file system, whether the current NTFS or previous variations of FAT.

I don't use any heroic security measures, just Windows firewall, Microsoft Security Essentials, Malwarebytes, and a couple of security-related extensions in my Palemoon browser.

None of the above helps you much, but it lets you know that a user (me) with a setup very similar to yours has no issues similar to yours.

So, I'm wondering about a few things:

Do you build your own machines?

How often do you reinstall Windows from scratch?

Do you know for a fact that files you personally made from scratch, such as "My favorite spaghetti sauce recipe.doc" eventually develop permission related problems? Rarely? Frequently? Some such files? Most such files? Do obtained files develop these issues more than home-made files?

Do you have any insight at all into WHICH files develop issues and WHEN they do?

Do you have a certain number of files that NEVER have had permissions issues?
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Ignatz Special; 4 speed manual gearbox; factory air conditioning; one of one
OS
Windows 7 Home Premium SP1, 64-bit
CPU
Intel Skylake i5-6600K, not overclocked
Motherboard
AsRock Z170M Extreme 4, micro ATX
Memory
8 GB HyperX DDR4-2666 (2 x 4 GB)
Graphics Card(s)
none; graphics are integrated on CPU
Sound Card
onboard: Realtek ALC1150; external: USB Behringer UF0-202
Monitor(s) Displays
Dell S2340M 23 inch IPS
Screen Resolution
1600 x 900
Hard Drives
System: Crucial MX100 series SSD, 128 GB;
Data: Samsung Spinpoint 103SJ, 1 TB;
Backup: WD Caviar Green WD30EZRX-00D8PB0, 3 TB
PSU
Rosewill SilentNight 500 watt fanless, semi-modular
Case
Antec Solo II
Cooling
Noctua NH-U12S; Noctua F12 intake, Noctua S12A exhaust
Keyboard
Microsoft 200 6JH-00001 USB
Mouse
Dell or Microsoft optical wired; USB
Antivirus
Microsoft Security Essentials and Malwarebytes Premium
Browser
Pale Moon
Other Info
All fans PWM; speeds at idle: CPU circa 500 rpm; intake circa 600 rpm; exhaust circa 600 rpm; CPU temps 27 idle and 47 C load in a warm room (27 C/81 F) when running Intel Extreme Tuning Utility stress test.
Thanks, it is useful to see a scenario that is very similar to mine!

> Do you build your own machines?

No, I buy them from PCSpecialist, then update bits and pieces over the years (RAM and hard drives, mostly; PSU once).

> How often do you reinstall Windows from scratch?

Mmm, it used to be about once a year or so with Windows XP. Since I got Windows 7 I think I have only done one reinstall of the OS, so that yearly reinstall is down to c.3 years per reinstall.

> Do you know for a fact that files you personally made from scratch, such as "My favorite spaghetti sauce recipe.doc" eventually develop permission related problems? Rarely? Frequently? Some such files? Most such files? Do obtained files develop these issues more than home-made files?
> Do you have any insight at all into WHICH files develop issues and WHEN they do?
> Do you have a certain number of files that NEVER have had permissions issues?

Sorry, I can't say with any certainty. As with any Windows problem I remember having problems, getting angry, swearing, searching online fora, and eventually resolving it (or giving up) - and unless it is something likely to recur (in which case I'll save notes) I then try and forget about it and move on. So I remember having the issue, but not what file caused it. I just know they were ones that used to cause no problems on XP.
 

I probably should add:

I do not use Windows built-in "user" directory structure (C:\users\......). Applications sometimes put stuff in there, but I NEVER do.

I don't know if that is significant for the security issues you are facing.

I save directly to my D drive, which is a physically separate drive, entirely distinct from C.
 

I assume only SOME files have the issues and others don't.

You need to find out why only some, rather than all.

Are they in a particular directory or sub-directory?

Were they obtained from a particular source?

Are they of the same file type--doc, exe, jpg, whatever?

Were they originally made on some particular PC or OS?

Were they all modified in some way?

Does the problem show up only in certain circumstances?

That type of thing.

It would be more understandable if ALL data files were affected.

Unless you say so, I'll assume it's not ALL.
 

> I probably should add:
>
> I do not use Windows built-in "user" directory structure (C:\users\......). Applications sometimes put stuff in there, but I NEVER do.
>
> I don't know if that is significant for the security issues you are facing.
>
> I save directly to my D drive, which is a physically separate drive, entirely distinct from C.

Actually, I do the same. I have the OS on C: (a partition). I never store files here, only use it for installing programs.
D: is where I store all my "files" (I never install programs to it). There are subfolders for mp3s, photos, and whatever else I decided to add.
When I do a backup I back up all of the d: (and anything temporarily on the desktop, which is like an easy workspace for me, because I can always see the left side of it, and it's the first option in save dialogues).
It's one of the reasons reinstalling Windows was so easy - although I would always back up the d: just to be safe, all I needed to do was reformat c:, install Windows to c:, and I was good to go - my data on d: was untouched (unless Windows was doing stuff behind my back).
 

> I assume only SOME files have the issues and others don't.
>
> You need to find out why only some, rather than all.
>
> Are they in a particular directory or sub-directory?
>
> Were they obtained from a particular source?
>
> Are they of the same file type--doc, exe, jpg, whatever?
>
> Were they originally made on some particular PC or OS?
>
> Were they all modified in some way?
>
> Does the problem show up only in certain circumstances?
>
> That type of thing.
>
> It would be more understandable if ALL data files were affected.
>
> Unless you say so, I'll assume it's not ALL.

Well, there are no visible problems with all of my files. Only some threw up errors. Of course, that doesn't mean that Windows isn't storing up problems for later if it is altering files without my knowledge (adding metadata etc) - that's one of the reasons why I want to understand what Windows does, regardless of the problems I had. Just how all this works. And I haven't compared the Security tabs on different File Properties. In fact, they themselves confuse me as soon as I look at them. It has headings for:

Authenticated Users [which should only be one, me]
SYSTEM [whatever that is - the OS? Does it get treated like a person?]
Administrators (NA-PC\Administrators) [which should only be one, me]
Users (NA-PC\Users) [which should only be one, me]

You can see why that is confusing, for PCs that are single user, and that user is also the administrator! There's no need for so many headings, each with their own subset of "Full control", "Modify", "Read & Execute", "Read", "Write", "Special permissions" [whatever that means]. I assume all but the last are meant to be ticked for each category? It seems clunky, for example, if there is a tick in full control, then the other headings become irrelevant. And this is the kind of thing where I wondered if the data is being stored in the file itself, or in Windows registry...
 

It's not the same issue, but is related: I just installed a game, went to rename the shortcut in my Start menu, and Windows 7 popped up:

"You'll need to provide administrator permission to rename this file"
Continue / Skip / Cancel

It is an example of how pointless all of this seems to any user who is the only user on their PC. "I am the administrator. I installed you, gave birth to you, set you up!" Yet Windows insists on popups forcing you to click "Continue" to do what you wanted it to do in the first place.

I wish I could just choose a setting on install that let me disable all this, and just have one user, administrator, and let me do whatever I want. It gets to the point where you don't even read all the prompts, you just press enter anyway, because you're so used to it popping up prompts every time you try and do something with your PC such as renaming a file. (Yes, I realise it must be something to do with where the game installed itself on the C:, but I still don't want all this stuff to do with permissions and so on. Let me delete or rename a file if I want. Let me take it back out of the recycle bin if I make a mistake. If I stuff it up then it is at least my fault then.)
 

1. Security has been a core concept of the NT platform from the very beginning. I know how to disable it only as a theoretical concept. I have never done it, never even contemplated it.

2. I will leave this to others.

3. Doing so would be highly insecure.

4. Security information is stored in the MFT (Master File Table) of the drive. There is an entry in the table for each file and folder on the drive.

7. In Windows 7 only NTFS volumes have security. FAT 32 does not. Modern versions of Windows must be installed on NTFS but FAT32 can be used for storage. FAT32 has one big problem in that it does not support files over 4 GB.

8. All editions of Windows 7 have security and it works the same way.

9. All versions of Windows released in the last 20 years with the exception of Windows 95, 98, ME are members of the NT platform and security is a basic concept. These systems will not install on modern hardware and will not run modern software. You can install Windows 2000 and XP on FAT 32 but installing such an OS on modern hardware is highly problematic and in many cases impossible. They are currently unsupported and have known security issues that will never be fixed. Running on FAT32 makes the security situation much worse.

All modern operating systems have security. Some very basic, command line only, versions of Linux may not. They will not run modern software and you can forget about them.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Pro 64 bit
CPU
Xeon W3520
Memory
8 GB
Graphics Card(s)
Nvidia Geforce 210
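
Answer 4 above says the security information is kept by the file system, one entry per file and folder; this added PowerShell example (not part of any post in the thread) reads those entries back for a folder tree and marks the ones that refer to an account the current Windows installation cannot name. `Resolve-SidName`, `Get-AclReport`, the scratch folder and the SID in the demo are constructed for illustration, and the script assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0+ and an NTFS volume.
# Resolve-SidName and Get-AclReport are names made up for this illustration.

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    # NTFS stores account identifiers (SIDs), not names. Translation fails when
    # the account does not exist on this installation of Windows.
    try   { return $Sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $null }
}

function Get-AclReport {
    param([Parameter(Mandatory = $true)][string]$Root)

    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # The current user is not even allowed to read the permissions.
            [pscustomobject]@{
                Path = $item.FullName; Entry = 'UNREADABLE'; Account = ''
                Known = $false; Rights = ''; Inherited = $null
            }
            continue
        }

        # One owner per file or folder.
        $ownerSid  = $acl.GetOwner($sidType)
        $ownerName = Resolve-SidName $ownerSid
        [pscustomobject]@{
            Path      = $item.FullName
            Entry     = 'Owner'
            Account   = $(if ($ownerName) { $ownerName } else { $ownerSid.Value })
            Known     = [bool]$ownerName
            Rights    = ''
            Inherited = $null
        }

        # The rows shown on the Security tab: explicit and inherited entries.
        foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
            $name = Resolve-SidName $rule.IdentityReference
            [pscustomobject]@{
                Path      = $item.FullName
                Entry     = [string]$rule.AccessControlType   # Allow or Deny
                Account   = $(if ($name) { $name } else { $rule.IdentityReference.Value })
                Known     = [bool]$name
                Rights    = [string]$rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# --- Constructed demo: a scratch folder holding one file -------------------
$demo = Join-Path $env:TEMP ("acl-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$file = Join-Path $demo 'song.mp3'
Set-Content -LiteralPath $file -Value 'placeholder content, not a real mp3'

# Constructed SID standing in for a user account from an earlier Windows install.
$oldSid = New-Object System.Security.Principal.SecurityIdentifier `
    'S-1-5-21-1111111111-2222222222-3333333333-1001'
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $oldSid, 'Modify', 'Allow')
$acl = Get-Acl -LiteralPath $file
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $file -AclObject $acl

# Full report, then only the entries whose account this PC cannot name.
$report = Get-AclReport -Root $demo
$report | Format-Table Path, Entry, Account, Rights, Inherited -AutoSize
$report | Where-Object { -not $_.Known } | Format-List Path, Entry, Account, Rights

Remove-Item -LiteralPath $demo -Recurse -Force
```

Pointing `Get-AclReport` at a backup drive and filtering on `Known` being false lists the files and folders whose owner or permission entries belong to an account that no longer exists on the current installation.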
> 3. Doing so would be highly insecure.
>
> 4. Security information is stored in the MFT (Master File Table) of the drive. There is an entry in the table for each file and folder on the drive.

Many thanks, that is useful.

Re: 3, above: this is a genuine question, can you give me a real world scenario for a single user PC like mine where the security (in terms of rights/permissions etc) benefits me? I'm curious as to where it is coming from, and I know in work environments we had to protect files from users, but on my own PC I can't see any real examples where it would benefit me.

Re: 4, thanks, that's useful to know - it's not adding anything to the file itself if permissions get changed. Presumably then, if I give a file to someone else, it will have no information about permissions/owners etc, and will be a blank slate? (Since friend X's PC won't have any access to my MFT, so will just see the file "as is").
 

Wow. There is a huge amount of info being discussed in this topic. Good questions.

> 3. Removing the stuff about security/ownership/permissions/rights/groups (I don't know if those are the same thing or not). Is there any way to disable this feature totally?

You are not the only user of your computer. Every time you allow the Windows operating system to update itself, a "user" named TrustedInstaller goes to work. For your protection, TrustedInstaller is not allowed access to your user generated files. System is another "user". I'll leave it at that for simplicity.


Do you have the User Account Control set to the default value?
 

My Computer

Computer type
Laptop
Computer Manufacturer/Model Number
Employer provided Dell Latitude
OS
W7 Pro SP1 64bit
CPU
i7
Memory
8GB
Graphics Card(s)
Intel HD Graphics
Hard Drives
crappy SSD
Antivirus
Employer mandated Symantec Endpoint Protection
Browser
Pale Moon 64bit, IE11 64bit & Chrome 64bit
> You are not the only user of your computer. Every time you allow the Windows operating system to update itself, a "user" named TrustedInstaller goes to work. For your protection, TrustedInstaller is not allowed access to your user generated files. System is another "user". I'll leave it at that for simplicity.

I see. Okay, I'll rephrase as I'm the only human user!

Presumably "TrustedInstaller" isn't separate, but counts as something under the user "System"? Files have security settings for

Authenticated Users
SYSTEM
Administrators (NA-PC\Administrators)
Users (NA-PC\Users)

[Just to confuse things, folders seem to be different:
SYSTEM
NA (NA-PC\NA)
Administrators (NA-PC\Administrators)]

So the only one of those who isn't "me" is SYSTEM, which I can understand is my Windows 7 OS. The others just complicate things for me. Suppose there were different settings/permissions for

Authenticated Users
Administrators (NA-PC\Administrators)
Users (NA-PC\Users)

- since I am all three, which one would apply when I clicked "delete"? I'm back to not understanding what is actually going on and how the OS works and treats my files... Sorry if I seem dense. In my case surely there is only a need for "Administrator", not the others. And I don't need complicated granular control of files.

> Do you have the User Account Control set to the default value?

Just checked - yes, it is at default, which is defined as "Don't notify me when I make changes to Windows settings."
(Though it often still does, e.g. renaming a file in some HD locations.)
 

Human user :-) :-)
That was the reaction that I was hoping for :-)
But hopefully, the analogy was useful.

TrustedInstaller is separate. It is not the same as SYSTEM nor is it a subset of SYSTEM. Check most any sub-folder in the Windows folder and you should see that SYSTEM is granted different security rights than TrustedInstaller.


My knowledge about the TrustedInstaller as a "user" was gained thru observation. It was a somewhat simplistic example and the analogy that the TrustedInstaller is a user might be flawed. I have read a few papers that attempted to explain various security concepts like Security Tokens and Integrity Levels... and yet, I'm none the wiser. Fortunately, it does not bother me to read stuff that I don't fully understand. Sometimes that info comes back to mind and a few things start to fall into place.

I don't know enough to address your questions/statements about these groups...
Authenticated Users
Administrators (NA-PC\Administrators)
Users (NA-PC\Users)

...but that won't stop me from rambling on :-)

The following info is a guess based on observation, experimentation and my readings.
This info could easily be wrong:
I think that Authenticated Users mostly deals with remote connections. That is, if you were to connect Windows Explorer from another computer to your computer, then Authenticated Users would come into play. At first glance, you might think that it would be safer to remove that group from files/folders - thinking that you don't want anyone to get to files/folders remotely. If I fully understood Microsoft's security model, I could say that removing that group did make things more secure. But I don't know enough to say that. Also, there might come a day when you do want to connect one computer to another computer (e.g. when moving things to a new computer). It would be a nightmare to put the Authenticated Users group back on all of the files/folders where Microsoft had it. It is best to leave it as is.

More specific to your question on deleting a file:
If you were connected to the computer from another computer, then deleting the file might be allowed if you connected as a member of the Authenticated Users group. If you deleted the file while sitting at the computer, then that might be allowed since you are a member of the User group. If the file being deleted is in a protected area like the Program Files folder, then the deletion might be allowed since you are a member of the Administrators group. You might not be able to delete the file via any of those means if the file is in use by one or more apps.

More guessing - but I'm pretty sure of this:
For your day to day operation of the computer, you are seen as a User. When something important (risky) needs to be done, that operation is elevated to the administrator level. Now do you see why you do need this granularity?

Not guessing:
For users that turn off the User Account Control - most every operation is done at the risky administrator level.


Let's say that you surfed to yahoo.com*. It is a somewhat reputable website. People probably would not say that you deserved to get infected because you surfed to a questionable website - and yet, yahoo.com infected lots of computers during the last part of 2014. These infections came in thru Flash based adverts. The yahoo.com servers were not infected, but 3rd party servers that delivered the adverts were compromised (and some still are). Most antivirus apps could not keep up with the quick pace at which variations of the infections were being served up. These infections required no user interaction (the user saw no warning and did not authorize changes to the system). For those that kept the User Account Control turned on, the infection could only do things at the user level. (That is not exactly true, but for simplicity, I'll leave it at that.) For those that turned the User Account Control off, the infection had full admin rights and could do "risky stuff" without any warning or prompts to the user.

*just one of thousands of websites serving up ransomware infections.


> Sorry if I seem dense.
You do not seem dense to me. You are tackling topics that most just ignore - or worse, make drastic changes to without understanding the implications.
 

> Check most any sub-folder in the Windows folder and you should see that SYSTEM is granted different security rights than TrustedInstaller.

You're right: those folders don't have "Authenticated Users" or "NA (NA-PC\NA)" but they have two extra ones: "CREATOR OWNER" and "TrustedInstaller".

So there are even more different types of "Group or user names" than I first thought... And different folders have different combinations of them, with different sets of permissions, different ticks in the "Allow" or "Deny" columns... Yikes.
 

Malware in all its forms has become very sophisticated in recent years. By default software runs with the same rights and permissions as the user account it is running under. If that software is trusted then all is well, at least for the most part. But if that software is malicious, and it is almost impossible to avoid this, then you have a problem. If your account has full and unrestricted access to all files then that malicious software will as well. You can be sure that it will take full advantage of this for its benefit and your cost.

At the turn of the century it was acceptable for expert users to have full and immediate access. But with the introduction of XP the NT platform operating systems came into the hands of novice users who knew little of computers and didn't want to learn. And most of them were running under an admin account. That is a dangerous combination, particularly when malware is on the rise. By the time Vista was released this situation was deemed unacceptable as a default state.

It had always been a best practice to use a limited account for general use, reserving an admin account for when it was really needed. With a limited account you limited the possibility of accidentally making potentially dangerous mistakes. And even experts make mistakes. And when running under a limited account malware is limited in its potential for damage. But many users, particularly those who would have benefited the most, found this too inconvenient. Thus they used an admin account at all times.

Thus UAC was introduced with the release of Vista. It provides most of the benefits of using a limited account but with fewer inconveniences. When logged in with an admin account you actually had only the rights and privileges of a limited account. Only by request do you attain full access.

UAC is a good compromise between security and convenience. Even when using an elevated admin account there are still restrictions on particularly sensitive areas. But it is always possible for an admin user to access these areas if necessary.

Security always has its price and that price is paid in part in loss of convenience. But at a time when malware is becoming an ever greater danger that price is in my view a worthwhile one.

Wise computer users accept this loss in convenience in the same way they use a seat belt when riding in a car. In the early days of seat belts there was widespread resistance to them. They were considered too inconvenient. Now most people use them, if for no other reason than that it is required by law.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP
OS
Windows 7 Pro 64 bit
CPU
Xeon W3520
Memory
8 GB
Graphics Card(s)
Nvidia Geforce 210
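An added example, not part of any post in this thread: a simplified Python model of the Windows access check, covering the question above about which of several group entries applies on delete and the description of UAC running an administrator with limited rights until elevation. The account, the DACLs and the class names are constructed; only the file's own DACL is modelled, so owner rights and the parent folder's delete-child right are left out.

```python
from dataclasses import dataclass

# Real access-mask bits from winnt.h; everything else here is constructed.
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x0001, 0x0002, 0x00010000
FULL = FILE_READ_DATA | FILE_WRITE_DATA | DELETE

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # user or group the entry names
    mask: int   # access bits it grants or denies

@dataclass(frozen=True)
class Token:
    enabled: frozenset                  # identities matched by allow and deny entries
    deny_only: frozenset = frozenset()  # identities matched by deny entries only

def access_check(token, dacl, desired):
    """Walk the entries in order; True only if every desired bit gets granted."""
    granted = 0
    for ace in dacl:
        if ace.kind == "deny":
            hit = ace.sid in token.enabled or ace.sid in token.deny_only
            if hit and ace.mask & desired & ~granted:
                return False                # a matching deny stops the walk
        elif ace.sid in token.enabled:
            granted |= ace.mask & desired   # allows accumulate across groups
        if granted == desired:
            return True
    return False                            # bits nobody granted are refused

# Hypothetical account "NA": one person, several identities in the token.
BASE = frozenset({"NA-PC\\NA", "Users", "Authenticated Users"})
FILTERED = Token(BASE, frozenset({"Administrators"}))   # UAC on, not elevated
ELEVATED = Token(BASE | {"Administrators"})             # after the UAC prompt

# Constructed DACLs, deny entries first as Windows orders them.
MP3_FILE = [Ace("allow", "SYSTEM", FULL), Ace("allow", "Administrators", FULL),
            Ace("allow", "Authenticated Users", FULL),
            Ace("allow", "Users", FILE_READ_DATA)]
PROGRAM_FILE = [Ace("allow", "Administrators", FULL),
                Ace("allow", "Users", FILE_READ_DATA)]
LOCKED_FILE = [Ace("deny", "Users", DELETE)] + PROGRAM_FILE

if __name__ == "__main__":
    for name, dacl in [("mp3", MP3_FILE), ("program", PROGRAM_FILE), ("locked", LOCKED_FILE)]:
        print(name, access_check(FILTERED, dacl, DELETE), access_check(ELEVATED, dacl, DELETE))
```

No single entry is picked: every entry naming any identity in the token is considered, so the delete succeeds as soon as one matching allow entry grants it, and fails for everyone in a group that a deny entry names, elevated or not.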
> Malware in all its forms has become very sophisticated in recent years.

Thanks. What you say makes sense. I suppose my problem is that all the security/permissions stuff that seems to be attached to files and folders (but is not, as someone else pointed out) should ideally either be invisible to the end user (which it might have been if I hadn't run into problems with it) or be simple to understand, or explained in some way, so you know what to do when things go wrong, and what the implications of actions are. I'm trying to understand the basics of how it works, and the fact that it's not consistent (e.g. clicking on different files and folders and looking at the security tab shows different headings, in different orders, and have different ticks leading to hundreds of possible combinations per file, and no indication of what "the default" should be, or how to reset it to that if things have changed).

I used to understand it with the older versions of Windows, where it was just one or two tick boxes on file properties that I needed to pay attention to, but now there are hundreds of combinations of user groups and where the tick boxes are for each one for a single file, and I don't know if they can cause problems when sharing files, or transferring them to a new OS etc. The changes you mention make some sense (though I can't help but feel it has been implemented in a very clunky way, because it seems like I can't understand it easily without going to external sources). Or maybe it's just me! I just want to know that my files are the same as they ever were (i.e. aren't having extra permission gunk added, which looks like it has been when you right click Properties), and they won't ever lock me out from accessing them because of something Windows does to them. I can see it is a very abstract topic, I was hoping I'd be able to visualise things in a more concrete way, probably my incorrect expectation at play there! Many thanks.
 

> ...I just want to know that my files are the same as they ever were (i.e. aren't having extra permission gunk added, which looks like it has been when you right click Properties),...

Post #9 states:
~~~
4. Security information is stored in the MFT (Master File Table) of the drive. There is an entry in the table for each file and folder on the drive.
~~~

The security info is not added to the files - as far as I know.
 

Windows security system seems very complex because it is in fact very complex. And it is in fact far more complex than it seems on the surface. All modern operating systems are. Considering what it must do it is hard to imagine it being otherwise.

The average user isn't expected to understand Windows and NTFS security. In fact I would suggest they shouldn't even try unless they care to take the time to do it properly, and that is going to take time and effort. But this is the day of instant everything and people want to know everything right away without serious effort.

There is an old saying that is very relevant here:

"A little knowledge is a dangerous thing".

I have seen so many cases on forums where someone has learned a little about NTFS security and then tried to apply this limited knowledge, and got themselves into serious trouble. What you don't know can hurt you.

The security information in the MFT has meaning only while a file remains in the volume. When copied elsewhere it will usually take on the security attributes of the folder it is copied to. This is very much simplified.
 

> The security information in the MFT has meaning only while a file remains in the volume. When copied elsewhere it will usually take on the security attributes of the folder it is copied to. This is very much simplified.

Many thanks, that's useful. I don't know what caused the original problems which wouldn't let me copy some files, but maybe I'm worrying for no reason.
 
