
Windows 7: multi-users: how to prevent altering executables, but allow config?

28 Aug 2015   #1


OS: Win7 family premium home 64 bits

I have several accounts on a PC, only one has admin privilege.

How do I prevent all users from deleting/altering/creating/adding the content of a folder and its sub-folders, in particular exe and dll, but allow text files such as config & log files to be altered/modified/created?

By preventing, I wish either some password confirmation - just as for the parental check - or at least like the commands enforced to run with admin privileges.

Even the admin account shouldn't be allowed to delete without having a mechanism like the commands that run with admin privileges, e.g. chkdsk.

Many thanks.

02 Sep 2015   #2

Windows 7 Ultimate x64

What you describe is pretty much the default file system structure in Windows. Some predefined folders together with their default access permissions make this scenario the common rule rather than an exception.

Program code and assets should go into program files (by default "c:\program files" and "c:\program files (x86)"). This location is read only for standard users but allows admins to write there, which makes sense in that normal users cannot install or modify programs but still can run them. It's also the reason why installers always ask for elevation.

Configuration files, all user-generated data and such should go into the user profile instead (c:\users\<username>, by default). This location is read-write for this particular user and non-accessible for anyone else (save admins, of course). This makes it the ideal location for configuration files, within AppData or user documents, using documents, desktop or similar per-user folders. Not only does this distribution fulfill your requirement, but it also provides isolation for each user's settings, as each one gets his own copy of the data files (this being the reason why each account gets different desktop settings, etc.).

By just installing that program in such default locations you immediately get all you want, plus it is enforced by the OS itself. Users attempting to change the exe or similar will just get an access denied or UAC prompt at most, which only the admin can elevate to carry out the action. User data, meanwhile, is fully accessible to each one, but isolated from others.
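The permission layout described in the answer above can also be applied to a folder outside Program Files. The following is an added example, not part of the original thread; the paths `C:\Apps\MyTool` and its `data` subfolder are hypothetical. NTFS permissions apply per file or folder, not per file extension, so the writable config and log files are kept in their own subfolder.

```powershell
# Added example; run from an elevated PowerShell prompt.
# Hypothetical paths: adjust to the real application folder.
$AppRoot = 'C:\Apps\MyTool'           # executables and DLLs: read-only for users
$DataDir = Join-Path $AppRoot 'data'  # config and log files: writable for users

# Well-known SIDs, so the script does not depend on the Windows display language.
$Admins = '*S-1-5-32-544'   # BUILTIN\Administrators
$System = '*S-1-5-18'       # NT AUTHORITY\SYSTEM
$Users  = '*S-1-5-32-545'   # BUILTIN\Users

# Refuse to run without an elevated token; the ACL changes would fail halfway.
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $me).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this script elevated (Run as administrator).' }

if (-not (Test-Path $DataDir)) {
    New-Item -ItemType Directory -Path $DataDir | Out-Null
}

# 1. Explicit entries on the root: full control for Administrators and SYSTEM,
#    read and execute for standard users. (OI)(CI) makes files and subfolders
#    inherit the entry. Granting first avoids leaving the folder with an empty ACL.
icacls $AppRoot /grant:r "${Admins}:(OI)(CI)F" "${System}:(OI)(CI)F" "${Users}:(OI)(CI)RX"

# 2. Drop the entries inherited from the parent folder, which may give
#    ordinary accounts write access.
icacls $AppRoot /inheritance:r

# 3. Reset everything below the root to inherited-only permissions, so that no
#    file keeps an older, more permissive explicit entry.
icacls "$AppRoot\*" /reset /T /C

# 4. Add Modify for standard users on the data subfolder only.
icacls $DataDir /grant "${Users}:(OI)(CI)M"

# 5. Print the resulting ACLs for review.
icacls $AppRoot
icacls $DataDir
```

After this, a standard account can run the program and edit or create files under `data`, while changing an exe or dll in the root requires elevation.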
03 Sep 2015   #3


Thanks Alejandro85, but

1/ "c:\program files (x86)" is dedicated to 32-bit apps, while "c:\program files" is for 64-bit ones, and one may wish (I do) not to make this distinction.

2/ Some apps "cannot run from 'C:\Program Files (x86)' folder!", see for instance:
* RBTray Portable cannot run from "C:\Program Files" folder!? | - Portable software for USB, portable and cloud drives
* Can't run installed program within Program Files (x86)