Introduction - About NTFS Permissions
NT6 refers to Windows Vista and Windows 7. (And now, also, Windows 8.)
Windows 2000 is NT v. 5
Windows XP is NT v. 5.1
Windows Vista is NT v. 6
Windows 7 is NT v. 6.1
(Windows 8 is NT v. 6.2)
NTFS is a type of hard disk formatting that provides the
ability to set up permissions/restrictions on file system items. Windows 2000 and XP can
be installed with NTFS formatting or FAT32 formatting. Windows Vista/7/8 can only
be installed with NTFS. That means file restrictions on Vista/7/8 are unavoidable.
NT6 Restriction Fix is designed for a simple purpose: To give you greater
control over your own PC by granting you full access to any folders and files
you want access to, easily.
How Permissions Work
To understand file restrictions in Windows it's important to know that Windows
is designed primarily to function as a corporate workstation operating system.
Microsoft makes a "Home" version of Windows, and a "Professional" version,
but all versions are basically the same workstation design. The different versions are just a
marketing gimmick, with various minor features added or left out of a particular version. Workstations are
meant to be used by any number of people who are corporate employees, none of whom has a right to do
anything but assigned work on the computer they use. That's why you can change
your wallpaper on Vista/7/8 but can't change or delete most files. The default
settings assume that everyone who uses the PC is a low-level corporate employee.
Permissions are assigned for actions such as read, write, execute.
Write includes deletion. Execute refers to running an executable file. There are
default permissions for each status group. The relevant groups to know about are as follows:
Administrators: This is the group that formerly had
the silly moniker "Power Users". On Vista/7/8 an Administrator is someone who is generally
restricted but has the option to "elevate" their permissions. The constant, inane nags saying that
you need to approve what you just did are elevation prompts. The only true Administrator
on Vista/7/8 is the default Administrator, named "Administrator". That account is not visible by
default but one can make it visible and choose to use it as the normal login, thus making Vista/7/8
act more like XP.
Users: A normal "user" is someone with an account
on the system who is not an Administrator. The Users group is restricted in its access and has
no option to elevate.
Everyone: This group includes all named Users but
also Guest and Anonymous user login.
File restrictions/permissions in Windows are very complex. Microsoft has made them that way deliberately.
Microsoft systematically manufactures abstruseness for a number of reasons:
1) If Windows is hard to use and understand then a lot of money can be made on books and classes.
2) Abstruseness also valorizes the job of the IT worker, requiring that they take said classes, allowing tech
support people to command higher salaries, and thereby encouraging them to keep using Windows
and to approve of further abstruseness.
3) Perhaps the biggest reason for manufacturing abstruseness is to protect
the system. Most settings in Windows are so difficult to understand, so hard to find, and so poorly
documented, that most people other than system administrators have no chance of adjusting the
system for themselves. That makes Windows stable and it generally prevents corporate employees
from changing settings. For example, Internet Explorer has literally thousands of settings, which
are not fully explained anywhere (least of all in the Windows help),
and which can be secretly overridden by further arcane IE settings that few people other than system
administrators know about. So even if a corporate employee knows about IE settings, they have no
hope of actually controlling those settings themselves. ...And even that fact is hidden from them.
The big problem with this approach of security-through-abstruseness is that there
are hundreds of millions of home and small office Windows users who own their own PCs and
should understand how to adjust system settings. The longstanding security problems
with IE are a good example of the failure of the Microsoft strategy. System administrators and
malware authors know how to control IE, but the people who actually use the browser do not.
Managing file restrictions is a topic at least as abstruse as any in Windows. The only
way that Microsoft provides to do it programmatically is through a pair of primitive command-line
tools known as takeown and icacls.
(Even the names are mysterious.) The whole point of NT6 Fix is to provide a simple, efficient way
to remove any restrictions at will, quickly, easily, and without needing to learn special command-line incantations.
Using NT6 Fix
To use NT6 Restriction Fix, browse for a folder or file, or drop it onto the text
input field in the program window. You can choose anything
from a single file to an entire drive such as C:\, D:\, etc.
• Check "Include subfolders" to perform a recursive
operation, setting permission on all subfolders and files. Uncheck "Include
subfolders" to set permissions only on the selected folder and its files.
• Select the "Administrators" option to set full access permission for all
Administrators. Select the "Users" option to set full access for anyone using
the PC. (See the last part of this section for important information about removing
restrictions for Users.)
• Then just click the Set Free button. You may have to wait several moments,
or even minutes, if you set permissions on high-level folders such as Windows,
System32, etc., because every single file and folder must be processed
individually. Once the item is "set free" it can be moved, deleted, edited, etc.
How NT6 Fix Works
The whole design of Windows restrictions is a ridiculous, Rube Goldberg-style fiasco. But it can
be dealt with. There is an "owner" of any file or folder, and there are also permissions for that
file or folder, depending on the status group one is in. An Administrator cannot change permissions
on an item they don't own, but they can take ownership, and then change permissions, at least for all
Administrators. If they
try to take ownership in order to remove restrictions for all Users it won't work. But if they take
ownership to remove restrictions for all Administrators, they can then, in a separate operation,
remove restrictions for all Users! (As the saying goes, you couldn't make this stuff up.)
So, Then... How Does One Use NT6 Fix, Given Such a Convoluted System?
NT6 Fix is designed to get around all the nonsense. If you normally run as an Administrator you probably won't want to remove
restrictions for Users. In that case you can remove restrictions for all Administrators any time
you need to, on any items you like. You will then be free to run, write, delete, etc.
Removing restrictions for all users: If you
want to remove restrictions for all Users, that is normally only possible if you yourself have
created the item in question. And if you try to take ownership in order to remove restrictions for all users
it will fail. To get around that limitation, first remove restrictions for all
Administrators, which will give you ownership of the item. Then, in a second operation, remove
restrictions for all Users. That should work in most or all cases, even with system files. (The whole thing makes no sense, but it works.)
Command Line
The command line functionality is limited. There is one option:
/S silent operation; suppresses message box window when an operation is finished.
The command should consist of a file or folder path:
[Path to FixNT6.exe] [Full path of file or folder]
C:\FixNT6.exe C:\Windows\SomeFolder
C:\FixNT6.exe /S C:\Windows\SomeFolder
C:\FixNT6.exe C:\Windows\SomeFolder\SomeFile.txt
C:\FixNT6.exe /S C:\Windows\SomeFolder\SomeFile.txt
The command line method is equivalent to selecting the Administrators
option and checking the box marked "Include Subfolders". There is no option at
command line to remove restrictions on a single folder only, while leaving restrictions on
subfolders. Nor is there an option to remove restrictions for all users. (In the vast majority of
cases those limitations will probably not be a problem.)
Context Menu
In the Settings window one can choose to add a context
menu so that "Set Free With NT6 Fix" will show when right-clicking a file or folder.
As with command line, the context menu function is equivalent to selecting the Administrators
option and checking the box marked "Include Subfolders".
(On later versions of Windows, context menus may not always work
as expected due to restrictions. Also, to create or remove the context
menu item you must have Administrator permission.)
There is also an option to enable/disable a message
window when the operation is finished. If "Show message with context
menu operation" is unchecked there will be no message shown. If the
option is checked, a message box window will serve to provide the
report that the textbox normally provides in the main program window.
Caveats
Using NT6 Restriction Fix is not recommended if you do not know the basics
about the Windows operating system and security issues. Removing restrictions
on system files means that if you unwittingly install "malware" it will share in
your freedoms. And if you unwittingly delete the wrong files you may not
be able to recover Windows functionality. Anyone who chooses to remove
restrictions should understand the implications. Ideally you should have backups.
(Real backups like disk image backup. Not just a "restore point".) And you should
have good online security.
NT6 Restriction Fix can remove restrictions. It cannot put them back.
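The two-pass procedure from "How NT6 Fix Works", done by hand with the takeown and icacls tools named earlier, with the existing permissions saved first because NT6 Restriction Fix cannot put restrictions back. This is an added example, not code from NT6 Restriction Fix or its author; the target path, the backup file name and the Invoke-Native helper are assumptions made for illustration.

```powershell
# Added example (not NT6 Fix's code). Run from an elevated PowerShell prompt.
param(
    [string]$Target  = 'D:\Data\SomeFolder',         # constructed sample path
    [string]$AclFile = "$env:TEMP\acl-backup.txt",   # constructed backup location
    [switch]$AlsoUsers                                # second pass for the Users group
)
$ErrorActionPreference = 'Stop'

$item   = Get-Item -LiteralPath $Target -Force
$isDir  = $item.PSIsContainer
$parent = Split-Path -Parent $item.FullName
if (-not $parent) { throw 'Pick a folder or file, not a drive root, so /restore has a parent.' }

function Invoke-Native([string]$Exe, [string[]]$ArgList) {   # hypothetical helper
    & $Exe @ArgList
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# Well-known SIDs avoid localized group names: Administrators and Users.
$admins = '*S-1-5-32-544'
$users  = '*S-1-5-32-545'
# Folders pass the grant on to children; a lone file takes a plain Full control entry.
$rights  = if ($isDir) { ':(OI)(CI)F' } else { ':F' }
$recurse = if ($isDir) { @('/T') } else { @() }

# 1. Save the current DACLs. icacls /save does not record owner, SACLs or integrity labels.
Invoke-Native icacls (@($item.FullName, '/save', $AclFile) + $recurse)

# 2. Take ownership for the Administrators group (/A), recursively for folders.
#    '/D Y' answers the prompt on English systems; the letter is localized elsewhere.
$own = @('/F', $item.FullName, '/A')
if ($isDir) { $own += @('/R', '/D', 'Y') }
Invoke-Native takeown $own

# 3. Grant Administrators full control.
Invoke-Native icacls (@($item.FullName, '/grant', "$admins$rights") + $recurse)

# 4. Separate, later operation for Users, as the text describes.
if ($AlsoUsers) {
    Invoke-Native icacls (@($item.FullName, '/grant', "$users$rights") + $recurse)
}

# To put the saved DACLs back, restore against the PARENT of the saved item:
"Restore with: icacls `"$parent`" /restore `"$AclFile`""
```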
Much of the bloat on Vista/7 can be safely removed, but cleanup is not without
risks. For example, while the DriverStore\FileRepository folder should be safe to
remove, the monstrously bloated and superfluous winsxs folder is more delicate.
The files in that folder are unnecessary by definition, but Vista/7 is a tangled,
poorly documented and brittle product. If you just remove winsxs you may experience
odd effects, including the possibility that Windows will not boot at all. Be prepared
for some experimentation and research.
Troubleshooting
Error codes and messages:
NT6 Restriction Fix uses two types of error reporting to provide information
about the results of operations. When the procedure succeeds the
textbox in the lower part of the window will typically just report the
total number of folders processed.
If the operation fails at any point, some sort of error information
will usually be available for possible debugging purposes. In general,
when setting permissions for Administrators, any failure is likely to
be in taking ownership. When setting permissions for all users, any
failure will be related to access: The setting of permissions itself fails
because the current user does not have authority. (With that problem, try
freeing the item(s) for all Administrators first. Then, in a separate operation,
free the item(s) for all Users.)
In addition to the internal error report for NT6 Restriction Fix, in most
cases a Windows error will also be returned. The Windows error numbers
correspond to errors listed in the WINERROR.H header file. Some typical
errors:
2 - file not found
3 - path not valid
5 - access denied
15 - invalid drive path
32 - file in use, cannot be accessed
111 - file name or path is too long (Unexpected problems can often occur with
a file path over 255 characters in length.)
Problems with folder/file paths:
Windows Vista/7 is designed to lie to you, "for your own good".
If you want to see hidden files and folders you need to change
the settings in Control Panel -> Folder Options -> View. Even then,
you may find odd behavior. There may be missing folders when
you browse for them in NT6 Restriction Fix. That may vary depending
on who is logged on. For example, you might see the folder
C:\Windows\System32\Drivers\etc in Explorer, but not when you browse
for it in NT6 Restriction Fix. If you have such problems they can be
bypassed by entering the folder or file path manually in the NT6
Restriction Fix path textbox.
Update Information
The current version, 1.14.202, is a minor update of the original
version. It includes choices of whether to show a confirmation and information
message when command line and/or context menu operations are finished. It
also includes a minor bugfix: In the original version, the processing counter was
not reset when removing restrictions on folders for all users, after the same
operation had already been done for Administrators. The result was a harmless
but inaccurate folder count error. The second run, for all users, would report double
the number of folders processed.
License:
You use all script code and components from JSWare at your own risk.
The components (compiled DLL and EXE files) may be used for personal or
commercial purposes. No payment or attribution is required for either use.
The components may be redistributed if they are required as support files
for scripts or software that you have written.
Also, the script code may be used freely, in part or as whole scripts,
for any purpose, personal or commercial, without payment or attribution.
I ask only that you not redistribute these scripts and components, except
as required for your direct use. Instead, please direct others to obtain copies
of JSWare scripts and components directly from www.jsware.net.
Also, none of the code here may be redistributed under another license. If a
work using code from JSWare is distributed with restrictions of any kind
the code from JSWare must be kept exempt from those restrictions.
This includes, but is not limited to, code sold for profit, code with usage restrictions
and code distributed as so-called "Open Source" with redistribution restrictions.
Joe Priestley