NT6 Restriction Fix - Help

Current Version 1.14.202 - February, 2014

Contents:
Introduction - About NTFS Permissions
How Permissions Work
Using NT6 Fix
Command Line
Caveats
Troubleshooting
Update Information
License


Introduction - About NTFS Permissions
NT6 refers to Windows Vista and Windows 7. (And now, also, Windows 8.)

Windows 2000 is NT v. 5
Windows XP is NT v. 5.1
Windows Vista is NT v. 6
Windows 7 is NT v. 6.1
(Windows 8 is NT v. 6.2)

   NTFS is a type of hard disk formatting that provides the ability to set up permissions/restrictions on file system items. Windows 2000 and XP can be installed with NTFS formatting or FAT32 formatting. Windows Vista/7/8 can only be installed with NTFS. That means file restrictions on Vista/7/8 are unavoidable.

   NT6 Restriction Fix is designed for a simple purpose: To give you greater control over your own PC by granting you full access to any folders and files you want access to, easily.


How Permissions Work
   To understand file restrictions in Windows it's important to know that Windows is designed primarily to function as a corporate workstation operating system. Microsoft makes a "Home" version of Windows, and a "Professional" version, but all versions are basically the same workstation design. The different versions are just a marketing gimmick, with various minor features added or left out of a particular version. Workstations are meant to be used by any number of people who are corporate employees, none of whom has a right to do anything but assigned work on the computer they use. That's why you can change your wallpaper on Vista/7/8 but can't change or delete most files. The default settings assume that everyone who uses the PC is a low-level corporate employee.

   Permissions are assigned for actions such as read, write, execute. Write includes deletion. Execute refers to running an executable file. There are default permissions for each status group. The relevant groups to know about are as follows:

Administrators: This is the group that formerly had the silly moniker "Power Users". On Vista/7/8 an Administrator is someone who is generally restricted but has the option to "elevate" their permissions. The constant, inane nags saying that you need to approve what you just did are elevation prompts. The only true Administrator on Vista/7/8 is the default Administrator, named "Administrator". That account is not visible by default but one can make it visible and choose to use it as the normal login, thus making Vista/7/8 act more like XP.

Users: A normal "user" is someone with an account on the system who is not an Administrator. The Users group is restricted in their access and has no option to elevate.

Everyone: This group includes all named Users but also Guest and Anonymous user login.

   File restrictions/permissions in Windows are very complex. Microsoft has made them that way deliberately. Microsoft systematically manufactures abstruseness for a number of reasons: 1) If Windows is hard to use and understand then a lot of money can be made on books and classes. 2) Abstruseness also valorizes the job of the IT worker, requiring that they take said classes, allowing tech support people to command higher salaries, and thereby encouraging them to keep using Windows and to approve of further abstruseness. 3) Perhaps the biggest reason for manufacturing abstruseness is to protect the system. Most settings in Windows are so difficult to understand, so hard to find, and so poorly documented, that most people other than system administrators have no chance of adjusting the system for themselves. That makes Windows stable and it generally prevents corporate employees from changing settings. For example, Internet Explorer has literally thousands of settings, which are not fully explained anywhere (least of all in the Windows help), and which can be secretly overridden by further arcane IE settings that few people other than system administrators know about. So even if a corporate employee knows about IE settings, they have no hope of actually controlling those settings themselves. ...And even that fact is hidden from them.

   The big problem with this approach of security-through-abstruseness is that there are hundreds of millions of home and small office Windows users who own their own PCs and should understand how to adjust system settings. The longstanding security problems with IE are a good example of the failure of the Microsoft strategy. System administrators and malware authors know how to control IE, but the people who actually use the browser do not.

   Managing file restrictions is a topic at least as abstruse as any in Windows. The only way that Microsoft provides to do it programmatically is through a pair of primitive command-line tools known as takeown and icacls. (Even the names are mysterious.) The whole point of NT6 Fix is to provide a simple, efficient way to remove any restrictions at will, quickly, easily, and without needing to learn special command-line incantations.


Using NT6 Fix
   To use NT6 Restriction Fix, browse for a folder or file, or drop it onto the text input field in the program window. You can choose anything from a single file to an entire drive such as C:\, D:\, etc.

• Check "Include subfolders" to perform a recursive operation, setting permission on all subfolders and files. Uncheck "Include subfolders" to set permissions only on the selected folder and its files.

• Select the "Administrators" option to set full access permission for all Administrators. Select the "Users" option to set full access for anyone using the PC. (See the last part of this section for important information about removing restrictions for Users.)

• Then just click the Set Free button. You may have to wait several moments, or even minutes, if you set permissions on high-level folders such as Windows, System32, etc., because every single file and folder must be processed individually. Once the item is "set free" it can be moved, deleted, edited, etc.

How NT6 Fix Works

   The whole design of Windows restrictions is a ridiculous, Rube Goldberg-style fiasco. But it can be dealt with. There is an "owner" of any file or folder, and there are also permissions for that file or folder, depending on the status group one is in. An Administrator cannot change permissions on an item they don't own, but they can take ownership, and then change permissions, at least for all Administrators. If they try to take ownership in order to remove restrictions for all Users it won't work. But if they take ownership to remove restrictions for all Administrators, they can then, in a separate operation, remove restrictions for all Users! (As the saying goes, you couldn't make this stuff up.)

So, Then... How Does One Use NT6 Fix, Given Such a Convoluted System?

   NT6 Fix is designed to get around all the nonsense. If you normally run as an Administrator you probably won't want to remove restrictions for Users. In that case you can remove restrictions for all Administrators any time you need to, on any items you like. You will then be free to run, write, delete, etc.

Removing restrictions for all users: If you want to remove restrictions for all Users, that is normally only possible if you yourself have created the item in question. And if you try to take ownership in order to remove restrictions for all users it will fail. To get around that limitation, first remove restrictions for all Administrators, which will give you ownership of the item. Then, in a second operation, remove restrictions for all Users. That should work in most or all cases, even with system files. (The whole thing makes no sense, but it works.)


Command Line
   The command line functionality is limited. There is one option:
/S silent operation; suppresses message box window when an operation is finished.

The command should consist of a file or folder path:

[Path to FixNT6.exe] [Full path of file or folder]

C:\FixNT6.exe C:\Windows\SomeFolder
C:\FixNT6.exe /S C:\Windows\SomeFolder
C:\FixNT6.exe C:\Windows\SomeFolder\SomeFile.txt
C:\FixNT6.exe /S C:\Windows\SomeFolder\SomeFile.txt

   The command line method is equivalent to selecting the Administrators option and checking the box marked "Include Subfolders". There is no option at command line to remove restrictions on a single folder only, while leaving restrictions on subfolders. Nor is there an option to remove restrictions for all users. (In the vast majority of cases those limitations will probably not be a problem.)


Context Menu
   In the Settings window one can choose to add a context menu so that "Set Free With NT6 Fix" will show when right-clicking a file or folder. As with command line, the context menu function is equivalent to selecting the Administrators option and checking the box marked "Include Subfolders". (On later versions of Windows, context menus may not always work as expected due to restrictions. Also, to create or remove the context menu item you must have Administrator permission.)

   There is also an option to enable/disable a message window when the operation is finished. If "Show message with context menu operation" is unchecked there will be no message shown. If the option is checked, a message box window will serve to provide the report that the textbox normally provides in the main program window.


Caveats
   Using NT6 Restriction Fix is not recommended if you do not know the basics about the Windows operating system and security issues. Removing restrictions on system files means that if you unwittingly install "malware" it will share in your freedoms. And if you unwittingly delete the wrong files you may not be able to recover Windows functionality. Anyone who chooses to remove restrictions should understand the implications. Ideally you should have backups. (Real backups like disk image backup. Not just a "restore point".) And you should have good online security.

NT6 Restriction Fix can remove restrictions. It cannot put them back.
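
Because the change is one-way, it helps to record each item's owner and permission list before freeing it, and to check afterwards which items ended up with full access for broad groups. The PowerShell below is an added example, not part of NT6 Restriction Fix or any JSWare code; the function names, CSV layout and paths are hypothetical, and it assumes PowerShell 3.0 or later in an elevated session.

```powershell
# Added example, not JSWare code. Function names and the CSV layout are hypothetical.
# Assumes PowerShell 3.0 or later in an elevated session.
# SIDs rather than group names, so the check also works on non-English Windows.
$BroadSids = 'S-1-5-32-545', 'S-1-5-11', 'S-1-1-0'   # Users, Authenticated Users, Everyone
$SidType   = [System.Security.Principal.SecurityIdentifier]
$Full      = [System.Security.AccessControl.FileSystemRights]::FullControl

function Save-AclSnapshot {
    param([Parameter(Mandatory)][string]$Root, [Parameter(Mandatory)][string]$OutFile)
    # The selected item plus, for a folder, everything below it (hidden items included).
    $items = @(Get-Item -LiteralPath $Root -Force)
    if ($items[0].PSIsContainer) {
        $items += Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    }
    $items | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        if ($acl) {
            # Sddl carries owner, group and permission list in one string.
            [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner; Sddl = $acl.Sddl }
        }
    } | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
}

function Compare-AclSnapshot {
    param([Parameter(Mandatory)][string]$SnapshotFile)
    foreach ($row in Import-Csv -Path $SnapshotFile) {
        $acl = Get-Acl -LiteralPath $row.Path -ErrorAction SilentlyContinue
        if (-not $acl) { continue }                 # deleted or unreadable since the snapshot
        if ($acl.Sddl -eq $row.Sddl) { continue }   # owner and permissions unchanged
        # Allow entries that now give a broad group full control of the item.
        $broad = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadSids -contains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band $Full) -eq $Full
        }
        [pscustomobject]@{
            Path            = $row.Path
            OwnerBefore     = $row.Owner
            OwnerNow        = $acl.Owner
            BroadFullAccess = @($broad | ForEach-Object { $_.IdentityReference.Value }) -join ','
        }
    }
}

# Usage (constructed paths):
#   Save-AclSnapshot -Root 'C:\Windows\SomeFolder' -OutFile 'C:\acl-before.csv'
#   (free the folder with NT6 Fix)
#   Compare-AclSnapshot -SnapshotFile 'C:\acl-before.csv' | Format-Table -AutoSize
```

Only items whose owner or permission list changed are reported; the saved Owner and Sddl columns are the record of what each item looked like beforehand.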

   Much of the bloat on Vista/7 can be safely removed, but cleanup is not without risks. For example, while the DriverStore\FileRepository folder should be safe to remove, the monstrously bloated and superfluous winsxs folder is more delicate. The files in that folder are unnecessary by definition, but Vista/7 is a tangled, poorly documented and brittle product. If you just remove winsxs you may experience odd effects, including the possibility that Windows will not boot at all. Be prepared for some experimentation and research.


Troubleshooting
Error codes and messages:

   NT6 Restriction Fix uses two types of error reporting to provide information about the results of operations. When the procedure succeeds the textbox in the lower part of the window will typically just report the total number of folders processed.

   If the operation fails at any point, some sort of error information will usually be available for possible debugging purposes. In general, when setting permissions for Administrators, any failure is likely to be in taking ownership. When setting permissions for all users, any failure will be related to access: The setting of permissions itself fails because the current user does not have authority. (With that problem, try freeing the item(s) for all Administrators first. Then, in a separate operation, free the item(s) for all Users.)

   In addition to the internal error report for NT6 Restriction Fix, in most cases a Windows error will also be returned. The Windows error numbers correspond to errors listed in the WINERROR.H header file. Some typical errors:

2 - file not found
3 - path not valid
5 - access denied
15 - invalid drive path
32 - file in use, cannot be accessed
111 - file name or path is too long (Unexpected problems can often occur with a file path over 255 characters in length.)

Problems with folder/file paths:

   Windows Vista/7 is designed to lie to you, "for your own good". If you want to see hidden files and folders you need to change the settings in Control Panel -> Folder Options -> View. Even then, you may find odd behavior. There may be missing folders when you browse for them in NT6 Restriction Fix. That may vary depending on who is logged on. For example, you might see the folder C:\Windows\System32\Drivers\etc in Explorer, but not when you browse for it in NT6 Restriction Fix. If you have such problems they can be bypassed by entering the folder or file path manually in the NT6 Restriction Fix path textbox.


Update Information
   The current version, 1.14.202, is a minor update of the original version. It includes choices of whether to show a confirmation and information message when command line and/or context menu operations are finished. It also includes a minor bugfix: In the original version, the processing counter was not reset when removing restrictions on folders for all users, after the same operation had already been done for Administrators. The result was a harmless but inaccurate folder count error. The second run, for all users, would report double the number of folders processed.


License
   You use all script code and components from JSWare at your own risk.

   The components (compiled DLL and EXE files) may be used for personal or commercial purposes. No payment or attribution is required for either use. The components may be redistributed if they are required as support files for scripts or software that you have written.
   Also, the script code may be used freely, in part or as whole scripts, for any purpose, personal or commercial, without payment or attribution.

   I ask only that you not redistribute these scripts and components, except as required for your direct use. Instead, please direct others to obtain copies of JSWare scripts and components directly from www.jsware.net.

   Also, none of the code here may be redistributed under another license. If a work using code from JSWare is distributed with restrictions of any kind the code from JSWare must be kept exempt from those restrictions. This includes, but is not limited to, code sold for profit, code with usage restrictions and code distributed as so-called "Open Source" with redistribution restrictions.

    Joe Priestley


JSWare  •  www.jsware.net  •  jsware@jsware.net