I wanted to have access to all the files & folders in Windows 7 (like I had in Windows XP before). I found some instructions on the web on how to do this.
I made a right-click on the C:\ (system disk), Properties, Security tab, Advanced, Owner tab, Edit… and then I chose Administrators, put a tick on Replace owner on subcontainers and objects and then clicked OK.
The ownership got changed for all the files and folders (except for some Avast! files and paging files). Now I can access all folders, even the System Volume Information folder.
I’m afraid that I compromised my PC’s security. Practically, did I really make my PC less safe by applying this change? I am aware of the possibility of deleting an important system file/folder by my mistake, but is there more danger?
You just really, really messed up: you should never have done that. It’s almost impossible to correct globally as many system folders don’t have inherited owners and/or rights, meaning that you can’t correct the damage globally. Thank god you didn’t do the same for access rights ;D … you would have experienced a few access denied…
Okay, either you leave it as it is now, or you re-install Windows.
PS: or try a system restore, but I don’t think that this will correct your changes…
Edit: the danger is that some folders are owned by system accounts, trusted installer etc… not sure about the security implications when you change the ownership to usable (by users) accounts like admin etc…
Eh… There are some templates to apply default permissions, but those of course cover only a pristine Windows install, not anything installed after that.
Someone from another forum wrote to me that I should expect big trouble. If someone can tell me: should I reinstall (repair?) Windows ASAP or just leave all as it is? I’m aware now that I really messed it up and am sorry. Is it possible that I’ll be just fine (and safe!) with settings as they are now? I really don’t want to reinstall Windows if it isn’t necessary.
The templates are called defltbase.inf or defltwk.inf - located in %systemroot%\inf\ (these are identical on my system) and can be applied via secedit tool. Using those you might get some basic sanity back. Not a complete fix anyway.
I think I’ve tried that once ages ago and I didn’t get the expected results…
Anyway, a must-read:
Limitations of importing default security templates:
The previous version of this article states a method to use the “secedit /configure” command with the caveat that the procedure does not restore all security settings that are applied when you install Windows and may result in unforeseen consequences.
The use of “secedit /configure” to import the default security template, dfltbase.inf, is unsupported nor is it a viable method to restore default security permissions on Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 computers.
Beginning with Windows Vista, the method to apply the security during operating system setup changed. Specifically, security settings consisted of settings defined in deftbase.inf augmented by settings applied by the operating installation process and server role installation. Because there is no supported process to replay the permissions made by the operating system setup, the use of the “secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose” command line is no longer capable of resetting all security defaults and may even result in the operating system becoming unstable.
As I said, this is the only way to restore at least basic sanity. There is nothing better available and the only real alternative is image restore or reinstall. Sorry.
Can someone explain to me why what I did is so bad? What exactly have I changed? I (administrator and only user of my PC) have access to (read, modify, delete…) all the files and folders on my HDD. What else has changed when I did what I did? What kind of problems should I expect? Does anyone know for sure about this stuff?
Yeah, it is a real security issue. E.g. for files owned by TrustedInstaller, the members of Administrators group have read-only access user rights. Basically, what you have done completely messes up UAC (among others).
@theOP: It’s not just about security risks, but possible malfunction of the system. For instance, the Windows folder is owned by “trusted installer”… Once you’ve changed this you cannot restore the default, as trusted installer is not offered. There are built-in accounts you’re just not supposed to interfere with.
Maybe the next time you’ll ask first before making such a global change and see what advice you get.
At this point, hopefully you have an image that you can restore; if not,
save your data and re-install Windows.
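The ownership point raised in the replies above (system folders owned by TrustedInstaller rather than by Administrators) can be checked read-only with PowerShell. This is an added example, not part of any post in the thread; the list of paths and the set of expected owners are assumptions.

```powershell
# Added example: report who owns key system locations. Read-only, changes nothing.
# Assumption: on a default install these locations are owned by
# TrustedInstaller or SYSTEM.
$expectedOwners = @('NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM')

# Assumption: a small illustrative set of roots; extend as needed.
$roots = @($env:windir, (Join-Path $env:windir 'System32'), $env:ProgramFiles)

function Get-OwnerReport {
    param([string[]]$Path, [string[]]$Expected)
    foreach ($p in $Path) {
        # The root itself plus its immediate children
        # (-Force includes hidden and system items).
        $items  = @(Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue)
        $items += @(Get-ChildItem -LiteralPath $p -Force -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            try {
                # -Path treats [ ] as wildcards; acceptable for this spot check.
                $owner = (Get-Acl -Path $item.FullName -ErrorAction Stop).Owner
            } catch {
                $owner = '<unreadable>'
            }
            New-Object PSObject -Property @{
                Path     = $item.FullName
                Owner    = $owner
                Expected = ($Expected -contains $owner)
            }
        }
    }
}

# List only the items whose owner is not in the expected set.
Get-OwnerReport -Path $roots -Expected $expectedOwners |
    Where-Object { -not $_.Expected } |
    Sort-Object Path |
    Format-Table Path, Owner -AutoSize
```

Run it from an elevated PowerShell prompt. Items created after installation can legitimately have other owners, so a listed path is something to review, not proof of damage.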
Yes, I made a stupid decision without asking first. I formatted my HDD and installed Windows again. I will leave those permissions as they are (but I still don’t like the feeling of not being able to look into all the folders on my HDD). I have another question: is it OK/safe to have UAC settings set to Never notify (I don’t like the constant popups) or not?
Thanks for the suggestion. Windows XP had no UAC system, right? Only a possibility to login as an admin or a normal user (without admin rights). So, if I completely turn off UAC in Windows 7 it’s the same as if I would be still using Windows XP (security-wise)?
If you completely turn off UAC, you’re in effect defeating the new security centry that was added to Windows Vista and Win 7.
The choice is yours; mine is still turned on.
Well, that’s exactly what I’m doing. I felt safe half a year ago when I still had my old PC with Windows XP on it - always logged in as admin and never had any problems. The two main security applications that I rely on are Avast (free) and Sandboxie (paid). I occasionally run an MBAM (free) scan and that’s about it. I think I’ll be OK with UAC off.
Thank you all for your comments. Avast forum is always VERY helpful!
Bellzemos, I believe you’re okay having the UAC turned off unless you keep MS patch update, Avast and MBAM as well as long as you don’t do anything stupid online.