How to edit the security attributes of more than one file at a time


In Windows XP, you could select multiple files, right-click them, then select Properties. The resulting property sheet includes a Security page which lets you edit the security attributes of those files. But when you repeat this exercise on Windows Vista or Windows 7, the Security page is missing. Why doesn't Explorer let you edit the security attributes of more than one file at a time?

Windows might need to display an elevation prompt if any of the files in the collection require administrator privileges in order to modify the security attributes. The security prompt needs to tell you why you are elevating, but if you selected twenty files, there isn't room to display all twenty of them in the elevation dialog. Truncating the results means that users may be tricked into changing the security of files they didn't intend. "Grant everyone full access to X, Y, Z, and 17 other files?" How do you know your multiselect didn't accidentally include MergerPlans.doc? (Maybe there's some malware that waits for people to change security on multiple items and quietly sneaks NTOSKRNL.EXE into the file list.) Alexander Grigoriev says, "Holding forever to dangerous features is BAD BAD BAD."

If you need to modify the security attributes on a whole bunch of files, you can use the CACLS program, one of the command line tools that messes with security descriptors. If you want to modify the attributes of all the files in a directory tree, you can edit the security attributes of the root of the tree and indicate that you want to propagate inheritable attributes.

Pre-emptive hate: "I hate Microsoft for removing this feature." (Okay, that was too tame. A PROPER HATE REQUIRES SENTENCES IN ALL-CAPS.) And you wonder why I don't do Tips/Support topics often. Whenever I provide a tip that lets you work around something, everybody rants about the problem the workaround exists to address.

Comments (86)
  1. Anonymous says:

    Hate?  No, that’s not hate; that’s just an inconvenience.  Hate is being unable to see the Last Modified Time up to the second.  "X minutes ago" is the bane of my existence.

  2. Anonymous says:

    This explanation makes me laugh. Being paranoidal for petty reasons (and easy to work around, by providing a scrollable text box with the file names), while keeping other enormously dangerous features (such as autorun and ActiveX) is STUPID. And you understand that.

    [YOU’RE SUPPOSED TO USE ALL CAPITAL LETTERS. (And a scrolling text box doesn’t help. Are you actually going to read all 100 file names to confirm that somebody didn’t sneakily change file number 78? I also like the principle that there’s no point in addressing security risks as long as there’s something less secure than you are. Good-bye defense in depth; hello “security chicken.” I’m considering removing the other Tips/Support entries from the queue, seeing as people explicitly ignore the guidance in the pre-emptive hate.) -Raymond]
  3. Anonymous says:

    @Alexander:  I tend to agree with you, but Windows 7 is continuing the trend of dumbing things down so in that regard they probably made the right choice.

  4. Anonymous says:

    Not having tried any of this, am I correct in assuming you can still change the security properties of an entire folder?

    If so, I think it’s a great thing to remove regardless of the security concerns – the idea of having different security for specific files in the same folder makes me cringe from a support and maintenance perspective.

  5. CGomez says:

    It would be silly if you removed tips from the queue just because people spew in comments.

    At least consider disabling comments on those entries first.  Who cares if some people think that makes it "not a blog".

    I think the blog is too valuable a learning resource.  If others make you feel like changing something, that sucks for me.  I would live, obviously.  I just wouldn’t be as well-informed.

    One thing I’ve learned from this blog is the prior practice of just adding a new dialog or an advanced mode just makes it easier to break things.  You can tell from the comments some people haven’t figured that out, yet, and they want their Advanced and AdvancedEx and AdvancedEx2 interfaces, please.

  6. GregM says:

    "Windows might need to display an elevation prompt if any of the files in the collection require administrator privileges in order to modify the security attributes. The security prompt needs to tell you why you are elevating,"

    At first I thought that the page should still be shown when this doesn’t apply.  However, after considering some more, I’m guessing that it isn’t for either or both of these reasons:

    1. it is too expensive to check ahead of time that changing the security of any of the files would require elevation.
    2. it would be confusing that sometimes you could change the security of a bunch of files and sometimes you couldn’t, and this would either require an explanation to the user or would just leave the user confused and cursing windows.

    Is that an accurate assessment?

  7. Anonymous says:

    What if none of the files in the collection require administrator privileges in order to modify the security attributes? Does it still disable the multiple file security dialog then? (I don’t have a Windows newer than XP at home or work to check.)

  8. Anonymous says:

    How about this for a solution – if any of the files requires elevation, gray out the Edit button or simply say “Sorry, can’t do that – run an elevated Explorer and try again.” Then at least people can see the properties, and in some cases they can edit them.

    [Wow, that’s such an awesome solution that Windows 7 implemented it! Windows 7 was your idea! -Raymond]

    I don’t buy the argument “if you need to edit 50 files, open a command prompt and type 50 file names”. That’s ridiculously poor usability.

    [Who said you had to type them by hand? -Raymond]
  9. Anonymous says:

    @Ivo –  He never said you need to type 50 filenames, you should read the whole post.

    What he said was:

    "If you need to modify the security attributes on a whole bunch of files, you can use the CACLS program, one of the command line tools that messes with security descriptors. If you want to modify the attributes of all the files in a directory tree, you can edit the security attributes of the root of the tree and indicate that you want to propagate inheritable attributes."

  10. Anonymous says:

    Raymond, I love your blog. I’m fully aware that you don’t personally design every single feature of Windows/Explorer. I also believe that most people who gripe about Windows are either:

    1) Hypocrites: "Windows XP doesn’t have enough security! Windows Vista has too many UAC prompts!"

    2) Clueless: "Why can’t we just write an .ini file to the Program Files folder like we did 15 years ago?"

    3) Simply gripers who would gripe regardless of the change.

    Anyway, I just wanted to drop in some support. Thanks for the blog.

  11. Anonymous says:

    I, for one, really appreciate the tips/support posts. It’s very interesting to hear about the rationale behind certain features, or why they may have been removed.

    No OS is perfect, and there will always be haters. But I think that your articles are quite valuable in any case, if for nothing else to understand how to work around some of the imperfections.

    Keep up the good work!

  12. Anonymous says:

    “How about this for a solution – if any of the files requires elevation, gray out the Edit button or simply say “Sorry, can’t do that – run an elevated Explorer and try again.” Then at least people can see the properties, and in some cases they can edit them.

    [Wow, that’s such an awesome solution that Windows 7 implemented it! Windows 7 was your idea! -Raymond]”

    No, it didn’t implement it. The Security tab is missing. I’m suggesting that it is always there and be read-only if I don’t have permissions to edit all files.

    [Oops, you’re right. Didn’t do enough research before responding. But then again, that’s pretty much in line with most commenters, so I’m in good company. -Raymond]

    “I don’t buy the argument “if you need to edit 50 files, open a command prompt and type 50 file names”. That’s ridiculously poor usability.

    [Who said you had to type them by hand? -Raymond]”

    How else are they going to end up on the command line? The easiest thing I could find was to multi-select in Explorer, shift+right-click, “copy as path”, paste in Notepad, replace new lines with spaces, copy everything, then paste in the command prompt. Still, that’s quite a few hoops to jump through.

    [Wow if only there was a way to automate repetitive actions. I thought computers would be good at that. Oh well. -Raymond]

    @Steve – Sure, there is a special case when the files happen to be all files in the current directory, but that just that – a special case.

  13. Anonymous says:

    This change is fine, keep up the good work.  And anyone who can’t think of a better solution than typing out 50 individual filenames on the command prompt shouldn’t be taken seriously.

    (I normally wouldn’t have posted this, but I feel like you want those of use who are OK with it to chime in to balance the haters)

  14. Anonymous says:

    BTW, if you really want to reduce the griping, just ban Grigoriev and "anon" from commenting. In recent months, they alone are responsible for like 2/3rds of the griping.

    Grigoriev occasionally posts something useful, but I don’t think I’ve ever seen anything useful from "anon."

  15. Anonymous says:

    Based on observed posting behavior, I’ve come up with the following algorithm for being a poster on Raymond’s blog:

    if (BlogIsAboutWindows() || BlogIsAboutSecurity())

    {

       GripeAboutMicrosoft(CHANGE_WAS_BAD);

    }

    else if (BlogIsAboutKnitting())

    {

       GripeAboutMicrosoft(CHANGE_REQUIRED);

    }

    else

    {

       GripeAboutMicrosoft(VISTA_SUCKS);

    }

  16. Anonymous says:

    "[You’re confusing the timeline. The change to the security attributes dialog was made in Vista…"

    You’re right, I was. The changes are consistent with the direction Vista was going in and what you said about why the changes were made makes sense in that light. Thanks for correcting me.

    (I still think it could’ve been done in a much better way but I can see the consistency now.)

    "… (I find it interesting that people complained that they wanted fewer UAC prompts, and then when we made changes to avoid some UAC prompts, they complained that they wanted them all back.) -Raymond]

    Well, it was largely two distinct groups of people. Of those (like me) who wanted to keep the prompts but see fewer of them (classic example being how Explorer originally displayed four prompts when you created a new directory), we asked for fewer, better prompts but we never asked for what was actually done.

    It’s an example of your politicians’ logic. :)

    1. People wanted fewer prompts.
    2. Whitelisting certain executables will result in fewer prompts.

    3. Therefore, we must whitelist certain executables (even if it also effectively whitelists bad 3rd party executables while excluding all good 3rd party executables from the whitelist).

    1 does not imply 3, and it’s 3 that people complain about. Of course, with UAC people will complain no matter what you do. :) What makes UAC so frustrating is that no two people can possibly agree on every aspect of it. :)

  17. Anonymous says:

    @Shaun:

    There is a legitimate case when one needs to change permissions. It’s when someone moved a bunch of files from a private profile folder to a public folder. Such a move will produce files that are not readable by others. Only if the files are copied, they will get the permissions of the target directory.

    @James Schend:

    If you want to be Steve Ballmer’s advocate and think everything is all right, that’s OK. I don’t want Windows to become a laughing stock like certain “email client which is not email client but a database”. I wish Windows devs and progmans didn’t live in ivory towers and knew what happens in real world. I wish they did competitive comparison once in a while, even though SteveB would beat anyone who runs Linux with a chair.

    [I like how people think that everybody in the “real world” is somebody just like them. Apparently, in your “real world”, people spend most of their days changing security attributes on collections of 50 heterogeneous files. -Raymond]
  18. barrkel says:

    I wouldn’t mind so long as a UI was available somewhere to edit file permissions on multiple files simultaneously.

    CACLS doesn’t cut it.

    This was one of my main reasons for avoiding Vista, FWIW. I blogged about it here, under heading "Missing Security tab for multiple selection":

    http://blog.barrkel.com/2008/08/venting-on-vista.html

  19. Anonymous says:

    Raymond: what people are really missing here is that Microsoft just opened up a business opportunity.

    Go ahead and use the API to implement your own "multi-file-permissions-changer" application, sell it for $5 a pop and profit!

    Of course, I think you’ll probably still go broke since I’m 90% sure that all the people griping about that feature being missing never used it in the first place.

    (Still would be nice if someone made it, just so we can shut these discussions up.)

    Shaun: If you’re talking about the email client I think you’re talking about, Windows would need to backslide for about 15-20 years to even be in the same neighborhood of awfulness. I don’t think there’s any risk there.

    Anyway, if you’re talking "ivory tower", try looking into W3C web standards sometime! Talk about people with a ton of power being out-of-touch with real-world requirements! You’re barking up the wrong tree.

  20. Anonymous says:

    @MShaters

    What do you accomplish by posting here how dumb or silly you think a decision made by MS was?  Whether you are correct or not, it is annoying and childish (even if you use an educated argument).  I for one am getting really tired of it.  Next time, please email your therapist with the rant or start sending us checks for $50/post.

  21. Anonymous says:

    The only thing I find annoying here is that this seems to just continue the double-faced terror that UAC has become.

    If you listen to and read works by very knowledgeable people (for example, Mark Russonavich), you quickly learn that UAC is NOT designed to act as a security measure and that it does NOT prevent malware from gaining admin rights.  Everything I’ve seen on the topic indicates that UAC is nothing more than an incentive to ISVs to change their development model to better support users without admin rights.

    The problem is that there are still many, many that push and/or indicate that UAC is supposed to increase security somehow. Many changes were made and decisions influenced by this (now obviously) flawed idea, and it is this, I think, that drives most people (especially the type of people that read a blog like this) crazy.

    If I’m wrong, please tell me, but all evidence I’ve seen says that UAC needs to take off the Rent-A-Cop badge and start being treated like the temporary patch/hack it is.  It’s worth noting that the sudo privilege escalation provided by most *nix desktops is just as bad — it does NOT increase security, it only provides an illusion.

    A false sense of security is worse than no security.

  22. Anonymous says:

    You know what else is a dangerous feature? The power button.

  23. Anonymous says:

    cacls is deprecated since vista, so it is not a suitable replacement. MS doesn’t even guarantee it will be in next SP (does it?).

    Anyway, if only Vista supported drag-and-drop in console apps, then you can in theory select the files, drop them on the console, press enter, and move on. Unluckily, it doesn’t. Oh, and by default it hides the run dialog which could be used as poor man’s command prompt (though that’s a weak argument, if you know what security is, you probably know how to invoke the run dialog). So the only option you have is to type them one by one :-(

    Frankly, Windows 7 fixed most of the problems and probably it’ll have greater market share than Vista till the end of the year, so everything is a bliss now.

  24. Anonymous says:

    "Whenever I provide a tip that lets you work around something, everybody rants about the problem the workaround exists to address."

    I always thought the purpose of this site was

    "not actually to establish a blogging point where individuals can enrich their learns on facilitating and leveraging .NET-related activities most effectively" !!!

    PLEASE, DON’T REMOVE THE OTHER TIPS/SUPPORT ENTRIES FROM THE QUEUE!

  25. Anonymous says:

    @Nick: oh, but UAC is a security feature, Protected IE is just UAC stuff (Integrity Level etc) and MS is pushing that as a security feature all the time (And it is)

  26. Anonymous says:

    [Wow, [running an elevated version of Explorer] is such an awesome solution that Windows 7 implemented it! Windows 7 was your idea! -Raymond]

    Actually after more than one year of running with UAC as a limited user, I still don’t know how you are supposed to do that. The only way I know of involves an elevated copy of notepad and the open file dialog.

    Preemptive comment: I’m not claiming that you know how to do that — I’m just wondering if it is possible at all. All the obvious ways (runas, elevate powertoy, etc.) either fail or result in an unelevated instance of Explorer.

  27. Anonymous says:

    @Teo

    cacls is deprecated since vista, so it is not a suitable replacement.

    What about lcalcs?

    @Raymond

    Thank you for all the wonderful writing you do.  The vast majority of us really appreciate and enjoy it.

  28. Anonymous says:

    Fundamental fallacy: you are working with your own list of "dangerous", not Alexander’s one.

    Nice example of necessary paranoia, anyway.

  29. Anonymous says:

    I HATE ALL-CAPS SENTENCES!

  30. Anonymous says:

    Raymond, I love these tips. Please don’t stop posting them.

    I had no idea that you couldn’t change the security on multiple files at the same time. I guess I never needed to.

    As for some of the comments. Just like all command line tools, if you can’t use wildcards to pass in the selection of files to CACLS, a very simple batch script can do the job.

    BTW, CACLS says it’s depreciated, ICACLS should be used instead. (At least on my Vista machine)

  31. Anonymous says:

    For every gripe post, there are 25 people reading, but not posting, that do appreciate these tips.

  32. Anonymous says:

    Sorry Raymond but this excuse doens’t wash for me, either.

    The prompt which says why the shell is about to display a UAC prompt is not on the elevated side of things. The UAC prompt is but not the promt-about-the-prompt which you’re talking about.

    Anything running as the user can modify the data in that prompt as well as the arguments passed to the elevated object.

    ** It doesn’t matter if it’s one file being passed or a million files; if you’re worried about things modifying it then it can happen in both cases. **

    If the list of files were displayed by elevated code — e.g. as part of the actual UAC prompt, or within the elevated UI — then the list would be reliable. (Since it would be an accurate description of what the elevated code was passed by the non-elevated code, and could only be manipulated by other elevated code.)

    Since the list, and parameters passed through UAC, and all UAC prompts in general[1], are inherently unreliable I don’t see what you gain by removing this feature.

    [1] Since you can inject into a process to make it launch an elevation with a prompt saying that process is doing it, and the user is given no information other than the process and the target object in the actual UAC prompt.

    I like UAC as a whole and (prior to Windows 7 at least[2]) have spent a lot of time defending it, but I’ve always thought it a large flaw that the actual UAC prompt cannot display a proper description of the operation the user is consenting to.

    (Of course, there are issues to tackle there as you’d want the target object to generate that description based on the arguments passed and outside the influence of non-elevated code. You’d need to ensure the target object couldn’t be tricked into executing elevated code whule simply parsing the argumetns into a description.)

    [2] Windows 7’s UAC changes, made for the shell team so that Explorer & control panels can bypass UAC prompts, in turn made it so that everything can bypass UAC prompts (by injecting into Explorer), so it seems contradictory that the same shell team would care about the file permissions issue when they don’t care about the bigger picture.

    Whenever I tried to raise the Windows 7 UAC prompt-bypass issue with Microsoft I was fobbed off by (some very senior) people saying that if there is untrusted code running (unelevated) on the machine then it’s already game over and UAC will not help you and was not designed to. (Among other statements like, “who cares if malware has admin rights.”)

    The state of the file permissioning UI is diabolical from Vista onwards:

    http://www.pretentiousname.com/misc/win7_filepermdlgs.html

    Nobody has taken the time to redesign them *properly* to work with UAC. Having to click through so many windows, many of them copies of each other, is a joke. I don’t blame the programmers but I think the project managers do not want to allocate any time to the file permissioning UI.

    Given [1] (that making UAC stronger was clearly not a goal of Windows 7) and [2] (that there clearly is no desire to put time into the file permissioning UI even though it desperately needs it), I’m surprised if the problem with showing a list of filenames in the prompt-about-the-UAC-prompt was that it was as insecure & spoofable, rather than that nobody could find the time to actually code the dialog.

    [You’re confusing the timeline. The change to the security attributes dialog was made in Vista. The weakening of UAC happened in Windows 7—after the security attributes dialog was changed. If the security attributes dialog had a time machine, then your arguments in [2] might make more sense. (I find it interesting that people complained that they wanted fewer UAC prompts, and then when we made changes to avoid some UAC prompts, they complained that they wanted them all back.) -Raymond]
  33. Anonymous says:

    I’ll second the idea to replace the "missing Security tab function" with a button that’ll launch elavated wizard for changing file permission.

    Afterall it has been doing like that since Windows Vista (the "Edit" button) – only that it doesn’t have file list in it.

    Just make it to display the wizard if the user select multiple files or select empty area in empty area of a folder.

  34. Anonymous says:

    I was wondering why you guys did that.

    @Ivo

    There’s a performance penalty in ensuring you have full access to every file you’ve selected and then only showing the security tab if that criteria is met (though the lag probably varies based on the location e.g. network drive). Windows Vista was criticized for being slow.

    @Teo

    For whatever reason I can only drag a single file at a time into the command line (cmd.exe or PowerShell), and I assume that limitation is for everyone. Kind of kills that approach when you’ve got 50 that a wildcard won’t work for. There are other ways to do it through the UI I think (I think moving files to new folder, setting ACL on new folder and propagating them down to files, and then moving the files back would work).

  35. Anonymous says:

    I’m always amazed how vitriolic supposedly mild-mannered geeks can get be. I wonder if we bash (or csh?) our wives/kittens more than other people.

    Raymond, blog what you want. Can you add this to your blog?

    [x] I agree to abide by Raymond’s Terms and Conditions

    [x] I will not bash Vista.

    [x] I have not edited Raymond Chen’s Wikipedia entry

    [x] I am not [your least favourite posters]. I just don’t care what you have to say.

  36. Anonymous says:

    I appreciate the eye towards security.  It is a pain to have to learn and remember the existence of and the syntax for another command line tool.  I honestly can’t see the case where something is sneaking items I am unaware of into my file selection.

    I wonder what it would take to reenable this feature in the UI by shell extensions.

  37. Anonymous says:

    I don’t get you, people. Why do you interpret every single suggestion for improvement, or attempt at constructive discussion, as bashing Vista?

    I like Vista, I’ve been using it for 2 years and for the most part it’s been just fine. It has its ups and downs just like every other software product in history.

    But do you expect me to only post things like "Thank you for enlightening us, Master Raymond", or "All hail Steve Balmer"? What’s the point of having comments if that’s all that’s allowed?

    Now back on topic. I don’t personally need to edit security attributes, be it on a single file or multiple. But people have asked me on multiple occasions to implement a similar feature. Don’t worry, I am not a security expert and I know better than to attempt that trick. Instead my specialty is UI and usability. So when Raymond presented the problem, my engineering brain came up with a possible solution. Apparently the solution was so obvious that Raymond thought that Windows 7 already works this way :) But oh, well, there is always next time. Maybe someday I will say "Windows 8 was my idea!"

  38. Anonymous says:

    > It’s an example of your politicians’ logic. :)

    >

    > 1. People wanted fewer prompts.

    >

    > 2. Whitelisting certain executables will result in fewer prompts.

    >

    > 3. Therefore, we must whitelist certain executables (even if it also

    > effectively whitelists bad 3rd party executables while excluding all good

    > 3rd party executables from the whitelist).

    >

    > 1 does not imply 3, and it’s 3 that people complain about.

    Exactly. They solved the wrong problem, why does Windows need to elevate during basic day-to-day use in the first place ?

    [It doesn’t. What do you do all day that keeps requiring elevation? I elevate to administrator maybe once a month. -Raymond]
  39. Anonymous says:

    "But do you expect me to only post things like "Thank you for enlightening us, Master Raymond", or "All hail Steve Balmer"?"

    Pretty much nailed it.

  40. Anonymous says:

    Nick:

    The most important files on your drive can be nuked or scraped from userland, because they are your personal files. Thats true on Windows. Thats true on OS/X. Thats true on Linux.

    You complain that UAC doesnt offer security.. but the fact is that non of the usable OS’s do. Some OS’s protect *themselves* better than others, and some OS’s segregates users much more strictly than others.

    The OS files are quite frankly the least important files on the drive. I’ve got a DVD and can put those right back.

    If its a multi-user system, there is no modern OS that cannot keep me from trashing the other users files if I wanted to. But all the modern OS’s keep me (or a program that I am running) from doing so by accident (bug), which is all that you can expect from them.

  41. Anonymous says:

    Without sounding like a hate post, I request Microsoft to address this in Service Pack 1 for Windows 7 as "not being able to see all file names" is truly a lame excuse. Windows Vista didn’t show the file names at all when copying files!!! How do I know then that my multiselect didn’t accidentally include MergerPlans.doc? Why doesn’t the same lame logic apply to NTFS compression ot encryption? Those operations nicely show an elevation prompt with "Continue" button. Please I want this feature back if Microsoft really cares.

  42. Anonymous says:

    If any developer is ready to fix this for Vista and Windows 7 and modify an existing GUI ACL editor to support UAC, please take a look at a project called FilePermsBox on CodeProject. FilePermsBox also had its own Property sheet extension similar to Windows’ but Vista/Windows 7 broke it like dozens and dozens of other shell extensions.

  43. Anonymous says:

    Why can’t Windows simply display this alternate elevation dialog?: http://img511.imageshack.us/img511/5607/alternateelevationdialo.png

  44. Anonymous says:

    @James Schend, I don’t attack other commenters personally like you just did by telling Raymond to ban me.

  45. Anonymous says:

    @barrkel

    “CACLS doesn’t cut it.”

    And to think years ago, Sysadmins would complain about using a GUI for performing tasks.

    @Raymond

    This “security chicken” you refer to.  Is it related to the last-check-in chicken, or is it a totally different breed?

    [I just made it up, but it’s based on “schedule chicken”. -Raymond]
  46. Anonymous says:

    First they say I shouldn’t use Notepad to edit my Unix Shell Scripts, and now I can’t even use the GUI to change security permissions on multiple, unrelated files in different directories simultaneously.

    Next, they’ll probably slow down my one remaining real world task: repeatedly activating and then dismissing the Secure Desktop to see how responsive it is.

  47. gauravkale@vista.aero says:

    Do us a favor and please fix this in Windows 7 SP1 Microsoft so more of us who are holding on to XP can upgrade.

  48. Anonymous says:

    It has been requested 160 times by people on Windows7Taskforce (http://www.windows7taskforce.com/view/193) and AeroTaskforce (http://www.aerotaskforce.com/view/364).

  49. Anonymous says:

    Geez. Here’s how to change the permissions on 50 files that can’t be wildcarded.

    Make a temporary directory.

    Move the 50 files to said temp directory.

    In temp directory "icacls *.* blab blah blah"

    Move files back. Hell, "Undo move" probably works!

    C’mon, so it takes a few more clicks. If you’re gonna do it hourly, powershell it. If not, you’ve spent a couple minutes more.

    PS – Win7 fixed the drag-and-drop to cmd prompts. It works again. I think Raymond even blogged about it, and WHY it works again.

    PPS – You can set Win7 UAC to be similar to Vista’s. Just set it to the most warning setting, where even whitelisted apps will get a dialog. I won’t miss the multiple elevation prompts during a single operation, though.

  50. Anonymous says:

    @Nick: Everything I’ve seen on the topic indicates that UAC is nothing more than an incentive to ISVs to change their development model to better support users without admin rights.

    Bullseye! That’s exactly the reason why uac was added to vista.

    The decision was NOT based on any technial details. It was an economic, strategic decision aimed against ISVs.

    UAC is not real security at all. It’s only perceived security. As usual.

  51. JamesNT says:

    You people seem to be missing out on the incredible opportunity MS is presenting you with.  Here’s an example:

    Whenever we add a new client, we have to change security permissions on several files/groups in a share to allow them access, but never all files/groups in that share.  My boss will sometimes ask me, "Can you show me how to do that?  That way you can focus more on programming."

    I then pull up the UI and show him how.  Upon realizing this is going to take him all day because there are hundreds of files/groups/shares, he tells me to handle it.  I then whip out POWERSHELL and write a quickie to handle it all and I’m done in 3 minutes!  My boss exclaims, "How did you do that so fast?"  

    I show him my POWERSHELL commands and he exclaims again, "You used the box with all the words in it!!!  How can I learn how to do that?!?!?"  

    I then explain that for a $10,000 raise I would teach him now.  My boss typically then laughs aloud and trots his annoying ass back to the golf course where he belongs thereby leaving me in peace for the rest of the day.

    I either get a raise, or get peace and quiet.  Either way, I win.

    JamesNT

  52. JamesNT says:

    @640k

    Awwww…did we wake up with the wrong distro installed this morning?

    JamesNT

  53. JamesNT says:

    Mr. Chen,

    It appears that you are once again under siege from those who should have never been granted a computer science degree or never got one.

    Please be reminded that there are those of us who truly appreciate your blog and all the help you are trying to give us in understanding why things are the way they are in Windows.

    Your blog is awesome and you are my programming god.

    /kneels

    JamesNT

  54. Anonymous says:

    @Raymond

    “What do you do all day that keeps requiring elevation?”

    Running WizMouse (right at startup), daily.

    Running regedit, often

    Running defrag, once or twice a month

    running Hyper-V Admistration client (multiple times a week) – now solved through runas with storing credentials

    Beating old software into submission – still to often

    Runing Everything (file search accessing native NTFS) – at least daily

    Re-Registering old versions of COM servers (that just are writing to HKCR) for diagnostics and comparison

    Editing config files of apps that are installed  in %PROGRAMFILES%

    Copying files manually to %PROGRAMFILES%

    Testing setups

    That’s just from what I remember right here, right now.

    I know I’m not a typical user, and I can live with the dialogs – still it seems more like “punish developers” than “making life more secure”. (Not that I disagree completely…)

    [Then create a single elevated command prompt at logon, and any time you need to do something elevated, re-use that command prompt. (There are spot-fixes you can make for some of these actions, like relaxing ACLs on CLSIDs in the registry, or files/directories in %PROGRAMFILES%.) -Raymond]
  55. Anonymous says:

    Wow, I had no idea so many people change permissions on large groups of files at once.

  56. Anonymous says:

    I love it when people whine about a feature they use once every five years.

    (If someone is constantly changing security for files, they need to reconsider what they are doing.)

  57. Anonymous says:

    (Maybe there’s some malware that waits for people to change security on multiple items and quietly sneaks NTOSKRNL.EXE into the file list.)

    This argument is truly ridiculous. It’s very easy for non-elevated malware to gain elevated privileges any time the user elevates anything (and in 7 by default, that’s not even necessary since some stuff auto-elevates).

    UAC does not provide any real security, it was never designed to do so. It has other purposes. Read: http://technet.microsoft.com/en-us/magazine/2009.07.uac.aspx

    Besides, permissions are broken in Windows anyway. I could never understand the concept behind the design. If an object is inheriting all of its permissions and you move it elsewhere, it still has the old permissions, but they are still inherited. You have to disable and re-enable inheriting for it to get the new permissions. Combine that with the "bypass traverse checking" privilege everything and everyone has, and that’s lots of trouble waiting to happen.

    And what’s up with Explorer’s permissions UI? It’s one of the worst, most inconvenient UI I’ve ever seen, even if you don’t count this particular problem. In 7 the amount of steps you have to do to change privileges to some files is staggering, half of them being clicking again and again the "click here to view" buttons, then closing and reopening for the thing to refresh itself.

    Even more offtopic but: John: > ‘"X minutes ago" is the bane of my existence.’ < You’re not alone. To add insult to injury, it says "Today, 8 of April of 2010, 2 hours ago". That’s the pinnacle of stupidity: it says TODAY, then it says the whole day AGAIN, then it doesn’t tell you the time. Sometimes I don’t even know what these people are thinking.

  58. Anonymous says:

    @Joe:

    “I love it when people whine about a feature they use once every five years.”

    Scenario: your teenage kid saves the pictures from a camera to his private Pictures. Then Mom comes and tells: why don’t you move them to Public Pictures. OK. then Mom says: Why it keeps telling me “access denied”? WTH? Happens more often IRL than you know.

    [This scenario was fixed in Windows 2000. If you use Explorer to move files, it changes the ACLs to match the security of the destination folder. -Raymond]
  59. Anonymous says:

    @JamesNT:

    "Whenever we add a new client, we have to change security permissions on several files/groups in a share to allow them access, but never all files/groups in that share."

    How about just creating a new user group and adding the "client" (User?) to the group? And simply allowing access to the whole group for the share?

  60. Anonymous says:

    I could never understand the concept behind the design.

    I suggest that is not a problem with the OS.

  61. Anonymous says:

    @JamesNT:

    > I show him my POWERSHELL commands and he exclaims again, "You used the box with all the words in it!!!  How can I learn how to do that?!?!?" <<

    PowerShell: the ACL Mutilator. It’s got what computers crave. It’s got electrolytes.

  62. Anonymous says:

    What’s this attitude of doing away with a feature because it may require some reworking instead of making it work? Everyone gets that resources are limited when preserving existing shipping features in the product has to have priority over new features.

    [The new feature was UAC. Are you saying that the correct decision in this case was to say “Sorry, in order to preserve this feature we have to cut UAC”? -Raymond]
  63. Anonymous says:

    "The OS files are quite frankly the least important files on the drive. I’ve got a DVD and can put those right back."

    Could you explain your process for this in a bit more detail please? I sincerely hope it entails replacing every single shared library and executable on the disk with known-good versions, as well as the bootloader, all at once from a clean environment where malware is known to not reside or be running. Otherwise, if malware has had the opportunity to run as Administrator (which it will have to have done to get infect your shared system files in the first place), you may as well not have bothered.

    Oh, and you probably want to clean, repair or restore the data from *every* *single* *user* on the system as well, in case the malware has copied itself there.

    I don’t know about you, but on most systems I’m aware of, cleaning, repairing or restoring one user’s files is a hell of a lot easier than reimaging or reinstalling the OS and all applications, and then restoring *all* users’ files.

    "If its a multi-user system, there is no modern OS that cannot keep me from trashing the other users files if I wanted to."

    Really? Could you expand on this please? Preferably with a Linux example (it’s what I’m most familiar with) but any OS will do…

  64. Anonymous says:

    Why not just show one elevation prompt for each file that requires elevation? It would be more annoying than a single prompt, but less annoying than changing the security properties for each file individually. Of course it would also shift complaints from the "missing features" bucket to the "UAC" bucket.

  65. Anonymous says:

    When you are argumenting, that you removed that feature, because a malware could wait for that action and put NTOSKRNL.EXE into that list, why isn’t the same malware able, to do the same with (i)cacls?!

    [Um, since icacls does not attempt to elevate, any such injection would imply that the malware can inject into an elevated process, in which case it is already on the other side of the airtight hatchway. -Raymond]
  66. Anonymous says:

    @Gabe

    "Why not just show one elevation prompt for each file that requires elevation?"

    Because that behaviour gets tiring real fast.  Saw that during one of the early Vista betas.  A file copy operation would prompt for every file needing elevation for copying.

    Every time you improve something in a mature product, you annoy people.  What do you do, do nothing?  Or be like those folks in Cupertino, who get to wipe the slate clean every few years?

  67. Anonymous says:

    [The new feature was UAC. Are you saying that the correct decision in this case was to say "Sorry, in order to preserve this feature we have to cut UAC"? -Raymond]

    I don’t know whether he’ll say that or not but I’ll say that.

    I’ll turn UAC back on the day I can disable folder and registry redirection globally. Until then, it goes out of its way to make my life miserable.

  68. Anonymous says:

    [This scenario was fixed in Windows 2000. If you use Explorer to move files, it changes the ACLs to match the security of the destination folder. -Raymond]

    I hesitate to disagree with you, Raymond, but this isn’t the behavior I’m familiar with.  I’ve always found that moving a file on the same NTFS volume will not change the ACLs.  For kicks I just tried creating a new file, Picture.png (on XP):

    C:Documents and SettingsNickDesktop>icacls Picture.png

    Picture.png PHYSICSNick:(F)

               NT AUTHORITYSYSTEM:(F)

               BUILTINAdministrators:(F)

    I then moved the file normally using Explorer, and:

    C:Documents and SettingsAll UsersDesktop>icacls Picture.png

    Picture.png PHYSICSNick:(F)

               NT AUTHORITYSYSTEM:(F)

               BUILTINAdministrators:(F)

    Am I misunderstanding something?

    By the way, please don’t take this as criticism.  Like most others here, I strongly appreciate your blog and the effort you put into it.

    [You probably disabled simple file sharing. I explained the logic a few years ago. -Raymond]
  69. Anonymous says:

    [You probably disabled simple file sharing. I explained the logic a few years ago. -Raymond]

    Yes, and I also have all users (including myself) as Limited Users, and I also have a real Administrator enabled. Everything contrary to the default Windows XP config. This is why I didn’t have any security problem in so many years. Actually I had one incident because of Flash, but it didn’t cause full system compromise.

    [Not sure why you bring up all that other stuff since it’s unrelated to the issue of setting ACLs on multiple files. If you turn on simple sharing (which is on by default), then the issue you brought up (moved files need their ACLs fixed) does not arise. if you turn it off, then you accept that you will be spending a lot of time fixing ACLs. Maybe you could write a script to make that easier. -Raymond]
  70. Anonymous says:

    [You probably disabled simple file sharing. I explained the logic a few years ago. -Raymond]

    That explains it (and now that you bring it up, I remember that blog post).  Thanks for the clarification.

  71. Anonymous says:

    Gutting features from the user experience is very typical for Microsoft. The same Microsoft that goes way way too far in the name of compatibility for business applications written by nephews of nepotistic CEOs.

    [Okay, so you’re saying that we should just stop changing the UI effective immediately? No matter what you change, somebody will complain that they liked it the old way. -Raymond]
  72. Anonymous says:

    [The new feature was UAC. Are you saying that the correct decision in this case was to say “Sorry, in order to preserve this feature we have to cut UAC”? -Raymond]

    Yes. Look at Vista. Much of its hate was due to UAC. UAC was clearly not ready to ship then.

    “Windows might need to display an elevation prompt if any of the files in the collection require administrator privileges in order to modify the security attributes.”

    Was it too hard to preserve the feature for files which didn’t require elevation?

    “[Wow if only there was a way to automate repetitive actions. I thought computers would be good at that. Oh well. -Raymond]”

    Wow if only there was a way for MS to preserve a dialog so that you don’t need to know scripting to make a removed feature work.

    [Yes, there is a way (after all, “it’s only software”) – the question is whether it can be done in the time allotted with the resources available, bearing in mind that it is in competition with all the other things that need to be done. Sorry the balance didn’t turn out the way you’d have liked it. It’s not the way I would have liked it either, but that’s not the point of the article. -Raymond]
  73. Tihiy says:

    Sorry to barge, but nobody uses UAC.

    So removing this feature was pretty stupid… But who forbids writing new Security page (or other ACL GUI tool), all-powerful and shiny? I would even buy it if it would have "Grant me all permissions for those files forever" button.

  74. Anonymous says:

    @Warll: You know what else is a dangerous feature? The power button.

    You can say that again.  Whoever designed my work computer’s box thought it was a really good idea to put a black power button with a (functionally invisible) black power logo on it, right next to the DVD drawer. They also made the DVD eject button almost tiny, circular, unlabeled and further away from the DVD than the power button.

    I’ve lost count of the number of times I’ve turned the computer off trying to eject a DVD.

  75. Anonymous says:

    @Tihiv

    "Sorry to barge, but nobody uses UAC."

    I do, and I know several organisations which do.  Who are these "nobody" that you’re talking about?

  76. Anonymous says:

    So what’s the future of this feature going to be? Several people have asked for this in quite a number of places. Surely it can be fixed in SP1 by adding a dialog shown by "ranter"? There would be no need to show filename of even a single file. That’s how it behaves when multiple items are selected for NTFS compression or encryption in UAC protected locations.

  77. Anonymous says:

    Karellen:

    You seem to be missing the point. If something gets root, its true that none of the binaries can be trusted…

    ..but the fact is that the existance of ANY malware puts all the binaries in doubt, even if that malware coincedentally lives entirely in userland, becase you cannot prove that it lives entirely in userland.

    As you see, the thoroughness which the OS protects its own files is completely irrelevant to everything! YOU HAD MALWARE! YOU MUST REFORMAT!

    As far as how to get root in Linux… really? You really need to ask this? Google can explain it.

  78. Anonymous says:

    @Joseph Koss,

    I hope, Windows ultimately will come to the point where only MS signed binaries (and only those ISV’s binaries vetted and signed by MS) will be allowed to run in trusted context. And that will be better for everybody.

  79. Anonymous says:

    UAC has several configurable security levels. Why can’t *any* level be useful AND secure?

  80. Anonymous says:

    I just had a situation where I was dual booting Windows 7 and XP. The source code tree was on the XP partition. In Windows 7, users had only read access. I could either elevate Visual Studio to run as administrator, or do the obvious: change the permissions at the root of the tree.

    Seems to me that anyone having to change permissions on multiple files is missing the point entirely.

  81. Anonymous says:

    Joe (and others),

    Yes, there are many situations where you can just change from the root and blat permissions over everything below it.

    Equally, there are even more situations where you don’t need to change file permissions at all. By the logic of many people here* there shouldn’t be a UI for changing file permissions at all and the filesystem should assign permissions only on directories at the root level with all other files and sub-folders inheriting those.

    (* Which seems to be, "if I never use something then nobody in the entire world could possibly use it either, but also thanks for the great workaround that I will apparently never use.")

    That’s silly, though. There are cases where not all items in or below a certain folder have the same permissions and you then want to change some items but not others. (If such cases didn’t exist then there would be no reason for the workaround to be posted in the first place.)

    I’ve run into this problem several times on my own machines, as have others. Of course, it’s not the majority of people and maybe not enough for MS to care about in the grand scheme of things.

    If you haven’t run into it then good for you, but don’t say other people are wrong to need to do something just because you haven’t needed it.

    People are frustrated because dealing with this situation was made much more difficult for tenuous reasons.

    It’s not the end of the world and we’re not all going to jump ship to another OS because of it but it is an annoyance.

  82. Anonymous says:

    @Joseph Koss: "the fact is that the existance of ANY malware puts all the binaries in doubt, even if that malware coincedentally lives entirely in userland, becase you cannot prove that it lives entirely in userland."

    Uh, boot from a clean CD/DVD, check MD5 sums of kernel image + all installed binaries & libraries, and optionally run virus scanner from CD (might be required for /usr/local and /root).

    Easy.

  83. Anonymous says:

    I’ve always seen [the file management aspect of] Explorer as a tool aimed at desktop end users, not admins or power users.

    I don’t think the intersection of people who have a good reason to change permissions on a per-file rather than directory wide basis and people who don’t have the ability to script it is big enough to worry about.

  84. JohnCKirk says:

    Joshua wrote:

    "I’ll turn UAC back on the day I can disable folder and registry redirection globally. Until then, it goes out of its way to make my life miserable."

    Use Group Policy, and go to:

    "Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsUser Account Control: Virtualize file and registry write failures to per-user locations"

    I haven’t tested this, but apparently if you define that setting and choose Disabled: "Applications that write data to protected locations will simply fail as they did in previous versions of Windows." You should be able to define that GPO setting centrally, and apply it to as many machines as you like.

  85. Anonymous says:

    Karrelen, having a plethora of "known good" MD5 hashes doesnt support your original argument.

    You argued that its easier to replace one users files than to replace all users files, and that thats why the OS files are so important to protect..

    ..but here you are with a system that in fact computes an MD5 of every single binary on the drive and checks them against a database of known good ones, and that you intend to do this when *ANY* user gets malware.

    You are in the boat that I suggested you were in, after all.

    Glad we could sort this out.

  86. Anonymous says:

    ★ The MD5 checker could also be infected.

Comments are closed.