Why did Windows 8.1 damage the security permissions on a drive from another Windows installation

2014-07
  • user331793

    I have a problem with Windows 8.1 and doing a "quick" backup of the files and folders on another installation's HDD.

    Scenario:

    Computer A: My computer = Windows 8.1 fully patched

    Computer B: Other computer = Windows 8.0 fully patched (apart from 8.1)

    1. Removed HDD from Computer B in order to check files system and copy users files and folders prior to some clean-up work
    2. Placed HDD into computer A and it came up as drive K
    3. Accessed the K drive .\users\userA folder
    4. Got told I did not have permission etc. Do you want access Y/N - Clicked Y
    5. Waited about 2 minutes for it to think about it

    5a Gained Access and copied documents and pictures etc to temporary holding area on Computer A

    6. Removed drive of B and put it back into Computer B
    7. Booted up
    8. Got to log on screen
    9. Logged on to computer B

    Problem 1 - Start screen in computer B was totally empty

    Problem 2 - Could not even access the "Desktop"

    It appears that the ACL got messed up doing the steps above.

    I tried and succeeded to get access back by running:

    • icacls c:/ * /T /Q /C /RESET - got loads of "access denied" but also I guess it reset a lot as well (not sure if I needed to do this though)
    • Explorer and changed ownership of c:\users\userA back to "userA". Gave UserA full control of both c:\users\userA and c:\users\public and all their subordinates.

    I have replicated the steps in Windows 7 on a Windows 8 HDD and also in MiniXP both of which use the same ACL methodology.

    My questions are:

    1. Why does it do it in 8 but not in Hiren (miniXP) or Windows 7 as the host computer? Is this a specific change in the way ACL is handled in Windows 8 and above?

    2. Is the command icacls c:/ * /T /Q /C /RESET in Windows 8 and 8.1 the correct command to recover from this corruption of the ACL?

  • Answers
  • Sami Kuhmonen

    a) Because you answered "yes" to the question about changing permissions. NTFS permissions are based on the SIDs in the system. If you put the drive into another machine, only the built-in SIDs match (Everyone, Administrator etc). All other accounts have different SIDs, so the ACLs must be changed if you want access. Windows doesn't know that you actually have ripped a drive from another computer, or its SIDs, it may well remove them, or do whatever.

    b) Add permissions manually for your user account and don't touch other ACLs. That way it won't happen. If it does, then you have to painstakingly manually restore all permissions.


  • Related Question

    windows 7 - Why would the NTFS ACL utility `icacls` alter the system partition behind the scene?
  • netvope

    I attached an hdd to my win7 machine and assigned the drive letter I: to the only partition on the hdd. The hdd was originally from another computer, and to avoid all those "you don't currently have permission..." dialogs, I decided to use icacls to clear all ACLs.

    I ran icacls I:\ /reset /t /c /l. After a while, Chrome stopped working. Safari crashed. I traced the problem and found that the ACLs of my home folder (in C:\Users) are all messed up. Chrome and Safari couldn't write to their cache folder. I fixed the ACLs of my home folder and everything seems to be OK now.

    Why would icacls mess with my home folder when I specifically told it to work on the I: drive? I have even put in the /L switch so that it won't resolve symbolic links. Did I misunderstand the switch?

    For your reference, below are the relevant parts of the help screen.

    ICACLS name /reset [/T] [/C] [/L] [/Q]
        replaces ACLs with default inherited ACLs for all matching files.
    
        /T indicates that this operation is performed on all matching
            files/directories below the directories specified in the name.
    
        /C indicates that this operation will continue on all file errors.
            Error messages will still be displayed.
    
        /L indicates that this operation is performed on a symbolic link
           itself versus its target.
    

  • Related Answers
  • netvope

    OK I found the answer...

    The hidden Documents and Settings in I:\ is a junction pointing to C:\Users. The target of the junction is an absolute path (as opposed to a relative path). Since /L takes care of symbolic links only, icacls resolved I:\Documents and Settings into C:\Users and reset all the ACLs there.

    Therefore, never use icacls unless you have examined all the junctions in the folder you want icacls to work on! This makes icacls practically useless as a recursive ACLs modification tool... If the folder contains a junction pointing to C:\ deep inside the folder structure, you could have killed your Windows without even knowing why!
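
As an added example (not from either poster), the junction check recommended above can be scripted: this walks a drive without descending through reparse points and reports where each one points. It assumes Windows PowerShell 5.1 or later (for the `LinkType` and `Target` properties) and the drive letter I: from the question; `Get-ReparsePoint` is a hypothetical helper name.

```powershell
# Added example: list junctions/symlinks under a root before any recursive ACL change.
# Assumptions: Windows PowerShell 5.1+, drive I:\ as in the question,
# Get-ReparsePoint is a hypothetical helper name.
function Get-ReparsePoint {
    param([Parameter(Mandatory)][string]$Root)

    $volume  = [IO.Path]::GetPathRoot($Root)
    $pending = [System.Collections.Generic.Stack[string]]::new()
    $pending.Push($Root)

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        # -Force includes hidden/system entries such as "Documents and Settings".
        $children = Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction SilentlyContinue
        foreach ($item in $children) {
            if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
                $pending.Push($item.FullName)   # ordinary directory: keep walking
                continue
            }
            # Reparse point: report it and do not descend through it.
            $target = @($item.Target)[0]
            # Only an absolute target on the scanned volume counts as confirmed;
            # relative or unreadable targets are reported as not confirmed.
            $sameVolume = [bool]$target -and
                          [IO.Path]::IsPathRooted($target) -and
                          ([IO.Path]::GetPathRoot($target) -eq $volume)
            [pscustomobject]@{
                Path         = $item.FullName
                LinkType     = $item.LinkType
                Target       = $target
                OnSameVolume = $sameVolume
            }
        }
    }
}

$found = @(Get-ReparsePoint -Root 'I:\')
$found | Format-Table -AutoSize -Wrap
if ($found | Where-Object { -not $_.OnSameVolume }) {
    Write-Warning 'Some reparse points are not confirmed to stay on I:\; a recursive ACL change could follow them.'
}
```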

  • Luisp

    First and foremost, what the heck is MS doing making it so complicated to use Windows? Don't they know that people are bound to partition their 500GB+ HDD into sections to separate their data and make their data less prone to viruses, accidental deletions, etc.?

    Did I step through some Reverso World here? What a F.Job!

    So, it looks like the only answer is to not move anything that Microsoft set up. Live with what they give you. Ha! That, the Windows 2010 x64/Windows Mobile incompatibility, and XP/IE9 incompatibility are the final straw in my book.

    I am going back to XP 64 until I can find an alternative OS. It's time to talk to the attorneys.