Video Screencast Help
Symantec Appoints Michael A. Brown CEO. Learn more.
Endpoint Management Community Blog

Vista Ignores Attribute Changes and Blocks Modification of Network Copied Files

Created: 22 Feb 2008 • Updated: 22 Feb 2008 • 1 comment
scottwed's picture
0 0 Votes
Login to vote

This one was driving me up a wall. There's tons of hits on Google, but nobody had an actual answer.

To reproduce the problem, copy some files from another computer to the network file share on your Vista box. This could come up frequently during a Vista migration.

In my situation, I transfered a directory to d:\vmdisks\vmName1

Next, attempt to modify one of the files with notepad. You can tell the file is protected, as notepad will claim the file is no longer present when you attempt to save it. (This is supposed to happen for any files under \Program files and \Program Files (x86))

Also, if you attempt to remove the read-only attribute from one of the copied files, you will be prompted by UAC to approve, and Vista will report the operation was successfull. Closing the properties window and reopening it will show the attribute was not modified.

Automatic Vista file protection is supposed to be limited to certain protected folders and a few file extensions (*.exe). It shouldn't be paying attention to VMWare files on a secondary drive. If anyone can find a concise set of rules for triggering this file flag, I'd love to have it.

The Fix:

  1. Right-click on cmd.exe and select "Run as administrator"
  2. Execute icacls folderpath setintegritylevel low

Comments 1 CommentJump to latest comment

scottwed's picture

I found some more information on this issue this past week. One explanation is that Vista enforces NTFS ACLS differently, depending upon the "integrity level". With an increased integrity level (medium or high?), the Vista file redirector enforces a most restrictive rights policy. Unfortunately, it doesn't trigger a UAC prompt.

The explanation I found seems to make sense, but I haven't tried to reproduce the problem again. I'll do so in the next week. The problem will also exist when attaching a USB drive to a Vista box.

In my situation, the built-in Users group was allowed to inherit read-only access to the destination directory. I had tried a direct rights assignment for my personal administrator account with full NTFS permissions to the directory. I also double-checked that the Administrators group had full permissions to the directory. I also verified that the Effective Permissions function indicated that my account had full access to the files and directories.

NTFS permissions are traditionally enforced as a combination of the least restrictive set of rights. If your account has directly assigned rights, or is a member of any groups that has rights to a file/directory, then you are granted the rights from all of them. The exception to the rule is any "Deny" right which serves as a universal block.

Because my administrator account is both a member of the Administrators group and the Users group, my attempts to modify the file were silently discarded by the Vista file redirector.

Scott Wedekind

 

+3
Login to vote