...to hide selected drives/volumes from less qualified users.
OK. My box is Win7 Home Premium SP1, with 4 accounts, Admin and 3 user accounts--family members. I have 3 drives, 2x 500GB and one 3TB.
Drive0 has drives C: (boot, 243GB) and D: (compressed data, 223GB) and System Reserved (100GB);
Drive1 has drives F: (pagefile, 5GB) and E: (uncompressed data, 461GB);
Drive2 has drive G: (monolithic data storage, 2794GB).
I want to hide drive F: from everyone except Admin. It is obviously a System Disk, so even if I had Group Policy on this box, I can't hide it, at least on W7. Unfortunately, the security settings on F: include "Users:(Read, List folder contents, Read & Execute)", and I am reluctant to even touch those in case I wreck the system.
I have been using "NoDrives" in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer in each of the three user accounts from Admin with regedit, which works for a while until Windows does a scan and deletes it. The really silly bit is that I can successfully hide C: from two of my users with no visible dramas!
So my thought is that while we are looking at the fundamentals in ReactOS, getting the kernel to work properly, can we make sure we have a better mechanism than Microsoft offers to hide sensitive drives from unauthorised users?
Gordon.
NoDrives registry entry...
Re: NoDrives registry entry...
I believe ReactOS should follow the MS way.
If however some slight "enhancements" are possible then in this case the "Local Group Policy Editor" could allow hiding any drive letter(s). I think by default (in Windows) we can hide only C or C-D or something like that.
Maybe ReactOS "Local Group Policy Editor" could also show the user what registry key it is actually modifying.
It would be easier than using for example "Regshot" or "Process Monitor".
Anyway regarding hiding F-drive on Windows (7) it should work with these two registry changes (my examples use reg.exe command).
First the one you had already figured out:
Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoDrives" /t REG_DWORD /d "0x00000020" /f
In addition this one is also needed:
Code:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoViewOnDrive" /t REG_DWORD /d "0x00000020" /f
I don't know what scan Windows does in your case, but when I used to use this nothing was removing these automatically.
I used this on my HTPC for the HTPC user when it was running Windows 7.
.nsh
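Added example, not part of the original posts: NoDrives and NoViewOnDrive are bitmasks with one bit per drive letter (A is bit 0, so F is 0x20 as in the commands above). This Python sketch builds and decodes such a mask and prints reg.exe commands in the same form; the function names are hypothetical.

```python
import string

# Key and value names as used in the reg.exe commands in the post above.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUES = ("NoDrives", "NoViewOnDrive")


def drive_mask(letters):
    """Return the bitmask for a list of drive letters (A = bit 0 ... Z = bit 25)."""
    mask = 0
    for letter in letters:
        letter = letter.strip(":\\ ").upper()   # accept "f", "F:" or "F:\"
        if len(letter) != 1 or letter not in string.ascii_uppercase:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask


def mask_to_drives(mask):
    """Decode a mask read back from the registry into the letters it covers."""
    if not 0 <= mask < (1 << 26):
        raise ValueError("mask must fit in 26 bits")
    return [c for i, c in enumerate(string.ascii_uppercase) if mask & (1 << i)]


def reg_commands(letters):
    """Build one reg.exe command per policy value for the given letters."""
    value = f"0x{drive_mask(letters):08X}"
    return [
        f'reg add "{POLICY_KEY}" /v "{name}" /t REG_DWORD /d "{value}" /f'
        for name in VALUES
    ]


if __name__ == "__main__":
    for cmd in reg_commands(["F"]):      # the drive discussed in this thread
        print(cmd)
    print(mask_to_drives(0x24))          # constructed sample: decode a combined mask
```

Both values only change what the Explorer shell shows and opens; NTFS permissions, as suggested later in the thread, are what restrict access to the volume itself.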
Re: NoDrives registry entry...
G'day nsh -
Well, I learn something every day!!! In all my searching, the NoViewOnDrive key never surfaced at all.
Anyway, thanks for that, I've just done it to all User accounts from Admin. Now let's see if it sticks... As I said, it seems that making a drive into a pagefile makes it a system disk/file with different properties to user files. This may also be something ROS devs might want to suss out. I should say that doing the same thing on W2K with only the HKCU\\NoDrives key effectively hid my pagefile from all users while leaving it visible where it was needed, in Admin, with no dramas. Maybe W7 UAC is getting its knickers in a knot?
When my box lights up, the drive light stays on for some (variable) time. It seems Windows is scanning for disk errors, and that I certainly approve of, rather like the registry scan W2K would do at start-up, and I devoutly hope W7 does as well.
As far as ROS goes, I don't care how it's done, as long as it is done, and in a more robust and accessible fashion: I'd like to see Group Policy accessible to all versions, not just a privileged few.
Gordon.
Re: NoDrives registry entry...
Happy to be of help and I hope it works for you!
I don't know if the drive having pagefile.sys on it affects the registry settings, as I've not used a paging file since NT4 (I know not to use too much RAM), so my hidden (from users) drive didn't have that. It was just a disk that contained backups.
But UAC was on for non admin users on the Windows 7 so that shouldn't break this.
If it does not work for you maybe you could change the NTFS rights on the F-drive so that users don't have "list" rights. Just "read" and/or "write" if they need any access to the drive.
That way even if it shows it will appear empty... If that helps you.
Yeah, definitely things like GPO editor should not be restricted in ReactOS. I don't see why ROS would even need to limit "features" the way MS does with different editions.
edit: typos.
.nsh
Re: NoDrives registry entry...
gordon451 wrote:
...to hide selected drives/volumes from less qualified users.
OK. My box is Win7 Home Premium SP1, with 4 accounts, Admin and 3 user accounts--family members. I have 3 drives, 2x 500GB and one 3TB.
Drive0 has drives C: (boot, 243GB) and D: (compressed data, 223GB) and System Reserved (100GB);
Drive1 has drives F: (pagefile, 5GB) and E: (uncompressed data, 461GB);
Drive2 has drive G: (monolithic data storage, 2794GB).
I want to hide drive F: from everyone except Admin. It is obviously a System Disk, so even if I had Group Policy on this box, I can't hide it, at least on W7. Unfortunately, the security settings on F: include "Users:(Read, List folder contents, Read & Execute)", and I am reluctant to even touch those in case I wreck the system.
I have been using "NoDrives" in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer in each of the three user accounts from Admin with regedit, which works for a while until Windows does a scan and deletes it. The really silly bit is that I can successfully hide C: from two of my users with no visible dramas!
So my thought is that while we are looking at the fundamentals in ReactOS, getting the kernel to work properly, can we make sure we have a better mechanism than Microsoft offers to hide sensitive drives from unauthorised users?
Gordon.
Same here, Gordon! I learned a lot each day browsing here and there! I've been using NoDrives since then and this really helps me a lot!