File security issues after converting FAT32 partitions to the NTFS file system (810142)



The information in this article applies to:

  • Microsoft Windows XP Professional
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP Service Pack 2

SYMPTOMS

After you run the Convert.exe utility on an installation of Windows XP Professional or on Windows XP Home Edition, the All Users folder and all subfolders (that is, the folders with inheritable permissions) show only the following permissions:

Everyone: by default, all items (including Full Control) are selected.



The subfolders include:
  • Desktop
  • Favorites
  • Shared Documents
  • Start Menu

CAUSE

Convert.exe is used to convert the file system from FAT32 to the NTFS file system. During the conversion process, Convert.exe uses the Setup Security.inf file in the C:\Windows\Security\Templates folder to apply security settings to the partition. The Setup Security.inf file is created during Windows XP setup. If the OS was installed on a FAT32 partition, the file security settings will differ from an installation on an NTFS partition. This difference causes the problem.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

Note: If you purchased your computer from an original equipment manufacturer (OEM), Microsoft has investigated this problem and is working directly with OEMs to provide a solution.

With a manual installation of Windows XP Professional or Windows XP Home Edition, the default permissions of the All Users folder and all the subfolders that have inheritable permissions are as follows:
  • Administrators: All items (including Full Control) are selected.
  • Everyone: Read and Execute, List Folder Contents, and Read are selected.
  • Power Users: All items except Full Control are selected.
  • System: All items (including Full Control) are selected.
  • Users: Read and Execute, List Folder Contents, and Read are selected.

Microsoft has reviewed the security settings that are defined in the Setup Security.inf file that is mentioned earlier in this article. As a result of that review, please note the following points:
  • The following directories were determined to have special access control lists (ACLs) set incorrectly, or not set at all.
  • The following directories also have a corresponding list of appropriate special ACLs that are based on a review of NTFS permissions on a natively configured NTFS system.
  • Not all of the following directories are necessarily present on every system. Many directories are pertinent to specific components that may not be installed.

Windows XP

  • Documents and Settings
    • System and Administrator: Full
    • Users, Power Users, and Everyone: Read and Execute
  • Documents and Settings\username
    • System and Administrator: Full
    • User: Full
  • Documents and Settings\Default User
    • Inherited from "Documents and Settings"
  • Documents and Settings\All Users
    • System and Administrator: Full
    • Users and Everyone: Read and Execute
  • Documents and Settings\All Users\Desktop
    • Inherited from "All Users"
  • Documents and Settings\All Users\Favorite
    • Inherited from "All Users"
  • Documents and Settings\All Users\Start Menu
    • Inherited from "All Users"
  • Documents and Settings\All Users\Template
    • Inherited from "All Users"
  • Documents and Settings\All Users\Shared Documents
    • System and Administrator: Full
    • Creator Owner: Full
    • Power Users: Modify
    • Users: Read, Execute and Write
  • Documents and Settings\All Users\Application Data
    • Same as "All Users\Documents"
  • ...Application Data\Microsoft\Network\Downloader:
    • Full access to LocalSystem
    • Full access to Local Administrators
      Note: Inherited ACLs are enabled.
  • %allusersprofile%\Start menu\Programs\Accessories (and all of the link files and subfolders underneath it)
    • Inherited from %allusersprofile%\Start menu\Programs
  • %allusersprofile%\Start menu\Programs\Startup
    • Inherited from %allusersprofile%\Start menu\Programs

Windows 2000

  • Documents and Settings
    • System and Administrator: Full
    • Users, Power Users, and Everyone: Read and Execute
  • Documents and Settings\username
    • System and Administrator: Full
    • User: Full
  • Documents and Settings\Default User
    • Inherited from "Documents and Settings"
  • Documents and Settings\All Users
    • System and Administrator: Full
    • Users and Everyone: Read and Execute
  • Documents and Settings\All Users\Desktop
    • Inherited from "All Users"
  • Documents and Settings\All Users\Favorite
    • Inherited from "All Users"
  • Documents and Settings\All Users\Start Menu
    • Inherited from "All Users"
  • Documents and Settings\All Users\Template
    • Inherited from "All Users"
  • Documents and Settings\All Users\Shared Documents
    • System and Administrator: Full
    • Creator Owner: Full
    • Power Users: Read and Execute, Write
    • Users: Read, Execute and Write
    • Everyone: Read and Execute
  • Documents and Settings\All Users\Application Data
    • Creator Owner: Full
    • Users: Read and Execute
    • Everyone: Read and Execute
  • %allusersprofile%\Start menu\Programs
    • Administrator: Full
    • Everyone: Read and Execute, List Folder contents
    • Power Users: Everything but Full Control
    • System: Full Control
    • Users: Read and Execute, List Folder contents
      Note: Everyone has the right to view this file. Only Power Users and Administrators have the privilege to change these folders or files.
  • %allusersprofile%\Start menu\Programs\Accessories (and all of the link files and subfolders underneath it)
    • Inherited from %allusersprofile%\Start menu\Programs
  • %allusersprofile%\Start menu\Programs\Startup
    • Inherited from %allusersprofile%\Start menu\Programs

WORKAROUND

To correct the ACLs that are listed for the specified directories in this article, and to correct any additional incorrect settings that the user may have found, you can use the Cacls.exe utility. The Cacls.exe utility (included in the systemroot\System32 folder) is a tool that is designed for modifying the permissions (access control lists [ACLs]) of NTFS files and folders.

For additional information about the correct use of the Cacls.exe utility, click the following article number to view the article in the Microsoft Knowledge Base:

318754 HOW TO: Use Xcacls.exe to Modify NTFS Permissions
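
An added example (not part of the original Microsoft article): a Python check that parses saved Cacls.exe output for the All Users folder and reports deviations from the default permissions listed under STATUS. The sample output is constructed, and the letter-code mapping, the path constant, and the function names are assumptions of this example.

```python
import re

PATH = r"C:\Documents and Settings\All Users"

# Constructed sample: cacls output on a converted volume (the symptom above).
SAMPLE_CONVERTED = r"""C:\Documents and Settings\All Users Everyone:(OI)(CI)F
"""

# Constructed sample: cacls output on a natively installed NTFS system.
SAMPLE_NATIVE = r"""C:\Documents and Settings\All Users BUILTIN\Administrators:(OI)(CI)F
                                    Everyone:(OI)(CI)R
                                    BUILTIN\Power Users:(OI)(CI)C
                                    NT AUTHORITY\SYSTEM:(OI)(CI)F
                                    BUILTIN\Users:(OI)(CI)R
"""

# Default All Users permissions listed in this article, as cacls letter codes
# (assumed mapping: F = Full Control, C = Change, i.e. everything except Full
# Control, R = Read, which covers Read and Execute).
BASELINE = {"administrators": "F", "everyone": "R", "power users": "C",
            "system": "F", "users": "R"}

# "principal:(flags)perm"; inheritance flags such as (OI)(CI) are optional.
ACE = re.compile(r"^(?P<who>.+?):(?:\([A-Z]+\))*(?P<perm>[FCRWN])$")

def parse_cacls(output, path):
    """Map each principal (lowercase, domain prefix dropped) to its perm letter."""
    aces = {}
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()   # first line carries the path
        m = ACE.match(line)
        if m:                                  # special-access lines are skipped
            who = m.group("who").rsplit("\\", 1)[-1].lower()
            aces[who] = m.group("perm")
    return aces

def audit(output, path=PATH, baseline=BASELINE):
    """Return deviations from the baseline; Everyone with F is the reported symptom."""
    aces = parse_cacls(output, path)
    findings = [f"{who}: expected {want}, found {aces.get(who, 'no entry')}"
                for who, want in baseline.items() if aces.get(who) != want]
    findings += [f"{who}: unexpected entry {aces[who]}"
                 for who in sorted(aces.keys() - baseline.keys())]
    return findings

if __name__ == "__main__":
    for name, text in (("converted", SAMPLE_CONVERTED), ("native", SAMPLE_NATIVE)):
        print(name, audit(text) or "matches baseline")
```

Entries that Cacls.exe reports as special access are not evaluated by this check and need manual review.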


Modification Type: Major
Last Reviewed: 5/19/2005
Keywords:kbprb KB810142 kbAudDeveloper