

Disable access to FAT partition

Posted on 2002-05-06
Medium Priority
Last Modified: 2013-12-14

I'd like to disable access to a FAT partition under NT4
for normal users. The system however shall still be able
to allow access to network shares on that partition. Any

BTW.: I know how to disguise the existence of a partition
in the explorer, but that's not what I am looking for.
Question by: fremsley
LVL 51

Expert Comment

ID: 6993487
the only way I know is TWEAKUI where you can disable drives so that they won't appear in "My Computer".
'cause TWEAKUI simply changes the registry, there must be a setting there.

Hope following links is still alive:

Author Comment

ID: 6994281
Thank you,

but that's the method I wrote I am not looking for because:

  a) the user is still allowed to access the drive if he
     knows the drive letter

  b) this is done in the user's registry tree, so he can
     always change it back

What I am trying to do is getting some degree of access
control (using the net share level restrictions) on a FAT
drive. The machine has installed NT4 and Linux and
unfortunately FAT partitions are the only file system
that both systems can read and write.

Best regards

Author Comment

ID: 6996729
I just found information about using the old NT 3.5 HPFS
driver with NT4. If it really does work the partition could
as well be formatted with a HPFS file system, since Linux
offers read/write access to HPFS, too.

LVL 51

Expert Comment

ID: 6996754
BTW, I'm using Linux's NTFS driver for read/write since years, without problems (didn't do extensive tests, just simple text files).
And there's also a ext2 explorer for NT (didn't test writing with it 'cause I won't trust NT:)
LVL 10

Expert Comment

ID: 6999957
I don't know why this is a problem.

Highlight the Drive in My Computer, left click for properties and then go to Security.  Select the users that you want to have access to the entire drive (Administrators, etc.)

Then go to each shared directory, do the same and give whoever you want to have access rights to those shares the same.

LVL 51

Expert Comment

ID: 7000614

Author Comment

ID: 7005460
> BTW, I'm using Linux's NTFS driver for read/write since years,
> without problems (didn't do extensive  tests, just simple text files).

I once tried the NTFS driver of the 2.2 kernel and the file system got
corrupted -- that's probably the reason why write support is still
called 'dangerous.'

> And there's also a ext2 explorer for NT (didn't test writing with it
> 'cause I won't trust NT:)

And I don't trust the users of the systems I have to administrate!
That's why I am trying to restrict access to the NT/Linux shared
volume. Linux does not respect access control lists on NTFS file
systems so security is, like with FAT partitions, all or nothing.
For the same reason giving the users access to ext2 file systems
under NT is not a solution.

FAT volumes however can be mounted using the umsdos driver adding
Unix access modes to the file system. Maybe an even better solution
would be using an HPFS file system (I tried the old NT 3.5 driver
this weekend and it seems to work perfectly) because the Linux
HPFS driver uses its extended attributes for Unix access control,
symlinks, etc.

Best regards

Author Comment

ID: 7024451

Yesterday I noticed an interesting feature of NT that might
help getting some sort of access control on FAT/HPFS

Drive S: stores directories for all users and one called
'public' which all users should be able to access. I used
the subst command to redirect them to drive letters:

  subst H: S:\fremsley
  subst P: S:\public

After that I opened the Disk Manager (windisk.exe) and
removed the associated drive letter S: from the partition.
Now access to drive S: is not possible, the substituted
drive letters however still work well.

Is there any way to run windisk in batch mode with
system access rights (I don't want the normal users to
run it explicitly) at each login?
LVL 51

Accepted Solution

ahoffmann earned 600 total points
ID: 7025464
> Is there any way to run windisk in batch mode with system access rights

Install su.exe and the corresponding service from NT's ResKit. And use su like you do on UNIX :-)

Author Comment

ID: 7027352
Hello ahoffmann,

That's half the solution already, but -- as I have found
out meanwhile -- there is no way to run windisk.exe without
the graphical interface, which makes it perfectly unusable
for this job :-(

I have found however a tool called NTsubst which will
create drive letters for directory trees whose partitions
do not even have an associated drive letter. Trying to
understand what this little program does, I had to dive
a bit deeper into the details of NT's architecture, and
I believe to have found a way:

- There must be one special account which can log onto the
  machine and has the right to create symbolic links in
  the kernel object manager's namespace under \??\, aka
  \DosDevices\ (this is the one that will be used with the
  su command)

- All normal user accounts must _not_ be able to create
  such symbolic links.

So my question is: do you think the above configuration
is possible (and what's the name of the access right I'll
have to restrict for normal users -- there are quite a
lot and I am not an experienced NT admin, but originated
from Unix land)?

Unfortunately I have no NT4 machine at hand for the
moment, but I would try it on weekend.

Best regards

LVL 51

Expert Comment

ID: 7028017
> .. above configuration is possible ..
hmm, if you say it works, I'll believe it ;-)

> .. and what's the name of the access right ..
I do not know either (UNIXman too), but I suggest to use cacls.exe, or better xcacls.exe, and check what changes in the registry.
But keep in mind that permissions are done in NTFS, while mapped drive letters are in registry, IIRC

Author Comment

ID: 7029173
> I do not know either (UNIXman too), but I suggest to use cacls.exe

cacls.exe only deals with access control lists of files -- the \??\
directory is part of the virtual namespace controlled directly by the
kernel (it's a bit like the data mapped to the /proc file system
in Unix).

> But keep in mind that permissions are done in NTFS, while mapped
> drive letters are in registry

There are some values stored in the registry which the Win32 subsystem
uses to initialize the object manager's namespace, maybe somewhere is
also a hook to control ACLs for \??\. I assume it might be possible
to restrict rights there using the User Manager where there are options
like 'user may start/stop services' (I hope to find out the right one
in a try and error approach).

If you are interested in more information about these parts of NT,
there is a program called WinObj available for download at:

that can browse through the object manager's name space. Under \??\
you'll find all devices that are used by the Win32 subsystem, e.g. a
symbolic link called C:. You can also directly access those devices
using the following notation in cmd.exe, e.g:

  dir \\.\C:\
  dir \\.\CdRom0\

I'll check how far I can get this way next weekend, and if it
works this I'll accept your comment about su.exe as it will play
a crucial role in securing the system.

Best regards
LVL 51

Expert Comment

ID: 7030514
had a short look at the registry, think the hive is in HKLM/System/Devices
Just a hint ...
