Users can not access c:\Programdata directory

We had an application that was running on window xp. The app is a desktop .net application which runs on the pc/laptop, all local. The app wrote to c:\programdata. Some customers upgraded the pc's to windows 7 and windows 10. Regular users can not access the files anymore, they have to have user administrator accounts to use the app.

I have tried to change the permissions programmatically which works only if you are an administrator running the program. Basic users get the "need to be admin or no rights" error.

I can only have one instance of the application on a pc as the users need to share the same database and files.

Has anyone been able to fix this so users can access c:\programdata?

Thanks
Bill
LVL 1
BillSoftware EngineerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

JohnBusiness Consultant (Owner)Commented:
Any legitimate user can write to Program Data.  There was no Program Data in Windows XP, only Program Files . In XP, users could write to Program Files (that security hole has been blocked).

So your application is probably trying to write to Program Files and that will not work. You need to change your program to write to Program Data or a folder within USER\Documents.
0
BillSoftware EngineerAuthor Commented:
Hi John,
THe app is using system.environment.specialfolder.commonApplicationData which maps to ProgramData in windows 7. I am not sure about windows xp as I was not around this app when it was written for that. What I do know is that regular users can not access the programData directory, if they are admins they can, if not no luck.  This seems to be a problem. You can search here and a Google search. I have not seen any fixes for it yet.  

Thanks for the input
Bill
0
JohnBusiness Consultant (Owner)Commented:
The app is probably mis-designed as it was an XP App.

ProgramData was specifically made for users to write to (that is, their applications). Any regular user can write to this folder and that has been true from Vista forward. No issues at all for a properly designed app.

So you need to change the app to concur / be compliant with newer technology.

I have had such bad XP apps and I use USER\Documents as the folder if there is no other choice in the app.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

BillSoftware EngineerAuthor Commented:
John i have to disagree.  It uses the environment variables as it is supposed to so you do not have these issues.  I need one instance of the files for the users so USER\Documents won't work.  This is not a new app and was working fine until customers upgraded to windows 7 and windows 10.

I appreciate the input. Have a great day.

BIll
0
JohnBusiness Consultant (Owner)Commented:
You can disagree and that is fine. But ProgramData works fine for ALL (100% of) behaved applications. True since 2008 nearly 10 years ago.

So you are in a distinct minority (of probably 1) here.
0
NVITEnd-user supportCommented:
> The app wrote to c:\programdata

In a certain subfolder of it? Maybe try giving users ntfs full control to that subfolder
0
Joe Winograd, Fellow&MVEDeveloperCommented:
I am not sure about windows xp
It maps to this in XP:

C:\Documents and Settings\All Users\Application Data

Of course, that maps to C:\ProgramData in W7 and W10.

It's possible that Users do not have Full Control or Modify or Write permission on ProgramData — I think that it's the default not to have those permissions, but I'm not sure (Administrators-Yes; Users-No). I just checked the Users permission on a system where I'm certain that it hasn't been changed from the default, and it shows this:

ProgramData W7 default permissions
Also, I checked a W10 system where the defaults have not been changed and C:\ProgramData has the same permissions as shown above. If that's the case on your W7 and W10 systems, change its settings for Users to Full Control, Modify, Write, or whatever you prefer. Regards, Joe
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
JohnBusiness Consultant (Owner)Commented:
Try that, but all applications I have (hundreds across clients) do not need special permissions to write to Program Data.

So the program coming from XP would be flawed if it demands special permissions.

I have done these transfers before and all I need was a chat with the Application Support people to determine the best location for the data and then a change in the setup to point to the new location
0
Joe Winograd, Fellow&MVEDeveloperCommented:
Btw, here's that same screenshot for the Administrators:

ProgramData W7 Admin default permissions
Shows that they have Full Control, Modify, and Write permissions, which the Users do not have.
0
JohnBusiness Consultant (Owner)Commented:
I am not clear about that. Any well-behaved program can write to Program Data using a Standard User. It was designed this way to move data from Program Files (XP) to a location that would work easily in Windows Vista and up.
0
Joe Winograd, Fellow&MVEDeveloperCommented:
John,
Maybe you're thinking of ApplicationData, which maps in XP to:

C:\Documents and Settings\<user>\Application Data

and in W7/W10 to:

C:\Users\<user>\AppData\Roaming

Or LocalApplicationData, which maps in XP to:

C:\Documents and Settings\<user>\Local Settings\Application Data

and in W7/W10 to:

C:\Users\<user>\AppData\Local

Both of those have default permissions for the Users group of Full Control, Modify, Read&Execute, List Folder Contents, Read, Write. Regards, Joe
0
JohnBusiness Consultant (Owner)Commented:
That might work (because the user has access to this) if the application writes there. This cannot be assumed.

There is more than one way to make an XP program work this way but Application Support needs to say how to change the program to do this. Otherwise it may not work.
0
Shaun VermaakTechnical SpecialistCommented:
Open Advance options and you will see the User write access there
appdata.png
0
BillSoftware EngineerAuthor Commented:
ok everyone thanks I will have to try your suggestions on Monday. Ran out of time to work on this today.

Joe, one quick question. Above the screen shot where you have the userName blocked out. Is that the name of the computer?

Thanks
Bill
0
Joe Winograd, Fellow&MVEDeveloperCommented:
Hi Bill,
Yes. I don't like to expose the computer name on the Internet, so I always redact it in my screenshots. Regards, Joe
2
David Johnson, CD, MVPOwnerCommented:
When you need to store data common to all users of an application locally, Microsoft recommend using System.Environment.SpecialFolder.CommonApplicationData. In addition they also suggest creating a sub folder here with your CompanyName and a sub folder in that of ApplicationName.

The issue with this is the folders and files you create only have read/execute permissions for other users other than the creator. This means that they cannot be appended to or replaced by another user without UAC elevation
https://www.codeproject.com/Tips/61987/Allow-write-modify-access-to-CommonApplicationData

So you have to change the permissions of that folder, I'd give EVERYONE full control of that folder and subfolders and files.
0
JohnBusiness Consultant (Owner)Commented:
In all the cases I have looked at, all modern programs can do this without additional permissions.

So while I agree with the points about permissions, semi - modern and modern software does not need this.
0
it_saigeDeveloperCommented:
In a unmodified system, John is spot on.  However, since it is windows we are talking about here and your,  I am assuming, company has an OS image.  It is very likely that some incompetent, insecure or overzealous Administrator decided that Users don't need explicit write access to the ProgramData folders.  It is also very likely that they may (or may not) have configured policies in the hopes of creating a white-list based form of accepted applications.

Take a look at an example computers configuration to verify that Users do (or do not) have write access to ProgramData.

-saige-
1
Joe Winograd, Fellow&MVEDeveloperCommented:
> In a unmodified system, John is spot on.

As I mentioned in my posts above, I checked a W7 and a W10 system (both are Pro 64-bit, if that matters) where the permissions on C:\ProgramData have not been changed from the defaults. Both of them have the Users group set for Read&Execute, List Folder Contents, Read; while both of them do not have Full Control, Modify, Write. Regards, Joe
2
arnoldCommented:
Programdata is settings, commonly, the user programs do not write into
0
Shaun VermaakTechnical SpecialistCommented:
Joe. Run this from the command prompt. I am sure you have write access
cacls ProgramData

Open in new window

0
it_saigeDeveloperCommented:
Joe you might be getting confused by this:Capture.PNGYou are correct, the "Write" right is not explicitly allowed, rather it is a special permission:Capture.PNGTo see it, click Advanced:Capture.PNG
-saige-
0
Joe Winograd, Fellow&MVEDeveloperCommented:
rather it is a special permission
Ah, thank you for that, saige — I missed the Special Permissions! Looks a little different on W7:

Advanced ProgramData W7
But double-clicking the Users>Special entry shows that the Users group has the two Create and two Write permissions:

Permissions ProgramData W7
So, you are right! Thanks for the correction. Interesting, though, that the Users group doesn't have the two Delete permissions. That could affect a program, such as the one that Bill is trying to run, that attempts to delete files and/or subfolders. That said, I just tested it and the behavior does not match the two Delete settings. When I tried to delete a file in a ProgramData subfolder, it worked; but when I tried to delete a subfolder of ProgramData, I got this:

cannot delete subfolder of ProgramData W7
Strange stuff!

I am sure you have write access
Shaun, you are correct!

Regards, Joe
0
arnoldCommented:
use cacls, icacals to list the permissions on the various files.
Check whether the application is 32 bit and is running on a 64bit and is version aware.

it is difficult from the information you provided to determine where the issue is. Your reference to programdata might not be the cause of the issue.

sysinternals from ms technet.microsoft.com/ has tools you can use to monitor what resources the application is attempting to access to confirm where and when the failure occurs.
0
BillSoftware EngineerAuthor Commented:
Hello Arnold,
The app uses System.Environment.SpecialFolder.CommonApplicationData - which is programdata in windows7 and hopefully windows 10. With and an appended folder name so lets say it is JOE

When the app starts up it checks to see if the folder exists which would be "c:\programdata\joe". If it does not exist, it tries to create it , then it  creates log files etc.  If it does exist it writes data to log files as well as pull data from existing database in the folder.

This works fine for ADMINS.
For regular users it give them the "you need to be and admin message" when the app checks to see if the directory exists.

So, I believe you are all correct in stating this is privileges... I hope.  So thanks all I will check it out first thing Monday morning.

Bill
1
arnoldCommented:
Ok, as prior suggested, use cacls/icacls to check the permissions of the folder, see if Joe which may have been created by admin. And now no one can access it.
Point, checking if Joe inherits permissions from programdata or .....

Try navigate as a user to programdata, create a folder any name.
See if that is the issue.
It seems your .net app does not relay to the user what the cause for the error I.e. Access denied, etc.

Adding error detection if not in use to provide better context to the situation your users face when running this application.
0
BillSoftware EngineerAuthor Commented:
i need to give Joe some points as well
0
Joe Winograd, Fellow&MVEDeveloperCommented:
Hi Bill,
First, I'm glad to hear that it works fine now — that's great news! If you could let us know exactly what you did to fix it, that would be very helpful. I'm really curious to know how you went about fixing the permissions issue — or fixing whatever the problem was.

Second, I see that you've asked to have the question re-opened so that you can distribute the points differently. Since this is your first question at Experts Exchange, you may find the EE support article on how to accept multiple comments as helpful:
How do I accept multiple comments as my solution?

Regards, Joe
0
BillSoftware EngineerAuthor Commented:
Hi Joe.
It was a permissions issue and that was all it was. I should of checked that first thing but assumed it had already been checked. As soon as I gave computername\users read, write, modify permissions it worked for all users. I will get back to assigning points in a bit.

thanks
Bill
0
Joe Winograd, Fellow&MVEDeveloperCommented:
Thanks for the update, Bill...very helpful! No rush on assigning points...whenever convenient for you. Regards, Joe
0
BillSoftware EngineerAuthor Commented:
great job guys. thanks!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET Programming

From novice to tech pro — start learning today.