Kyoto Kid: I was a Unix sysadmin a quarter of a century ago. This stuff is handled sanely and simply in Unix. If Microsoft messes it up any worse—all else being equal—I’ll probably either buy a Mac (stuff in my price range is oddly designed), or sacrifice some software that won’t port and move to Linux (in which case I’ll have to miss Daz Studio. Too bad).
You’re fairly warned: I don’t know half a bean about Windows internals. Follow me at your own risk. Daz’ll surely fix this problem.
But this is how I deal with Windows 7:
1. Get Macrium Reflect. Make an image of C:, all partitions, before you start messing around—and I strongly suggest you do it with the verify option on, so you know it’s a valid image. Make the WinPE boot optical disk they recommend. Make sure you can boot from it, and that it finds your backup when the Macrium routine comes up.
Windows 7 allegedly has a backup and restore utility. It doesn’t work, last I knew. It will make backups; but then it frequently won’t be able to find the backup to restore from.
2. Take Ownership. Download, scan, and install. This utility will add a Take Ownership right-click option to Windows Explorer.
3. Next, you’re going to disable User Access Control, as completely as I know how. You should be able to leave it active—but the UAC code is either buggy or insane. You as an administrator will frequently be denied access to files you ought to control. So you need to get it out of the way.
Go to Control Panel/Administrative Tools/Local Security Policy/Local Policies/User Rights Assignment.
You’ll see a screen with a bunch of privileges listed. We want to make sure that you have these privileges:
Act as part of the operating system
Modify an object label
Take ownership of files or other objects
There’s two ways to have a privilege assigned in Windows: having it assigned as an individual user, or having it assigned as part of a group. You should already be part of the group Administrators. So if you see Administrators listed in the Security Setting column, you should already have the privilege, and you can leave it alone.
If you see your individual username—what you called yourself when you set up the computer—you have the privilege.
Look at the policy called Act as part of the operating system. Your username probably isn’t there, and neither is Administrators. So click on this line.
A window with two tabs will open up: Local Security Setting tells you who has the privilege, and Explain tells you what it means. In the Local Security Setting tab, click on Add User or Group.
Yet a third window opens up. In the lowermost box, labelled Enter the object names to select, type your username. Then press the Check Names button. If you’ve typed it correctly, it will probably prepend the computer’s name in front of the username. Click OK.
When the Add User window closes, you’ll be at the two-tabbed Act as part of the operating system window. You should see your username in the box. Click OK.
Now you should see your username in the Security Setting column for the Act as part of the operating system policy.
Now find Modify an object label. Same procedure: click to open, add your username if it isn’t there already.
Now look at Take ownership of files and other objects. If the Security Setting column already reads Administrators, you don’t have to do anything. If it doesn’t, add your username.
Some of these policies will only accept your individual username as privileged. There are others where you can add groups. For those, you can add the group Administrators instead if you want.
We’re done with the User Rights Assignment section. Hit the back button in the top left corner of the Local Security Policy window. You should see three items in the right pane again: Audit Policy, User Rights Assignment, and Security Options. This time, open Security Options.
This section works like the last section, except that most of the time, instead of adding names, we’re going to be turning policies on or off.
Here are the policies, and what we want to change them to:
Recovery console: Allow automatic administrative logon—Enabled
Recovery console: Allow floppy copy and access to all drives—Enabled
User Account Control: Admin Approval Mode for the Built-in Administrator account—Disabled
UAC: Allow UIAccess applications to prompt without using the secure desktop—Enabled
UAC: Behavior of the elevation prompt for administrators in Admin approval mode—Elevate without prompting
UAC: Behavior of the elevation prompt for standard users—Prompt for credentials
UAC: Detect application installation—Disabled
UAC: Only elevate executables that are signed—Disabled
UAC: Run all administrators in Admin Approval mode—Disabled
UAC: Switch to the secure desktop when prompting for elevation—Disabled
UAC: Virtualize file and registry write failures—Enabled
It is not necessary, but I also did this:
Accounts: Administrator account status—Enabled
This enables a built-in account called Administrator. You usually don’t need it; but I had occasion to be glad I’d enabled it once, when my hard drive was corrupt and I couldn’t log in as myself. I could still get into the built-in Administrator account.
Recovery console doesn’t have anything to do with this problem either. If you ever need the recovery console, you want as few obstacles between you and the hard drive as possible. So I enable those options.
We’re done with Local Security Policy and Administrative Tools. Close the window.
Go to Control Panel/User Accounts. Click on Change User Account Control settings. Put the slider to the bottom if it isn’t there already. Click OK.
Close the Control Panel. We’re done with that.
When you do this, you’re partly busting your security. Caveat lector! But I didn’t have any problems when I was running XP.
I wish we could get back to making it as easy to use as XP. Or, more securely, Unix. Alas, we’re not going to manage that. You’ll still want to hit Windows with a stick; but at least you can now fix some of the broken stuff.
4. So you can see what you’re doing, we’re going to change some of Windows Explorer’s standard display options next.
Open Windows Explorer. In the top left corner, click on Organize. Then go to Folder and search options, the View tab, the Advanced settings down below.
Check Show hidden files, folders, and drives.
Uncheck Hide extensions for known file types and Hide protected operating system files. Click OK.
You still can’t see everything on the disk this way. But you can see more.
Done with this part.
This is all prep for fixing permissions on individual files and folders, so you can finish the installation. And it probably belongs in another thread, ultimately. It’s also getting pretty long, so I’ll write the actual permission-fixing in another post.