Enabling standard users to write to the root folder

by Mitch Tulloch [Published on 12 April 2012 / Last Updated on 16 Sept. 2011]

Can you enable standard users to write to the root folder C:\ in Windows 7? Should you?

In Windows 2000, standard (non-admin) users could create new files in the root of the C: drive. Beginning with Windows XP, however, this was no longer allowed by default. While it's possible in Windows 7 to change the DACLs and make some other tweaks to allow standard users to do this, there is a very good reason why you shouldn't.

Suppose, for example, that an attacker compromised the user's computer and created a malicious file named Program.exe in the root of the C: drive. If the user later tried to run a program in the Program Files folder but specified the path incorrectly, then Windows could end up running the malicious file instead of the intended program. In other words, allowing users to write files to the root of the C: drive constitutes an elevation-of-privilege risk.
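To audit for the mis-specified paths described above, the following added example (not part of the original tip) models the documented CreateProcess rule for an unquoted command line: each space-delimited prefix is tried in turn, with .exe appended when the name has no extension. The function names and sample command lines are constructed for illustration; quoting the path is what removes the ambiguity.

```python
import ntpath  # Windows path rules, usable on any platform


def candidate_images(command_line):
    """Executable paths Windows would try, in order, for this command line."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        # Quoted module name: it ends at the closing quote, so no guessing.
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    tokens = cmd.split(" ")
    candidates = []
    for i, token in enumerate(tokens, start=1):
        if not token:  # run of consecutive spaces
            continue
        prefix = " ".join(tokens[:i])
        has_ext = "." in ntpath.basename(prefix)
        candidates.append(prefix if has_ext else prefix + ".exe")
        if has_ext:
            # Assumption: the first prefix naming a file with an extension is
            # the intended program; the remaining tokens are its arguments.
            break
    return candidates


def root_shadows(command_line):
    """Candidates tried before the last one that sit directly in a drive root."""
    hits = []
    for path in candidate_images(command_line)[:-1]:
        drive = ntpath.splitdrive(path)[0]
        if drive and ntpath.dirname(path) == drive + "\\":
            hits.append(path)
    return hits


# Constructed sample command lines, not taken from a real system.
SAMPLES = [
    r"C:\Program Files\App\app.exe -x",    # unquoted: ambiguous
    r'"C:\Program Files\App\app.exe" -x',  # quoted: unambiguous
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", root_shadows(sample) or "no root-level candidates")
```

Any command line for which `root_shadows` returns a path should be rewritten with quotation marks around the program path.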

Bottom line is, don't try to allow standard users to write to the root folder on their machines!

Mitch Tulloch is a seven-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.

 

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com.
