Windows 10 and newest ShadowProtect: access to user file denied

I am frustrated.  This is the simplest thing one can do .. browse a backup created on another Windows 10 system with SP.  But I am getting the "You have been denied permission to access this folder" as soon as I try and get to my user data.  There is a long Greek to me post that talks about turning off mount as read only .. well I did that and still get the failure as soon as I try and go to the user data.  That 2015 post is probably not for Windows 10.

Anyone on Windows 10 had success just browsing another Windows 10 backup?  Any simple solution?  I am not a security/permissions expert so walk me through the steps as you would a child.  (But I know a lot about networks).

 

Thanks

Lynn

 

PS -- Is there a phone number and/or someone to talk to at StorageCraft?  Or good youtube tutorial?

Comments

STC-Nephi

There may be multiple requirements to get you access to the locked folders in your image, but there are some things to keep in mind.

  1. This issue is only happening because you are mounting the image files from a different user account configuration with a different security ID.
    1. Your personal files are protected in your Windows user account because Windows locks the permission of those folders to your security ID.
    2. There are certain factors that can make this lock harder to get through than normal.
    3. If you mount the image from the exact same Windows installation/user account, then you don't encounter any kind of issue like this because you are using the same user security ID that your personal folders are locked to.
    4. This is all Windows Operating System behavior, not ShadowProtect.

If you mount the image and you cannot browse to your personal folders, you'll need to do all of the following things until you get access to your files.

  1. You must be logged into your computer as a Computer/Local Administrator account.
  2. The ShadowProtect Image must be mounted as Writable (Uncheck the read-only option, or check the Writable option, depending on what version of ShadowProtect and what interface you are using)
  3. When you browse to your personal folder, and Windows says that it needs your permissions to continue to get access to the folder, you must click continue.
  4. Then you must wait for Windows to stop processing that folder.  If Windows is still thinking about it, you need to leave it alone to process the folder and it may take a long time to change the permission settings on all of the files and folders contained in your user profile folder.  Depending on your system speed this can take an hour or more sometimes.  This is also why it's a good idea to save the incremental changes, then you can mount that incremental change image and you don't have to go through the permission adjustments again.
  5. If you have replaced your machine, and you want everything how it was before, it might be faster to just restore your C drive image to the new machine using the recovery environment.
    1. https://www.storagecraft.com/support/book/storagecraft-recovery-environment-user-guide/restoring-system-volume

 

Now if Windows goes through the permission adjustment for a long time, and then you are still encountering any access denied errors afterward, then you'll need to run through the steps from our KB or from Microsoft's writeup to claim ownership of the folders to your current user security ID.

If you still have issues, you may be encountering an issue caused by a different kind of encryption program or method (possibly even a virus), so if you had any other file protection/encryption programs installed, you may need to look to their support.

If you need further one-on-one technical assistance, please submit a support case.
https://www.storagecraft.com/support/support-request

Good luck!

JCN9801

Same issue... Access denied on a different laptop I own...

Hmmm....  Perhaps this is a reason to use a Network User ID?

If I am then "the same" person across all of my machines, does this then make the issue of browsing backup images on a system other than the one they were created on, go away?

RE:  The proposed solutions herein linked to.  If I wind up taking OWNERSHIP of the image in question (not doing the above) and writing that back as a new INCREMENTAL will I then have the same PERMISSIONS problem viewing files on the original creating system, OR can I bypass this by simply DELETING that last incremental or not even mounting it through that image?   A really annoying aspect would occur if I am progressively going through multiple daily incrementals to "hunt down" a particular critical file.  I can see this being an astronomical undertaking on a non-originating system.  Which never gives pause to the ultimate purpose behind these backups:  What happens when that original system dies?  It seems that then the entire long arc of the incrementals is frozen behind a STEEL PERMISSIONS wall designed to PREVENT ACCESS to your own stuff, merely because your system died!

If the whole point is PROTECTION of information then some sort of User ID based encryption would seem more suitable.  I get access by entering a key not by fighting with Windows!

When I need a SYSTEM IMAGE restore SPD has been great but I am beginning to think that for user file backups I need a different solution..  I seldom need to go back months and months for system level stuff, but having a user file archive going back incrementally for several years would be beneficial.   SPD is a sledge hammer, right for boulders, but not for furniture upholstery repair!

I am most curious as to how very large installations of Shadow Protect manage to access and restore the files of arbitrary users on their vast networks.  DO they too wait for hours for images to mount and permissions to be adjusted?

My advice to all would be to grab a copy of XXCOPY from PixeLab [note spelling]  while you still can.  It was very unfortunate that creator  Kam Yabumoto died on March 31, 2017.  The software still works but development and bug fixes have ceased and the Yahoo Support Group is in limbo and probably will follow suit at some point.

JCN9801

Update to "Access Denied..."

Well here I am several hours later watching the sub-folder traversal / spinning wheel doing their thing, trying to change ownership of a <User Name> and all of its files and sub-folders in a write-mounted backup image.  ONE IMAGE!   Mere "Read & Write" permission attempted change failed miserably.  As did trying to target just single folders and single sub-folders down the desired path.  Maybe I missed something obvious.  For all I know the ownership change could fall apart in the end as well.

Believe me this is no way to casually browse for some log files in a sub-folder 4 levels down...  There has to be a better way... Somebody has to have a BEST PRACTICES solution to this...  A handful of us cannot be the first or only ones to encounter this problem:  Just me, one user, and three laptops.  Very thankful that I only do my main work on ONE laptop, the other two are compute engines almost exclusively.

I have even thought of radical solutions like moving all of my "work-a-day" folders and files to F:\AAA_MyStuff\ to get at least those out from under the clutches of the Windows hegemony "Users" structure; which is cluttered beyond belief.  For example, you can't even use "Properties" to discover how much "stuff" is underneath <User Name>, probably because it isn't even all local (Google Drive, DropBox, etc).   But, like fighting the Borg, this is probably futile anyway as the log files I am after for my current exercise are buried 4-5 levels down under "AppData" regardless of any of my efforts at excising my more personal Excel, Word and Powerpoint files.  So the problem would remain.

Years back, I used XXCOPY for other tasks and often frowned on why people used it for "backups" -- perhaps now I see the issues more clearly.  Ditto with other utilities that can run scripted cross-drive synchronizations (e.g. Beyond Compare 4, another potential solution for "file level backup").   Let SPD do its thing but for history browsing of locally created stuff rely on the other solution and, if needed, thumb-drive sneaker net.

For System Restore, SPD has saved my bacon (on all three systems) more than two dozen times in 9+ years, six times in the last month alone.  For file access and recovery of files it is nearly as good, as long as the system the backup was made on survives and is available.  If not, you are in for a long slog....

Backing up is never "done" until you have encountered every scenario.  Most of them you will not have thought of!

I had thought of adding each of my <User Name>s to a common Network Group but I am not sure that would help with anything.

It should not be the case that >1 computer means a degree in IT and a server-level tool-kit to match!

----JCN

STC-Nephi

Standard Windows OS Functionality

This is standard Windows operating system file and folder security ownership behavior.  When Windows is installed and the user account and user folders are created, it has a UNIQUE Security Identifier (SID) for your local user account.  So any files stored under your user folder are locked with your local account security key, which you unlock when you log into your windows system.  You have no issues accessing your own files on that installation because you have identified yourself with your local password when you login.

So when Windows is installed again, or a new user account is created, the new user account has a DIFFERENT User SID which means it does not have the same SID permissions key as the original user account.  This is the reason you have to claim ownership of the different user account files when you are using a new user account.  Microsoft System Administrators should become very familiar with the behavior at some point in their career:

https://support.microsoft.com/en-us/help/2623670/-access-denied-or-other-errors-when-you-access-or-work-with-files-and

You can feel free to try and fight the standard windows file security permissions and if you assign permissions that allow "Everyone" access to your local User folder, your files are now open for anyone to access.  (But messing with Windows security permissions could mess up your windows installation and you could potentially lose access to files, so I don't recommend it.)  If you take the backup that way then the file permissions are unlocked and assigned to the Everyone security id in your source system and also in a new incremental image file.

You've already mentioned my preferred workaround method.  For my shared files on my systems I don't store the data under C:\Users.  I create a D:\File Library folder to store files I want easily accessible by anyone.  I understand and appreciate that the files stored in folders under C:\Users\Nephi are not easily accessible by anyone else, unless they gain system administrator access and know how to claim ownership of my files/folders.

Regarding the permissions around the SPF/SPI file itself, if you store it in your users folder it's going to inherit those same permissions, so that is never a good idea.  The backup images are generally stored OUTSIDE of the locked user folders, so if they are stored in D:\Backup they will be assigned the security permissions for that folder when saved there.  Changing the security permissions on the backup image file will not be the same permissions contained in your windows file system which is compressed and encrypted inside of the image file (depending on your backup job settings).  So the only way to change the permissions of the file system contained in the image, is to mount or restore it.

Some things that will contribute to the time it takes to change these permissions:

  • Not performing consolidation and retention in your image chain with ImageManager.  (It's free, and critical to have a smooth operation and peace of mind: https://www.storagecraft.com/products/imagemanager )
    • If you are taking incremental images and are not using ImageManager, then it will take a lot longer to change permission bits on files that have been changed across many images.  I recommend using the Image QP utility and specify the image point you are running this operation on.
    • https://www.storagecraft.com/support/kb/article/202
    • Performing a full volume restore uses the Quickest Path of image files this utility displays for the specified image in the image chain.  But mounting an image will use ALL available images in that folder just in case there is a damaged image file it needs to work around and find a different pointer to restore that part of the file.  So if there are a lot more images in the folder compared to the number of images in the QP list for your desired incremental point, you can speed up this operation by Isolating the Quickest Path chain and moving/copying those files to an empty folder.
  • Other environmental factors:
    • If there is a functional hardware issue with the source or target drives, or the cables in-between are damaged.
    • Security software scanning everything you are doing, especially if there are multiple real-time protection AntiVirus/AntiMalware/Encryption/Etc background programs causing some disk IO interference.  This slows everything down in your system.

We have a new product for protecting/restoring individual user files, which makes it a lot easier to restore files from a previous system.  It provides file level backup if you prefer restoring individual file versions from your backup store in the cloud.  It is not designed to backup your windows and application files the same way so it doesn't provide a 100% volume backup/restore like ShadowProtect, it's fine to use both products on a system.  File Backup and Recovery is designed for managed service providers to be able to target and backup critical user/company data based on a backup configuration recommended by the backup analyzer.   (The security is handled by a security certificate file that has to be backed up and restored to the new system to access those files)

https://www.storagecraft.com/products/file-backup-recovery-with-backup-analyzer
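
The SID mismatch described in the reply above, together with the ownership claim mentioned in the earlier reply, as an added PowerShell example that is not part of the thread or of StorageCraft's documentation: it prints the logged-on account's SID next to the owner and ACL SIDs of one folder on the writable-mounted image, then claims ownership of only that folder with the built-in `takeown` and `icacls` tools. The drive letter `M:` and the folder path are hypothetical.

```powershell
# Added example; run in an elevated PowerShell on the machine where the image is mounted writable.
# $Target is a hypothetical path: M: is the mounted image, ExampleUser the old profile name.
$Target = 'M:\Users\ExampleUser\AppData\Local\ExampleApp\logs'

$sidType = [System.Security.Principal.SecurityIdentifier]
$me      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Logged-on account : $($me.Name)  ($($me.User.Value))"

# Read owner and ACL entries as raw SIDs so nothing is hidden by name lookup.
$acl   = Get-Acl -LiteralPath $Target
$owner = $acl.GetOwner($sidType)
"Folder owner SID  : $($owner.Value)"

foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $sid = $ace.IdentityReference
    try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = '<no such account on this machine>' }   # SID from the old installation
    '{0,-48} {1,-36} {2} {3}' -f $sid.Value, $name, $ace.AccessControlType, $ace.FileSystemRights
}

if ($owner.Value -eq $me.User.Value) {
    'Owner already matches the logged-on account; no ownership change needed.'
    return
}

# Claim ownership of this one subtree for the current account.
# /R recurses; /D Y answers the prompt for folders that cannot be listed yet.
takeown /F $Target /R /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

# Grant the current account full control. (OI)(CI) makes the grant inherit to
# files and subfolders; /T walks existing children; /C continues past errors.
icacls $Target /grant "$($me.Name):(OI)(CI)F" /T /C
if ($LASTEXITCODE -ne 0) { throw "icacls reported errors (exit code $LASTEXITCODE)" }

"Owner now         : $((Get-Acl -LiteralPath $Target).GetOwner($sidType).Value)"
```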
