Just ignore the previous post. Not one of my finer moments.
Apologies,
mm
>> Martin O’Brien 2007-03-05 23:30 >>>
This is a strange one, and I definitely do not know the answer for
certain, but I have an idea that may or may not be part of the problem, and
other than something like a kernel rootkit (which, in my opinion, are
exceedingly rare, and those that can install themselves, across a
network, without user intervention in the form of a double click, to the
best of my knowledge border on non-existent), the only way that I can
come up with that might be able to produce your scenario and still boot,
would be if:
- The ACL/DACL (probably very imprecise usage of the terms) of the
\Windows folder was changed to either remove your rights to see it, or
possibly explicitly deny them.
- The ACL/DACLs for the subfolders were either not affected, or
changed to explicitly allow access for your account
- The Bypass Traverse Checking privilege was removed from your
account
I think that this might produce your situation, although I really have
no idea of whether it would boot or not. You might try running
GPEDIT.MSC and check what it says about Bypass Traverse Checking. While
you’re there, you might see what group the Local Security Policy says
you are a member of. Also, you might try using CACLS to see what the
rights of the folder are, although I don’t think that you will be able
to see it. As you are using a laptop, roaming may play into this as
well. If you really get stuck and have another system and some time on
your hands, you could try installing the disk as a second drive in
another system and see what it has to say about the security of
\Windows.
This is all at best hypothetical, and in the interest of full
disclosure, neither Windows security nor networking are my thing.
Normally, I would investigate something like this further before
posting, but there is simply no way that I am trying anything like
this, even on a test machine.
Caveat Emptor.
mm
>> xxxxx@llnl.gov 2007-03-05 18:27 >>>
Hi all, long time lurker, first time posting.
Over the weekend I booted up my XP laptop and strange things began to
happen. I eventually traced it down to the fact that “\Windows,
\Documents and Settings and \Program Files” had disappeared. Now, it
would seem like Windows wouldn’t boot if the entire directory and its
children were gone, but in this case, all the children were still there.
Opening up explorer directly to “C:\Documents and
Settings\user_name\Desktop” still works. But "C:\Documents and
Settings" “refers to a location that is unavailable”.
Things I’ve tried:
- chkdsk; no effect
- recovery console; everything looks fine. I can see \windows etc.
without any problems
- acl tools; fail due to the inability to open the directory (I assume if
there was a tool to set an acl via inode that it might work)
- Knoppix Live CD ntfsinfo; it seems to read the file info just fine
though I wouldn’t necessarily know if there was something amiss
- safe mode; um, a hosed agp bus forces me to use the pci-pci bridge as
my graphics path. safe mode tries to default to agp and hangs the
system.
Questions:
- is this the right forum to ask this question?
- is this a corrupt NTFS structure issue?
- is this a security descriptor issue (because the recovery console
and knoppix have no issues loading/browsing the mounted file system)?
- could I use knoppix to copy the entire \windows dir to a new dir,
delete the old, and then copy it back?
Any comments are much appreciated!
Thanks,
jonathan