I noticed that I cannot access user files from one account across another. However, if someone took my HDD, hooked it up to another computer, would they be able to see the files? Is there a way to encrypt user files without encrypting the entire HDD? I would like to encrypt my files on my laptop, but only those in my user account. This is because I do not want a password prompt on the HDD, as I am using Prey and users need to be able to do Windows guest user logins for Prey to (potentially) track stolen property.

3 Answers


What you have noticed is ACLs (Access Control Lists), which specify which users can read or write to which files.
This relies on the OS to enforce it; as you suspected, anyone with physical access to the disk can read anything.

You can tell Windows to encrypt files using EFS by right-clicking one or more files or folders, clicking Properties, Advanced, Encrypt these files.
This will encrypt the files using your Windows login password, so that they will not be readable outside your account.
If you forget that password, you will lose the files.

  • Is the password entered upon user account login, or each time the file is accessed?
    – Zombies
    Commented Dec 30, 2012 at 14:42
  • @Zombies: It's entered on login. From your account, encrypted files work just like regular files.
    – SLaks
    Commented Dec 30, 2012 at 14:43
  • 1
    As Ash noted in his answer, it's trivial to mount the volume on a Linux OS and have the ACLs completely ignored. They're not enforced if the OS doesn't understand them. Conversely, *nix permissions don't work on Windows either. See security.stackexchange.com/questions/26041/…
    – Polynomial
    Commented Dec 30, 2012 at 20:10
  • 2
    @Polynomial: That's what I said.
    – SLaks
    Commented Dec 30, 2012 at 20:13
  • @SLaks You said that the OS enforces it, yes; I was just expanding on that. Figured it was worth providing a link to the Sec.SE question.
    – Polynomial
    Commented Dec 30, 2012 at 20:38
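
The EFS step from the answer above, scripted with the built-in cipher.exe and followed by a check that nothing under the folder was left unencrypted. This is an added example, not part of the original answer; the folder path in `$Target` is an assumption.

```powershell
# Added example: encrypt one folder in the user's profile with EFS, then audit it.
# $Target is an assumed path; point it at the folder you want protected.
$Target = Join-Path $env:USERPROFILE 'Documents\Private'

if (-not (Test-Path -LiteralPath $Target -PathType Container)) {
    throw "Folder not found: $Target"
}

# EFS is an NTFS feature; on FAT32/exFAT volumes the attribute cannot be set.
$root   = [System.IO.Path]::GetPathRoot($Target)
$format = (New-Object System.IO.DriveInfo $root).DriveFormat
if ($format -ne 'NTFS') {
    throw "EFS requires NTFS; $root is formatted as $format"
}

# Command-line equivalent of Properties > Advanced > Encrypt, applied to the
# folder, its subfolders and the files in them. New files created inside an
# encrypted folder are encrypted automatically.
cipher.exe /e "/s:$Target" | Out-Null

# Audit: list every file or folder that does NOT carry the Encrypted attribute
# (for example, files that were open and locked while cipher ran).
$encryptedFlag = [System.IO.FileAttributes]::Encrypted
$items = @(Get-Item -LiteralPath $Target -Force) +
         @(Get-ChildItem -LiteralPath $Target -Recurse -Force)
$unencrypted = @($items | Where-Object { -not ($_.Attributes -band $encryptedFlag) })

if ($unencrypted.Count -gt 0) {
    Write-Warning "$($unencrypted.Count) item(s) are still stored in the clear:"
    $unencrypted | Select-Object -ExpandProperty FullName
} else {
    Write-Output "All $($items.Count) item(s) under $Target are EFS-encrypted."
}

# To keep a recovery copy of the EFS certificate and private key, run
#   cipher.exe /x <backup-file>
# interactively (it prompts for a password) and store the resulting .pfx
# somewhere other than this disk.
```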

I haven't tested this in Win7, but I mount my Vista HDD from Linux all the time. There is no protection, I can make any changes I like. I can only guess that Windows 7 would behave in the same way.

Regarding encryption: Have a look at TrueCrypt if you haven't already. That lets you set up an encrypted file and then mount it as a logical drive (after entering password), which you can then access from the file system like any other drive.


In Ash's case, either he/she is going over the network (logged in either as the user or the administrator) which means that Windows is still doing all the access (and therefore using Windows security), or if physically mounted, he/she has the special group Everybody granted with full rights on the volume.

I was worried about this on a 1TB portable drive I got for my birthday/Christmas. But when I checked security, the entire drive had been marked to give Everybody full access. So when I move the drive to another computer, I will still have full access to all the files, and can add more files that I know I will be able to access on other machines.

Dealing with getting the data off other hard drives from previous machines can be a pain. You have to grant ownership to the directory (if done through properties, you have to completely get out of the properties dialog to continue making the further changes you need to make), which usually entails setting yourself up with full rights (getting ownership does NOT automatically grant you those rights!), and applying them to all the subdirectories that may reside under that directory.

  • I physically mount the drive. As a test, I just ran up a Linux Live CD and wrote a file to c:/Windows/System32 with no problem. The Everybody group definitely does not have write access to that directory (after booting back into Windows, confirmed with "effective permissions"). As I said, I only have access to Vista, but I would be surprised if this has changed.
    – Ash
    Commented Dec 30, 2012 at 22:25
