Treesize can see folders and files it doesn't have access to

I have an issue with a program that I’m running on one of my work machines.

Treesize pro is a program that will scan an area (C:\, \\nasdrive\home, etc.) and give you a tree-view as well as other information on the area.

Now I run this program on an account that has admin privileges, and when I launch it, it gives the User Account Control pop-up.

However, if I scan an area my admin account does not have access to (there are a few), it will work fine and show me all the info for the files and folders: size, modified and creation dates. I cannot open the files, but I can see their names and go into subfolders. If I try this in Explorer, I will get access denied.

I tried to do this with a script that I wrote in C#; however, if I try to do a Directory.GetDirectories() and Directory.GetFiles(), even if I run my program as admin (right-click, run as admin), it will just give an access denied error in the catch block.

I really would like to know how Treesize is managing to list folders, sub-folders, and files that my account does not have access to.

Thanks

adam Wadsworth asked Oct 16 '22 07:10


1 Answer

TreeSize reads the data through the NTFS backup API (see https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/back-up-files-and-directories ).

From the TreeSize notes on NTFS: https://manuals.jam-software.de/treesize/EN/notesonntfs.html

Access Control Lists: The way users can access files and folders can be restricted. One can grant or deny other users or groups certain rights [...]. That way one can even deny administrators access to files and folders. If an administrator tries to access a folder in the Windows Explorer to which the owner denied any other users reading access, an "Access Denied" error message will be displayed. However, TreeSize is able to scan such folders if you are logged in as administrator or as a user that has the right to perform backups (this option can be changed at "Control Panel > Administrative Tools > Local Security Policy" and with the user editor of Windows).

An in-depth look at the access rights can be found at https://learn.microsoft.com/en-us/windows/win32/fileio/file-security-and-access-rights

The SE_BACKUP_NAME and SE_RESTORE_NAME access privileges were specifically created to provide this ability to backup applications. If these privileges have been granted and enabled in the access token of the backup application process, it can then call CreateFile to open your file or directory for backup, specifying the standard READ_CONTROL access right as the value of the dwDesiredAccess parameter. However, to identify the calling process as a backup process, the call to CreateFile must include the FILE_FLAG_BACKUP_SEMANTICS flag in the dwFlagsAndAttributes parameter. This will allow the backup application process to open your file and override the standard security checking.

HANDLE hFile = CreateFile( fileName,                   // lpFileName
                       READ_CONTROL,               // dwDesiredAccess
                       0,                          // dwShareMode
                       NULL,                       // lpSecurityAttributes
                       OPEN_EXISTING,              // dwCreationDisposition
                       FILE_FLAG_BACKUP_SEMANTICS, // dwFlagsAndAttributes
                       NULL );                     // hTemplateFile

You can find more information at:

  • https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-backupread
  • https://learn.microsoft.com/en-us/windows/win32/backup/creating-a-backup-application
Niko answered Oct 21 '22 00:10
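The part the question's C# program was missing is that a privilege present in an elevated token is still disabled until the process turns it on with AdjustTokenPrivileges; TreeSize enables SeBackupPrivilege and then opens directories with FILE_FLAG_BACKUP_SEMANTICS, which is why it sees folders that Explorer cannot. The following is an added example, not TreeSize's code and not taken from the Microsoft documentation quoted above. It enables SeBackupPrivilege in the current process, repeats the answer's CreateFile call (READ_CONTROL plus FILE_FLAG_BACKUP_SEMANTICS) before and after enabling it so the difference is visible, and then lists the directory. The path is a placeholder; the assumption that Directory.EnumerateFileSystemEntries benefits from the enabled privilege rests on modern .NET opening the directory with backup semantics internally, so on other runtimes enumerate through the CreateFile handle instead.

```csharp
// Added example: enable SeBackupPrivilege, then open a directory with backup semantics.
// Not TreeSize's code; the directory path below is a placeholder.
using System;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

static class BackupSemanticsDemo
{
    const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    const uint TOKEN_QUERY = 0x0008;
    const uint SE_PRIVILEGE_ENABLED = 0x00000002;
    const uint READ_CONTROL = 0x00020000;
    const uint OPEN_EXISTING = 3;
    const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [StructLayout(LayoutKind.Sequential)]
    struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES with a single LUID_AND_ATTRIBUTES entry inlined.
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr hProcess, uint desiredAccess, out IntPtr hToken);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string systemName, string name, out LUID luid);

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr hToken, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufferLength, IntPtr previousState, IntPtr returnLength);

    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr hObject);

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern SafeFileHandle CreateFile(string fileName, uint desiredAccess, uint shareMode,
        IntPtr securityAttributes, uint creationDisposition, uint flagsAndAttributes, IntPtr templateFile);

    // Privileges held by a token are disabled by default; enable one for this process.
    // Returns false when the account does not hold the privilege at all.
    static bool EnablePrivilege(string name)
    {
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out IntPtr token))
            throw new Win32Exception();
        try
        {
            if (!LookupPrivilegeValue(null, name, out LUID luid))
                throw new Win32Exception();
            var tp = new TOKEN_PRIVILEGES { PrivilegeCount = 1, Luid = luid, Attributes = SE_PRIVILEGE_ENABLED };
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero))
                throw new Win32Exception();
            // AdjustTokenPrivileges succeeds even if nothing was enabled; check the last error.
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }

    // The CreateFile call from the answer: READ_CONTROL with FILE_FLAG_BACKUP_SEMANTICS.
    // With SeBackupPrivilege enabled the access check is satisfied even if the ACL denies the caller.
    static bool TryOpenForBackup(string path, out int win32Error)
    {
        using SafeFileHandle h = CreateFile(path, READ_CONTROL, 0, IntPtr.Zero,
                                            OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, IntPtr.Zero);
        win32Error = h.IsInvalid ? Marshal.GetLastWin32Error() : 0;
        return !h.IsInvalid;
    }

    static void Main(string[] args)
    {
        string dir = args.Length > 0 ? args[0] : @"C:\PLACEHOLDER\RestrictedFolder"; // placeholder path

        bool before = TryOpenForBackup(dir, out int errBefore);
        Console.WriteLine($"Before enabling SeBackupPrivilege: {(before ? "opened" : $"failed, error {errBefore}")}");

        if (!EnablePrivilege("SeBackupPrivilege"))
        {
            Console.WriteLine("This token does not hold SeBackupPrivilege (run elevated as an admin or Backup Operator).");
            return;
        }

        bool after = TryOpenForBackup(dir, out int errAfter);
        Console.WriteLine($"After enabling SeBackupPrivilege:  {(after ? "opened" : $"failed, error {errAfter}")}");

        // Assumption: the runtime's enumerator opens the directory with backup semantics,
        // so the listing the question asked for now succeeds on the same account.
        foreach (string entry in Directory.EnumerateFileSystemEntries(dir))
            Console.WriteLine(entry);
    }
}
```

Run it from an elevated prompt; without elevation the admin token is filtered and the privilege is absent, which reproduces the Explorer behaviour the question describes. For defenders the takeaway is that an NTFS deny ACE does not restrict a member of Administrators or Backup Operators from reading metadata and content, since either can enable this privilege; treat those memberships as read access to everything on the volume, and enable "Audit Sensitive Privilege Use" if you need a record of processes exercising SeBackupPrivilege.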