by Michael S. Kaplan, published on 2007/12/13 10:01 -05:00, original URI: http://blogs.msdn.com/b/michkap/archive/2007/12/13/6754293.aspx
Recently, Tony read About the Fonts folder in Windows, Part 3 (aka What changes in Vista?) that was posted last year and commented:
Hm, the Fonts folder has changed drastically in Vista.
I'm one of the people trying to install Office 97 SP2b and getting hung up because the installer can't rename Tahoma.ttf.
It seems in addition to all the nice NTFS ACLs, Microsoft in its infinite wisdom has added magical protection so that not even Administrator can change the privileges on fonts or the font folder.
So where's the manual override now?
So to start with, if it is true that Office 97 (any service pack) is attempting to overwrite the version of Tahoma that ships in Vista with the version it has, then Office 97 setup has a serious bug where what pretty much has got to be an older file with an older version attached to it is trying to replace a newer, more recent version.
Now that is a serious no-no. And one of the number one problems with the way people install fonts some of the time.
I won't be too surprised though. :-(
Remember that David Vaskevitch story I told a few years back? Well, let's just say I had an easy time finding the setup bugs because before that (when I was working with Suzanne Goebel on the ODE 97 Setup Wizard), we spent days tracking down problems that would turn out to be Office setup bugs that were always postponed without really being able to present much more than the bug title. And since David V. and I don't have the kind of relationship that I could use to get all of those bugs fixed, let's just say that I knew of quite a few bugs that weren't fixed and had the lack of sleep to prove it -- including one week when I had to bill out something like 81 hours.
So any time a new Office 97 setup bug is pointed out to me, I can't ever even pretend to muster surprise....
But to get to the second part of Tony's questions, the "magical protection" stuff, there is no magic. I'll explain....
If you go to the Fonts folder, right-click on Tahoma and look at the menu that pops up:
You can click on the Properties option on the right-click menu:
And then click on the Security tab:
Now those permissions on SYSTEM? They are also the same permissions on the Administrators and Users groups. None of them have permission to delete the file....
None of those users/groups have permission to give themselves permission either. At least not explicitly. :-(
So that Edit... button is not going to help much just yet....
Now TrustedInstaller? Slightly different story:
And that is obviously what is being used to do all kinds of Windows-specific setup tasks.
But let's hit that Advanced button:
Kind of tells us what we already knew.
But let's slide over to the Owner tab:
Assuming you have permission to do it, you can set the owner here if you like the choice, or hit the Edit... button and see the large number of choices:
Pick your new owner, and you will be given one last piece of information:
And after that you will be able to do things to the file -- no magic tricks or ACLs, just regular old NTFS security stuff.
But this should never be your first thing to do out of some strange need to control files or whatever -- only when there is a bug like the one Tony describes with a setup trying to replace a newer file with an older one.
If you know what I mean :-)
This post brought to you by ༖ (U+0f16, aka TIBETAN LOGOTYPE SIGN LHAG RTAGS)
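The Security and Owner tabs walked through above can also be read from PowerShell without changing anything. This is an added example, not part of the original post: the function name `Get-FontAclReport` and its output columns are hypothetical, it needs PowerShell 3.0 or later, and it assumes fonts that ship with Windows are owned by `NT SERVICE\TrustedInstaller`, so a different owner on such a file shows that ownership was taken at some point.

```powershell
# Added example (not from the original post): read-only report of owner and
# modify-capable ACL entries for files in the Fonts folder. Nothing is changed.

# Assumption: fonts shipped with Windows are owned by this account.
$ExpectedOwner = 'NT SERVICE\TrustedInstaller'

# Rights that would let a principal overwrite, delete or re-permission a file.
$ModifyRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

function Get-FontAclReport {
    param(
        [string]$Path   = (Join-Path $env:windir 'Fonts'),
        [string]$Filter = '*.ttf'
    )
    Get-ChildItem -LiteralPath $Path -Filter $Filter -File -Force | ForEach-Object {
        $acl = Get-Acl -LiteralPath $_.FullName

        # Allow entries, other than TrustedInstaller's own, that carry any of
        # the modify-capable rights. ACEs stored as raw GENERIC_* bits are not
        # expanded here and will not match.
        $modifiers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -ne $ExpectedOwner -and
            ($_.FileSystemRights -band $ModifyRights) -ne 0
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

        [pscustomobject]@{
            File                    = $_.Name
            Owner                   = $acl.Owner
            OwnerIsTrustedInstaller = ($acl.Owner -eq $ExpectedOwner)
            OthersWhoCanModify      = ($modifiers -join '; ')
        }
    }
}

# The file discussed in the post.
Get-FontAclReport -Filter 'tahoma*.ttf' | Format-Table -AutoSize

# Every font whose owner is not TrustedInstaller. Fonts installed after setup
# (for example EUDC .tte files copied in by an administrator) appear here too.
Get-FontAclReport -Filter '*.tt?' |
    Where-Object { -not $_.OwnerIsTrustedInstaller } |
    Format-Table -AutoSize
```

An empty `OthersWhoCanModify` column for a Windows-shipped font matches the state the post describes, where SYSTEM, Administrators and Users cannot delete the file.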
# Alex on 13 Dec 2007 10:43 PM:
This is what we do when we want to update a font manually. What if we want to distribute a font file to other machines?
# Michael S. Kaplan on 13 Dec 2007 11:11 PM:
Hi Alex --
This is what Microsoft does with fonts that IT includes as a part of Windows only. These cannot be redistributed. Which fonts are you thinking of here?
There is a separate topic in the suggestion box about installation issues that will I think touch more on what you are thinking about here? Though if not then you should add another there so I can cover the whole topic....
# Larry Osterman [MSFT] on 14 Dec 2007 1:58 AM:
I do feel obliged to point out that following Michael's instructions can (and will) cause your machine to be unusable in the future.
Messing with the ACLs can cause unexpected results, and may result in disastrous consequences for your system. KB articles 885409 and 823659 spell out some of the issues: http://support.microsoft.com/kb/885409 and http://support.microsoft.com/kb/823659/
There has been at least one security update that failed because people changed the ACLs on system directories (MS05-051): http://support.microsoft.com/kb/909444
So you can make these changes, but you're playing with fire.
# Alex on 14 Dec 2007 3:47 AM:
Ah, you mean it only applies to the original files, and if I create a new font file using the eudc editor and copy the TTE file to other computers, I won't run into the same situation?
# Michael S. Kaplan on 14 Dec 2007 8:59 AM:
Exactly....
# Michael S. Kaplan on 14 Dec 2007 10:07 AM:
I do agree with Larry that caution is warranted, though all of the problems reported thus far have to do with adding restrictions, not removing them....