VirtualizationAdmin.com

How do I Hide Drives in My Computer in Windows NT or Terminal Server.

First things first, remember to do an rdisk /s before messing with the registry. The Thin Net or any other parties mentioned on this page will not be responsible for any damage you may do to your system from these hints. Be sure and read the Thin Net Copyright statement so that you fully understand this.

The first and easiest way to hide all the drives in My Computer is via a policy. If you don’t understand how to use policies you should review Microsoft’s Guide to Policies and Profiles as it is too lengthy here to discuss.

If you do have policies set for users and want to hide all drives all you need do is open System Policy Editor and choose the user and click on Shell/Restrictions and check the box next to hide drives in my computer. I suggest that you do not set this setting for the Default user, rather add a group or user and set the policy on them in Policy Editor. If you set it for default user all the other users who have policies set will inherit this restriction.

-----------------------------------------------------------------------------------------------------------------------------------------------

The next way you can block access to drives/directories is using the command line CACLS.exe command from the NT resource kit. Cacls controls the security access control lists for NT. You must be using NTFS partitions for it to work. CACLS displays or modifies access control lists (ACLs) of files. You must be very careful using this command as if you restrict too much access users will not be able to run programs. Giving a user NO Access via security permissions to the systemdrive is not a good idea.

But you can use this utility to successfully hide or limit access to certain directories on the disk.

Here is the syntax of the command:

CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]] filename - Displays ACLs.

  • /T - Changes ACLs of specified files in the current directory and all subdirectories.
  • /E - Edit ACL instead of replacing it.
  • /C - Continue on access denied errors.

  • /G user:perm - Grant specified user access rights.

    Perm can be:

    • R - Read
    • C - Change (write)
    • F - Full control
  • /R user - Revoke specified user's access rights (only valid with /E).

  • /P user:perm - Replace specified user's access rights.

    Perm can be:

    • N - None
    • R - Read
    • C - Change (write)
    • F - Full control
  • /D user - Deny specified user access.

Wildcards can be used to specify more that one file in a command.

You can specify more than one user in a command.

If you are not registry shy you can hide individual drives using Regedt32.exe

The NODRIVES entry (reg_dword) located in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer uses a 32-bit word to define local and network drive visibility for each logical drive in the computer.

The lower 26 bits of the 32-bit word correspond to drive letters A through Z.

Drives are visible when set to 0 and hidden when set to 1. Drive A is represented by the rightmost position of the bitmask when the radix is viewed in binary mode.

Example: A bitmask of 10000000000000000000000111(0x7h)

The bitmask above hides local drives A, B, and C (rightmost bits from right to left) and drive Z (leftmost bit).

A bit mask of 11111111111111111111111111 (0x3FFFFFFh) would hide all drive letters.

Administrators may also use the NODRIVES entry to disable access to floppy drives on a per-user basis, replacing functionality previously found in the Floplock.exe utility from the Windows NT 3.x resource kits.

Drives hidden using the NODRIVES setting are not available through Windows NT Explorer, under the My Computer icon, or in the File Open\Save dialog boxes of Windows applications. File Manager and the Windows NT command prompt are not affected by this registry setting.

Andrew Wood graciously gave us this excel spreadsheet to figure out the decimal value to enter for multiple drive combinations. It is also available in zip format for download at: Hidedrive.zip.

Also available is a VBS script to put in usrlogon.cmd that will set the decimal value in the users registry at: Hidedrives.zip

If your not happy working in Hex, add these decimal numbers to hide the drive(s):

A: 1, B: 2, C: 4, D: 8, E: 16, F: 32, G: 64, H: 128, I: 256, J: 512, K: 1024, L: 2048, M: 4096, N: 8192, O: 16384, P: 32768, Q: 65536, R: 131072, S: 262144, T: 524288, U: 1048576, V: 2097152, W: 4194304, X: 8388608, Y: 16777216, Z: 33554432, ALL: 67108863

NOTE: If you hide the System drive it is not available under the My Computer icon or in the File Open\Save dialog boxes, however it is visible in Windows NT Explorer.

If you set NoRun to a 1, the user will not be able to view local files by typing a file address or URL (file://c:\....) into the Address box.

Setting NoRun to 1 will also prevent access to the local file system from an embedded HTML link.

You could also implement the NoDrives registry value to totally inhibit access to a local drive.

In addition, for compatibility with the various versions of IE 4.x/5.x, navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Add Value name NoFileUrl as a type REG_DWORD and set the data value to 1, to prevent use of the file://c:\.... syntax in the Address box.

Another way I have found to hide drives in my computer that is very easy is by the use of one of two FREEWARE utilities. One is called TweakUI and the other is called X-Setup. Both work on all version of NT including Terminal Server. Xsetup can be downloaded from Thethin.net at /files/xsetup.zip and TweakUI can be downloaded from Microsoft(it does work in NT/2000 and WTS) at http://www.microsoft.com/ntworkstation/downloads/PowerToys/Networking/NTTweakui.asp.

To install Tweakui just unpack the file and right click on Tweakui.inf and choose install. Tweakui will install a control panel applet that you can just put a check mark next to each drive you want to hide.

X-Setup uses a GUI to set these settings and only allows you to restrict access to the first 6 drives (A-F)The setting is found under explorer/options/hide drives. The benefit of X-Setup is that it gives you hundreds of excellent check boxes of things you can change without going into the registry via a GUI. It is a great FREE utility.


Receive all the latest articles by email!

Receive Real-Time & Monthly MSTerminalServices.org article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become an MSTerminalServices.org member!

Discuss your Terminal Services & Citrix issues with thousands of other SBC experts. Click here to join!

Solution Center