{"id":94825,"date":"2016-11-29T07:00:00","date_gmt":"2016-11-29T22:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/?p=94825"},"modified":"2019-03-13T10:34:20","modified_gmt":"2019-03-13T17:34:20","slug":"20161129-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20161129-00\/?p=94825","title":{"rendered":"The case of the volume label that doesn’t change"},"content":{"rendered":"

A customer liaison forwarded a problem from their customer: When the customer changed the volume label on a drive, the change is not reflected in Explorer. Explorer continues to show the old volume label. <\/p>\n

A ProcMon<\/a> trace revealed that svchost.exe<\/code> running as NT AUTHORITY\\SYSTEM<\/code> attempted to open the root of the drive but got STATUS_ACCESS_DENIED<\/code>. The access was coming from the shell hardware service at a point where it calls Get­Volume­Information<\/code> to get the volume label. <\/p>\n

Okay, that makes sense that the shell hardware service was trying to access the volume to read the volume label. After all, it was told that there was a change to the volume label, so it’s going to the volume to see what the new label is. The question is why the shell hardware service, running as SYSTEM<\/code>, got STATUS_ACCESS_DENIED<\/code>. <\/p>\n

I asked, “How did that happen? The SYSTEM<\/code> account should have full access to the drive by default. Did the customer apply a custom ACL that revokes SYSTEM<\/code> access? You’ll find that a lot of things stop working when you revoke SYSTEM<\/code> access.” <\/p>\n

The customer liaison wrote back, “Indeed, the customer did remove the SYSTEM<\/code> account from the drive’s permissions. I am not sure exactly what they were thinking when they revoked SYSTEM<\/code> access. I need to ask them.” <\/p>\n

We didn’t hear back from the customer, so maybe the customer was too embarrassed to explain why they revoked SYSTEM<\/code> access to the drive. <\/p>\n

Another case of a customer changing a security setting without really understanding why they did it, and then wondering why stuff stops working. <\/p>\n","protected":false},"excerpt":{"rendered":"

Who can read it?<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[104],"class_list":["post-94825","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-tipssupport"],"acf":[],"blog_post_summary":"

Who can read it?<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/94825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=94825"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/94825\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=94825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=94825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=94825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}