Forum Discussion
Regarding Windows 10 file system access and privacy
Hi,
here is the official support article about this:
Q: Does that mean that there are no apps that have access to my file system?
A: yes, no UWP app, but Win32 apps can have access to file system.
Exceptions to the file system access privacy settings
Not all apps will appear under Choose which apps can access your file system. Certain Windows programs, such as those that are downloaded from the internet or installed with some type of media (such as a CD, DVD, or USB storage device) won’t appear in that list and are not affected by the Allow apps access your file system setting. To allow or deny file system access for one of these programs, check the settings in the program itself.
Q: Is the Windows Pictures folder and Windows Documents folder?
Is it the WHOLE drive?
A: according to the description of file system in Windows settings:
it's not whole drive, it includes Documents, Pictures, Videos and local OneDrive files.
if you want to control the whole drive (and against Win32 apps), you can use controlled folder access feature in Windows Security (aka Windows Defender)
Q: Where can I see, which apps previously have been granted access to my file system?
A: in Windows Settings => Privacy => File system
Q: Is it possible to see, if deleted apps were granted access to file system?
A: probably using Event Viewer in Windows
HotCakeX
Thank you for your reply!
I have never installed any software using CD, USB or another drive, so that excludes that.
A: according to the description of file system in Windows settings:
It states: Documents, Pictures, Videos and OneDrive files
1) Does it refer to the standard / generic Windows folders?
2) The same folders as in the menus for Privacy - Documents and Pictures and Videos?
3) So the File system access function only covers the Documents, Pictures, Videos and OneDrive folders?
My uncertainty sprung from other articles / forums using other phrases like:
"apps can access your full file system"
"permission to have broad file system access"
Q: Where can I see, which apps previously have been granted access to my file system?
A: in Windows Settings => Privacy => File system
4) Apps that have requested permission (both declined and granted), do they appear in the list Choose which apps can access your file system?
Thanks in advance
- dretzer, Dec 07, 2020, Iron Contributor
The filesystem access permission you refer to is broad access to the filesystem. It includes every folder the user has access to. This permission should never be needed or used by any normal app, so it is good that this list is empty.
Every UWP has certain default permissions for file system access which do not need to be granted separately:
- The application's install directory
- The application's data location
- Removable drives if it uses the AutoPlay extension
- Files and Folders in the users "Downloads"-Directory, but only those which the App created itself
For an app to gain access to additional locations it has different options. For example it can gain access to well-known user folders (Pictures, Music, Videos, Documents...) with special permissions it has to be granted first. Each of the well-known folders has its own access mechanics for UWP apps and none are granted by default.
The second option (and most used normally if an app needs access to additional files on your system) is using the filepicker-dialog. This dialog is not part of the app and is presented by Windows to the user. The user then selects the file (or folder) that he wants to open in the app. The app now only gets a handle to the file or folder selected by the user, it does not gain access to the actual location.
The last option is the permission you asked for. This would grant an app broad filesystem access, meaning it can access everything the user can access, and without asking first! No normal app should ever need this permission and you should be very careful if you want to give this permission to any app at all.
If the list is empty, no currently installed App on your system uses this permission (as it should be).
As already mentioned by HotCakeX: All this only applies to UWP Apps (apps from the Microsoft Store) and not to old-school win32-applications. If you install anything on your system not from the Microsoft Store, you can't easily know what it can access. It can be nothing or all and everything in between.
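
An added example, not part of the original posts: a PowerShell audit that lists installed UWP packages whose manifest declares one of the file-related capabilities described above, next to the consent decision recorded for the current user. The capability names come from Microsoft's file access permissions documentation; the ConsentStore registry layout and the helper name `Get-ConsentValue` are assumptions of this example.

```powershell
# Added example. Run in Windows PowerShell as the user whose apps are being audited.
# File-related UWP capability names from Microsoft's file-access-permissions documentation.
$fileCaps = 'broadFileSystemAccess', 'documentsLibrary', 'picturesLibrary',
            'videosLibrary', 'musicLibrary', 'removableStorage'

# Assumption: per-user consent decisions are stored under this key, one subkey per
# capability and package family name, holding a "Value" of Allow or Deny.
$consentRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore'

# Hypothetical helper: returns Allow/Deny, or nothing if no decision is recorded.
function Get-ConsentValue {
    param([string]$Capability, [string]$PackageFamilyName)
    $key = Join-Path (Join-Path $consentRoot $Capability) $PackageFamilyName
    if (Test-Path -LiteralPath $key) {
        (Get-ItemProperty -LiteralPath $key -Name Value -ErrorAction SilentlyContinue).Value
    }
}

$report = foreach ($pkg in Get-AppxPackage) {
    try   { $manifest = Get-AppxPackageManifest -Package $pkg.PackageFullName -ErrorAction Stop }
    catch { continue }   # manifest unreadable, e.g. a staged or partially removed package

    # Collect the Name attribute of every declared capability element,
    # whatever its namespace prefix (uap:, rescap:, none), and keep the file-related ones.
    $declared = @($manifest.Package.Capabilities.ChildNodes |
        Where-Object { $_ -is [System.Xml.XmlElement] } |
        ForEach-Object { $_.GetAttribute('Name') } |
        Where-Object { $_ -in $fileCaps })

    foreach ($cap in $declared) {
        [pscustomobject]@{
            Package    = $pkg.Name
            Capability = $cap
            Consent    = Get-ConsentValue -Capability $cap -PackageFamilyName $pkg.PackageFamilyName
        }
    }
}

$report | Sort-Object Capability, Package | Format-Table -AutoSize
```

A row with `broadFileSystemAccess` and `Allow` is the case worth reviewing; an empty Consent column means the package declares the capability but no decision is recorded for this user.
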
- HotCakeX, Dec 07, 2020, MVP
"This would grant an app broad filesystem access, meaning it can access everything the user can access, and without asking first!"
what's the Source for that?
the description this
broad file system access, everything a user can access, I as the user, can access every single file on my computer, on any drive, hidden or not. I don't think that privacy option, once turned on, gives the same capability to UWP apps. but if it does, I like to read the source for that.
- dretzer, Dec 07, 2020, Iron Contributor
The official documentation for file access permissions for UWP apps:
https://docs.microsoft.com/en-us/windows/uwp/files/file-access-permissions
Also experience from developing UWP apps helps. 😉
Never trust the simplified descriptions from end-user GUIs.
The full file system access permissions should never be used for any UWP app, the only reason it exists at all is that some special applications that wanted to port to UWP couldn't, because there was no way to get the same filesystem access as a normal win32-app. So Microsoft added this permission in later Windows 10 builds, to lower another barrier for porting older apps to UWP.
Every normal app should never need this though. It is completely enough to just use the filepicker dialog or ask for permission to access pictures or music. In rare cases eventually even documents, but most of the time, none of this is needed for UWP.
I wrote a media-file-converter in UWP and as such the user needs to be able to open any video or audio file on his computer inside my app. Still I didn't need any file system access at all because I just used a filepicker dialog which the user can use to select the file he wants to convert. My app does not need any access to the file itself. The filepicker dialog (which is handled by Windows itself) hands me over the file and I don't even need to know where it came from.
UWP security is very top-notch and any app that asks for this "file system level permission" is very suspicious! I can't imagine a single valid scenario for any app to need this permission at the moment. I'm sure there are special cases, but none that I can think of.
- HotCakeX, Dec 06, 2020, MVP
CD, DVD, USB or Internet, they basically mean Win32 software but they use that language for non-tech-savvy people.
1 and 2. not sure what you mean by generic exactly but if you have Windows 10, you have documents, videos, music etc. and they are located in your User directory.
C:\Users\UserName
3. yes. only those folders and only applied to UWP apps.
4. yes. I only have 1 app in there, "Search", the rest of the apps I use didn't need access to file system, aka user folders in here: C:\Users\UserName
- Ysera_Dreamer, Dec 09, 2020, Brass Contributor
HotCakeX
I meant the Documents, Videos etc. folders in C:\Users\UserName, yes. I assume those are the same they refer to in The same folders as in the menus for Privacy - Documents and Pictures and Videos?
- HotCakeX, Dec 09, 2020, MVP
Ysera_Dreamer wrote:
HotCakeX
I meant the Documents, Videos etc. folders in C:\Users\UserName, yes. I assume those are the same they refer to in The same folders as in the menus for Privacy - Documents and Pictures and Videos?
Yes, that's correct