
HOW TO RESTORE THE OPERATING SYSTEM TO A PREVIOUS STATE IN WINDOWS XP

HOW TO START SYSTEM RESTORE TOOL AT COMMAND PROMPT IN WINDOWS XP

A DESCRIPTION OF THE SAFE MODE BOOT OPTIONS IN WINDOWS XP

HOW TO TROUBLESHOOT THE SYSTEM RESTORE TOOL IN WINDOWS XP

HOW TO MANUALLY OPEN PORTS IN INTERNET CONNECTION FIREWALL IN WINDOWS XP

HOW TO TURN ON AND OFF THE FIREWALL IN WINDOWS XP

DESCRIPTION OF THE WINDOWS XP INTERNET CONNECTION FIREWALL

COMPUTER VIRUSES: DESCRIPTION : PREVENTION : RECOVERY

HOW TO CONFIGURE FILE SHARING IN WINDOWS XP

CAN LOG ON WITHOUT PASSWORD BY USING GUEST ACCOUNT AFTER UPGRADE FROM WIN 2000

HOW TO RESTORE THE OPERATING SYSTEM TO A PREVIOUS STATE IN WINDOWS XP
This article describes how to use the System Restore tool to return your computer to a previous working state. System Restore takes a "snapshot" of critical system files and some program files and stores this information as restore points. You can use these restore points to return Windows XP to a previous state.
If Windows XP starts
1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Restore my computer to an earlier time (if it is not already selected), and then click Next.
4. On the Select a Restore Point page, click the most recent system checkpoint in the On this list, click a restore point list, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
5. On the Confirm Restore Point Selection page, click Next. System Restore restores the previous Windows XP configuration, and then restarts the computer.
6. Log on to the computer as Administrator. The System Restore Restoration Complete page appears.
7. Click OK.
Troubleshooting
You may inadvertently restore Windows XP to a previous configuration that you do not want. To undo the restoration:
1. Log on to Windows as Administrator.
2. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore. System Restore starts.
3. On the Welcome to System Restore page, click Undo my last restoration, and then click Next. A System Restore message may appear that lists configuration changes that System Restore will make. Click OK.
4. On the Confirm Restoration Undo page, click Next. System Restore restores the original Windows XP configuration, and then restarts the computer.
5. Log on to the computer as Administrator. The System Restore Undo Complete page appears.
6. Click OK.
REFERENCES
For additional information about System Restore, click Start, click Help and Support, type system restore in the Search box, and then press ENTER.


HOW TO START SYSTEM RESTORE TOOL AT COMMAND PROMPT IN WINDOWS XP
Windows XP includes the System Restore tool, but you cannot start the System Restore tool from a Recovery Console prompt. Therefore, you may want to start the System Restore tool when you cannot start your Windows XP-based computer normally or in Safe mode.

This article describes how to start the System Restore tool in Safe mode by using Command Prompt.

Start the System Restore tool at a command prompt
1. Restart your computer, and then press F8 during the initial startup to start your computer in Safe Mode with a command prompt.
2. Log on to your computer with an administrator account or with an account that has administrator credentials.
3. Type the following command at a command prompt, and then press ENTER:
%systemroot%\system32\restore\rstrui.exe
4. Follow the instructions that appear on the screen to restore your computer to an earlier state.



DESCRIPTION OF THE SAFE MODE BOOT OPTIONS IN WINDOWS XP
This article discusses the several Safe Boot options that Windows supports. These options load a minimal set of drivers. You can use these options to start Windows so that you can modify the registry or load or remove drivers.
To use a Safe Boot option, follow these steps:
1. Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
2. Select an option when the Windows Advanced Options menu appears, and then press ENTER.
3. When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Description of Safe Boot options
• Safe Mode (SAFEBOOT_OPTION=Minimal): This option uses a minimal set of device drivers and services to start Windows.
• Safe Mode with Networking (SAFEBOOT_OPTION=Network): This option uses a minimal set of device drivers and services to start Windows together with the drivers that you must have to load networking.
• Safe Mode with Command Prompt (SAFEBOOT_OPTION=Minimal(AlternateShell)): This option is the same as Safe mode, except that Cmd.exe starts instead of Windows Explorer.
• Enable VGA Mode: This option starts Windows in 640 x 480 mode by using the current video driver (not Vga.sys). This mode is useful if the display is configured for a setting that the monitor cannot display.

Note Safe mode and Safe mode with Networking load the Vga.sys driver instead.
• Last Known Good Configuration: This option starts Windows by using the previous good configuration.
• Directory Service Restore Mode: This mode is valid only for Windows-based domain controllers. This mode performs a directory service repair.
• Debugging Mode: This option turns on debug mode in Windows. Debugging information can be sent across a serial cable to another computer that is running a debugger. This mode is configured to use COM2.
• Enable Boot Logging: This option turns on logging when the computer is started with any of the Safe Boot options except Last Known Good Configuration. The Boot Logging text is recorded in the Ntbtlog.txt file in the %SystemRoot% folder.
• Starts Windows Normally: This option starts Windows in its normal mode.
• Reboot: This option restarts the computer.
• Return to OS Choices Menu: On a computer that is configured to start more than one operating system, this option returns to the Boot menu.
An environment variable is set when you use one of the Safe Boot options. The environment variable is SAFEBOOT_OPTION. This variable is set to either Network or to Minimal.

The default Microsoft VGA driver is used for display at 640 x 480 resolution and in 16 colors. You must log on in all modes by a domain or by the local Security Accounts Manager, depending on which Safe Boot mode you select.



HOW TO TROUBLESHOOT THE SYSTEM RESTORE TOOL IN WINDOWS XP
This article describes how to perform basic troubleshooting for issues that involve the System Restore tool in Microsoft Windows XP.
MORE INFORMATION
To troubleshoot System Restore issues, use one or more of the following methods:
• If you receive an error message that is related to System Restore, always make sure that you first record the error message, and then follow the instructions that the error message contains to try to resolve the issue. Most System Restore issues generate an error message that contains a description of the issue and suggestions for how to resolve the issue.
• Make sure that you have sufficient disk space on all the drives where System Restore is enabled.
• Make sure that the System Restore service is running. To do this, use one of the following methods:
• Look in Control Panel. To do this, follow these steps:
1. Click Start, click Run, and then type compmgmt.msc in the Open box.
2. Expand Services, and then click System Restore Services.

• Open a command prompt window. To do this, follow these steps:
1. Click Start, click Run, and then type CMD.
2. Press ENTER, and then type Net Start at the command prompt to make sure that the System Restore service is up and is running.


• Make sure that System Restore is enabled on the drives where you want System Restore enabled.
• Try to run System Restore in Safe Mode.
• If you suspect that you do not have as many restore points as you should have, make sure that the data store is the size that you want the data store to be.
• View the event logs to investigate System Restore service errors. To do this, follow these steps:
1. Click Start, click Control Panel, and then click Performance and Maintenance.
2. Click Administrative Tools, click Computer Management, double-click Event Viewer, and then click System.
3. Click the Source tab to sort by name, and then look for "sr" or "srservice." Double-click each of these services, and then evaluate the event description for any indication of the cause of the problem.



HOW TO MANUALLY OPEN PORTS IN INTERNET CONNECTION FIREWALL IN WINDOWS XP
Programs may require ports to be manually opened so that the programs work correctly when ICF is in use either on the local computer or on the gateway computer. You may have to manually open a port if there is a service that is running on a computer that has ICF enabled that you want to make available to users on the Internet.

Note The actual port settings vary from program to program.

To manually open a port, follow these steps:
1. Click Start, and then click My Network Places.
2. Under Network Tasks, click View Network Connections. (Or, right-click My Network Places on the desktop, and then click Properties.)
3. Right-click the connection that you use for the Internet, and then click Properties.
4. Click the Advanced tab, and then click Settings.

Note If the Settings button is unavailable, ICF is not enabled on this connection, and you do not have to open any ports (because they are all already open).
5. Click Add to open a new port.
6. In the Description box, type a friendly name. For example, type File Sharing : Port 445.
7. In the Name or IP address of the computer hosting this service on your network box, type 127.0.0.1.

Note You can specify the IP address of an internal computer. But you typically will use 127.0.0.1.
8. In the External port and Internal port boxes, type the port number. Generally, this number is the same.
9. Click either TCP or UDP, and then click OK.
10. Repeat steps 1 through 9 for each port that you want to open.




HOW TO TURN ON AND OFF THE FIREWALL IN WINDOWS XP
A firewall is software or hardware that creates a protective barrier between your computer and potentially damaging content on the Internet or network. The firewall helps to guard your computer against malicious users, and also against malicious software such as computer viruses and worms. Microsoft Windows XP helps to provide more security in the form of a firewall that is known as the Internet Connection Firewall (ICF). Windows XP Service Pack 2 (SP2) includes the new Windows Firewall, which replaces the ICF.

The firewall feature in Windows XP is designed for home and small business use. ICF and Windows Firewall help to provide more protection for computers that are directly connected to the Internet. This feature is available for local area network (LAN), for high-speed Internet connections, and for dial-up Internet connections. The firewall feature also helps to prevent the scanning of ports and of resources, such as file and printer shares, from external sources.

This article discusses how to enable ICF in Windows XP or in Windows XP SP1, and also how to enable Windows Firewall in Windows XP SP2. This article also discusses how to disable the Internet Connection Firewall feature in Windows XP or in Windows XP SP1, and how to disable Windows Firewall in Windows XP SP2. Disabling the firewall may help you to troubleshoot applications that do not function as expected behind a firewall.
Enable Internet Connection Firewall in Windows XP or Windows XP SP1
The firewall feature can be useful when you want to protect a dial-up connection when dialing directly into an Internet service provider (ISP), or to protect a LAN connection that is connected to an asymmetric digital subscriber line (ADSL) or cable modem. You can also enable the firewall feature on the Internet connection of an Internet Connection Sharing (ICS) host computer to provide protection to the ICS host computer.

To enable Internet Connection Firewall feature using the Network Setup Wizard in Windows XP or Windows XP SP1:
1. Run the Network Setup Wizard. To access this wizard, point to Control Panel, double-click Network and Internet Connections, and then click Setup or change your home or small office network.
2. The Internet Connection Firewall is enabled when you choose a configuration in the wizard that indicates that your computer is connected directly to the Internet.
To configure Internet Connection Firewall manually in Windows XP or Windows XP SP1:
1. Click Start, click Run, type control.exe netconnections, and then click OK.
2. Right-click the connection on which you would like to enable ICF, and then click Properties.
3. On the Advanced tab, click the box to select the option to Protect my computer or network.
4. If you want to enable the use of some applications and services through the firewall, you must enable them. To do this, click Settings, and then click to select the programs, protocols, and services that you want to enable for the ICF configuration.

Enable Windows Firewall in Windows XP SP2
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click On (recommended), and then click OK.

Disable Internet Connection Firewall in Windows XP or Windows XP SP1
Note A firewall is designed to help protect your computer from attack by malicious users or by malicious software. Malicious software includes viruses that use unsolicited incoming network traffic to attack your computer. Before you disable your firewall, you must disconnect your computer from all networks, including the Internet. To do this, follow these steps:
1. In Control Panel, double-click Networking and Internet Connections, and then click Network Connections.
2. Right-click the connection on which you want to disable ICF, and then click Properties.
3. On the Advanced tab, click to clear the Protect my computer or network check box.

Disable Windows Firewall in Windows XP SP2
Note A firewall is designed to help protect your computer from attack by malicious users or by malicious software. Malicious software includes viruses that use unsolicited incoming network traffic to attack your computer. Before you disable your firewall, you must disconnect your computer from all networks, including the Internet. To do this, follow these steps:
1. Click Start, click Run, type Firewall.cpl, and then click OK.
2. On the General tab, click Off (not recommended), and then click OK.



DESCRIPTION OF THE WINDOWS XP INTERNET CONNECTION FIREWALL
This article describes the Internet Connection Firewall (ICF) that is included with Microsoft Windows XP Home Edition, Microsoft Windows XP Professional, Windows XP Home Edition Service Pack 1 (SP1), and Windows XP Professional SP1. This article does not describe the firewall that is included in Windows XP SP2.

Description of Internet Connection Firewall
Internet Connection Firewall is software that you can use to set restrictions on the information that is communicated between your home or small office network and the Internet.

If your network uses Internet Connection Sharing to provide Internet access to multiple computers, it is a good idea to turn on Internet Connection Firewall on the shared Internet connection. However, you can turn on Internet Connection Sharing and Internet Connection Firewall separately. It is a good idea to turn on Internet Connection Firewall on the Internet connection on any Microsoft Windows XP-based computer that is connected directly to the Internet.

Internet Connection Firewall can also help protect a single computer that is connected to the Internet. If you have a single computer that is connected to the Internet with a cable modem, a DSL modem, or a dial-up modem, Internet Connection Firewall helps protect your Internet connection. Do not turn on Internet Connection Firewall for virtual private network (VPN) connections because Internet Connection Firewall interferes with file sharing and other VPN functions.

How Internet Connection Firewall works
Internet Connection Firewall is a "stateful" firewall. A stateful firewall is one that monitors all aspects of the communications that cross its path and examines the source and the destination address of each message that the firewall handles. To prevent unsolicited traffic from the public side of the connection from entering the private side, Internet Connection Firewall keeps a table of all the communications that have originated from the computer that is running Internet Connection Firewall. For a single computer, Internet Connection Firewall tracks traffic that originates from the computer. If you use Internet Connection Firewall in conjunction with Internet Connection Sharing, Internet Connection Firewall tracks all the traffic that originates from the computer that is running Internet Connection Firewall and Internet Connection Sharing, and tracks all the traffic that originates from private network computers. Internet Connection Firewall compares all inbound traffic from the Internet to the entries in the table. Inbound Internet traffic is permitted to reach the computers in your network only if there is a matching entry in the table that shows that the communication exchange began in your computer or private network.

Communications that originate from a source outside the computer that is running Internet Connection Firewall, such as from the Internet, are dropped by the firewall unless you create an entry on the Services tab to permit passage. Internet Connection Firewall silently discards unsolicited communications instead of sending you notifications about the activity, because such notifications might be sent frequently enough to become a distraction. This stops common hacking attempts such as port scanning. Instead of notifications, Internet Connection Firewall can create a security log so that you can view the activity that is tracked by the firewall.

You can configure services so that unsolicited traffic from the Internet is forwarded by the computer that is running Internet Connection Firewall to the private network. For example, if you are hosting an HTTP Web server service, and you turned on the HTTP service on your computer, unsolicited HTTP traffic is forwarded by the computer that is running Internet Connection Firewall to the HTTP Web server. Internet Connection Firewall requires operational information (known as a service definition) to permit the unsolicited Internet traffic to be forwarded to the Web server on your private network.

Internet Connection Firewall considerations
It is not a good idea to turn on Internet Connection Firewall on any connection that does not directly connect to the Internet. If you turn on Internet Connection Firewall for the network adapter of a client computer that is running Internet Connection Sharing, Internet Connection Firewall interferes with some communications between that computer and all other computers on the network. For a similar reason, you cannot use the Network Setup Wizard to turn on Internet Connection Firewall on the Internet Connection Sharing host private connection. This is the connection that connects the Internet Connection Sharing host computer with the Internet Connection Sharing client computers. Turning on a firewall in this location would prevent network communications.

You do not have to use Internet Connection Firewall if your network already has a firewall or proxy server.

If your network has only one shared Internet connection, it is a good idea to try to protect the network by turning on Internet Connection Firewall. Individual client computers may also have adapters, such as a dial-up or DSL modem that provide individual connections to the Internet and are vulnerable without firewall protection. Internet Connection Firewall can check only the communications that cross the Internet connection where you have turned it on. Because Internet Connection Firewall works on a per-connection basis, you must enable it on all computers that have connections to the Internet to help protect your whole network. If you turned on Internet Connection Firewall on the Internet Connection Sharing host computer's Internet connection, but a client computer with a direct Internet connection is not using Internet Connection Firewall for protection, your network is vulnerable through that unprotected connection.

The service definitions that permit services to operate across Internet Connection Firewall also work on a per-connection basis. If your network has multiple firewall connections, you must configure service definitions for each Internet Connection Firewall connection through which you want the service to work.

Internet Connection Firewall and notification messages
Because Internet Connection Firewall examines all incoming communications, some programs, especially e-mail programs, may behave differently if you turn on Internet Connection Firewall. Some e-mail programs periodically poll their e-mail server for new mail. Some e-mail programs wait for notification from the e-mail server.

Microsoft Outlook Express, for example, automatically checks for new e-mail messages when a timer tells it to do so. If new e-mail messages are present, Outlook Express prompts you with a new e-mail message notification. Internet Connection Firewall does not affect the behavior of Outlook Express because the request for new e-mail message notification originates from inside the firewall. Internet Connection Firewall makes an entry in a table that notes the outbound communication. When a new e-mail response is acknowledged by the mail server, Internet Connection Firewall finds an associated entry in the table and permits the communication to pass. You then receive notification that a new e-mail message has arrived.

Microsoft Outlook 2000 is connected to a Microsoft Exchange-based server that uses a remote procedure call (RPC) to send new e-mail message notifications to clients. Outlook 2000 does not automatically look for new e-mail messages when it is connected to an Exchange-based server. The Exchange-based server notifies Outlook 2000 when new e-mail messages arrive. Because the RPC notification is initiated from an Exchange-based server that is outside the firewall (not by Outlook 2000), Internet Connection Firewall cannot find a corresponding entry in the table. Internet Connection Firewall does not permit the RPC messages to cross from the Internet to the home network. The RPC notification message is dropped. You can send and receive e-mail messages, but you must manually look for new e-mail.
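
The table lookup described under "How Internet Connection Firewall works" and the Outlook Express and Outlook 2000 cases above, modeled as an added example (not Microsoft's code and not part of the original article). The class name, addresses and port numbers are constructed; address translation and the expiry of table entries are not modeled.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str      # "TCP" or "UDP"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class ConnectionFirewall:
    """Simplified model of a stateful firewall on ONE network connection."""
    name: str
    # Conversations begun on the protected side:
    # (proto, local ip, local port, remote ip, remote port)
    flows: set = field(default_factory=set)
    # Service definitions: (proto, external port) -> (internal host, port)
    services: dict = field(default_factory=dict)
    security_log: list = field(default_factory=list)

    def add_service(self, proto, external_port, host, internal_port):
        self.services[(proto, external_port)] = (host, internal_port)

    def outbound(self, pkt):
        # Outbound traffic is what creates entries in the table.
        self.flows.add((pkt.proto, pkt.src_ip, pkt.src_port,
                        pkt.dst_ip, pkt.dst_port))
        return self._record("OPEN", pkt)

    def inbound(self, pkt):
        # An inbound packet matches only the exact mirror of a recorded flow.
        reply_of = (pkt.proto, pkt.dst_ip, pkt.dst_port,
                    pkt.src_ip, pkt.src_port)
        if reply_of in self.flows:
            return self._record("PERMIT", pkt)
        # Unsolicited traffic passes only through a service definition.
        if (pkt.proto, pkt.dst_port) in self.services:
            return self._record("FORWARD", pkt)
        # Everything else is discarded silently; only the log shows it.
        return self._record("DROP", pkt)

    def _record(self, verdict, pkt):
        self.security_log.append((verdict, pkt))
        return verdict


def run_scenarios():
    me = "198.51.100.7"                      # constructed address
    fw = ConnectionFirewall("dial-up")
    fw.add_service("TCP", 80, "192.168.0.20", 80)   # hosted Web server
    results = {}

    # Outlook Express case: the client polls, so the reply has an entry.
    fw.outbound(Packet("TCP", me, 1050, "203.0.113.25", 110))
    results["mail_poll_reply"] = fw.inbound(
        Packet("TCP", "203.0.113.25", 110, me, 1050))

    # Outlook 2000 / Exchange case: the server starts the exchange,
    # so there is no entry to match.
    results["rpc_notification"] = fw.inbound(
        Packet("UDP", "203.0.113.40", 1190, me, 1066))

    # Unsolicited HTTP reaches the Web server via the service definition.
    results["http_to_service"] = fw.inbound(
        Packet("TCP", "203.0.113.99", 40000, me, 80))

    # A probe of a port with no service definition is dropped.
    results["probe_445"] = fw.inbound(
        Packet("TCP", "203.0.113.99", 40001, me, 445))

    # Same ports as the mail reply, but from a host nobody contacted.
    results["reply_from_other_host"] = fw.inbound(
        Packet("TCP", "203.0.113.66", 110, me, 1050))

    # Service definitions are per connection: a second firewalled
    # connection without the HTTP definition drops the same request.
    second = ConnectionFirewall("dsl")
    results["http_other_connection"] = second.inbound(
        Packet("TCP", "203.0.113.99", 40002, me, 80))

    results["dropped_logged"] = sum(
        1 for verdict, _ in fw.security_log if verdict == "DROP")
    return results


if __name__ == "__main__":
    for case, verdict in run_scenarios().items():
        print(f"{case:24} {verdict}")
```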

Advanced Internet Connection Firewall settings
You can use the Internet Connection Firewall security logging feature to create a security log of firewall activity. Internet Connection Firewall can log both traffic that is permitted and traffic that is rejected. For example, by default, incoming echo requests from the Internet are not permitted by Internet Connection Firewall. If the Internet Control Message Protocol (ICMP) Allow incoming echo request setting is not turned on, the inbound request does not succeed, and a log entry that notes the unsuccessful inbound attempt is generated.

You can modify the behavior of Internet Connection Firewall by turning on various ICMP options, such as Allow incoming echo request, Allow incoming timestamp request, Allow incoming router request, and Allow redirect. Brief descriptions of these options appear on the ICMP tab.

You can set the permitted size of the security log to prevent an overflow that might be caused by denial-of-service attacks. Event logging is generated in the Extended Log File Format as established by the World Wide Web Consortium (W3C).
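
One way to review the security log for the dropped traffic described above, as an added example that is not part of the original article. The column names are assumed to be the ones the log declares in its own #Fields line, and every log line in the sample is constructed.

```python
from collections import defaultdict

# Constructed sample in W3C Extended Log File Format (assumed field names).
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-03-01 10:14:00 OPEN TCP 198.51.100.7 203.0.113.25 1050 110 - - - - - - - -
2004-03-01 10:15:01 DROP TCP 203.0.113.99 198.51.100.7 40001 135 48 S 1001 0 16384 - - -
2004-03-01 10:15:01 DROP TCP 203.0.113.99 198.51.100.7 40002 139 48 S 1002 0 16384 - - -
2004-03-01 10:15:02 DROP TCP 203.0.113.99 198.51.100.7 40003 445 48 S 1003 0 16384 - - -
2004-03-01 10:15:02 DROP TCP 203.0.113.99 198.51.100.7 40004 1433 48 S 1004 0 16384 - - -
2004-03-01 10:16:30 DROP UDP 203.0.113.40 198.51.100.7 1190 1066 76 - - - - - - -
2004-03-01 10:17:00 DROP ICMP 203.0.113.50 198.51.100.7 - - 60 - - - - 8 0 -
2004-03-01 10:18:00 DROP TCP 203.0.113.99
2004-03-01 10:19:00 CLOSE TCP 198.51.100.7 203.0.113.25 1050 110 - - - - - - - -
"""


def parse_extended_log(text):
    """Return one dict per entry, keyed by the names in the #Fields line."""
    fields, entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line, e.g. "#Fields: date time action ..."
            name, _, value = line[1:].partition(":")
            if name.strip().lower() == "fields":
                fields = value.split()
            continue
        if not fields:
            raise ValueError("entry found before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line (e.g. log cut at size cap)
        # "-" marks a field that does not apply to this entry.
        entries.append({f: (None if v == "-" else v)
                        for f, v in zip(fields, values)})
    return entries


def summarize_drops(entries, scan_threshold=3):
    """Group rejected inbound traffic by source to surface port scans."""
    ports_by_source = defaultdict(set)
    dropped_echo_requests = 0
    for e in entries:
        if e.get("action") != "DROP":
            continue
        if e.get("protocol") == "ICMP":
            if e.get("icmptype") == "8":      # ICMP type 8 = echo request
                dropped_echo_requests += 1
            continue
        if e.get("dst-port") is not None:
            ports_by_source[e["src-ip"]].add(int(e["dst-port"]))
    # Many distinct destination ports from one source suggests scanning.
    scanners = {src: sorted(ports)
                for src, ports in ports_by_source.items()
                if len(ports) >= scan_threshold}
    return {
        "scanners": scanners,
        "dropped_echo_requests": dropped_echo_requests,
        "dropped_sources": len(ports_by_source),
    }


if __name__ == "__main__":
    print(summarize_drops(parse_extended_log(SAMPLE_LOG)))
```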



COMPUTER VIRUSES: DESCRIPTION : PREVENTION : RECOVERY
This article discusses how to determine if your computer is infected with a virus, worm, or trojan, how to recover from an infection, and how to prevent future infections from a virus.

A virus is code written with the express intention that the virus code replicates itself. A virus tries to spread itself from computer to computer by attaching itself to a host program. It may damage hardware, software, or data. A worm is a subclass of virus. A worm generally spreads without user action and distributes complete copies (possibly modified) of itself across networks. A worm can exhaust memory or network bandwidth, causing a computer to stop responding. A virus that appears to be a useful program, but that actually does damage, is a "trojan horse."

Take steps to prevent viruses even if you do not visit unknown or untrusted Web sites or open e-mail attachments. There are three steps that you can take to start to improve the security of your Windows-based computer: use a firewall, receive regular updates, and use antivirus software.

step-by-step: www.microsoft.com/protect

On a Windows XP-based computer, the Protect Your PC Web site can automatically detect and configure Internet Connection Firewall (ICF), configure Automatic Updates settings, and provide information about antivirus software. On a Windows XP Service Pack 2 computer, Internet Connection Firewall (ICF) is renamed as "Windows Firewall (WF)."

Symptoms of viruses, worms, and trojan horse viruses
If you suspect or confirm that your computer is infected with a virus, obtain current antivirus software. When a virus infects your e-mail or other files, it may have the following effects on your computer:
• The infected file may make copies of itself. This may use all the free space in your hard disk.
• A copy of the infected file may be sent to all the addresses in your e-mail address list.
• The virus may reformat your disk drive and delete your files and programs.
• The virus may install hidden programs, such as pirated software. This pirated software may then be distributed and sold from your computer.
• The virus may reduce security. This could allow intruders to remotely access your computer or network.
The following symptoms are frequently caused by or associated with a virus:
• You received an e-mail message that has a strange attachment. When you open the attachment, dialog boxes appear or a sudden degradation in system performance occurs.
• There is a double extension on an attachment that you recently opened, such as .jpg.vbs or .gif.exe.
• An antivirus program is disabled for no reason and it cannot be restarted.
• An antivirus program cannot be installed on the computer or it will not run.
• Strange dialog boxes or message boxes appear onscreen.
• Someone tells you that they have recently received e-mail messages from you containing attached files (especially with .exe, .bat, .scr, and .vbs extensions) that you did not send.
• New icons appear on the desktop that you did not put there, or are not associated with any recently installed programs.
• Strange sounds or music plays from the speakers unexpectedly.
• A program disappears from the computer, but you did not intentionally remove it.
A virus infection may also cause the following symptoms, but these symptoms may also be the result of ordinary Windows functions, or problems in Windows that are not caused by a virus.
• Windows will not start at all, even though you have not made any system changes, and you have not installed or removed any programs.
• There is much modem activity. If you have an external modem, you may notice the lights blinking too much when the modem is not being used. You may be unknowingly supplying pirated software.
• Windows will not start because certain critical system files are missing, and then you receive an error message that lists the missing files.
• The computer sometimes starts as expected, but at other times it stops responding before the desktop icons and taskbar appear.
• The computer runs very slowly, and it takes a long time to start.
• You receive out-of-memory error messages even though your computer has much RAM.
• New programs do not install correctly.
• Windows spontaneously restarts unexpectedly.
• Programs that used to run stop responding frequently. If you try to remove and reinstall the software, the issue continues to occur.
• A disk utility such as Scandisk reports multiple serious disk errors.
• A partition disappears.
• Your computer always stops responding when you try to use Microsoft Office products.
• You cannot start Windows Task Manager.
• Antivirus software indicates that a virus is present.

Recovering from and preventing virus infection
To prevent a virus infection, or to recover from a virus, follow these steps:
1. Use an Internet firewall.
A firewall is a piece of software or hardware that creates a protective barrier between your computer and potentially damaging content on the Internet. It helps guard your computer against malicious users and many computer viruses and worms.

Use a firewall only for network connections that you use to connect directly to the Internet. For example, use a firewall on a single computer that is connected to the Internet directly by using a cable modem, a DSL modem, or a dial-up modem. If you use the same network connection to connect to both the Internet and a home or office network, use a router or firewall that prevents Internet computers from connecting to the shared resources on the home or office computers. Do not use a firewall on network connections that you use to connect to your home or office network unless the firewall can be configured to open ports only for your home or office network. If you connect to the Internet by using your home or office network, a firewall can be used only on the computer or the other device, such as a router, that provides the connection to the Internet. For example, if you connect to the Internet through a network that you manage, and that network uses connection sharing to provide Internet access to multiple computers, you can install or enable a firewall only on the shared Internet connection. If you connect to the Internet through a network that you do not manage, verify that your network administrator is using a firewall.

Note If you use a firewall on all computers on your home or office network, you may not be able to browse (search) for other computers on your home or office network, and you may not be able to share files with other computers on your home or office network.



HOW TO CONFIGURE FILE SHARING IN WINDOWS XP
SUMMARY
With Microsoft Windows XP, you can share files and documents with other users on your computer and with other users on a network. There is a new user interface (UI) named Simple File Sharing and a new Shared Documents feature. This article describes the new file sharing UI and discusses the following topics:
• How to turn Simple File Sharing on and off.
• How to manage and configure levels of access to shares and files.
• Guidelines for file sharing in Windows XP.
• How to troubleshoot file sharing problems.
Windows XP Home Edition-based computers always have Simple File Sharing enabled.

INTRODUCTION
On a Windows XP-based computer, you can share files among both local and remote users. Local users log on to your computer directly through their own accounts or through a Guest account. Remote users connect to your computer over the network and access the files that are shared on your computer.

You can access the Simple File Sharing UI by viewing a folder's properties. Through the Simple File Sharing UI, you can configure both share and NTFS file system permissions at the folder level. These permissions apply to the folder, all the files in that folder, child folders, and all the files in the child folders. Files and folders that are created in or copied to a folder inherit the permissions that are defined for their parent folder. This article describes how to configure access to your files based on permission levels. Some of the information that this article contains about these permission levels is not documented in the operating system files or the Help file.

MORE INFORMATION
With file sharing in Windows XP, you can configure five levels of permissions. Level 1 is the most private and secure setting, and Level 5 is the most public and changeable (non-secure) setting. You can configure Levels 1, 2, 4, and 5 by using the Simple File Sharing UI. To do this, right-click the folder, and then click Sharing and Security to open the Simple File Sharing UI. To configure Level 3, copy a file or folder into the Shared Documents folder under My Computer. This configuration does not change when you turn on or turn off Simple File Sharing.

Turning on and turning off Simple File Sharing
Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface. When you use the Simple File Sharing UI (that is located in the folder's properties), both share and file permissions are configured.

If you turn off Simple File Sharing, you have more control over the permissions to individual users. However, you must have advanced knowledge of NTFS and share permissions to help keep your folders and files more secure. If you turn off Simple File Sharing, the Shared Documents feature is not turned off.

To turn Simple File Sharing on or off in Windows XP Professional, follow these steps:
1. Double-click My Computer on the desktop.
2. On the Tools menu, click Folder Options.
3. Click the View tab, and then select the Use Simple File Sharing (Recommended) check box to turn on Simple File Sharing. (Clear this check box to turn off this feature.)

Managing levels of access to shares and to files
You can use Simple File Sharing to configure five different levels of access to shares and files:
• Level 1: My Documents (Private)
• Level 2: My Documents (Default)
• Level 3: Files in shared documents available to local users
• Level 4: Shared Files on the Network (Readable by Everyone)
• Level 5: Shared Files on the Network (Readable and Writable by Everyone)
NOTES
• By default, files that are stored in My Documents are at Level 2.
• Levels 1, 2, and 3 folders are available only to a user who is logging on locally. Users who log on locally include a user who logs on to a Windows XP Professional-based computer from a Remote Desktop (RDP) session.
• Levels 4 and 5 folders are available to users who log on locally and remote users from the network.

Level 1: My Documents (Private)
The owner of the file or folder has read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. All subfolders that are contained in a folder that is marked as private remain private unless you change the parent folder permissions.

If you are a Computer Administrator and create a user password for your account by using the User Accounts Control Panel tool, you are prompted to make your files and folder private.

Note The option to make a folder private (Level 1) is only available to a user account in its own My Documents folder.

To configure a folder and all the files in it to Level 1, follow these steps:
1. Right-click the folder, and then click Sharing and Security.
2. Select the Make this Folder Private check box, and then click OK.
Local NTFS Permissions:
• Owner: Full Control
• System: Full Control
Network Share Permissions:
• Not Shared

Level 2 (Default): My Documents (Default)
The owner of the file or folder and local Computer Administrators have read and write permission to the file or folder. Nobody else may read or write to the folder or the files in it. This is the default setting for all the folders and files in each user's My Documents folder.

To configure a folder and all the files in it to Level 2, follow these steps:
1. Right-click the folder, and then click Sharing and Security.
2. Make sure that both the Make this Folder Private and the Share this folder on the network check boxes are cleared, and then click OK.
Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• System: Full Control
Network Share Permissions:
• Not Shared

Level 3: Files in shared documents available to local users
Files are shared with users who log on to the computer locally. Local Computer Administrators can read, write, and delete the files in the Shared Documents folder. Restricted Users can only read the files in the Shared Documents folder. In Windows XP Professional, Power Users may also read, write, or delete any files in the Shared Documents Folder. The Power Users group is only available in Windows XP Professional. Remote users cannot access folders or files at Level 3. To permit remote users to access files, you must share them out on the network (Level 4 or 5).

To configure a file or a folder and all the files in it to Level 3, start Microsoft Windows Explorer, and then copy or move the file or folder to the Shared Documents folder under My Computer.

Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• Power Users: Change
• Restricted Users: Read
• System: Full Control
Network Share Permissions:
• Not Shared

Level 4: Shared on the Network (Read Only)
Files are shared for everyone to read on the network. All local users, including the Guest account, can read the files, but they cannot modify the contents. Any user can read and change your files.

To configure a folder and all the files in it to Level 4, follow these steps:
1. Right-click the folder, and then click Sharing and Security.
2. Click to select the Share this folder on the network check box.
3. Click to clear the Allow network users to change my files check box, and then click OK.
Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• System: Full Control
• Everyone: Read
Network Share Permissions:
• Everyone: Read

Level 5: Shared on the network (Read and Write)
This level is the most available and least secure access level. Any user (local or remote) can read, write, change, or delete a file in a folder shared at this access level. Microsoft recommends that this level be used only for a closed network that has a firewall configured. All local users including the Guest account can also read and modify the files.

To configure a folder and all the files in it to Level 5, follow these steps:
1. Right-click the folder, and then click Sharing and Security.
2. Click to select the Share this folder on the network check box, and then click OK.
Local NTFS Permissions:
• Owner: Full Control
• Administrators: Full Control
• System: Full Control
• Everyone: Change
Network Share Permissions:
• Everyone: Full Control
Note All NTFS permissions that refer to Everyone include the Guest account.

All the levels that this article describes are mutually exclusive. Private folders (Level 1) cannot be shared unless they are no longer private. Shared folders (Level 4 and 5) cannot be made private until they are unshared.

If you create a folder in the Shared Documents folder (Level 3), share it on the network, and then permit network users to change your files (Level 5), the permissions for Level 5 are effective for the folder, the files in that folder, and the child folders. The other files and folders in the Shared Documents folder remain configured at Level 3.

Note The only exception is if you have a folder (SampleSubFolder) that is shared at Level 4 inside a folder (SampleFolder) that is shared at Level 5. Remote users have the correct access level to each of the shared folders. Locally logged-on users have writable (Level 5) permissions to the parent (SampleFolder) and child (SampleSubFolder) folders.

Guidelines
Microsoft recommends that you only share folders on the network that remote users on other computers must access. Microsoft recommends that you do not share the root of your system drive. When you do this your computer is more vulnerable to malicious remote users. The Sharing tab of the drive's Properties dialog box contains a warning when you try to share a root folder (for example, C:\). To continue, you must click the If you understand the risk but still want to share the root of the drive, click here link. Only computer administrators can share the root of the drive.

Files on a read-only device such as a CD-ROM shared at Level 4 or 5 are only available if the CD-ROM is in the CD-ROM drive. Any CD-ROM that is in the CD-ROM drive is available to all users on the network.

A file's permission may differ from the containing folder if one of the following conditions is true:
• You use the move command at a command prompt to move a file into the folder from a folder on the same drive that has different permissions.
• You use a script to move the file into the folder from a folder on the same drive that has different permissions.
• You run Cacls.exe at a command prompt or a script to change file permissions.
• Files existed on the hard disk before you installed Windows XP.
• You changed a file's permissions while Simple File Sharing was turned off on Windows XP Professional.
Note NTFS permissions are not maintained on file move operations when you use Windows Explorer with Simple File Sharing turned on.

If you turn on and turn off Simple File Sharing, the permissions on files are not changed. The NTFS and share permissions do not change until you change the permissions in the interface. If you set the permissions with Simple File Sharing enabled, only Access Control Entries (ACEs) on files that are used for Simple File Sharing are affected. The following ACEs in the Access Control List (ACL) of the files or folders are affected by the Simple File Sharing interface:
• Owner
• Administrators
• Everyone
• System

Troubleshooting file sharing in Windows XP
Expected upgrade behavior
A Windows 2000 Professional-based or a Windows NT 4.0-based computer that is joined to a domain or a workgroup that is upgraded to Windows XP Professional maintains its domain or workgroup membership respectively and has the classic file sharing and security UI turned on. NTFS and share permissions are not changed with the upgrade.

By default, if you upgrade a computer that is running Microsoft Windows 98, Windows 98 Second Edition, or Windows Millennium Edition that has "per share" sharing permissions to Windows XP, Simple File Sharing is always turned on. Shares that have passwords assigned to them are removed, and shares that have blank passwords remain shared after the upgrade.

If you upgrade a computer that is running Windows 98, Windows 98 Second Edition, or Windows Millennium Edition to Windows XP Professional and that computer is logged on to a domain, if that computer has share level access turned on and joins the domain while the Setup program is running, the computer starts with Simple File Sharing turned off.

By default, a Windows 98, Windows 98 Second Edition, or Windows Millennium Edition-based computer that is upgraded to Windows XP Home has Simple File Sharing turned on.
Known issues
For remote users to access files from the network (Levels 4 and 5), the Internet Connection Firewall (ICF) must be disabled on the network interface that the remote users connect through.

When Simple File Sharing is turned on, remote administration and remote registry editing do not work as expected from a remote computer, and connections to administrative shares (such as C$) do not work because all remote users authenticate as Guest. Guest accounts do not have administrative rights. If you configure ACEs for specific users while Simple File Sharing is turned on, those ACEs do not affect remote users, because all remote users authenticate as Guest.

Remote users may receive an "Access Denied" message on a share that they had connected to successfully before. This behavior occurs after the hard disk is converted to NTFS. This behavior occurs on Windows XP-based computers that have Simple File Sharing turned on that were upgraded from Windows 98, Windows 98 Second Edition, or Windows Millennium Edition. This behavior occurs because the default permissions of a hard disk that is converted to NTFS do not contain the Everyone group. The Everyone group is required for remote users who are using the Guest account to access the files. To reset the permissions, unshare and reshare the affected folders.
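The permission tables for Levels 1 to 5, the conditions under which a file's permissions differ from its folder's, and the "Access Denied" issue above can be checked together. The following Python is an added example, not part of the original article or any Microsoft tool; the function names and sample ACLs are constructed for illustration. It assumes the standard Windows rule that network access is the more restrictive of the share permission and the NTFS permission.

```python
# Added example. Principal labels follow the article's tables; the sample
# ACLs at the bottom are constructed.
RANK = {None: 0, "Read": 1, "Change": 2, "Full Control": 3}
FULL = "Full Control"
BASE = {"Owner": FULL, "Administrators": FULL, "System": FULL}

# level -> (NTFS ACEs, share permission for Everyone), as listed above
LEVELS = {
    1: ({"Owner": FULL, "System": FULL}, None),
    2: (dict(BASE), None),
    3: ({**BASE, "Power Users": "Change", "Restricted Users": "Read"}, None),
    4: ({**BASE, "Everyone": "Read"}, "Read"),
    5: ({**BASE, "Everyone": "Change"}, FULL),
}


def classify_level(ntfs, share):
    """Return the level (1-5) whose two tables match exactly, else None."""
    for level, (want_ntfs, want_share) in LEVELS.items():
        if ntfs == want_ntfs and share == want_share:
            return level
    return None


def remote_access(ntfs, share):
    """Access a network user gets while Simple File Sharing is on.

    Remote users authenticate as Guest, and Everyone is the only ACE in the
    article's tables that includes Guest, so the result is the more
    restrictive of the share permission and the NTFS Everyone ACE.
    """
    if share is None:
        return "Not Shared"
    granted = min(share, ntfs.get("Everyone"), key=RANK.get)
    return granted or "Access Denied"


def drifted_files(folder_ntfs, file_acls):
    """Names of files whose ACEs differ from the containing folder's."""
    return sorted(n for n, acl in file_acls.items() if acl != folder_ntfs)


# Constructed sample: a Level 2 folder holding one file that was moved in
# with the command-line move command from a Level 5 share on the same drive.
FOLDER = LEVELS[2][0]
FILES = {"notes.txt": dict(FOLDER), "budget.xls": dict(LEVELS[5][0])}
# Constructed ACL for a folder on a converted disk: no Everyone ACE.
CONVERTED = {"Administrators": FULL, "System": FULL}

if __name__ == "__main__":
    print(classify_level(*LEVELS[5]))             # level of the Level 5 tables
    print(remote_access(LEVELS[5][0], FULL))      # share vs. NTFS Everyone
    print(remote_access(CONVERTED, "Read"))       # shared, but no Everyone ACE
    print(drifted_files(FOLDER, FILES))           # files unlike their folder
```

A file reported by drifted_files that carries an Everyone ACE inside an unshared folder is still open to the local Guest account, so it is the first thing to correct after moving files between levels from the command line.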

Behavior that is affected when Simple File Sharing is turned on
• The Simple File Sharing UI in the properties of a folder configures both share and file permissions.
• Remote users always authenticate as the Guest account.
• Windows Explorer does not retain permissions on files that are moved in the same NTFS drive. The permissions are always inherited from the parent folder.
• On Windows XP Professional-based computers that have Simple File Sharing turned on and Windows XP Home Edition-based computers, the Shared Folders (Fsmgmt.msc) and Computer Management (Compmgmt.msc) tools reflect a simpler sharing and security UI.
• In the Computer Management and Shared Folders consoles, the New File Share command is unavailable when you right-click the Shares icon. Also, if you right-click any listed share, the Properties and Stop Share commands are unavailable.

Behavior that is not caused by turning on Simple File Sharing
• In Windows XP Home Edition, the Computer Management snap-in does not display the Local Users and Groups node. The Local Users and Groups snap-in cannot be added to a custom snap-in. This behavior is a limitation of Windows XP Home Edition. It is not caused by Simple File Sharing.
• If you turn off the Guest account in the User Accounts Control Panel tool, only the guest's ability to log on locally is affected. The account is not disabled.
• Remote users cannot authenticate by using an account that has a blank password. This authentication is configured separately.
• Windows XP Home Edition cannot join a domain. It can only be configured as a member of a workgroup.



CAN LOG ON WITHOUT PASSWORD BY USING GUEST ACCOUNT AFTER UPGRADE FROM WIN 2000
SYMPTOMS
When you upgrade your computer from Windows 2000 to Windows XP and the Guest account is enabled for local logon, the Guest option is available when you run the Out of Box Experience (OOBE). You are able to log on as a Guest without using a password.
CAUSE
This behavior can occur because the sharing and security model does not change during the upgrade. The status of the Guest account (enabled or disabled) is not affected, and the Guest account is neither added nor removed from "interactive logon" or "deny interactive logon."
MORE INFORMATION
OOBE is the wizard that usually runs after Setup and performs the following functions:
• Product activation
• Registration
• Mouse tutorial
• User creation



All Content Copyright © 1997-2005 Zanzibar Network Ltd. All Rights Reserved.