Access Based Enumeration on Windows 7
Access Based Enumeration (ABE) is a well-hidden feature even in Windows Server, where it can be configured per share, but only in the Share and Storage Management MMC and not when right-clicking a folder in Explorer. Thanks to the shared code base ABE is available in Windows 7, too, although hidden even better. Let’s find out how to enable it anyway.
First we need a share to play around with. I set up a shared folder with three subfolders. When I access it over then network, everything looks as expected:
Next we remove permissions on one of the subfolders so that users do not have read access any more. We do that with SetACL Studio, of course!
Then we download the free tool ShrFlgs and issue the following command in an elevated prompt:
D:\>ShrFlgs.exe \\localhost\test /abe true /forreal ShrFlgs V01.00.01cpp Joe Richards ([email protected]) February 2005 Share: test Path : R:\ Remark : Max Use : Unlimited Current Use: 1 SDDL : Flags Manual Client Side Caching Exclusive Opens Allowed Force Delete NOT Allowed Namespace Caching NOT Allowed Access Based Enumeration The command completed successfully.
Finally we check again in Explorer, and voilà, the directory sub2 is gone:
JESUS!!! Thank you soooo much for this post!!! Trying to solve this problem on win 7 for several days already with no success. I **cking knew this has a solution, because windows HIDES subfolders under users! It DOES that……..
I’m sorry for too emotional reply) Thank you very much! This was *really* helpful for me!
Is there a GUI way to do this on client? On Server there is the MMC.
I removed the OS check from the Access Based Enumeration GUI MSI file for Server 2003 and it works nicely on Windows 7/Vista/Server 2008/R2 as well.
FTM, I used shrflgs.exe on Windows Server 2012 Shares and it worked.
How do I create a hidden directory but visible for specified users/groups?
Is that possible with this tool without using the $ sign on share level?
does not work with windows 7 64bit. Wondering if another version/release of ShrFlgs support it.
Strange, worked for me on Windows 7 64bit, ShrFlgs V01.00.01!
And thank you for the guide, pretty OP
Ran as instructed and it worked on Windows 7 Ultimate 64-bit system.
So now my users who do have access to certain folders under the share can’t view them which is what I wanted.
Problem – Even if I grant a user read/write access, the user is unable to create files in the sub directory of the share. Also, when I try assign rights by right clicking ——> Share with ——> Specific people, once I select the rights and click share I get prompted by Windows that “You cannot share this folder”?
Any ideas on how to get around this?
Okay so I got this figured out.
The problem was that when I created the network share, I gave “Everyone” access but limited the access to read-only. I had to change that to give “Everyone” full control to the share only. From there the actual NTFS permissions I granted to each individual folder controlled the level of access I required.
My users can now perform work on their individual folders while not seeing any folders on the share to which they do not have access to.
Many thanks for this!
I could run shrflgs successfully on Windows 7 64bit. It stopped working when it reached my “Music” directory. Is it possible that many subfolders mess it up (e.g. maybe there is a counter up to 1000 subfolders, let’s say, and if you have 1,001 it hits an exception?).
Thanks a lot! This worked on Win7 SP1 64-bit. It prevents Offline File Sync showing an error message when trying to sync the $RECYCLE.BIN folder, since this folder is not visible anymore on the clients.
Can this work for windows 10?
I realize the last comment here is 2 years old, nearly to the day, but I wanted to note that this does work on Windows 10 shares.
This page is essentially the only useful hit on a Google search for “access based enumeration windows 10” and that’s only because of the above comment. The tool’s page doesn’t mention it and it appears unlikely to be updated but I can assure anyone this works on Windows 10 shares. Thank you!
Hello, it worked on windows 10 pro
To apply the changes successfully, it was necessary to log out of all users using the share.
run cmd as administrator to have no permission issues.