
Saturday, November 17, 2007

Troubleshooting Permission Problems

NTFS permissions are straightforward and uncomplicated when the Simple File Sharing interface is enabled. In this configuration, users do not have the ability to manipulate file and folder access controls directly. You can select one or more folders within your user profile and make those locations private, but no other security settings are available for customization. With Simple File Sharing enabled, when you move or copy files or folders from a folder you've made private into any other location on an NTFS volume, the moved or copied objects take on the security attributes of the destination folder; in most cases, that means they're freely available to all other users. When you drag a file out of your private My Documents folder and drop it in the Shared Documents folder, for instance, that file is accessible by all other users of the local computer. Conversely, when you move a file from the Shared Documents folder into your private My Documents folder, it becomes a private file accessible only to you.

But if you disable Simple File Sharing and work directly with NTFS permissions, ordinary file management tasks can have unintended and confusing consequences. In fact, even when a user has been granted Full Control permissions for a given folder, he or she may encounter an "access denied" error message when trying to open, rename, delete, or copy a file or folder.

To understand why this problem occurs, you need to understand what happens when you move or copy files or folders from one location to another. During the move, the permissions for the files or folders may change. With Simple File Sharing disabled, Windows XP follows a strict set of rules when applying permissions during a move or copy operation. Note the different results that apply depending on whether you're moving or copying the object and whether the destination is on the same drive or on a different drive:

When you copy a file or folder to an NTFS drive...
The newly created folder or file takes on the permissions of the destination folder, and the original object retains its permissions. This is true regardless of whether the destination is on the same NTFS drive as the original file or on a separate NTFS drive. You become the Creator Owner of the new file or folder, which means you can change its permissions.

When you move a file or folder within a single NTFS drive...
The moved folder or file retains its original permissions and you become the Creator Owner.

When you move a file or folder from one NTFS drive to another...
The moved folder or file picks up the permissions of the destination folder and you become the Creator Owner.

When you copy or move a file or folder from a FAT32 drive to an NTFS drive...
The newly created folder or file picks up the permissions of the destination folder and you become the Creator Owner.

When you copy or move a file or folder from an NTFS drive to a FAT32 drive...
The moved or copied folder or file in the new destination loses all permission settings, because the FAT32 file system is incapable of storing these details.

When Simple File Sharing is disabled, you may discover, after dragging a file from your My Documents folder into the Shared Documents folder, that other users are unable to access that file. This result will occur if the following conditions apply:

The drive that contains the Documents And Settings folder is formatted using the NTFS file system.
You've made your entire user profile private (as you were prompted to do when you added a password to your account).
You've disabled Simple File Sharing.
You've created a group of files (or a subfolder) in your My Documents, My Music, or My Pictures folder, and you want to share those files with other users by dragging them to the Shared Documents folder.

Because both locations are on the same NTFS-formatted drive, dragging any file or folder from your user profile to the Shared Documents folder moves the selected object without making any changes to its access control list. As a result, other users can see the icon for the file or folder but are greeted with an "access denied" error message when they double-click it. Frustrating, isn't it? The solution to this dilemma is simple. If you've disabled Simple File Sharing, never move a file from your personal profile to a shared location. Instead, get in the habit of copying the file. The new copy inherits the permissions from the destination folder (Shared Documents), and is therefore available to every user. After copying the file or folder, you can safely delete the original from your private folder.

Another common cause of permission problems has an equally simple solution. After you add a user account to a group that has been assigned permissions for a file or folder, the user must log off and log back on to have access to the files.

tip - Don't overlook inherited permissions

When trying to sort out why a user is having problems accessing a given file or folder, look first in the Advanced Security Settings dialog box. Pay particular attention to the Inherited From column in the Permission Entries list. The data here will often show you the exact source of an unexpected permission problem.
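
The two problems described in this section (a same-drive move that keeps a private ACL, and a group change that has no effect until the next logon) can be reproduced with a small model. This is an added example, not code from the original text; it assumes allow-only ACLs with a single "access" right, leaves ownership out, and uses constructed user, group, and file names.

```python
# Added example: simplified model of NTFS ACL outcomes and logon tokens.
# All names (alice, bob, the Accounting group, file names) are constructed.
from dataclasses import dataclass, field


@dataclass
class Folder:
    name: str
    volume: str      # drive letter, e.g. "C:"
    fs: str          # "NTFS" or "FAT32"
    acl: frozenset   # users/groups allowed access (allow-only model)
    files: dict = field(default_factory=dict)  # file name -> ACL, None if none stored


def transfer(name, src, dst, op):
    """Copy or move one file; return the ACL it ends up with at the destination."""
    if op not in ("copy", "move"):
        raise ValueError("op must be 'copy' or 'move'")
    if dst.fs == "FAT32":
        new_acl = None               # FAT32 cannot store permission settings
    elif op == "move" and src.fs == "NTFS" and src.volume == dst.volume:
        new_acl = src.files[name]    # same-drive NTFS move: original ACL is retained
    else:
        new_acl = dst.acl            # copy, cross-drive move, or FAT32 source
    dst.files[name] = new_acl
    if op == "move":
        del src.files[name]
    return new_acl


class Machine:
    """Holds group membership; a token is a snapshot taken at logon."""

    def __init__(self, groups):
        self.groups = {g: set(members) for g, members in groups.items()}

    def add_to_group(self, user, group):
        self.groups.setdefault(group, set()).add(user)

    def log_on(self, user):
        member_of = {g for g, members in self.groups.items() if user in members}
        return frozenset({user} | member_of)


def can_access(token, acl):
    """Allowed if any identity in the token is in the ACL (group rights are cumulative)."""
    return acl is None or bool(token & acl)


def find_acl_mismatches(folder):
    """Files whose ACL differs from the folder's: the usual sign of a same-drive move."""
    return sorted(n for n, acl in folder.files.items()
                  if acl is not None and acl != folder.acl)


def run_scenarios():
    pc = Machine({"Users": {"alice", "bob"}, "Accounting": {"alice"}})
    private = Folder("My Documents", "C:", "NTFS", frozenset({"alice"}))
    shared = Folder("Shared Documents", "C:", "NTFS", frozenset({"Users"}))
    private.files = {"moved.doc": private.acl, "copied.doc": private.acl}

    # Scenario 1: alice drags one file (move) and copies another to Shared Documents.
    bob = pc.log_on("bob")
    transfer("moved.doc", private, shared, "move")
    transfer("copied.doc", private, shared, "copy")
    results = {
        "bob_opens_moved": can_access(bob, shared.files["moved.doc"]),
        "bob_opens_copied": can_access(bob, shared.files["copied.doc"]),
        "mismatches": find_acl_mismatches(shared),
    }

    # Scenario 2: bob is added to a group while still logged on.
    payables = Folder("Payables", "C:", "NTFS", frozenset({"Accounting"}))
    payables.files = {"ledger.xls": payables.acl}
    pc.add_to_group("bob", "Accounting")
    results["stale_token"] = can_access(bob, payables.files["ledger.xls"])
    results["fresh_token"] = can_access(pc.log_on("bob"), payables.files["ledger.xls"])
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The mismatch list is the model's counterpart of checking the Inherited From column: a file in a shared folder whose ACL does not come from that folder is the one other users cannot open.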

Securing Files and Folders

When two or more people use the same computer, how do you keep each user from snooping in files and folders that should be private? How do you allow easy access to files that should be shared? And how do you keep untrained users from accidentally wiping out important files? Out of the box, anyone with a user account on a Microsoft Windows XP computer has virtually unlimited access to files and folders. In either edition of Windows XP, you can lock up your personal files and folders by selecting a single check box, even if you know nothing about security. Or, with Windows XP Professional and some advanced access control options, you can exercise precise control over who gets to access any file or folder on any drive.

If the bulk of your previous computing experience is with Windows 95, Windows 98, or Windows Me, the entire notion of file and folder security is probably an alien concept. Those consumer-based operating systems offer only the most rudimentary security. On the other hand, if you’re a seasoned Windows NT or Windows 2000 user, you probably already understand the basics of access control; your challenge with Windows XP is understanding its new and radically different Simple File Sharing interface.


How Setup Decisions Dictate Your Security Options

Three factors dictate how much control you have over access to shared files and folders on a computer running Windows XP:

Disk format.
Access controls, which determine whether a given user can open a folder, read a file, create new files, and perform other file operations, are available only on NTFS-formatted drives. On drives formatted with FAT32, most local security options are unavailable. Any user can access any file without restriction.

Windows XP edition.
By default, Windows XP Home Edition and Windows XP Professional share a simplified security interface that allows you to set a limited number of access controls based on built-in group memberships. If you use Windows XP Professional, you can configure your system to use more complex security options that closely resemble those found in Windows 2000. We discuss the differences between these options fully in this section.

User account settings.
During setup, Windows XP creates a group of shared folders specifically designed to hold files for all users of that computer. (If your computer is joined to a Windows domain, these shared locations are unavailable.) In addition, each user with an account on the machine can designate certain folders as private.

NTFS vs. FAT32

When it comes to security, the single most important factor is the file system you’ve chosen for the drive containing the Windows system files and user profiles. If the drive is formatted using the FAT32 file system, none of the options discussed in this section apply to you. The only way to enable file system permissions is to convert the drive to NTFS format.


Simple File Sharing vs. Advanced Permissions

On a clean installation or an upgrade over Windows 98/Me, Windows XP assigns default security settings that work like on/off switches. This Simple File Sharing interface initially makes all the files in your user profile (including your My Documents folder, desktop, Start menu, and Favorites) visible to anyone who has an administrator’s account on your computer (users with limited accounts are restricted from viewing files in other profiles). As Figure 13-1 shows, opening the My Computer window displays a separate icon for the folder that holds each user’s personal documents, along with an icon for a Shared Documents folder. (See the following section for a full discussion of how the Shared Documents folder works.)

This low-security configuration is similar to the standard setup on a machine running Windows 95/98/Me. In an environment where all users trust each other completely, it makes collaborating easy: If you and a coworker share a computer, you can each keep your personal files organized in your My Documents folder for convenience; if you need to look at a file that your coworker created, you open his or her My Documents folder. Likewise, at home, you and your spouse can browse each other’s files.

But some environments demand less trust and more protection. On a home computer, for example, parents might want to keep financial data and other private files locked out of the reach of children—not just to ensure privacy, but also to protect them from accidental changes or deletion. By selecting a check box on the Sharing tab of a folder’s properties dialog box, you can designate as private all or part of your user profile. After you’ve selected that option, your files are visible only when you log on using your account.

It’s certainly easy to make a folder private—all you do is right-click a folder, choose Sharing And Security, and select the Make This Folder Private check box—but this Simple File Sharing option suffers from some significant limitations:

The Make This Folder Private option is available only within your user profile. If you use a program that stores its user data in any other location, you cannot protect that folder from unauthorized access. Likewise, if you’ve created a second partition on which you store digital images, media files, or other space-gobbling data, you have no way to protect those files from unauthorized access or accidental deletion.

Protection applies to all files and subfolders within a folder where you select this option. You cannot protect an individual file, nor can you single out files or subfolders within a protected folder and make them available to others.

The "private" setting is an all-or-nothing proposition. When you select the Make This Folder Private check box, Windows sets permissions on that folder so that you and only you can access files stored in that location. Clear the check box, and any user who logs on to the computer can view the files stored there.

When Simple File Sharing is enabled and you move or copy files or folders between a private folder and a shared location, the moved or copied objects always take on the security attributes of the destination folder. This behavior changes if you disable Simple File Sharing.



Keeping Your Own Files Private

If you create a new account during setup, or if the Windows Setup program automatically creates your user account when you upgrade from Windows 98 or Windows Me, your account starts out with no password. As the final step when you add a password to your own account from User Accounts in Control Panel, Windows displays the dialog box, which offers to help you make your files and folders private. (This option does not appear if your user profile is stored on a FAT32 drive.)

Using this option to make your files private is convenient, but it’s not the only way to exercise your right to privacy. Regardless of which choice you make when presented with this dialog box, you can change your mind later. You can add or remove protection from your entire profile, or apply the Make This Folder Private option to selected subfolders in your profile.

If you choose this option, Windows resets the permissions on your user profile so that only you can view or open your files and folders.

To protect your entire profile, follow these steps:
In the Run box or from any command prompt, type %systemdrive%\documents and settings.
Right-click the icon labeled with your user name and choose Sharing And Security.
Under Local Sharing And Security, select the Make This Folder Private check box.

Select the Make This Folder Private check box to prevent other users from accessing files in your user profile.

Click OK to close the dialog box and apply your changes.

Other users who log on to the same computer and open the My Computer window can no longer see the folder icon that represents your My Documents folder if you’ve made your user profile private. Other users who try to access your profile by opening the Documents And Settings folder will receive an "access denied" error message when they double-click the folder that contains your profile. The result is the same if another user tries to open a subfolder that you’ve made private.

You can apply protection to selected subfolders within your user profile. For instance, you might want other users to be able to work with some files in your My Documents folder while keeping other files protected. To set up this sort of partial protection, create a subfolder and give it a descriptive name like Private. Then move the files and folders you want to protect into that subfolder, and select the Make This Folder Private option for that folder only.

Using Windows Explorer's Command-Line Syntax

Cascading folder menus, as described earlier in this chapter, are one way to open Windows Explorer with a particular folder in view. But they might not be the ideal way. Compare the two views of the System32 folder. The one on the left was generated by a Start menu item; the one on the right was produced by means of Windows Explorer's command-line syntax.

The view on the right, produced by a command string, restricts the Folders bar to a particular branch of the file structure.

The difference between the two is all in the Folders bar. The command-line string in this case puts the selected folder (System32) at the top of the folder hierarchy, eliminating all folders at higher levels and letting you focus your attention on System32.

This is one example of the usefulness of the Windows Explorer command-line syntax. You can probably find others in your own work. You can use Windows Explorer command strings in shortcuts, with the Start menu's Run command, at the command prompt, or in batch programs or scripts. The syntax is as follows:

explorer [/n /e][,/root,object][[,/select],subobject]

The switches, all of which are optional, have the following effects:

Switch               Effect
/N                   Opens without displaying the Folders bar.
/E                   Opens with the Folders bar displayed.
/Root,object         Restricts Windows Explorer to object and all folders contained within object.
/Select,subobject    Gives the initial focus to the parent folder of subobject and selects subobject. If /Select is omitted, subobject specifies the folder that gets the initial focus.

Let's look at some examples. To begin,

explorer /e,/root,%systemroot%\system32

opens Windows Explorer and displays the Folders bar, restricting the namespace to %SystemRoot%\System32 and its subfolders.

To open %SystemRoot%\Cursors in Windows Explorer, with the Folders bar displayed and the file Appstart.ani selected, you must include the file name and extension in the command string, as follows:

explorer /e, /select,%systemroot%\cursors\appstart.ani

Typing the following opens %SystemRoot% without the Folders bar:

explorer %systemroot%

The folder is loaded as the subobject focus, not as the root folder, which means that you can navigate upward from %SystemRoot% in the folder hierarchy.

The string

explorer /n

opens the drive on which Windows XP is installed without displaying the Folders bar, whereas

explorer /e,.

opens %UserProfile% and displays the Folders bar.

Automating Windows XP
If you use your computer very much—and if you’re reading this book you probably do—you probably find yourself repeatedly performing the same steps to accomplish a number of ordinary tasks. The task might be a routine maintenance activity, such as backing up your data or cleaning detritus from your hard disk, or it might be a job that requires many steps. Computers excel at repetitive actions, and Microsoft Windows XP provides several ways to automate such tasks:


Task Scheduler.

This service launches programs on a regular schedule or upon certain events, such as logging on to your computer.


Batch programs.

These programs, a throwback to the earliest days of MS-DOS, still provide an easy, reliable way to run a sequence of programs and commands. Most programs can be started from a command prompt, which means they can be started from a batch program.


Windows Script Host.

This feature allows you to run scripts written in VBScript, JScript, and other languages. Although learning how to use Windows Script Host is more difficult than learning how to create batch programs, scripts can interact with the operating system and with other programs in much more powerful ways.

Advanced Account Setup Options

Windows XP includes no fewer than four different interfaces for managing users and groups:

User Accounts.
Located in Control Panel, User Accounts provides the simplest method to perform common tasks.

User Accounts (Windows 2000 style).
If your computer is joined to a domain, opening User Accounts in Control Panel displays a different version. If your computer is not joined to a domain, you can open this version by typing control userpasswords2 at a command prompt.

The capabilities of this version of User Accounts are few (you can add or remove local user accounts, set passwords, and place a user account in a single security group), but it has a handful of unique features that you might find compelling. With this version, you can
Change an account's user name

Configure automatic logon
Eliminate the Ctrl+Alt+Delete requirement if you're not using the Welcome screen

Introducing Windows XP Security
The Windows XP approach to security is discretionary. That is, each securable system resource (each file or printer, for example) has an owner, who has discretion over who can and cannot access the resource. Usually, a resource is owned by the user who created it. If you create a file, for example, you are the file's owner under ordinary circumstances. (Computer administrators, however, can take ownership of resources they didn't create.)

To determine which users have access to a resource, Windows assigns a security ID (SID) to each user account. Your SID (a gigantic number guaranteed to be unique) follows you around wherever you go in Windows. When you log on, the operating system first validates your user name and password. Then it creates a security access token. You can think of this as the electronic equivalent of an ID badge. It includes your user name and SID, plus information about any security groups to which your account belongs. (Security groups are described later in this chapter.) Any program you start gets a copy of your security access token.

Whenever you attempt to walk through a controlled "door" in Windows (for example, when you connect to a shared printer), or any time a program attempts to do that on your behalf, the operating system examines your security access token and decides whether to let you pass. If access is permitted, you notice nothing. If access is denied, you see an unavailable menu or dialog box control or, in some cases, you get to hear a beep and read a refusal message.

In determining whom to pass and whom to block, Windows consults the resource's access control list (ACL). This is simply a list of SIDs and the access privileges associated with each one. Every resource subject to access control has an ACL.


Permissions and Rights
Windows distinguishes two types of access privileges: permissions and rights. A permission is the ability to access a particular object in some defined manner; for example, to write to an NTFS file or to modify a printer queue. A right is the ability to perform a particular systemwide action, such as logging on or resetting the clock.

The owner of a resource (or an administrator) assigns permissions to the resource via its properties dialog box. For example, if you are the printer owner or have administrative privileges, you can restrict someone from using a particular printer by visiting the properties dialog box for that printer. Administrators set rights via the Local Security Policy console in the Administrative Tools folder. If you have an administrative account, you can use Local Security Policy to grant someone the right to load a device driver.


In Depth: Security Identifiers

Windows XP security relies on the use of a security identifier (SID) to identify a user. When you create a user account, Windows assigns a unique SID to that account. The SID remains uniquely associated with that user account until the account is deleted, whereupon the SID is never used again, for that user or any other user. Even if you re-create an account with identical information, a new SID is created.

A SID is a variable-length value that contains a revision level, a 48-bit Identifier Authority value, and a number of 32-bit subauthority values. The SID takes the form S-1-x-y1-y2-..., where S-1 identifies it as a revision 1 SID; x is the value for the IdentifierAuthority; and y1, y2, and so on are values for subauthorities.

You'll sometimes see the SID in a security dialog box (for example, on the Security tab of a file's properties dialog box while Simple File Sharing is not enabled) before Windows has had time to look up the user account name. If a SID on a Security tab doesn't change to a name, it's because it's a SID for an account that has been deleted; you can safely delete it from the permissions list because it'll never be used again. You'll also see SIDs in the hidden \Recycler folder (each SID you see in this folder represents the Recycle Bin for a particular user), in the registry (the HKEY_USERS hive contains a key, identified by SID, for each user account on the computer), and deep in the %UserProfile%\Application Data\Microsoft folder structure, among other places.

Not all SIDs are unique. A number of commonly used SIDs are constant among all Windows XP installations. For example, S-1-5-18 is the SID for the built-in System account, a hidden member of the Administrators group that is used by the operating system and by services that log on using the System account. Microsoft Windows XP Professional Resource Kit Documentation (Microsoft Press, 2001) contains a complete list of such SIDs, called well-known SIDs.
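
The structure described above (revision, 48-bit identifier authority, 32-bit subauthorities) maps directly onto the binary form Windows stores in ACLs and the registry. The following is an added example, not part of the original text: it converts between the binary and S-1-x-y form and labels a few well-known SIDs. Only S-1-5-18 comes from this page; the other table entries are standard Windows values, and the account SID in the sample list is constructed.

```python
# Added example: convert between binary and string SIDs and classify them.
import struct

MAX_SUBAUTHORITIES = 15  # Windows limit on subauthority count

# S-1-5-18 is named on this page; the rest are standard well-known SIDs.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-545": "Users",
    "S-1-5-32-546": "Guests",
    "S-1-5-32-547": "Power Users",
    "S-1-5-32-551": "Backup Operators",
}
ACCOUNT_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def sid_to_string(raw):
    """Binary layout: revision (1 byte), count (1 byte), authority (6 bytes,
    big-endian), then `count` little-endian 32-bit subauthorities."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUBAUTHORITIES or len(raw) != 8 + 4 * count:
        raise ValueError("subauthority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    # The authority is shown in hex when it does not fit in 32 bits.
    auth_text = str(authority) if authority < 2 ** 32 else "0x%012x" % authority
    return "-".join(["S", str(revision), auth_text] + [str(s) for s in subs])


def string_to_sid(text):
    """Inverse of sid_to_string; rejects out-of-range or malformed fields."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a revision 1 SID: %r" % text)
    authority = int(parts[2], 0)              # decimal or 0x-prefixed hex
    subs = [int(p) for p in parts[3:]]
    if not 0 <= authority < 2 ** 48:
        raise ValueError("identifier authority must fit in 48 bits")
    if len(subs) > MAX_SUBAUTHORITIES or any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("bad subauthority count or value")
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def describe(sid):
    """Name a well-known SID, or report the relative ID (last field) of an account SID."""
    if sid in WELL_KNOWN:
        return WELL_KNOWN[sid]
    parts = sid.split("-")
    if parts[:4] == ["S", "1", "5", "21"] and len(parts) == 8:
        rid = int(parts[7])
        return "account, RID %d (%s)" % (rid, ACCOUNT_RIDS.get(rid, "user or group account"))
    return "unrecognized"


# Constructed sample, shaped like the SID-named keys under HKEY_USERS.
SAMPLE_SIDS = [
    "S-1-5-18",
    "S-1-5-21-1111111111-2222222222-3333333333-500",
    "S-1-5-21-1111111111-2222222222-3333333333-1003",
]


def classify(sids):
    return {sid: describe(sid) for sid in sids}


if __name__ == "__main__":
    for sid, label in classify(SAMPLE_SIDS).items():
        print(sid, "->", label)
```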



User Accounts

The backbone of Windows XP security is the ability to uniquely identify each user. During setup, or at any time later, a computer administrator creates a user account for each user. The user account is identified by a user name and (optionally) a password, which the user provides when logging on to the system. Windows then controls, monitors, and restricts access to system resources based on the permissions and rights associated with each user account by the resource owners and the system administrator.
In addition to such "normal" user accounts, Windows provides two special accounts that have predefined sets of permissions and rights associated with them: the Administrator account and the Guest account.

Administrator account.
Every computer running Windows XP has a special account named Administrator. This account has full rights over the entire computer. It can create other user accounts and is generally responsible for managing the computer. Many system features and rights are off limits to accounts other than Administrator (or another account that belongs to the Administrators group).

Guest account.
The Guest account resides at the other end of the privilege spectrum. It is designed to allow an infrequent or temporary user such as a visitor to log on to the system without providing a password and use the system in a restricted manner. (By default, the Guest account is disabled on a clean install of Windows XP; no one can use an account that's disabled.) The Guest account is also used for access to shared network resources on your computer when Simple File Sharing is enabled.

Account Types

Account type is a simplified way, new in Windows XP, of describing membership in a security group, a collection of user accounts. Groups allow a system administrator to create classes of users who share common privileges. For example, if everyone in the accounting department needs access to the Payables folder, the administrator can create a group called Accounting and grant the entire group access to that folder. If the administrator then adds all user accounts belonging to employees in the accounting department to the Accounting group, these users will automatically have access to the Payables folder. A user account can belong to one group, more than one group, or no group at all.

Groups are a valuable administrative tool. They simplify the job of ensuring that all members with common access needs have an identical set of privileges. Although you can grant privileges to each user account individually, doing so is tedious and prone to errors, and usually considered poor practice. You're better off assigning permissions and rights to groups, and then adding user accounts to the group with the appropriate privileges.
Permissions and rights for group members are cumulative. That means that if a user account belongs to more than one group, the user enjoys all the privileges accorded to all groups of which the user account is a member.

Windows XP classifies each user account as one of four account types:

Computer administrator.
Members of the Administrators group are classified as computer administrator accounts. The Administrators group, which by default includes the Administrator account and all accounts you create during Windows XP setup, has more control over the system than any other group. Computer administrators can
Create, change, and delete user accounts and groups
Install programs
Share folders
Set permissions
Access all files
Take ownership of files
Grant rights to other user accounts and to themselves
Install or remove hardware devices
Log on in Safe Mode

Limited.
Members of the Users group are classified as limited accounts. By default, limited accounts can
Change the password, picture, and associated .NET Passport for their own user account
Use programs that have been installed on the computer
View permissions (if Simple File Sharing is disabled)
Create, change, and delete files in their document folders
View files in shared document folders

Guest.
Members of the Guests group are shown as guest accounts. Guest accounts have privileges similar to limited accounts. A user logged on with the Guest account (but not any other account that is a member of the Guests group) cannot create a password for the account.

Unknown.
The account type for a user account that is not a member of the Administrators, Users, or Guests group is shown as Unknown. Because accounts you create with User Accounts in Control Panel are automatically assigned to the Administrators group or the Users group, you'll see the Unknown account type only if you upgraded your computer from an earlier version of Windows (for example, new users in Windows 2000 are assigned by default to the Power Users group) or if you use the Local Users And Groups console or the Net Localgroup command to manage group membership.




Backup Operators.
Members of the Backup Operators group have the right to back up and restore folders and files, even ones that they don't otherwise have permission to access. Backup operators also have access to the Backup Utility program.

HelpServicesGroup.
This group is used by Microsoft and computer manufacturers for Remote Assistance, enabling technical support personnel to connect to your computer.

Network Configuration Operators.
Members of this group have administrative privileges in areas that relate to setting up and configuring networking components.

Power Users.
The Power Users group is intended for those who need many, but not all, of the privileges of the Administrators group. Power Users can't take ownership of files, back up or restore files, load or unload device drivers, or manage the security and auditing logs. Unlike ordinary users, however, Power Users can share folders; create, manage, delete, and share local printers; and create local users and groups.

Remote Desktop Users.
Users in this group can connect to the computer via the Remote Desktop feature, if it is enabled.

Replicator.
Members of the Replicator group can manage the replication of files on the domain, workstation, or server. (File replication, a feature of Windows .NET Server and its predecessors, Windows 2000 Server and Windows NT Server, is beyond the scope of this book.)

Configuring System Restore Options

When a rogue program or buggy driver causes your computer to crash, the System Restore feature can be a lifesaver. (For details on how you can use System Restore, If you accept its default settings this feature will gobble up a hefty chunk of disk space and can have unexpected (and unpleasant) side effects, including the deletion of recently downloaded files with no warning. Before you need to use System Restore, familiarize yourself with its workings and learn how to customize it so it doesn’t take you by surprise. You can take charge of System Restore in several ways.
To access the full set of System Restore options, open System in Control Panel and click the System Restore tab.

By default, System Restore monitors changes to every drive on your system and sets aside up to 12 percent of each drive for storing its data.

Using this dialog box, you can adjust any of the following settings:

Drive space used
By default, System Restore reserves 12 percent of available disk space on every drive. On a 30-GB drive, that adds up to an excessive 3.6 GB of storage space. To rein in space usage for a specific drive, click the Settings button to the right of that drive and move the slider control to the left.

note

The default location for System Restore data is d:\System Volume Information, where d is the letter of each drive. Each restore point is stored in its own subfolder, under the name _restoreGUID, where GUID is a unique 32-character alphanumeric identifier. This location cannot be changed. On an NTFS drive, these files are not accessible to users, even those in the Administrators group; the default NTFS permissions grant access only to the System account.


Drives to be monitored.
By design, System Restore keeps tabs on every drive on your system. If you’ve set aside one or more drives exclusively for data, you can safely turn off System Restore monitoring on those drives. This action has the effect of reclaiming the space used for restore points; it also prevents System Restore from inadvertently wiping out files on those drives. To exclude a drive from monitoring, open the System Properties dialog box and click the System Restore tab. Select the drive to exclude, click the Settings button, and select Turn Off System Restore On This Drive. Note that this option is not available on the drive that contains your system files.

Use this slider to reduce the appetite of System Restore. The setting shown here is one-third the normal 12 percent allocation, but should be sufficient for most uses.

caution
System Restore is a powerful tool, and you shouldn’t disable it without a good reason. If you’re extremely low on disk space and a hard disk upgrade is impractical or impossible (as on some notebook computers), you might choose to do so. Otherwise, let it run.

Files and folders to be monitored.
By default, System Restore maintains a strict hands-off policy on all files stored in your My Documents folder and in the %SystemRoot%\Downloaded Program Files folder. Every other folder on your system is fair game, however, and the results can be disconcerting. After you use System Restore to roll back your system to a previous configuration, you may discover that the utility wiped out executable files, scripts, dynamic link libraries (DLLs), TrueType fonts, and Adobe Acrobat Portable Document Format (PDF) files that were stored outside of your My Documents folder and that had been downloaded after the date of the restore point you selected. If you routinely download programs or create PDF files in a non-protected location, you may want to specifically declare that location to be exempt from System Restore monitoring. To do so, you must add a value to the registry. Follow these steps:
Open Registry Editor (Regedit.exe) and select the following key:

HKLM\System\CurrentControlSet\Control\BackupRestore\FilesNotToBackup
Choose Edit, New, Multi-String Value.

Give the new value a name that describes the location you’re about to specify: My Downloads, for instance.

Double-click the newly created value. Enter the full path of the folder you want to protect from monitoring and then click OK.

Note that the change you just made will not go into effect until after you set your next restore point manually or Windows creates a system checkpoint. Therefore, it’s good practice to set a fresh restore point after making changes.

If you ever receive a "low disk space" warning for any drive, check your System Restore settings immediately. The utility will shut down on its own if free disk space drops below 200 MB on any single partition. When this happens, you receive no warning. The only indication appears when you open the System Restore properties dialog box, where each drive letter’s status is listed as Suspended.

Windows will not turn System Restore back on automatically. To do so manually, try the following workaround:
From Control Panel, open the System tool and click the System Restore tab.
Select the Turn Off System Restore On All Drives option and click Apply. This completely shuts down System Restore.

Clear the Turn Off System Restore On All Drives option and click Apply. The Status column for each drive changes to Monitoring, an indication that System Restore is working again.

From the Available Drives list, select the entry for any drive that you want to exclude from System Restore protection and click the Settings button.

Select the Turn Off System Restore On This Drive option, and click OK. Repeat for other drives you want to exclude from System Restore.
Click OK to close the System Restore dialog box.
If the drive that produced the "low disk space" warning is normally full (as might be the case on a drive used to store a large archive of media files that never change), be sure to exclude that drive so that it doesn’t continually disable System Restore.