Windows 2000 Un-attended install - Change the path of the "program files" directory

[Peter]

Hello all,

A nice hard question.

I would like to change the path to the "program files" directory during
install.

I know that there is a section that allows you to change the path for the
"Documents and Settings" folder. Is there something similar for the
"program files"?

Reference Material:

KB236621 - "Cannot Move or Rename the Documents and Settings Folder" : This
will allow you to specify the "Documents and Settings" folder path during
setup.
http://www.rdisruption.com/2000/2k0019.htm : This link tells you about a
registry key you can change for the program files path.

Background:

During the installation process we have scripted Diskpart to partition and
setup partitions on a single hard drive (C,D and X drives).
* C Drive - This will be the main system drive and locked down
approriatly.
* D Drive - This will be the Program Files drive.
* X Drive - We would like all the Temp files and users information to go
here.

Any ideas?

Thanks in advance for any help you can provide.


PS: To reply directly to me remove the SPAM stuff from my email address.

 

[Gerry Hickman]

Hi,

I can't think of a good reason to do this? Today's hard drives are massive.

 

[Peter]

It is more for added security.

Much easier to lock drives and applications down. I cannot remember which
Best Practices guide I read it in but even Microsoft recommend that you dont
install applications on the system drive.

 

[Peter]

,

Thats an interesting thing to say "full of holes".

Windows 2000 may be full of holes but there are things that you can do as an
administrator (or system developer) to reduce and even mitigate these risks.

By using ACL's on the file system, in the registry and else where you can
provide a fairly solid system (I admit there are other issues that you have
a much harder time protecting against), also using GPO to lock down drives
is another thing but if you dont even try to make these changes then you are
just opening yourself up for all these problems.

For example there are still a lot of applications that dont respect the fact
that you have hidden the C drive (let alone locked the drive from users) all
that you have to to do to by pass security is open an application that
doesnt respect this setting then browse to the C drive and open any files
they want (and possibly save the changes depending on the file ACL for the
user).

There are a lot of usefull documents all over the net making recommendations
and specifications (both from Microsoft and third party organisations and
individuals) which will help close some of these "holes".

This question is simply trying to implement one of these recommendations in
an easy to do way. As I originally stated there is an officially supported
way by Microsoft to change the path for the Documents and Settings folder
during System install. What I am asking is if there is an equivialant way
to do this for the program files folder.

Lets ignore for the sake of a solution that this may or may not reduce the
"full of holes" argument. This question was just trying to work out if
there is a "known" way to do this during install.

Any answers?

Hi Peter,

Well, maybe not IIS but I fail to see the logic for other apps. Windows
is full of holes, and this is the least of your worries IMO.

 

[Gerry Hickman]

Windows 2000 may be full of holes

Personally, I'd be much more concerned about a buffer over-run in one of
the MDAC DLLs, JVM or HTML converter.

By using ACL's on the file system, in the registry and else where you can
provide a fairly solid system

I agree.

For example there are still a lot of applications that dont respect the fact
that you have hidden the C drive (let alone locked the drive from users)

I guess it depends on your business need, and what you're trying to
achieve? Personally, I don't care if they can "see" the C drive - what
are they going to do with it? If they're ordinary users they'll have
better things to do, and won't know what to do anyway, and if they abuse
it they'll be fired. If they're hackers they'll just laugh and bypass
the security anyway. Maybe students would come into the category you
describe (they want to spend all day trying to "break-in", but can't be
sacked due to bleeding heart liberals spouting political correctness?).

I actually moved my apps directory at home a couple of years ago because
hard drives were small then, but it was such a mess (some apps hard code
"c:\program files" and so on), I'd never do it now; same with local
profiles - there's just no need. If one of our users messes up their C
drive I just send a memo to the boss about wasted time and nuke their
machine (it's never happened though).

I believe "program files" is a "special folder" and that it can be coded
to a path (probably in the reg), but I'd think long and hard before
going down this route. It used to be more appropriate in the days of
dual boot where you had an "apps" drive.

One things for sure though; Windows 2000 is the best O/S ever released
by Microsoft and probably will remain so for some time.