Can any user access the %APPDATA% folder

Question

Can any user access the %APPDATA% folder? Or can only administrators read & access that directory? Also, do the permissions to access this directory differ over different Windows platforms from 2k to Windows 7?

Answer 1

You can see the permissions on %APPDATA% by using the icacls tool at the command prompt. Here's what it looks like on my machine:

C:\Users\davidp>icacls %APPDATA%
C:\Users\davidp\AppData\Roaming NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                BUILTIN\Administrators:(I)(OI)(CI)(F)
                                MACHINE09\davidp:(I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

What this means is that only I, administrators, and the system itself can see the folder. If you run this on a folder where other users can see it, you'll see something like this:

C:\Users\davidp>icacls c:\
c:\ BUILTIN\Administrators:(F)
    BUILTIN\Administrators:(OI)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(F)
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
    BUILTIN\Users:(OI)(CI)(RX)
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
    NT AUTHORITY\Authenticated Users:(AD)
    Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)

Successfully processed 1 files; Failed processing 0 files

You can see that the BUILTIN\Users group can see the c:\ folder (as you would expect).

EDIT

I'm not sure how far back the %APPDATA% variable itself goes back in Windows history. I recommend checking directly. On older systems the cacls command was the predecessor to icacls. Regardless, in Windows NT-based OSes there has always been a profile area visible only to the user and administrators.

Answer 2

%AppData% is a user-specific path. Yes, any user can access %appdata%, but it will go to a different directory for each user. Only an administrator can read the appdata of another user.

Do the effort of actually going to %appdata% on your machine, and looking at the path it gets converted into. Do you see what I mean?