Windows explorer restrictions bypasses - filesystem access

It often happens while pentesting to encounter restrictions on various parameters on Windows systems. Constrained environments such as remote desktops, “kiosks” etc. are usual starting points for security professionals. Hence, bypassing restrictions on these machines is a skill that proves useful during penetration tests.

One of the first mechanisms on Windows explorer we will see exists to prevent users from accessing the filesystem of the different plugged-in disks. Mostly the purpose of it is to hide drives (especially the system drive) from regular, non-administrator, users, giving a feeling of protection to organisations deploying such mechanisms.

We will see in what consist these protections, how it is configured and how to bypass it.

Unconstrained environment

In an unrestricted environment, users can access the different drives of the machine using file explorer, explorer.exe:

Normal C drive

Double-clicking on the drive icon will then give access to file and folders stored on it:

Normal C drive

It is also possible for them to type it in the upper bar of explorer to access it:

Normal C drive

Note that Windows tries to autocomplete paths automatically.

There are many other ways for a user to access the drive, using the explorer “save as” feature, by printing a document, with browsers etc.


According to Microsoft,NoDrives :

Removes the icons representing selected drives from My Computer and from Windows Explorer. Also, the drive letters representing the selected drives do not appear in the standard Open dialog box. This entry stores the setting of the Hide these specified drives in My Computer Group Policy.

The NoDrives parameter is controlled via local policies and is technically declined via a registry key:


The key can take several values which is a sort of bitmask of what drive can be seen from a user perspective:

Value Meaning
0x0 Do not restrict drives. All drives appear.
0x3 Restrict A and B drives only.
0x4 Restrict C drive only.
0x7 Restrict A, B, and C drives only.
0x8 Restrict D drive only.
0xF Restrict A, B, C, and D drives only.
0x03FFFFFF Restrict all drives. has a nice calculator for mapping values to drives.

If we create the corresponding key on a machine with the value 0x4 for the C: drive for example:

We can see that the C: drive disappear from explorer for the user:


As NoDrives is mostly a visual restriction, accessing the drives using explicit path still works. In our C: example, you can just type in the upper bar C: and then ENTER:

Normal C drive

Autocompletion also still works with NoDrives so you can partially list the drive using the explorer upper bar for example:

If you have no access to the file explorer, the Windows Run box can be used:

Or Microsoft Edge:


In conjunction with NoDrives, the NoViewOnDrive restriction can be enabled. According to Microsoft it:

Prevents users from using My Computer to access the content of selected drives.

When a drive is represented in the value of this entry, users cannot view the contents of the selected drives in My Computer or in Windows Explorer. Also, they cannot use the Run dialog box, the Map Network Drive dialog box, or the Dir command to view the directories on these drives.

It is also controlled via local policies and has an associated registry key:


Values of the above key follow the same table than NoDrives.

We set it to the value 0x4 corresponding to the C: drive on our test sytem:

Users are now restricted in what they can see from explorer by typing C: in the upper bar for example:

Trying to access it via Run will provoke the same message than above to be displayed.


Using Edge still allows users to view the forbidden drive:

If you have access to a CLI such as cmd.exe or powershell.exe, it is also a bypass:

You can also map a network drive to the local C::

And access it afterwards using explorer:

Basically, any program other than explorer.exe or other native Windows GUI programs will bypass the restriction.


To restrict the above network map bypass on NoViewOnDrive, another parameter named NoNetConnectDisconnect exists. According to Microsoft it:

Prevents users from using Windows Explorer or My Network Places to either map or disconnect network drives.

It is also controlled via the local policies and has an associated registry key:


Value can be set to 0 for no restriction or 1 to enable it. Once it is enabled, unprivileged users can no longer map network drives via explorer, which may be an issue depending on one organisation’s needs.

We set it on our environment:

Users can no longer map network drives from explorer:


Access the local C: drive from the loopback without creating a mapping:

Create a mapping from the CLI as NoNetConnectDisconnect is a visual restriction with net use <drive> <net_path>:

Or use Microsoft Edge.


Knowing how to bypass Windows explorer restrictions is useful, especially when this type of restriction is the first step to be able to do anything else as an attacker.

Through the above example of filesystem, you saw that Microsoft’s restrictions are far away from being bulletproof and that many ways exists to bypass it.

Many other parameters are used by Microsoft to restrict explorer and other GUI components. I plan to post on other restrictions soon, so stay tuned.

In the meantime, you can read a good article on command-line restrictions evasions by Martin Sohn Christensen: The command prompt has been disabled by your administrator. Press any key to continue… or use these weird tricks to bypass – admins will hate you! — Improsec | improving security.