Deny application access to hard drive or volume in Windows 7+











up vote
12
down vote

favorite
4












I want to deny some of the applications on my computer to access certain drives or logical volumes, but couldn't find a solution so far.



Background: My PC has an SSD as system drive and a 15TB Raid-6 w/ five harddrives. The controller is configured to spin down the drives after ~10-15 minutes. This is fine since sometimes I don't need to access anything on the Raid for a couple of hours or even longer. Some applications such as Adobe Reader access all logical volumes when starting for some reason I cannot comprehend. My assumption is that all volumes with a drive letter assigned are affected. Removing the letters and re-assigning them isn't an option at all ;)



How can I restrict Adobe Reader or other applications from accessing these volumes my Raid hosts?










share|improve this question






















  • I do not know how to disable access for certain application. But I suspect, if there is a tool to deny access to SSD for some application, you will lose the ability to open files from that volumes. So in this case it is better to try to find out what function makes Adobe Reader to read/write something from/to SSD. Look at the "recent files" feature. Maybe it checks their availability each time.
    – VIK
    Nov 17 '13 at 16:45










  • I want to restrict access to the Raid, not to the SSD. In fact, there is nothing on any volume on the Raid, that is of any use to Adobe Reader on my computer. So, yes, in my case I explicitely want to lose the ability to access anything from within Adobe Reader what is not on the SSD. You might be correct about the "recent files"-feature though (although in this case there aren't any recent files coming from those volumes).
    – user654123
    Nov 17 '13 at 16:57






  • 1




    What about a radical solution such as using another PDF viewer? This does not solve problems with other apps but as I understand the Adobe Reader is most annoying thing for you. en.wikipedia.org/wiki/List_of_PDF_software
    – VIK
    Nov 17 '13 at 17:06










  • Yes, it's the most annoying application :) I was hoping there might be a built-in solution to that problem since denying internet access via the Windows firewall works fine for other programs.
    – user654123
    Nov 17 '13 at 17:12






  • 1




    Have you considered running Reader as a separate user which doesn't have access to those volumes?
    – TWiStErRob
    Dec 21 '14 at 15:15















up vote
12
down vote

favorite
4












I want to deny some of the applications on my computer to access certain drives or logical volumes, but couldn't find a solution so far.



Background: My PC has an SSD as system drive and a 15TB Raid-6 w/ five harddrives. The controller is configured to spin down the drives after ~10-15 minutes. This is fine since sometimes I don't need to access anything on the Raid for a couple of hours or even longer. Some applications such as Adobe Reader access all logical volumes when starting for some reason I cannot comprehend. My assumption is that all volumes with a drive letter assigned are affected. Removing the letters and re-assigning them isn't an option at all ;)



How can I restrict Adobe Reader or other applications from accessing these volumes my Raid hosts?










share|improve this question






















  • I do not know how to disable access for certain application. But I suspect, if there is a tool to deny access to SSD for some application, you will lose the ability to open files from that volumes. So in this case it is better to try to find out what function makes Adobe Reader to read/write something from/to SSD. Look at the "recent files" feature. Maybe it checks their availability each time.
    – VIK
    Nov 17 '13 at 16:45










  • I want to restrict access to the Raid, not to the SSD. In fact, there is nothing on any volume on the Raid, that is of any use to Adobe Reader on my computer. So, yes, in my case I explicitely want to lose the ability to access anything from within Adobe Reader what is not on the SSD. You might be correct about the "recent files"-feature though (although in this case there aren't any recent files coming from those volumes).
    – user654123
    Nov 17 '13 at 16:57






  • 1




    What about a radical solution such as using another PDF viewer? This does not solve problems with other apps but as I understand the Adobe Reader is most annoying thing for you. en.wikipedia.org/wiki/List_of_PDF_software
    – VIK
    Nov 17 '13 at 17:06










  • Yes, it's the most annoying application :) I was hoping there might be a built-in solution to that problem since denying internet access via the Windows firewall works fine for other programs.
    – user654123
    Nov 17 '13 at 17:12






  • 1




    Have you considered running Reader as a separate user which doesn't have access to those volumes?
    – TWiStErRob
    Dec 21 '14 at 15:15













up vote
12
down vote

favorite
4









up vote
12
down vote

favorite
4






4





I want to deny some of the applications on my computer to access certain drives or logical volumes, but couldn't find a solution so far.



Background: My PC has an SSD as system drive and a 15TB Raid-6 w/ five harddrives. The controller is configured to spin down the drives after ~10-15 minutes. This is fine since sometimes I don't need to access anything on the Raid for a couple of hours or even longer. Some applications such as Adobe Reader access all logical volumes when starting for some reason I cannot comprehend. My assumption is that all volumes with a drive letter assigned are affected. Removing the letters and re-assigning them isn't an option at all ;)



How can I restrict Adobe Reader or other applications from accessing these volumes my Raid hosts?










share|improve this question













I want to deny some of the applications on my computer to access certain drives or logical volumes, but couldn't find a solution so far.



Background: My PC has an SSD as system drive and a 15TB Raid-6 w/ five harddrives. The controller is configured to spin down the drives after ~10-15 minutes. This is fine since sometimes I don't need to access anything on the Raid for a couple of hours or even longer. Some applications such as Adobe Reader access all logical volumes when starting for some reason I cannot comprehend. My assumption is that all volumes with a drive letter assigned are affected. Removing the letters and re-assigning them isn't an option at all ;)



How can I restrict Adobe Reader or other applications from accessing these volumes my Raid hosts?







windows-7 windows windows-8






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Nov 17 '13 at 16:14









user654123

839




839












  • I do not know how to disable access for certain application. But I suspect, if there is a tool to deny access to SSD for some application, you will lose the ability to open files from that volumes. So in this case it is better to try to find out what function makes Adobe Reader to read/write something from/to SSD. Look at the "recent files" feature. Maybe it checks their availability each time.
    – VIK
    Nov 17 '13 at 16:45










  • I want to restrict access to the Raid, not to the SSD. In fact, there is nothing on any volume on the Raid, that is of any use to Adobe Reader on my computer. So, yes, in my case I explicitely want to lose the ability to access anything from within Adobe Reader what is not on the SSD. You might be correct about the "recent files"-feature though (although in this case there aren't any recent files coming from those volumes).
    – user654123
    Nov 17 '13 at 16:57






  • 1




    What about a radical solution such as using another PDF viewer? This does not solve problems with other apps but as I understand the Adobe Reader is most annoying thing for you. en.wikipedia.org/wiki/List_of_PDF_software
    – VIK
    Nov 17 '13 at 17:06










  • Yes, it's the most annoying application :) I was hoping there might be a built-in solution to that problem since denying internet access via the Windows firewall works fine for other programs.
    – user654123
    Nov 17 '13 at 17:12






  • 1




    Have you considered running Reader as a separate user which doesn't have access to those volumes?
    – TWiStErRob
    Dec 21 '14 at 15:15


















  • I do not know how to disable access for certain application. But I suspect, if there is a tool to deny access to SSD for some application, you will lose the ability to open files from that volumes. So in this case it is better to try to find out what function makes Adobe Reader to read/write something from/to SSD. Look at the "recent files" feature. Maybe it checks their availability each time.
    – VIK
    Nov 17 '13 at 16:45










  • I want to restrict access to the Raid, not to the SSD. In fact, there is nothing on any volume on the Raid, that is of any use to Adobe Reader on my computer. So, yes, in my case I explicitely want to lose the ability to access anything from within Adobe Reader what is not on the SSD. You might be correct about the "recent files"-feature though (although in this case there aren't any recent files coming from those volumes).
    – user654123
    Nov 17 '13 at 16:57






  • 1




    What about a radical solution such as using another PDF viewer? This does not solve problems with other apps but as I understand the Adobe Reader is most annoying thing for you. en.wikipedia.org/wiki/List_of_PDF_software
    – VIK
    Nov 17 '13 at 17:06










  • Yes, it's the most annoying application :) I was hoping there might be a built-in solution to that problem since denying internet access via the Windows firewall works fine for other programs.
    – user654123
    Nov 17 '13 at 17:12






  • 1




    Have you considered running Reader as a separate user which doesn't have access to those volumes?
    – TWiStErRob
    Dec 21 '14 at 15:15
















I do not know how to disable access for certain application. But I suspect, if there is a tool to deny access to SSD for some application, you will lose the ability to open files from that volumes. So in this case it is better to try to find out what function makes Adobe Reader to read/write something from/to SSD. Look at the "recent files" feature. Maybe it checks their availability each time.
– VIK
Nov 17 '13 at 16:45




I do not know how to disable access for certain application. But I suspect, if there is a tool to deny access to SSD for some application, you will lose the ability to open files from that volumes. So in this case it is better to try to find out what function makes Adobe Reader to read/write something from/to SSD. Look at the "recent files" feature. Maybe it checks their availability each time.
– VIK
Nov 17 '13 at 16:45












I want to restrict access to the Raid, not to the SSD. In fact, there is nothing on any volume on the Raid, that is of any use to Adobe Reader on my computer. So, yes, in my case I explicitely want to lose the ability to access anything from within Adobe Reader what is not on the SSD. You might be correct about the "recent files"-feature though (although in this case there aren't any recent files coming from those volumes).
– user654123
Nov 17 '13 at 16:57




I want to restrict access to the Raid, not to the SSD. In fact, there is nothing on any volume on the Raid, that is of any use to Adobe Reader on my computer. So, yes, in my case I explicitely want to lose the ability to access anything from within Adobe Reader what is not on the SSD. You might be correct about the "recent files"-feature though (although in this case there aren't any recent files coming from those volumes).
– user654123
Nov 17 '13 at 16:57




1




1




What about a radical solution such as using another PDF viewer? This does not solve problems with other apps but as I understand the Adobe Reader is most annoying thing for you. en.wikipedia.org/wiki/List_of_PDF_software
– VIK
Nov 17 '13 at 17:06




What about a radical solution such as using another PDF viewer? This does not solve problems with other apps but as I understand the Adobe Reader is most annoying thing for you. en.wikipedia.org/wiki/List_of_PDF_software
– VIK
Nov 17 '13 at 17:06












Yes, it's the most annoying application :) I was hoping there might be a built-in solution to that problem since denying internet access via the Windows firewall works fine for other programs.
– user654123
Nov 17 '13 at 17:12




Yes, it's the most annoying application :) I was hoping there might be a built-in solution to that problem since denying internet access via the Windows firewall works fine for other programs.
– user654123
Nov 17 '13 at 17:12




1




1




Have you considered running Reader as a separate user which doesn't have access to those volumes?
– TWiStErRob
Dec 21 '14 at 15:15




Have you considered running Reader as a separate user which doesn't have access to those volumes?
– TWiStErRob
Dec 21 '14 at 15:15










2 Answers
2






active

oldest

votes

















up vote
6
down vote



+175










In Windows, there is no native supported way to block certain processes from accessing certain drives, that goes "against the current nature" how the operating system handles drive access.



The right for access is determined by the logged on user's rights who starts the application. So if the software developer decided his software should search all accessible drives and does not give you the option to turn that off... well, that's bad programming which does not consider your particular use case. But there are a few workarounds.



The only "sure" solution is 2, since the hardware virtualization layer (from the virtual machine) can block any applications to attempt to access the "real hardware" completely. Although I haven't had the case where solution 1 doesn't work, but theoretically I think it could be bypassed.



Option "1" - Disabling the drives at a "low level" - No additional software needed



Option 1a



It's possible to disable the volumes on a lower layer by disabling the drives altogether, but this will disable all volumes on the drive. Manually, you can do it by starting diskmgmt.msc, then right click on the drive and mark it "offline".



enter image description here



If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b. You can do that, for example, via cmd as described here or via PowerShell, as it is described here.



Option 1b



You can deactivate the drive's driver altogether. To do in manually: start diskmgmt.msc, then right click, choose "options". Then go to the "Driver"-Tab and select "Deactivate". The drive will "disappear" in the disk manager and won't be accessible through the operating system anymore. Unless the software doesn't execute machine code commands to communicate directly with the hardware, there should be no way for the application to access the drives. At least as far as my knowledge of the ins and outs for operating systems goes.



enter image description here



If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b using, for example, Devcon.exe. You can find a detailed description here.



Option 2 - Using a virtual environment (mostly with 3rd party software)



If running the application within a virtual environment is an option at all, there are plenty of solutions out there:




  • depending on your Windows version (Win7 and up required) and license ("Professional" required, "Home" won't do), you can just use Hyper-V to set up a virtual environment without any third party software.


  • you can use a third party software to set up a virtual system like VMplayer, Virtual Box, etc. There are many freeware and payware alternatives. By using this solution, you will need a second licence for Windows (or you leave it unlicensed, but then you will get an overlay in the lower right corner of the screen that will tell you to register Windows). This will definitely prevent the software from accessing the drive.


  • you could use a "sandbox"-application. But it will depend on the level of virualization the sandbox-application offers. In some cases, it can solve the problem; in other cases, it doesn't. Sandboxie, for example (the one harrymc describes in his answer), doesn't solve the problem with the configuration harrymc described in his (original) answer. Although the software might block the access, the drive will still spine up. An alternative would be to use a different sandbox application like Cameyo, etc.



By the way, here's a good article for the main difference between the different virtualization software, especially the difference between a "whole" virtual machine (like Virtual Box) or "semi virtual" applications (like Sandboxie).



Option 3 - Unmounting just volumes (leaving the drive "intact") - No additional software needed, BUT it might not work in your case



Option 3a



Instead of starting the application via its regular shortcut, you could write a batch file using the command mountvol that first unmounts the unused volume, then starts the application, and then remounts the volume once the application doesn't access the drive anymore. The mounting/unmounting process via command line is described here and here. You can also use diskpart as described here and here.



Option 3b



Alternatively, you could just leave the drive unmounted in general and mount it via a batch file that mounts the drive which you start manually when needed. After you're done using it, you can manually unmount it using a second batch file. You could automatize that by monitoring file system access requests and mount/unmount the drive as required following certain rules e.g. that certain applications won't have access. But I'm not sure automation is worth the extra effort involved.



Option 4 - Restricting access to a drive-letter (volume). Simple to do, but two small tools from Microsoft needed - BUT it might not work in your case



If you want to do it without 3rd party software but don't mind to use two small tools from Microsoft (if you don't use it already). I prefer this solution because it gets the problem "by the root" (differentiation between the user's and the application's rights) and it's fairly simple and no "big" third party software is needed.



Basically, you add a user with no access to the drive and then you start the program with those limited rights (you will still log on as your regular user, you won't use the restricted account to log on).




  • Add a user account.


  • Restrict the new user account's access to the drive by using Windows Access Control for the file system. Here's a good How-To including screenshots.


  • Then, start the software with those rights. You can, for example, use PsExec.exe to do that or Process Explorer, here's how. One of those two you will have to download from the Microsoft website, if you don't have them already.







share|improve this answer






























    up vote
    4
    down vote













    I propose a solution that uses
    Sandboxie.
    I don't have your environment, so I have tested running Acrobat.exe in
    a sandbox where its access to D: was blocked.
    When opening in Acrobat the menu File > Open, I get this :



    image



    Notice that Acrobat can't even find the label of disk D:, so is forced to display
    it in a lame way, and how it is blocked when I click on "Local Disk (D:)".



    The steps I used were :




    • Installed Sandboxie

    • In Sandboxie Control, right-click the default sandbox and choose Sandbox Settings

    • Open the branch of Resource Access > File Access, and click on Blocked Access

    • Click Add Program and add Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobatAcrobat.exe)

    • Click Add and add disk D:

    • Click OK

    • In Sandboxie Control, open the branch of Program Start > Forced Folders

    • Click Add Folder

    • Add the folder where resides Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobat)

    • Click OK


    From now on, all programs launching from the Acrobat folder are forced to
    execute sandboxed, and specifically Acrobat.exe is blocked from
    accessing the disk D:.
    You might need to open up some other sandbox restrictions if Acrobat
    will have some difficulties executing inside the sandbox.



    I don't know if this will also block the specific Windows API call that Acrobat
    uses to cause the wakeup of the disk, but might be worth trying.



    Sandboxie is a great and versatile product that I recommend,
    free for one default sandbox.
    For multiple sandboxes it's payware, but life-time license price is very reasonable (I paid).
    For example, I install products I test in a sandbox and can then wipe them
    out with one click, and no need for an uninstaller.





    Another isolation solution is by using Adobe Reader inside a
    Docker container.
    Docker containers are small and work like a virtual machines, but without needing to create the machine, since ready-made containers are downloaded from the Docker gallery.



    You may use
    Chocolatey
    as package manager.



    Chocolatey has many available pre-built packages with Adobe Reader at
    Adobe Acrobat Reader DC 2018.011.20063.



    With Docker, absolute isolation is possible as regarding resources,
    and on the other hand one is able to share resources such as folders
    in a completely native way.






    share|improve this answer



















    • 2




      @WackGet: Any comment ?
      – harrymc
      Sep 22 at 15:37










    • He says it doesn't work, the drive still does spin up, at least in his use case. I'm wondering, does Sandboxie give you the option to hide resources at the hardware layer? I haven't installed it yet.
      – Albin
      Sep 26 at 21:20












    • @WackGet: Sandboxie has more settings available in its config files. But first: Do the disks wake up the moment Adobe is launched, or only when using the menu File > Open?
      – harrymc
      Sep 27 at 6:34










    • Besides the above question, I added another light-weight isolation option, by using Docker. Docker containers are small and work like a virtual machines, but without needing to create it, since containers are ready-made and are downloaded from the Docker gallery.
      – harrymc
      Sep 27 at 7:00










    • Interesting choice. Which Docker Application are you referring to since it is rather a developer/enterprise solution. Unfortunately the docker products I looked at aren't free to use (just trialware possible)... but maybe I overlooked s.th.
      – Albin
      Sep 27 at 9:56











    Your Answer








    StackExchange.ready(function() {
    var channelOptions = {
    tags: "".split(" "),
    id: "3"
    };
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function() {
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled) {
    StackExchange.using("snippets", function() {
    createEditor();
    });
    }
    else {
    createEditor();
    }
    });

    function createEditor() {
    StackExchange.prepareEditor({
    heartbeatType: 'answer',
    convertImagesToLinks: true,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: 10,
    bindNavPrevention: true,
    postfix: "",
    imageUploader: {
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    },
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    });


    }
    });














     

    draft saved


    draft discarded


















    StackExchange.ready(
    function () {
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f677114%2fdeny-application-access-to-hard-drive-or-volume-in-windows-7%23new-answer', 'question_page');
    }
    );

    Post as a guest















    Required, but never shown

























    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    6
    down vote



    +175










    In Windows, there is no native supported way to block certain processes from accessing certain drives, that goes "against the current nature" how the operating system handles drive access.



    The right for access is determined by the logged on user's rights who starts the application. So if the software developer decided his software should search all accessible drives and does not give you the option to turn that off... well, that's bad programming which does not consider your particular use case. But there are a few workarounds.



    The only "sure" solution is 2, since the hardware virtualization layer (from the virtual machine) can block any applications to attempt to access the "real hardware" completely. Although I haven't had the case where solution 1 doesn't work, but theoretically I think it could be bypassed.



    Option "1" - Disabling the drives at a "low level" - No additional software needed



    Option 1a



    It's possible to disable the volumes on a lower layer by disabling the drives altogether, but this will disable all volumes on the drive. Manually, you can do it by starting diskmgmt.msc, then right click on the drive and mark it "offline".



    enter image description here



    If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b. You can do that, for example, via cmd as described here or via PowerShell, as it is described here.



    Option 1b



    You can deactivate the drive's driver altogether. To do in manually: start diskmgmt.msc, then right click, choose "options". Then go to the "Driver"-Tab and select "Deactivate". The drive will "disappear" in the disk manager and won't be accessible through the operating system anymore. Unless the software doesn't execute machine code commands to communicate directly with the hardware, there should be no way for the application to access the drives. At least as far as my knowledge of the ins and outs for operating systems goes.



    enter image description here



    If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b using, for example, Devcon.exe. You can find a detailed description here.



    Option 2 - Using a virtual environment (mostly with 3rd party software)



    If running the application within a virtual environment is an option at all, there are plenty of solutions out there:




    • depending on your Windows version (Win7 and up required) and license ("Professional" required, "Home" won't do), you can just use Hyper-V to set up a virtual environment without any third party software.


    • you can use a third party software to set up a virtual system like VMplayer, Virtual Box, etc. There are many freeware and payware alternatives. By using this solution, you will need a second licence for Windows (or you leave it unlicensed, but then you will get an overlay in the lower right corner of the screen that will tell you to register Windows). This will definitely prevent the software from accessing the drive.


    • you could use a "sandbox"-application. But it will depend on the level of virualization the sandbox-application offers. In some cases, it can solve the problem; in other cases, it doesn't. Sandboxie, for example (the one harrymc describes in his answer), doesn't solve the problem with the configuration harrymc described in his (original) answer. Although the software might block the access, the drive will still spine up. An alternative would be to use a different sandbox application like Cameyo, etc.



    By the way, here's a good article for the main difference between the different virtualization software, especially the difference between a "whole" virtual machine (like Virtual Box) or "semi virtual" applications (like Sandboxie).



    Option 3 - Unmounting just volumes (leaving the drive "intact") - No additional software needed, BUT it might not work in your case



    Option 3a



    Instead of starting the application via its regular shortcut, you could write a batch file using the command mountvol that first unmounts the unused volume, then starts the application, and then remounts the volume once the application doesn't access the drive anymore. The mounting/unmounting process via command line is described here and here. You can also use diskpart as described here and here.



    Option 3b



    Alternatively, you could just leave the drive unmounted in general and mount it via a batch file that mounts the drive which you start manually when needed. After you're done using it, you can manually unmount it using a second batch file. You could automatize that by monitoring file system access requests and mount/unmount the drive as required following certain rules e.g. that certain applications won't have access. But I'm not sure automation is worth the extra effort involved.



    Option 4 - Restricting access to a drive-letter (volume). Simple to do, but two small tools from Microsoft needed - BUT it might not work in your case



    If you want to do it without 3rd party software but don't mind to use two small tools from Microsoft (if you don't use it already). I prefer this solution because it gets the problem "by the root" (differentiation between the user's and the application's rights) and it's fairly simple and no "big" third party software is needed.



    Basically, you add a user with no access to the drive and then you start the program with those limited rights (you will still log on as your regular user, you won't use the restricted account to log on).




    • Add a user account.


    • Restrict the new user account's access to the drive by using Windows Access Control for the file system. Here's a good How-To including screenshots.


    • Then, start the software with those rights. You can, for example, use PsExec.exe to do that or Process Explorer, here's how. One of those two you will have to download from the Microsoft website, if you don't have them already.







    share|improve this answer



























      up vote
      6
      down vote



      +175










      In Windows, there is no native supported way to block certain processes from accessing certain drives, that goes "against the current nature" how the operating system handles drive access.



      The right for access is determined by the logged on user's rights who starts the application. So if the software developer decided his software should search all accessible drives and does not give you the option to turn that off... well, that's bad programming which does not consider your particular use case. But there are a few workarounds.



      The only "sure" solution is 2, since the hardware virtualization layer (from the virtual machine) can block any applications to attempt to access the "real hardware" completely. Although I haven't had the case where solution 1 doesn't work, but theoretically I think it could be bypassed.



      Option "1" - Disabling the drives at a "low level" - No additional software needed



      Option 1a



      It's possible to disable the volumes on a lower layer by disabling the drives altogether, but this will disable all volumes on the drive. Manually, you can do it by starting diskmgmt.msc, then right click on the drive and mark it "offline".



      enter image description here



      If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b. You can do that, for example, via cmd as described here or via PowerShell, as it is described here.



      Option 1b



      You can deactivate the drive's driver altogether. To do in manually: start diskmgmt.msc, then right click, choose "options". Then go to the "Driver"-Tab and select "Deactivate". The drive will "disappear" in the disk manager and won't be accessible through the operating system anymore. Unless the software doesn't execute machine code commands to communicate directly with the hardware, there should be no way for the application to access the drives. At least as far as my knowledge of the ins and outs for operating systems goes.



      enter image description here



      If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b using, for example, Devcon.exe. You can find a detailed description here.



      Option 2 - Using a virtual environment (mostly with 3rd party software)



      If running the application within a virtual environment is an option at all, there are plenty of solutions out there:




      • depending on your Windows version (Win7 and up required) and license ("Professional" required, "Home" won't do), you can just use Hyper-V to set up a virtual environment without any third party software.


      • you can use a third party software to set up a virtual system like VMplayer, Virtual Box, etc. There are many freeware and payware alternatives. By using this solution, you will need a second licence for Windows (or you leave it unlicensed, but then you will get an overlay in the lower right corner of the screen that will tell you to register Windows). This will definitely prevent the software from accessing the drive.


      • you could use a "sandbox"-application. But it will depend on the level of virualization the sandbox-application offers. In some cases, it can solve the problem; in other cases, it doesn't. Sandboxie, for example (the one harrymc describes in his answer), doesn't solve the problem with the configuration harrymc described in his (original) answer. Although the software might block the access, the drive will still spine up. An alternative would be to use a different sandbox application like Cameyo, etc.



      By the way, here's a good article for the main difference between the different virtualization software, especially the difference between a "whole" virtual machine (like Virtual Box) or "semi virtual" applications (like Sandboxie).



      Option 3 - Unmounting just volumes (leaving the drive "intact") - No additional software needed, BUT it might not work in your case



      Option 3a



      Instead of starting the application via its regular shortcut, you could write a batch file using the command mountvol that first unmounts the unused volume, then starts the application, and then remounts the volume once the application doesn't access the drive anymore. The mounting/unmounting process via command line is described here and here. You can also use diskpart as described here and here.



      Option 3b



      Alternatively, you could just leave the drive unmounted in general and mount it via a batch file that mounts the drive which you start manually when needed. After you're done using it, you can manually unmount it using a second batch file. You could automatize that by monitoring file system access requests and mount/unmount the drive as required following certain rules e.g. that certain applications won't have access. But I'm not sure automation is worth the extra effort involved.



      Option 4 - Restricting access to a drive-letter (volume). Simple to do, but two small tools from Microsoft needed - BUT it might not work in your case



      If you want to do it without 3rd party software but don't mind to use two small tools from Microsoft (if you don't use it already). I prefer this solution because it gets the problem "by the root" (differentiation between the user's and the application's rights) and it's fairly simple and no "big" third party software is needed.



      Basically, you add a user with no access to the drive and then you start the program with those limited rights (you will still log on as your regular user, you won't use the restricted account to log on).




      • Add a user account.


      • Restrict the new user account's access to the drive by using Windows Access Control for the file system. Here's a good How-To including screenshots.


      • Then, start the software with those rights. You can, for example, use PsExec.exe to do that or Process Explorer, here's how. One of those two you will have to download from the Microsoft website, if you don't have them already.







      share|improve this answer

























        up vote
        6
        down vote



        +175







        up vote
        6
        down vote



        +175




        +175




        In Windows, there is no native supported way to block certain processes from accessing certain drives, that goes "against the current nature" how the operating system handles drive access.



        The right for access is determined by the logged on user's rights who starts the application. So if the software developer decided his software should search all accessible drives and does not give you the option to turn that off... well, that's bad programming which does not consider your particular use case. But there are a few workarounds.



        The only "sure" solution is 2, since the hardware virtualization layer (from the virtual machine) can block any applications to attempt to access the "real hardware" completely. Although I haven't had the case where solution 1 doesn't work, but theoretically I think it could be bypassed.



        Option "1" - Disabling the drives at a "low level" - No additional software needed



        Option 1a



        It's possible to disable the volumes on a lower layer by disabling the drives altogether, but this will disable all volumes on the drive. Manually, you can do it by starting diskmgmt.msc, then right click on the drive and mark it "offline".



        enter image description here



        If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b. You can do that, for example, via cmd as described here or via PowerShell, as it is described here.



        Option 1b



        You can deactivate the drive's driver altogether. To do in manually: start diskmgmt.msc, then right click, choose "options". Then go to the "Driver"-Tab and select "Deactivate". The drive will "disappear" in the disk manager and won't be accessible through the operating system anymore. Unless the software doesn't execute machine code commands to communicate directly with the hardware, there should be no way for the application to access the drives. At least as far as my knowledge of the ins and outs for operating systems goes.



        enter image description here



        If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b using, for example, Devcon.exe. You can find a detailed description here.



        Option 2 - Using a virtual environment (mostly with 3rd party software)



        If running the application within a virtual environment is an option at all, there are plenty of solutions out there:




        • depending on your Windows version (Win7 and up required) and license ("Professional" required, "Home" won't do), you can just use Hyper-V to set up a virtual environment without any third party software.


        • you can use a third party software to set up a virtual system like VMplayer, Virtual Box, etc. There are many freeware and payware alternatives. By using this solution, you will need a second licence for Windows (or you leave it unlicensed, but then you will get an overlay in the lower right corner of the screen that will tell you to register Windows). This will definitely prevent the software from accessing the drive.


        • you could use a "sandbox"-application. But it will depend on the level of virualization the sandbox-application offers. In some cases, it can solve the problem; in other cases, it doesn't. Sandboxie, for example (the one harrymc describes in his answer), doesn't solve the problem with the configuration harrymc described in his (original) answer. Although the software might block the access, the drive will still spine up. An alternative would be to use a different sandbox application like Cameyo, etc.



        By the way, here's a good article for the main difference between the different virtualization software, especially the difference between a "whole" virtual machine (like Virtual Box) or "semi virtual" applications (like Sandboxie).



        Option 3 - Unmounting just volumes (leaving the drive "intact") - No additional software needed, BUT it might not work in your case



        Option 3a



        Instead of starting the application via its regular shortcut, you could write a batch file using the command mountvol that first unmounts the unused volume, then starts the application, and then remounts the volume once the application doesn't access the drive anymore. The mounting/unmounting process via command line is described here and here. You can also use diskpart as described here and here.



        Option 3b



        Alternatively, you could just leave the drive unmounted in general and mount it via a batch file that mounts the drive which you start manually when needed. After you're done using it, you can manually unmount it using a second batch file. You could automatize that by monitoring file system access requests and mount/unmount the drive as required following certain rules e.g. that certain applications won't have access. But I'm not sure automation is worth the extra effort involved.



        Option 4 - Restricting access to a drive-letter (volume). Simple to do, but two small tools from Microsoft needed - BUT it might not work in your case



        If you want to do it without 3rd party software but don't mind to use two small tools from Microsoft (if you don't use it already). I prefer this solution because it gets the problem "by the root" (differentiation between the user's and the application's rights) and it's fairly simple and no "big" third party software is needed.



        Basically, you add a user with no access to the drive and then you start the program with those limited rights (you will still log on as your regular user, you won't use the restricted account to log on).




        • Add a user account.


        • Restrict the new user account's access to the drive by using Windows Access Control for the file system. Here's a good How-To including screenshots.


        • Then, start the software with those rights. You can, for example, use PsExec.exe to do that or Process Explorer, here's how. One of those two you will have to download from the Microsoft website, if you don't have them already.







        share|improve this answer














        In Windows, there is no native supported way to block certain processes from accessing certain drives, that goes "against the current nature" how the operating system handles drive access.



        The right for access is determined by the logged on user's rights who starts the application. So if the software developer decided his software should search all accessible drives and does not give you the option to turn that off... well, that's bad programming which does not consider your particular use case. But there are a few workarounds.



        The only "sure" solution is 2, since the hardware virtualization layer (from the virtual machine) can block any applications to attempt to access the "real hardware" completely. Although I haven't had the case where solution 1 doesn't work, but theoretically I think it could be bypassed.



        Option "1" - Disabling the drives at a "low level" - No additional software needed



        Option 1a



        It's possible to disable the volumes on a lower layer by disabling the drives altogether, but this will disable all volumes on the drive. Manually, you can do it by starting diskmgmt.msc, then right click on the drive and mark it "offline".



        enter image description here



        If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b. You can do that, for example, via cmd as described here or via PowerShell, as it is described here.



        Option 1b



        You can deactivate the drive's driver altogether. To do in manually: start diskmgmt.msc, then right click, choose "options". Then go to the "Driver"-Tab and select "Deactivate". The drive will "disappear" in the disk manager and won't be accessible through the operating system anymore. Unless the software doesn't execute machine code commands to communicate directly with the hardware, there should be no way for the application to access the drives. At least as far as my knowledge of the ins and outs for operating systems goes.



        enter image description here



        If needed, you should be able to do that using a command line script as well. It would be applied a similar way as Option 3a/b using, for example, Devcon.exe. You can find a detailed description here.



        Option 2 - Using a virtual environment (mostly with 3rd party software)



        If running the application within a virtual environment is an option at all, there are plenty of solutions out there:




        • depending on your Windows version (Win7 and up required) and license ("Professional" required, "Home" won't do), you can just use Hyper-V to set up a virtual environment without any third party software.


        • you can use a third party software to set up a virtual system like VMplayer, Virtual Box, etc. There are many freeware and payware alternatives. By using this solution, you will need a second licence for Windows (or you leave it unlicensed, but then you will get an overlay in the lower right corner of the screen that will tell you to register Windows). This will definitely prevent the software from accessing the drive.


        • you could use a "sandbox"-application. But it will depend on the level of virualization the sandbox-application offers. In some cases, it can solve the problem; in other cases, it doesn't. Sandboxie, for example (the one harrymc describes in his answer), doesn't solve the problem with the configuration harrymc described in his (original) answer. Although the software might block the access, the drive will still spine up. An alternative would be to use a different sandbox application like Cameyo, etc.



        By the way, here's a good article for the main difference between the different virtualization software, especially the difference between a "whole" virtual machine (like Virtual Box) or "semi virtual" applications (like Sandboxie).



        Option 3 - Unmounting just volumes (leaving the drive "intact") - No additional software needed, BUT it might not work in your case



        Option 3a



        Instead of starting the application via its regular shortcut, you could write a batch file using the command mountvol that first unmounts the unused volume, then starts the application, and then remounts the volume once the application doesn't access the drive anymore. The mounting/unmounting process via command line is described here and here. You can also use diskpart as described here and here.



        Option 3b



        Alternatively, you could just leave the drive unmounted in general and mount it via a batch file that mounts the drive which you start manually when needed. After you're done using it, you can manually unmount it using a second batch file. You could automatize that by monitoring file system access requests and mount/unmount the drive as required following certain rules e.g. that certain applications won't have access. But I'm not sure automation is worth the extra effort involved.



        Option 4 - Restricting access to a drive-letter (volume). Simple to do, but two small tools from Microsoft needed - BUT it might not work in your case



        If you want to do it without 3rd party software but don't mind to use two small tools from Microsoft (if you don't use it already). I prefer this solution because it gets the problem "by the root" (differentiation between the user's and the application's rights) and it's fairly simple and no "big" third party software is needed.



        Basically, you add a user with no access to the drive and then you start the program with those limited rights (you will still log on as your regular user, you won't use the restricted account to log on).




        • Add a user account.


        • Restrict the new user account's access to the drive by using Windows Access Control for the file system. Here's a good How-To including screenshots.


        • Then, start the software with those rights. You can, for example, use PsExec.exe to do that or Process Explorer, here's how. One of those two you will have to download from the Microsoft website, if you don't have them already.








        share|improve this answer














        share|improve this answer



        share|improve this answer








        edited Nov 21 at 4:02









        Pang

        535610




        535610










        answered Sep 25 at 11:12









        Albin

        2,2951029




        2,2951029
























            up vote
            4
            down vote













            I propose a solution that uses
            Sandboxie.
            I don't have your environment, so I have tested running Acrobat.exe in
            a sandbox where its access to D: was blocked.
            When opening in Acrobat the menu File > Open, I get this :



            image



            Notice that Acrobat can't even find the label of disk D:, so is forced to display
            it in a lame way, and how it is blocked when I click on "Local Disk (D:)".



            The steps I used were :




            • Installed Sandboxie

            • In Sandboxie Control, right-click the default sandbox and choose Sandbox Settings

            • Open the branch of Resource Access > File Access, and click on Blocked Access

            • Click Add Program and add Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobatAcrobat.exe)

            • Click Add and add disk D:

            • Click OK

            • In Sandboxie Control, open the branch of Program Start > Forced Folders

            • Click Add Folder

            • Add the folder where resides Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobat)

            • Click OK


            From now on, all programs launching from the Acrobat folder are forced to
            execute sandboxed, and specifically Acrobat.exe is blocked from
            accessing the disk D:.
            You might need to open up some other sandbox restrictions if Acrobat
            will have some difficulties executing inside the sandbox.



            I don't know if this will also block the specific Windows API call that Acrobat
            uses to cause the wakeup of the disk, but might be worth trying.



            Sandboxie is a great and versatile product that I recommend,
            free for one default sandbox.
            For multiple sandboxes it's payware, but life-time license price is very reasonable (I paid).
            For example, I install products I test in a sandbox and can then wipe them
            out with one click, and no need for an uninstaller.





            Another isolation solution is by using Adobe Reader inside a
            Docker container.
            Docker containers are small and work like a virtual machines, but without needing to create the machine, since ready-made containers are downloaded from the Docker gallery.



            You may use
            Chocolatey
            as package manager.



            Chocolatey has many available pre-built packages with Adobe Reader at
            Adobe Acrobat Reader DC 2018.011.20063.



            With Docker, absolute isolation is possible as regarding resources,
            and on the other hand one is able to share resources such as folders
            in a completely native way.






            share|improve this answer



















            • 2




              @WackGet: Any comment ?
              – harrymc
              Sep 22 at 15:37










            • He says it doesn't work, the drive still does spin up, at least in his use case. I'm wondering, does Sandboxie give you the option to hide resources at the hardware layer? I haven't installed it yet.
              – Albin
              Sep 26 at 21:20












            • @WackGet: Sandboxie has more settings available in its config files. But first: Do the disks wake up the moment Adobe is launched, or only when using the menu File > Open?
              – harrymc
              Sep 27 at 6:34










            • Besides the above question, I added another light-weight isolation option, by using Docker. Docker containers are small and work like a virtual machines, but without needing to create it, since containers are ready-made and are downloaded from the Docker gallery.
              – harrymc
              Sep 27 at 7:00










            • Interesting choice. Which Docker Application are you referring to since it is rather a developer/enterprise solution. Unfortunately the docker products I looked at aren't free to use (just trialware possible)... but maybe I overlooked s.th.
              – Albin
              Sep 27 at 9:56















            up vote
            4
            down vote













            I propose a solution that uses
            Sandboxie.
            I don't have your environment, so I have tested running Acrobat.exe in
            a sandbox where its access to D: was blocked.
            When opening in Acrobat the menu File > Open, I get this :



            image



            Notice that Acrobat can't even find the label of disk D:, so is forced to display
            it in a lame way, and how it is blocked when I click on "Local Disk (D:)".



            The steps I used were :




            • Installed Sandboxie

            • In Sandboxie Control, right-click the default sandbox and choose Sandbox Settings

            • Open the branch of Resource Access > File Access, and click on Blocked Access

            • Click Add Program and add Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobatAcrobat.exe)

            • Click Add and add disk D:

            • Click OK

            • In Sandboxie Control, open the branch of Program Start > Forced Folders

            • Click Add Folder

            • Add the folder where resides Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobat)

            • Click OK


            From now on, all programs launching from the Acrobat folder are forced to
            execute sandboxed, and specifically Acrobat.exe is blocked from
            accessing the disk D:.
            You might need to open up some other sandbox restrictions if Acrobat
            will have some difficulties executing inside the sandbox.



            I don't know if this will also block the specific Windows API call that Acrobat
            uses to cause the wakeup of the disk, but might be worth trying.



            Sandboxie is a great and versatile product that I recommend,
            free for one default sandbox.
            For multiple sandboxes it's payware, but life-time license price is very reasonable (I paid).
            For example, I install products I test in a sandbox and can then wipe them
            out with one click, and no need for an uninstaller.





            Another isolation solution is by using Adobe Reader inside a
            Docker container.
            Docker containers are small and work like a virtual machines, but without needing to create the machine, since ready-made containers are downloaded from the Docker gallery.



            You may use
            Chocolatey
            as package manager.



            Chocolatey has many available pre-built packages with Adobe Reader at
            Adobe Acrobat Reader DC 2018.011.20063.



            With Docker, absolute isolation is possible as regarding resources,
            and on the other hand one is able to share resources such as folders
            in a completely native way.






            share|improve this answer



















            • 2




              @WackGet: Any comment ?
              – harrymc
              Sep 22 at 15:37










            • He says it doesn't work, the drive still does spin up, at least in his use case. I'm wondering, does Sandboxie give you the option to hide resources at the hardware layer? I haven't installed it yet.
              – Albin
              Sep 26 at 21:20












            • @WackGet: Sandboxie has more settings available in its config files. But first: Do the disks wake up the moment Adobe is launched, or only when using the menu File > Open?
              – harrymc
              Sep 27 at 6:34










            • Besides the above question, I added another light-weight isolation option, by using Docker. Docker containers are small and work like a virtual machines, but without needing to create it, since containers are ready-made and are downloaded from the Docker gallery.
              – harrymc
              Sep 27 at 7:00










            • Interesting choice. Which Docker Application are you referring to since it is rather a developer/enterprise solution. Unfortunately the docker products I looked at aren't free to use (just trialware possible)... but maybe I overlooked s.th.
              – Albin
              Sep 27 at 9:56













            up vote
            4
            down vote










            up vote
            4
            down vote









            I propose a solution that uses
            Sandboxie.
            I don't have your environment, so I have tested running Acrobat.exe in
            a sandbox where its access to D: was blocked.
            When opening in Acrobat the menu File > Open, I get this :



            image



            Notice that Acrobat can't even find the label of disk D:, so is forced to display
            it in a lame way, and how it is blocked when I click on "Local Disk (D:)".



            The steps I used were :




            • Installed Sandboxie

            • In Sandboxie Control, right-click the default sandbox and choose Sandbox Settings

            • Open the branch of Resource Access > File Access, and click on Blocked Access

            • Click Add Program and add Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobatAcrobat.exe)

            • Click Add and add disk D:

            • Click OK

            • In Sandboxie Control, open the branch of Program Start > Forced Folders

            • Click Add Folder

            • Add the folder where resides Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobat)

            • Click OK


            From now on, all programs launching from the Acrobat folder are forced to
            execute sandboxed, and specifically Acrobat.exe is blocked from
            accessing the disk D:.
            You might need to open up some other sandbox restrictions if Acrobat
            will have some difficulties executing inside the sandbox.



            I don't know if this will also block the specific Windows API call that Acrobat
            uses to cause the wakeup of the disk, but might be worth trying.



            Sandboxie is a great and versatile product that I recommend,
            free for one default sandbox.
            For multiple sandboxes it's payware, but life-time license price is very reasonable (I paid).
            For example, I install products I test in a sandbox and can then wipe them
            out with one click, and no need for an uninstaller.





            Another isolation solution is by using Adobe Reader inside a
            Docker container.
            Docker containers are small and work like a virtual machines, but without needing to create the machine, since ready-made containers are downloaded from the Docker gallery.



            You may use
            Chocolatey
            as package manager.



            Chocolatey has many available pre-built packages with Adobe Reader at
            Adobe Acrobat Reader DC 2018.011.20063.



            With Docker, absolute isolation is possible as regarding resources,
            and on the other hand one is able to share resources such as folders
            in a completely native way.






            share|improve this answer














            I propose a solution that uses
            Sandboxie.
            I don't have your environment, so I have tested running Acrobat.exe in
            a sandbox where its access to D: was blocked.
            When opening in Acrobat the menu File > Open, I get this :



            image



            Notice that Acrobat can't even find the label of disk D:, so is forced to display
            it in a lame way, and how it is blocked when I click on "Local Disk (D:)".



            The steps I used were :




            • Installed Sandboxie

            • In Sandboxie Control, right-click the default sandbox and choose Sandbox Settings

            • Open the branch of Resource Access > File Access, and click on Blocked Access

            • Click Add Program and add Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobatAcrobat.exe)

            • Click Add and add disk D:

            • Click OK

            • In Sandboxie Control, open the branch of Program Start > Forced Folders

            • Click Add Folder

            • Add the folder where resides Acrobat (mine was C:Program Files (x86)AdobeAcrobat DCAcrobat)

            • Click OK


            From now on, all programs launching from the Acrobat folder are forced to
            execute sandboxed, and specifically Acrobat.exe is blocked from
            accessing the disk D:.
            You might need to open up some other sandbox restrictions if Acrobat
            will have some difficulties executing inside the sandbox.



            I don't know if this will also block the specific Windows API call that Acrobat
            uses to cause the wakeup of the disk, but might be worth trying.



            Sandboxie is a great and versatile product that I recommend,
            free for one default sandbox.
            For multiple sandboxes it's payware, but life-time license price is very reasonable (I paid).
            For example, I install products I test in a sandbox and can then wipe them
            out with one click, and no need for an uninstaller.





            Another isolation solution is by using Adobe Reader inside a
            Docker container.
            Docker containers are small and work like a virtual machines, but without needing to create the machine, since ready-made containers are downloaded from the Docker gallery.



            You may use
            Chocolatey
            as package manager.



            Chocolatey has many available pre-built packages with Adobe Reader at
            Adobe Acrobat Reader DC 2018.011.20063.



            With Docker, absolute isolation is possible as regarding resources,
            and on the other hand one is able to share resources such as folders
            in a completely native way.







            share|improve this answer














            share|improve this answer



            share|improve this answer








            edited Sep 27 at 14:18

























            answered Sep 20 at 8:22









            harrymc

            248k10257546




            248k10257546








            • 2




              @WackGet: Any comment ?
              – harrymc
              Sep 22 at 15:37










            • He says it doesn't work, the drive still does spin up, at least in his use case. I'm wondering, does Sandboxie give you the option to hide resources at the hardware layer? I haven't installed it yet.
              – Albin
              Sep 26 at 21:20












            • @WackGet: Sandboxie has more settings available in its config files. But first: Do the disks wake up the moment Adobe is launched, or only when using the menu File > Open?
              – harrymc
              Sep 27 at 6:34










            • Besides the above question, I added another light-weight isolation option, by using Docker. Docker containers are small and work like a virtual machines, but without needing to create it, since containers are ready-made and are downloaded from the Docker gallery.
              – harrymc
              Sep 27 at 7:00










            • Interesting choice. Which Docker Application are you referring to since it is rather a developer/enterprise solution. Unfortunately the docker products I looked at aren't free to use (just trialware possible)... but maybe I overlooked s.th.
              – Albin
              Sep 27 at 9:56














            • 2




              @WackGet: Any comment ?
              – harrymc
              Sep 22 at 15:37










            • He says it doesn't work, the drive still does spin up, at least in his use case. I'm wondering, does Sandboxie give you the option to hide resources at the hardware layer? I haven't installed it yet.
              – Albin
              Sep 26 at 21:20












            • @WackGet: Sandboxie has more settings available in its config files. But first: Do the disks wake up the moment Adobe is launched, or only when using the menu File > Open?
              – harrymc
              Sep 27 at 6:34










            • Besides the above question, I added another light-weight isolation option, by using Docker. Docker containers are small and work like a virtual machines, but without needing to create it, since containers are ready-made and are downloaded from the Docker gallery.
              – harrymc
              Sep 27 at 7:00










            • Interesting choice. Which Docker Application are you referring to since it is rather a developer/enterprise solution. Unfortunately the docker products I looked at aren't free to use (just trialware possible)... but maybe I overlooked s.th.
              – Albin
              Sep 27 at 9:56








            2




            2




            @WackGet: Any comment ?
            – harrymc
            Sep 22 at 15:37




            @WackGet: Any comment ?
            – harrymc
            Sep 22 at 15:37












            He says it doesn't work, the drive still does spin up, at least in his use case. I'm wondering, does Sandboxie give you the option to hide resources at the hardware layer? I haven't installed it yet.
            – Albin
            Sep 26 at 21:20






            He says it doesn't work, the drive still does spin up, at least in his use case. I'm wondering, does Sandboxie give you the option to hide resources at the hardware layer? I haven't installed it yet.
            – Albin
            Sep 26 at 21:20














            @WackGet: Sandboxie has more settings available in its config files. But first: Do the disks wake up the moment Adobe is launched, or only when using the menu File > Open?
            – harrymc
            Sep 27 at 6:34




            @WackGet: Sandboxie has more settings available in its config files. But first: Do the disks wake up the moment Adobe is launched, or only when using the menu File > Open?
            – harrymc
            Sep 27 at 6:34












            Besides the above question, I added another light-weight isolation option, by using Docker. Docker containers are small and work like a virtual machines, but without needing to create it, since containers are ready-made and are downloaded from the Docker gallery.
            – harrymc
            Sep 27 at 7:00




            Besides the above question, I added another light-weight isolation option, by using Docker. Docker containers are small and work like a virtual machines, but without needing to create it, since containers are ready-made and are downloaded from the Docker gallery.
            – harrymc
            Sep 27 at 7:00












            Interesting choice. Which Docker Application are you referring to since it is rather a developer/enterprise solution. Unfortunately the docker products I looked at aren't free to use (just trialware possible)... but maybe I overlooked s.th.
            – Albin
            Sep 27 at 9:56




            Interesting choice. Which Docker Application are you referring to since it is rather a developer/enterprise solution. Unfortunately the docker products I looked at aren't free to use (just trialware possible)... but maybe I overlooked s.th.
            – Albin
            Sep 27 at 9:56


















             

            draft saved


            draft discarded



















































             


            draft saved


            draft discarded














            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f677114%2fdeny-application-access-to-hard-drive-or-volume-in-windows-7%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

            Alcedinidae

            RAC Tourist Trophy