Allowing Non-Administrators To Install Fonts In Windows 7
Windows 7 is far more secure than prior Windows operating systems. The Windows directory is locked down with permissions so that even an Administrator cannot circumvent security. Some security features are good, others not so much; the security on fonts is a good example. I will explain how to allow normal non-privileged users to install their own fonts without the UAC prompt.
The Fonts directory is located in the Windows directory, and a normal user who wants to install fonts cannot. If a normal user tries to install a font, they are prompted with the UAC (User Account Control) dialog box and Administrator credentials are required. If you work for a school or a print shop and do not want to give out Administrator credentials to install fonts, read on.
The following steps will loosen up security in your operating system, so that normal users can install fonts without administrative credentials and the UAC prompt. This modification has been tested on Windows 7; however, it should also work on Windows Vista. Please be careful when making changes that could open security holes. As of the writing of this article there are no security holes, but be vigilant and read Microsoft Security Bulletins in the future.
Log on as an administrator to make the following changes!
First we need to make the folder writable and make it a non-system folder.
attrib -r -s c:\Windows\Fonts
Next we need to take ownership. The /f switch points takeown at the folder c:\Windows\Fonts, /r makes it recurse, and /d n supplies a default answer of no (skip) to any prompt.
takeown /f c:\Windows\Fonts /r /d n
Now let’s give the users permission.
cacls c:\Windows\Fonts /e /t /g users:c
There is also a font cache that allows programs to display a preview of the fonts; this needs to be loosened up for the user as well.
cacls c:\Windows\System32\FNTCACHE.DAT /e /t /g users:c
Note: you will receive an "Access is denied" message; this is normal. Just make sure that users have the Change security permission.
The last thing to do is give users permissions to register fonts with Windows 7 in the registry. Use regedit and give users modify permissions to the following key in the registry.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Fonts
See diagram:
That’s it, you’re done… Log out and test as a normal / non-administrator user by right-clicking the font and selecting “Install” from the context menu.
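An added check, not part of the original article: a read-only PowerShell script that lists which principals outside an expected set hold write-type access on the three objects the steps above modify, so the change can be confirmed or found later during an audit. The `$expected` list is an assumption about a default install; adjust it for your environment.

```powershell
# Added example: audit write access on the objects this article loosens.
# Read-only; it changes nothing on the system.
$targets = @(
    "$env:SystemRoot\Fonts",
    "$env:SystemRoot\System32\FNTCACHE.DAT",
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts'
)

# Principals assumed to hold write access by default (assumption, not from the article).
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

# File and registry rights are different enums, so compare raw integer masks.
$fileWrite = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$regWrite  = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$generic   = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

foreach ($path in $targets) {
    if (-not (Test-Path -Path $path)) {
        Write-Warning "Not found: $path"
        continue
    }
    $acl   = Get-Acl -Path $path
    $isReg = $path -like 'HKLM:*'
    $mask  = if ($isReg) { $regWrite -bor $generic } else { $fileWrite -bor $generic }

    "{0}  (owner: {1})" -f $path, $acl.Owner

    # Keep only Allow entries that carry a write-type bit for an unexpected principal.
    $acl.Access | Where-Object {
        $rights = if ($isReg) { [int]$_.RegistryRights } else { [int]$_.FileSystemRights }
        $_.AccessControlType -eq 'Allow' -and
        ($rights -band $mask) -ne 0 -and
        $expected -notcontains $_.IdentityReference.Value
    } | ForEach-Object {
        $shown = if ($isReg) { $_.RegistryRights } else { $_.FileSystemRights }
        "  WRITE  {0,-35} {1} (inherited: {2})" -f $_.IdentityReference.Value, $shown, $_.IsInherited
    }
}
```

Run it from an elevated prompt before and after making the changes; after the steps above, the Users group is expected to show up under each object, and the owner of the Fonts folder will no longer be the default one.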
May 6th, 2011 at 3:59 pm
Great quick article…I’m trying to get this working in a GPO. I’ve got the file/folder/registry permissions, but the tricky part is having the attrib and take ownership commands in a batch file occur before the permissions get set. I was able to get everything pushed through, but the file ownership bit was set last…so permissions could not be set for my domain users on the C:\Windows\Fonts directory. With an additional GPUpdate /force, it went through fine and users are able to add fonts to the Fonts folder.
Any ideas? I suppose I could throw a gpupdate /force command after the take ownership is done…but seems a bit sloppy.
May 6th, 2011 at 4:20 pm
You may have to put a logon script in place to attrib the file. However, I think the details of what is going on are in the gpupdate /force working. My suggestion is to start with a clean reboot on a clean machine (untouched by the policy). Log on and inspect if the permissions are being applied; from my understanding the OS will override the read-only attrib. The article http://support.microsoft.com/?id=298444 explains that force is nothing more than re-applying the policy. In Windows XP there was a problem with background refresh of GPO, which means that when the machine reboots, if the policy was applied already, it will not try to reapply until the refresh interval of 90 minutes in the background. Since permissions are only applied on boot, it sounds like the background refresh problem. See this article for GPO processing: http://technet.microsoft.com/en-us/magazine/2008.01.gpperf.aspx. There is USERENV debugging that could be turned on to validate the behavior. To force synchronous processing of GPO see this article: http://support.microsoft.com/kb/305293. Vista and XP asynchronously process GPO (background refresh), so setting it should fix your problem… Please let me know.
May 7th, 2011 at 10:37 am
Thanks for the info! Much appreciated.
Here’s what I’ve got…being the weekend, I don’t intend on setting anything up right yet. I’m having our techs work with me to test it. I haven’t yet run this complete batch file on the machine we tested yesterday. I had only the attrib and takeown commands in the batch file originally, and did run against the machine during startup. They did run successfully. Upon login with a regular user, I could see that SYSTEM was owner of the Fonts Directory. Just being able to see security on it told me it was no longer a system folder, so I know attrib ran ok.
The adding of permissions part was originally set in another area of the GPO (Computer Config>Policies>Windows Settings>Security Settings>File System/Registry), not via icacls as indicated in the batch file listed below.
REM
REM Makes the Fonts folder writable and makes it a non-system folder
REM
attrib -r -s %systemroot%\Fonts
REM
REM Takes ownership of the %systemroot%\Fonts folder. /f names the folder
REM (c:\Windows\Fonts), /r recurses, and /d n answers no (skip) by default.
REM
takeown /f "%systemroot%\fonts" /r /d n
REM
REM
REM Give user(s) modify access to %systemroot%\Fonts
REM
icacls "%systemroot%\fonts" /grant "domain.com\Domain Users":M /t
REM
REM Give user(s) modify access to %systemroot%\system32\FNTCACHE.dat
REM
icacls "%systemroot%\system32\FNTCACHE.dat" /grant "domain.com\Domain Users":M /t
May 9th, 2011 at 12:19 pm
I made a different decision…I created an MSI with the fonts and deploy that to the systems needed. Hopefully that does it a bit easier. Thanks for the feedback and the information. This was a great article that got me going! Cheers!
August 3rd, 2011 at 10:12 am
I’ve tried this on Vista SP1 but non-privileged users are still caught by UAC.
Who is supposed to be taking ownership of C:\Windows\Fonts? It would appear to be the administrator, but why?
Can this be done by making a user a Power User?
November 15th, 2011 at 6:57 pm
Hello. So to start, I know next to nothing about batch files. 🙂 But a fellow student gave me a basic batch file to install my fonts on our school computers quickly.
The facts are as follows:
– Windows 7 (possibly 64 bit?)
– any changes made to the system are dumped when the computer is restarted, solutions must work without rebooting
– no administrative privileges, and yet if you manually open the font file and copy your fonts in it works fine
– my batch file works to copy the files into the font folder, but will not ‘install’ them
Question:
– Is there another command I can add to install the fonts after they are copied to the folder?
Reason:
– We have to log on to new computers everyday, installing fonts manually every day is tedious, but necessary. I really want this batch to work!
November 15th, 2011 at 7:31 pm
So the answer is: In order to install fonts in Windows Vista thru Windows 7 you now have to register the font in the registry, which right clicking on the font and selecting install does (as well as copies the font). You could try the following batch script:
You will probably still need to set permission on the directory and the reg key doing it this way.
December 6th, 2011 at 11:10 am
Good!!
March 12th, 2012 at 1:57 pm
I attempted this workaround, as I have some fonts that are causing me some trouble in Photoshop (hiding won’t remove them from the list, I can’t delete them since they came with Windows 7, and they make it impossible to quickly scroll through the fonts with the arrow key, as they don’t actually seem to be functional). However, I’m getting: Access denied – C:\Windows\Fonts on the very first step. I am signed in as the Administrator, which is the only User on this machine. The first time I tried this I typed the command, the second time I copied / pasted just in case.
So, what could be causing this error?
March 12th, 2012 at 2:33 pm
I think I might have gotten that error as well, but I know that I was satisfied with the results so I didn’t pursue it. My only thought is UAC? Open the CMD prompt as administrator.
May 24th, 2012 at 11:33 am
Hi There,
I followed all the steps exactly, but when trying to install a font as a non-admin, I’m still getting the UAC pop up asking for the administrator password. Is there something I’m missing here?
June 26th, 2012 at 4:02 am
I too am getting the UAC pop up. My batch file is the same as Ytsejamer1’s. Did anyone manage to get around this?
June 26th, 2012 at 5:56 am
Submit your batch file, but if you run the batch file without elevating permissions (i.e. run as administrator) then it will not work. However, let’s take a look at the batch file.
September 18th, 2012 at 12:34 pm
[…] If you decide to make this a startup script, remember that startup scripts are run under the local system security context and won’t be able to connect to remote servers. If you make this a login script the user will need rights to install the fonts. See this article if you choose the login script route: http://www.bohack.com/2011/04/allowing-non-administrators-to-install-fonts-in-windows-7/ […]