cacls.exe

[Defcon31]

hello
i want to set permissions for some applications using "cacls.exe",
but i don't find the component that contains "cacls.exe"
(yes my visibility is set to 100).

how can i include cacls.exe in my build?

(I see this file is in the embedded repository, so
i suppose anything has to use this file)

anyone has experience with this?

thanks in advance

 

[Slobodan Brcin]

You are right there is no component for this file.

Well then make component that will copy this file to your image, or complain
to MS.

Regads,
Slobodan

 

[Defcon31]

Hello Slobodan,
thanks very much for your help.

but like you described; the cacls.exe file works great for alle
applications,
except for explorer.exe (the system file and folders vieuw in tree)...
and denying users to explorer.exe is just what i need, so that they cannot
delete files and so on.

BUT when i set that users are denied for explorer.exe, they also don't see
their
desktop and start menu.

have you experience with this. (administrators still have to be able to run
explorer.exe)

thanks in advance

 

[Slobodan Brcin]

Well if you don't give execute access to users to explorer.exe then you
won't see desktop it is logical since explorer.exe can't run.

But you can make your custom shell, or use some application as shell insted
of explorer.exe.

We don't have explorer in our image, but it is working

Do you want to prevent users from deleting files, or from executing them?


Regards,
Slobodan

 

[Defcon31]

you asked "Do you want to prevent users from deleting files, or from
executing them?"
I want that users may execute some applications like my VB and C++ programs.
But I don't want that default users can watch what's on the system (files,
folders,...)
and also, of course they mustn't delete files.
and also, they mustn't change files (but the application itself must be able
to make continuously changes in some files)..

in brief: i want to prevent that the default users mess on the system, and i
'd like to accomplish this by
disabling them to explorer.exe (the system file and folders vieuw in
tree)...

thanks for help !

 

[Slobodan Brcin]

If you have application that is 24 hour active then, you can use my first
approach.

1. Set security so only admin can execute userinit.exe
2. Set security that only users can execute your app (not admins).
3. Put path to your app as I described already in registry.

When your user logon, only your app will be executed.
If you don't give user any option to run some third party exe file, then
they won't run anything (since they don't have any interface to run things,
taskmgr.exe, etc are all disabled by default)
If admin logon then userinit will be executed and admins will have normal
windows shell.

Simple, isn't it. It worked for us for more than two years. Currently all
new installations that our customers are making with our hardware, use this
approach on Windows XP Home/Professional.

We are switching to XPe so we can build fool proof installation so every end
user can put CD in, and install our app integrated with XPe. Also they can
use same technique to update software and XPe.
Currently we have trained few technicians from our distributors so they are
able to install Windows XP, drivers, etc and our software and hardware, but
general idea is that everyone can install our software part of product in
less than 10 minutes ( computer and card installation excluded ).
This should lower our customer expertise requirement to very basic
knowledge.


Regards,
Slobodan