remove access of a file with command prompt

[Vijay]

Please tell me, how can i remove access of a file with command file,

location of the file is:

c:\usbstor.inf

i want to deny everyone to access this file..


thanks ,

vijay

 

[thanatoid]

Please tell me, how can i remove access of a file with
command file,

location of the file is:

c:\usbstor.inf

What the hell is it doing THERE?

i want to deny everyone to access this file..

AFAIK, you can't, but I am new to XP and I may be wrong. If you
make that file hidden and read-only - which you can do even in
WinExplorer I believe - then, since your machine /probably/ has
"do not show hidden and system files" checked ON, that should be
enough.

If not, just in case, the command line syntax would be:

attrib +r +h c:\usbstor.inf

(I could be wrong, corrections welcome.)

And the system may not let you do it since the XP command line
is "inside" XP which may not allow this action to be performed -
in which case you would have to access the C drive with a DOS
boot floppy/CD and change the attributes in "actual" DOS with
the above line. (Change to the C: drive first, of course.)
Whether everything will work OK afterwards is /another/
question. And of course everyone still has access, if they know
how to "see" hidden files.

The bottom line is if someone who knows enough wants to get at
something on any machine, they will. Accept it.

I have a feeling you think that making that file "unavailable"
will do something it won't/can't. What are you trying to achieve
/exactly/?

 

[Bill in Co.]

What the hell is it doing THERE?


AFAIK, you can't, but I am new to XP and I may be wrong. If you
make that file hidden and read-only - which you can do even in
WinExplorer I believe - then, since your machine /probably/ has
"do not show hidden and system files" checked ON, that should be
enough.

If not, just in case, the command line syntax would be:

attrib +r +h c:\usbstor.inf

(I could be wrong, corrections welcome.)

And the system may not let you do it since the XP command line
is "inside" XP which may not allow this action to be performed -
in which case you would have to access the C drive with a DOS
boot floppy/CD and change the attributes in "actual" DOS with
the above line. (Change to the C: drive first, of course.)

Access the C: drive with a DOS boot disk? I don't think so. How can
DOS access the NTFS volume of C: (without some other special software)?
It's not a FAT volume (unless he's one of those rare exceptions that set up
XP on FAT32).

 

[Andrew McLaren]

Please tell me, how can i remove access of a file with command file,
location of the file is:
c:\usbstor.inf
i want to deny everyone to access this file..

Hi Vijay,

You probably don't want to remove access to this file for Everyone. That
would remove access for Administrator, Local System, and your own user
account.

What you probably want is to leave access for Everyone, but remove
access for the Group 'Users'. That way, the operating system itself, and
administrators, can still access the file; but ordinary users cannot.

Also, depending on the file's function, you may want to keep Read access
for Users, but remove their permissions to modify or delete the file.

By far the easiest way to edit permissions is to use the GUI ACL Editor,
which is reached via Explorer, <file> properties, Security.

But the command-line tool which does the same thing as the GUI, is the
CACLS command. This is a built-in command, part of the XP OS.

The exact syntax will depend on what permissions you want to set.
Frankly, while CACLS is a very powerful and flexible command, its syntax
can be a little hairy. So you'll want to read up on the syntax
carefully, before you run the command. Also, test it on a scratch file,
before you destroy, I mean, modify the real target file.

CACLS /? at a command prompt will get you started. Or see:

http://technet.microsoft.com/en-us/library/bb490872.aspx

Hope this helps,

Andrew

 

[Andrew McLaren]

AFAIK, you can't, but I am new to XP and I may be wrong. If you
(I could be wrong, corrections welcome.)
The bottom line is if someone who knows enough wants to get at
something on any machine, they will. Accept it.

Hi Thanatoid

(Hmmm - was your mother named Nyxoid? And your brother Hypnoid? But, I
digress ...

You did say "corrections welcome".

What you've written would be true for FAT and FAT32 file systems, like
you'd find on Windows 95, 98 and Me.

Windows XP was built on the Windows NT codebase (via Windows 2000); and
as such it uses NTFS as its native file system. FAT has no security
features at all. NTFS has support for strong (Orange Book, C2 style)
security built in from scratch, right from the beginning back in 1992.
NTFS allows both strong and very granular control over file security
using ACLs ("access control lists"). In fact, the use of ACLs has now
become pretty widespread in many versions of Unix as an adjunct to
native Unix-style permissions.

I wouldn't go so far as to say NTFS is utterly impregnable (physical
access can compromise most file systems). But a properly managed XP
workstation in a Windows domain, with appropriate physical security (ie
you can't take teh hard disk away for the night), will resist most
ordinary attempts by users - even "knowlegdeable" users - to access
protected files.

In addition, Vista and Windows 7 add support for Trusted Platform Module
("TPM") hardware via the Bitlocker feature, which will make a properly
secured hard disk highly resistant to compromise, even when an attacker
has unlimited physical access to the drive media.

I'm not sure it's possible for anyone to be "new" to Windows XP. XP was
released on 25 October 2001, so it is now over 9 years old!

Cheers,

Andrew

 

[John John - MVP]

Please tell me, how can i remove access of a file with command file,

location of the file is:

c:\usbstor.inf

i want to deny everyone to access this file..

Windows XP will reset the permission on the file if a user needs to use
it... like when he plugs in a USB device, so on Windows XP it's futile
to set permissions on this file. You could accomplish what you want by
renaming the file.

John

 

[Andrew McLaren]

BTW assuming you want to control whether users' can attach USB storage
devices, see this KB article for details:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823732

 

[thanatoid]

Access the C: drive with a DOS boot disk? I don't think
so. How can DOS access the NTFS volume of C: (without
some other special software)? It's not a FAT volume (unless
he's one of those rare exceptions that set up XP on FAT32).

True, I forgot about NTFS... But wouldn't an NTFS boot disk/CD
(they DO exist???) do the job as well? Just guessing...

BTW, I have XP installed on a FAT32 partition - I don't trust
NTFS. I am sure I am not the only one in the world. Anyway,
there is more to this story than the simple question he posed.

 

[thanatoid]

Hi Thanatoid

(Hmmm - was your mother named Nyxoid? And your brother
Hypnoid? But, I digress ...

No, but I am thanatoid, all lower case ;-) And digressions are
always welcome as well... They are often more interesting than
the subject.

You did say "corrections welcome".

I sure as hell did. I know when I talk about what I know little
of.

What you've written would be true for FAT and FAT32 file
systems, like you'd find on Windows 95, 98 and Me.

And a FAT32 install of XP like mine.

Windows XP was built on the Windows NT codebase (via
Windows 2000); and as such it uses NTFS as its native file
system. FAT has no security features at all. NTFS has
support for strong (Orange Book, C2 style) security built
in from scratch, right from the beginning back in 1992.

Well, I didn't know that detail, but from what I read in NG's
and other places every day those security measures are not
working all that well. "Security" and "Microsoft" do not belong
to the same family of words. It takes a smart user to be secure.
Personally, in almost 20 years I have never had an infection -
ONE virus in an email from a clueless friend but since I had all
scripting disabled and I do not use a webmail client, just a
small POP/SMTP program, it couldn't DO anything.

NTFS allows both strong and very granular control over file
security using ACLs ("access control lists"). In fact, the
use of ACLs has now become pretty widespread in many
versions of Unix as an adjunct to native Unix-style
permissions.

Well, I have NEVER had a single problem with FAT32, and I did
once have to recover data from a 40GB HD which crashed (I DO
have problems with suicidal HD's). OTOH I once read an MVP (!)
refer to NTFS as a "fiasco". Of course, that's just one person's
opinion. But why complicate things? I have 9 FAT32 partitions
and XP went on one of them. It seems to like it just fine.

I wouldn't go so far as to say NTFS is utterly impregnable
(physical access can compromise most file systems). But a
properly managed XP workstation in a Windows domain, with
appropriate physical security (ie you can't take teh hard
disk away for the night), will resist most ordinary
attempts by users - even "knowlegdeable" users - to access
protected files.

I am the only person who ever touches this computer, and I am
not going online with XP, I installed it only to use a specific
program/hardware combo which will NOT work in 98SELite.

In addition, Vista and Windows 7 add support for Trusted
Platform Module ("TPM") hardware via the Bitlocker feature,
which will make a properly secured hard disk highly
resistant to compromise, even when an attacker has
unlimited physical access to the drive media.

Sorry, this sounds an AWFUL lot like MS-talk... Yes, everything
will be safer, better and faster... I know...

I'm not sure it's possible for anyone to be "new" to
Windows XP. XP was released on 25 October 2001, so it is
now over 9 years old!

I have used 95B on a 166MMX w/64MB RAM and a 33.6 modem from
1977 to about a year and a half ago . I could do EVERYTHING
except video and games (and I am not a gamer) and converting
music took 4 hours for a 3 minute file. So I bought a 2GHz
machine - now it takes 30 seconds. When my stupid ISP offered BB
for less than 2 phone lines and dial-up, I went for it, with
98SELite. About two months ago I started experimenting with XP
for the reason mentioned above.

See, anything is possible. (Except MS making a decent OS...)

 

[HeyBub]

I have used 95B on a 166MMX w/64MB RAM and a 33.6 modem from
1977 to about a year and a half ago . I could do EVERYTHING
except video and games (and I am not a gamer) and converting
music took 4 hours for a 3 minute file. So I bought a 2GHz
machine - now it takes 30 seconds. When my stupid ISP offered BB
for less than 2 phone lines and dial-up, I went for it, with
98SELite. About two months ago I started experimenting with XP
for the reason mentioned above.

See, anything is possible. (Except MS making a decent OS...)

Okay, try this: NTFS is self-healing (corrects most single and double-bit
errors), is much faster, (virtually) never needs defragging, can handle disk
capacities FAR larger than FAT32 (256 TB vs. 2TB), supports transactional
journaling and shadow copying, single instance storage (same content,
different names), larger file sizes (256TB vs 4GB), and, with NTSF, you get
fries.

 

[sgopus]

You don't trust NTFS??? Please elaborate! NTFS is a much more robust file
structure than FAT ever could be, self repairing, etc .

 

[Pegasus [MVP]]

Please tell me, how can i remove access of a file with command file,

location of the file is:

c:\usbstor.inf

i want to deny everyone to access this file..


thanks ,

vijay

Here you go:
- Log on as Administrator.
- Open a Command Prompt.
- Type these commands:
cacls c:\usbstor.inf /E /G system:F
cacls c:\usbstor.inf
- Make a note of the various users and/or groups that have access to this
file.
- Type this command for each user or group:
cacls c:\usbstor.inf /E /R "xxx"
where xxx is the name of the user or group. Do not delete the System
account!

Note this:
- Hiding the file or making it read-only is no protection because it can be
easily undone.
- Administrators can seize ownership of the file, then change permissions.
- If someone boots the machine with a suitable CD (e.g. DOS+NTFSDos.exe or
Bart PE) then he can read the file no matter what you do.

 

[thanatoid]

thanatoid wrote:


Okay, try this: NTFS is self-healing (corrects most single
and double-bit errors)

I don't trust things that "correct themselves", sorry. Nor do I
know what "single and double-bit errors" are and I am glad I
don't have to know.

is much faster

I was perfectly happy with my 166MHz machine, you don't need
3GHz quad-cores or NTFS to have speed, you need a user who is
not a moron and logical partitioning (I had 7 virt. drives on my
8.4GB drive under 95B and 16 virt. drives on my 40GB drive under
98SE, now I have only 8 or 9 on an 80GB drive and I miss the
others!

(virtually) never needs defragging

No virt. drive on either of the above mentioned configs ever
took longer than a minute to defrag. I am not lying.

can handle disk capacities FAR larger
than FAT32 (256 TB vs. 2TB)

When the day comes that I need more than a 2 TB HD, I will just
kill myself.

While I admit there ARE people who may need petabytes of
storage, they probably don't use NTFS either. Maybe something
called Unix, or a proprietary OS.

supports transactional journaling and shadow copying

I don't know what those are and I am glad I don't need to.

single instance storage (same content, different names)

Since you cannot possibly be talking about two identical files
with different names, see previous sentence.

larger file sizes (256TB vs 4GB)

The day I produce/DL/need/use a file larger than 4 GB I might as
well kill myself (I don't have a DVD drive, just a CD burner). I
don't think I ever had a file larger than 1.5 GB and that was an
uncompressed c: image.

and, with NTSF, you get fries.

I prefer McDonald's fries.

Peace and Love
t.

 

[thanatoid]

You don't trust NTFS??? Please elaborate! NTFS is a much
more robust file structure than FAT ever could be, self
repairing, etc .

Don't top-post.

It may be, but why mess with something that will be incompatible
with my other 8 partitions? (In the SIMPLEST sense, I know you
can convert and there are utils and NTFS may even "read" FAT32
[FAT16, FAT12] files by itself - I don't know and I don't want
to know.)

As for elaborating, I can't. All I can say is that I have seen
comments which made NTFS seem /not/ the garden of paradise most
of you think it is. And since I have had NO problems with FAT32
for about 13 or so years, why change? It won't me type any
faster, you know.

Also see previous reply to HeyBub.

 

[Andrew McLaren]

I am the only person who ever touches this computer, and I am
not going online with XP, I installed it only to use a specific
program/hardware combo which will NOT work in 98SELite.

Fair enough. The OP "Vijay" has posted several, uh, terse but similar
questions in the past, which make it sound like he is trying to lock
down XP machines in some kind of large-scale deployment; eg a business
or school. So the considerations he faces are likely somewhat different
to those of individual Windows users at home.

Sorry, this sounds an AWFUL lot like MS-talk... Yes, everything
will be safer, better and faster... I know...

Oh I can stand up and give a 3 hour lecture on the shortcoming of
Windows as an operating system; so please shoot me if I start to sound
like a marketeer But the TPM hardware is a cross-vendor effort
supported by many companies, not just Microsoft. And the builtin
"Bitlocker" facility in Windows Vista and 7 is only keeping pace with
equivalent features on other operating systems. The TPM cryptographic
hardware solves a lot of genuine security problems which have plagued
all general purpose PC OSs for a long time (mainframes have had built in
crypto support hardware for decades).

See http://en.wikipedia.org/wiki/Trusted_Platform_Module

See, anything is possible. (Except MS making a decent OS...)

The Windows NT Kernel is pretty secure, in the grand scheme of things.
The Windows user-mode subsystem (aka Win32) has some architectural
vulnerabilities which Microsoft know how to fix ... except it would
break every existing Windows application! In the kernel, every Windows
application runs in a protected memory space; and every kernel object
can be secured by ACLs. But the Win32 user mode objects, such as
Desktops and WinStations, are able to pass messages to each other, *by
design*, which provides (a) a very flexible and powerful user
environment, and (b) very porous (vulnerable) security boundaries.

Microsoft's response, since 2004, has been to develop major products
(especially Windows OS and SQL Server) using the Security Development
Lifecycle (SDL) methodology and tools. See:

http://blogs.msdn.com/sdl/

http://www.microsoft.com/downloads/...43-27f6-4aac-9883-f55ba5b01814&displaylang=en

This is one of the main reasons that Vista - for all its undoubted
problems - is significantly more secure than XP; and why Windows 7 is
significantly more secure again (and eliminates many Vista problems).

If older versions of Windows such as 98 meet your own specific needs
then that's fine; stick with them! But in the organisational context,
with large networks of Windows users needing to be both secure,
supported and productive, then the security features in current releases
of Windows are quite useful.

It is worth noting that most banks, government departments, security and
law enforcement agencies - all quite security-conscious organisations! -
run some version of Windows as their main desktop OS. A secure
deployment of Windows may require some work and planning; but it is not
a hopeless cause.

Cheers

Andrew

PS I guess you know already but Nyx was the mother of Thanatos, and
Hypnos was his brother - hence my opening quip )

 

[thanatoid]

Fair enough. The OP "Vijay" has posted several, uh, terse
but similar questions in the past, which make it sound like
he is trying to lock down XP machines in some kind of
large-scale deployment; eg a business or school. So the
considerations he faces are likely somewhat different to
those of individual Windows users at home.

Yes, or he has some things he wants to keep secret. That was
fairly clear.

BTW - after "sitting" on it for two months after physically
installing the card - I tried to install the SW yesterday. I
repeatedly got an installshield error/setup termination and
according to the company, I am the first person ever to report
it - which I fully believe - and they are dumfounded. I have had
stuff happen to me that you would NOT believe. Nice to get
another one.

See http://en.wikipedia.org/wiki/Trusted_Platform_Module

I appreciate the link but I am trying to keep my mind free of
things which do not directly concern me... I am getting older
and grey matter allocation tables are shrinking... ;-)

The Windows NT Kernel is pretty secure, in the grand scheme
of things. The Windows user-mode subsystem (aka Win32) has
some architectural vulnerabilities which Microsoft know how
to fix ... except it would break every existing Windows
application!

What a surprise...

In the kernel, every Windows application runs
in a protected memory space; and every kernel object can be
secured by ACLs. But the Win32 user mode objects, such as
Desktops and WinStations, are able to pass messages to each
other, *by design*, which provides (a) a very flexible and
powerful user environment, and (b) very porous (vulnerable)
security boundaries.

I can't understand most of that. My knowledge comes purely from
sitting in front of a total of maybe 15 Windows machines over
about 20 years. I have little formal computer education and a
lot of basics, sadly, are unknown to me.

Microsoft's response, since 2004, has been to develop major
products (especially Windows OS and SQL Server) using the
Security Development Lifecycle (SDL) methodology and tools.
See:

http://blogs.msdn.com/sdl/

http://www.microsoft.com/downloads/details.aspx?familyid=241
2c443-27f6-4aac-9883-f55ba5b01814&displaylang=en

Again, thanks, but no thanks. What I don't understand is why MS
doesn't just write a decent OS from scratch. Surely one of the
most profitable corporations in the world could afford to hire
the brainpower? And if the excuse is "awww, but then all our
customers would have to buy new software" is total BS since one
of the things MS is best at doing is FORCING everyone to buy new
software all the time anyway - either by making things
incompatible, changing formats, or just forcing the big world
corpo machine to upgrade since it "will fix all problems". It's
an inescapable chain reaction which works better than any
pyramid scheme ever conceived.

This is one of the main reasons that Vista - for all its
undoubted problems - is significantly more secure than XP;
and why Windows 7 is significantly more secure again (and
eliminates many Vista problems).

Possibly. I'll probably never know. After this XP test run, I'm
trying Linux - mostly because I have nothing better to do.

If older versions of Windows such as 98 meet your own
specific needs then that's fine; stick with them! But in
the organisational context, with large networks of Windows
users needing to be both secure, supported and productive,
then the security features in current releases of Windows
are quite useful.

I believe that, but I still think they should admit they have
been ****ing around with us long enough and start from scratch.

It is worth noting that most banks, government departments,
security and law enforcement agencies - all quite
security-conscious organisations! - run some version of
Windows as their main desktop OS. A secure deployment of
Windows may require some work and planning; but it is not
a hopeless cause.

I'm not sure I'd agree - again, I doubt any of those entities
would complain if MS issued a completely new totally secure
platform - they upgrade their HW and SW all the time anyway.

But like I said, MS prefer to throw good code after bad - I read
somewhere there's still 80's code in Vista, and I would not be
surprised if that were true. The fact there is not a single
person in the world who has read /ALL/ the Vista code and
therefore could answer that question
is another matter which proves how hopelessly tangled things
have gotten. When the garage is so full of crap you can barely
open the door 3 inches, it's time to do some MAJOR
housecleaning!

Cheers

I have enjoyed your posts, thanks.

PS I guess you know already but Nyx was the mother of
Thanatos, and Hypnos was his brother - hence my opening
quip )

While the names are familiar, I did not know the relationships,
BION. I have serious gaps in my knowledge. I chose thanatoid
because I have been obsessed with the idea of killing myself
since I was 10 years old - for a variety of unfortunate reasons
I am still here. Sigh...