A+ R A-

Protecting Files with Windows NTXP

By gloBal_enemy/Seremify

== Protecting Files with Windows NTXP   ==    gE Technologies      ====   CACLS:   A new look at new methods   == www.nuketutorials.com ==


= Last updated : 10th September 2002 by gloBal_enemy/Seremify   =

= Email : This e-mail address is being protected from spambots. You need JavaScript enabled to view it              ICQ : 7929694         =



Please do not mailbomb me or bombard me with **** as I do not

appreciate it. If you have a question; ask me. I'll try to help

but remember I'm doing this voluntarily and please give me some

credit for even trying to help spread some useful tricks to those

who don't know of them.


The same applies to viruses - I have antivirus running all the

time 24/7 but it doesn't mean that it'll stop me from having to

download **** on my 56kbps connection.


And I know I have mixed up the words "ATTRIBUTE" and "PARAMETER"

a million times here but I hope you can still understand it.


DOS ownz j00.





This document is provided 'as is' and is purely intended to be

used as a reference document. It may not be redistributed without

credit to the original owner -me under the alias "gloBal_enemy".

If you wish to publish this article somewhere, please ask me first

and I probably won't say NO, its just more of an interests sake.

I'm sure Da Vinci would've liked to know that his paintings and

work would be some of the most respected/valued works in the



You may not modify this document in any way and then reproduce it

and claim it as your own. You may quote it or use the whole article

but PLEASE provide credit and if possible email me (as I enjoy

reading emails from people who read my guides on various topics).

Make sure to use an accurate subject and speak in English (my

skills in Japanese, Malay and Chinese are very limited but I will

try my best).


If you want to publish this file on your site because you think it

is "THAT GOOD" please do; but do not change anything and of course

email me. I might even (one day) add a link to all the places that

host this file (assuming it ever spreads) onto my own site (which I

am yet to have besides NukeTuts).


I take NO RESPONSIBILITY for your actions.


If you cannot figure out how it works, you can email me and I'll

most likely respond (unless I'm away of course) but if you

suffer physical or mental problems, or encounter financial

difficulties, then it is not my fault. Fair enough? If not, then

stop reading.


This document does not provide any insight into 'hacking' computer

systems but rather how to protect them and what to do if someone

has used the technique against you.



I will admit I didn't come across this CACLS thing on my own, I

had the help of a friend who uses the alias "KKOT" so I thank him

for telling me about this.




Anyway I noticed on ASTALAVISTA there are many ways to protect

stuff in Windows 2000 when your on a shared area and so on; but

what if you don't have your own account and you access the generic

account (in our case it was "Student" and "Computing"). The tricks

of using special characters do not apply if you can still open the

folders through Windows Explorer, and the DOS commands for renaming

them using a password is too much trouble (not to mention if

someone has an ASCII chart they'll find it in not too much time).


This method of locking files/folders could be used in conjunction

with the ASCII locking but I'm too lazy to use that method.


This method is FAR from secure. The only reason why it is; is

because there are alot of people who don't even know of it (such as

myself) until recently. If you feel that you are in an environment

of people who do not know very very advanced (undocumented) things

in DOS/Win2k/XP then carry on.


This system is mainly for people who do not have much power or

priveliges (in our case it was the STUDENT account for the school)

and this allows you to protect your work from being deleted by

other more ignorant students.



** If you believe this could help you; carry on **



This method "CACLS" uses Windows inbuilt security systems also

known as ACLs (Access Control Lists) which determine who can and

can't access files. All admins have the power to control this via

Windows Explorer but lower level users are likely to not have

access to Windows Explorer or Right Mouse buttons, let alone

access to the Permissions tab on File Properties.


The concept is simple; since you are OWNER you have full permission

rights over files. OWNER and ADMINISTRATOR have same level of power

for each file; but usually the Administrator is the owner if it is

a system file (such as Windows) but if you make a Word Document or

a Powerpoint presentation; then this method would prevent other

foolish/stupid users from deleting it.


To do so, you (as owner) have to block all access to this file

(including yourself). This will work because it blocks USERNAMES

and not computers or domains. There are ways to block them but it

is pointless in my situation so I have yet to explore; feel free

to comment on it (and if suitable I can add it to this file).


The method of CACLS also shows an "ACCESS DENIED" error (how nice)

should one try to modify (that includes EDIT and RENAME), move,

delete, or open/run the file. In DOS it will result in an ACCESS

DENIED message but ALSO it will allow users into directories but

when they try to see whats inside it will be blank. A solution

around this is to use the /T switch (explained in ADVANCED section

of this file).



CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]

[/P user:perm [...]] [/D user [...]]


For more info try typing CACLS into Win2k/XP Dos/Command prompt

for more instructions; or just keep reading for more easy2read

instructions. Beware there may be alot of me sidetracking...




>From the above you can see there are multiple ways to do certain

things and many additional options you can use. The key commands

that you need to know (assuming you have DOS access) are;


(The example file will always be "happy.ppt" and the directory is

called "h:\gEtech"; the username is "Computing" and computername

is "C5-01")


CACLS h:\gEtech\

- This will result in DOS showing you what the current ACL of a

directory is.


H:\gEtech\ c5-01\Student:(OI)(CI)F


The first part is self-explanatory (that is the file in question)

but the latter can be different depending on situation. It says

"c5-01" but if you were on a domain it would be the domain name

and the second section is the username from either the local PC

or domain. In this example ADMINISTRATOR does not have access to

the file and they never will; unless they are smart enough to

either change the owner (not too difficult) or to login as you

and then change the ACL. Both are possible for a 'determined'


As another sidenote; the (OI)(CI) mean that all files and

subdirectories within will be covered by the ACE. The colon

(:) seperates the username from the permissions. More on ACE



CACLS h:\gEtech\happy.ppt

- This will result in DOS showing you what the current ACL of

the file(s) is.


CACLS h:\gEtech\ /d Everyone

- This command is saying DENY access to the folder to EVERYONE;

that is ALL USERS including yourself. It will prompt for a 'Y'

to confirm it.


The (d - DENY) attribute means exactly that. It does not allow

any user (when used with EVERYONE) to open the file, rename it,

delete it, modify it, or anything. The only user with enough

power to change it (besides Administrator) is the person who

created it. The person who created it (you I hope) can then

apply a permission to it and stop access.


CACLS h:\gEtech\happy.ppt /d Everyone

- Same as above except to the individual file only.


CACLS h:\gEtech\ /e /d MrSmith

- This uses the /e which adds/modifies the current ACL rather

than totally clear it out and replace it. This works well when

you want to give different users different permissions.


CACLS h:\gEtech\ /g Lark:R

- This uses the (g - GRANT) and the (R - Read Only) attributes.


By using this command you would be granting the user LARK to

READ ONLY. This means they cannot delete nor modify the file but

they have access to opening it and saving it elsewhere.


CACLS h:\gEtech\ /e /g Minat:F

- This uses (e - Edit) and (g - Grant) and (f - Full Access)

attributes. It will give the user MANIT full access to the folder

whilst retaining the previous settings for other users.


There are other ways of granting and denying as you can probably

already tell but those are the most simplified methods. And yes it

is possible to do more than one at a time but I prefer to keep it

simple and to ensure I don't make mistakes. With the problem of

having to try to convert 255character names into 8, making a mistake

on CACLS is something you don't want to have to go back to. You can

use wildcards to combine files and users but again I don't like

making mistakes but if you must, you use *.exe to make all EXEcutable

files selected, and Happy.* to make all files with the name Happy

but an unknown extension selected. The rest you can figure out..


Don't go locking the whole computer or you might get into trouble.

There are plenty of ethic guides to hacking on the net. Read them

if you think you may be a script kiddie or n00b of some sort.


If you must know more, continue reading; otherwise skip down a bit

and read more useful and somewhat relevant stuff.



More advanced but somewhat useless commands..


CACLS h:\gEtech\ /t /g Student:F

By using /T you are making it apply to all subdirectories.


CACLS h:\gEtech\*.exe /c /g Student:F

If there were files in that folder (gETech) that were not owned

by yourself; then they will not be granted access to. The /C will

make it continue processing files even if there is an error.


CACLS h:\gEtech\happy.ppt /e /r Computing

This uses /R to revoke any rights the user 'Computing' has. It

will only work with /E since it modifies the current ACL so all

other details/rights are left intact.


CACLS h:\gEtech\happy.ppt /p Computing:F

CACLS h:\gEtech\happy.ppt /p Computing:R

CACLS h:\gEtech\happy.ppt /p Computing:W

Above are some examples of /p (REPLACE USER RIGHTS) and I have

included a small ASCII (*gasp*) table of the different combos.


Rights - what goes after the colon :

Name - what its called

O - Can it be Opened (the file/folder ACL applies to)

Once opened it can be saved anywhere else.

R - Can it be renamed?

Even if file is READ ONLy you can still copy it elsewhere.

M - Can it be moved? (essentially the same as above)

W - Can it be written to? (ie. Adding text to a word document)

D - Can it be deleted?

Even if it can't be deleted, if they can write to it, one

user could clear out the whole file (making it empty) and

save it.

A - Can the ACLs be viewed?



= Rights = Name     = O = R = M = W = D = A = Used with       =


= N       = None     = N = N = N = N = N = N = /P              =

= R       = Read     = Y = N = N = N = N = Y = /G /P           =

= W       = Write    = Y = N = N = Y = N = Y = /G /P           =

= C       = Change   = Y = Y = Y = Y = N = Y = /G /P           =

= F       = FULL     = Y = Y = Y = Y = Y = Y = /G /P           =



CACLS h:\gETech\happy.ppt /e /r Computing

This will revoke the user Computing's rights. Also note (I just

remembered) that there is no mention of domain. You can specify

one if you wish but if you don't, then it applies to any user

trying to access the file/folder(s) from that account whether

they are local or roaming.

Revoke just removes any right (makes them a "N") the user has but

it must be used with /e as it does NOT change the ACL settings.



Want to make a batch file? Or go even further with VB?


If you want automation make note of the following;


If you wish to use something which does not contain "/E" there

will be a prompt. The prompts can be pressed automatically by

using the following line;


echo y|cacls h:\gETech /g Computing:F


Note there is no space between 'y' and | and 'cacls'. This will

automatically pipe the pressing of a Y into the cacls program.


If you wish to make it automatic but not use a Y, try using the

/E (edit) parameter. This does not have a prompt so it works

well with VB.


This brings me to my next point. I am yet to impliment CACLS

properly into Visual Basic - please email me if you do find a way

to automatically supress the "Y" without the use of a batch file.


If you want to call it; the file is located (CACLS) in;



..so by use of a Shell(c:\winnt\system32\cacls.exe /g computing:f)

you should get somewhere. Any further than that I cannot do as

I cannot supress the button automatically.



If your an administrator trying to fix the problem of someone

making your network full of CACLS's stuff then read on;


First you need to make yourself OWNER of the files. There are two

ways to do this.


One is by opening up Windows Explorer (Winkey + E), finding the

locked folder/files, right clicking them and then in the tab

"PERMISSIONS" or "ACCESS" make yourself OWNER of the file. There

are various ways of doing this, or just give yourself FULL ACCESS.

If it does not let you gain full access, you will have to make

yourself OWNER and that requires a bit of menu navigating but I'm

sure you will find it. In Windows XP it will prompt you that you

must be OWNER and ask if you wish to make yourself OWNER if you

attempt to change anything.


"The GUI in File Manager or Windows NT Explorer is currently

limited to replacing the ACLs."

-Taken from the Microsoft Article on CACLS listed below


The second method requires you to login as that user. Whether that

means you have to give him a blank password and then login as them

or you just get them to do it; this is the more obvious way to do it

and is a good way of punishing someone. To unlock the files from

here, you just use the above "GRANT" commands to allow access.


Note: You cannot remove an ACL as there is always one.



ACE - Access Control Entries

.. or known as "Container Access Inheritence Flags"


This is one of the smarter names used. If the container is locked,

you cannot open it. If the container is see through (Folder is

allowed to be opened but files inside are not - NP) you can still

see whats inside but you can't touch.


ACE's come about because certain files (such as files inside your

profile) only obtain their ACL or Access Rights because they are

located within another folder (or container in this analogy).



- means "Inherit Only" - it will not affect the current item but

it will travel within if other tags are used. This is a good

example of a clear container.



- means "Container Inherit" - if there are smaller containers

inside then they will have the same attributes as being set. If

used with the IO then of course the insides will be invisible

but the outside container will be see through.



- means "Object Inherit" - if there are any files within this

container they will share the same attributes as the file being

selected. If you use the IO then of course they will be invisible.



- means "Non-Propogate" - this means that whatever you set here will


Get email updates