== Protecting Files with Windows NTXP ==
== gE Technologies ==
== CACLS: A new look at new methods ==
== www.nuketutorials.com ==
= Last updated : 10th September 2002 by gloBal_enemy/Seremify =
Please do not mailbomb me or bombard me with **** as I do not
appreciate it. If you have a question; ask me. I'll try to help
but remember I'm doing this voluntarily and please give me some
credit for even trying to help spread some useful tricks to those
who don't know of them.
The same applies to viruses - I have antivirus running all the
time 24/7 but it doesn't mean that it'll stop me from having to
download **** on my 56kbps connection.
And I know I have mixed up the words "ATTRIBUTE" and "PARAMETER"
a million times here but I hope you can still understand it.
DOS ownz j00.
This document is provided 'as is' and is purely intended to be
used as a reference document. It may not be redistributed without
credit to the original owner -me under the alias "gloBal_enemy".
If you wish to publish this article somewhere, please ask me first
and I probably won't say NO; it's just more for interest's sake.
I'm sure Da Vinci would've liked to know that his paintings and
work would be some of the most respected/valued works in the
You may not modify this document in any way and then reproduce it
and claim it as your own. You may quote it or use the whole article
but PLEASE provide credit and if possible email me (as I enjoy
reading emails from people who read my guides on various topics).
Make sure to use an accurate subject and speak in English (my
skills in Japanese, Malay and Chinese are very limited but I will
try my best).
If you want to publish this file on your site because you think it
is "THAT GOOD" please do; but do not change anything and of course
email me. I might even (one day) add a link to all the places that
host this file (assuming it ever spreads) onto my own site (which I
am yet to have besides NukeTuts).
I take NO RESPONSIBILITY for your actions.
If you cannot figure out how it works, you can email me and I'll
most likely respond (unless I'm away of course) but if you
suffer physical or mental problems, or encounter financial
difficulties, then it is not my fault. Fair enough? If not, then
This document does not provide any insight into 'hacking' computer
systems but rather how to protect them and what to do if someone
has used the technique against you.
I will admit I didn't come across this CACLS thing on my own, I
had the help of a friend who uses the alias "KKOT" so I thank him
for telling me about this.
Anyway I noticed on ASTALAVISTA there are many ways to protect
stuff in Windows 2000 when you're on a shared area and so on; but
what if you don't have your own account and you access the generic
account (in our case it was "Student" and "Computing")? The tricks
of using special characters do not apply if you can still open the
folders through Windows Explorer, and the DOS commands for renaming
them using a password are too much trouble (not to mention that if
someone has an ASCII chart they'll find it in not too much time).
This method of locking files/folders could be used in conjunction
with the ASCII locking but I'm too lazy to use that method.
This method is FAR from secure. The only reason it works at all is
that there are a lot of people who didn't even know of it (such as
myself) until recently. If you feel that you are in an environment
of people who do not know very very advanced (undocumented) things
in DOS/Win2k/XP then carry on.
This system is mainly for people who do not have much power or
privileges (in our case it was the STUDENT account for the school)
and it allows you to protect your work from being deleted by
other more ignorant students.
** If you believe this could help you; carry on **
This method, "CACLS", uses Windows' built-in security system, also
known as ACLs (Access Control Lists), which determines who can and
can't access files. All admins have the power to control this via
Windows Explorer, but lower level users are likely not to have
access to Windows Explorer or the right mouse button, let alone
access to the Permissions tab in File Properties.
The concept is simple: since you are the OWNER you have full
permission rights over your files. OWNER and ADMINISTRATOR have the
same level of power over each file; usually the Administrator is the
owner if it is a system file (such as Windows), but if you create a
Word document or a PowerPoint presentation, you are the owner, and
this method prevents other foolish/stupid users from deleting it.
To do so, you (as owner) have to block all access to this file
(including yourself). This will work because it blocks USERNAMES
and not computers or domains. There are ways to block them but it
is pointless in my situation so I have yet to explore; feel free
to comment on it (and if suitable I can add it to this file).
The CACLS method also shows an "ACCESS DENIED" error (how nice)
should one try to modify (that includes EDIT and RENAME), move,
delete, or open/run the file. In DOS it will result in an ACCESS
DENIED message, but it will ALSO let users into directories; when
they try to see what's inside, the listing will be blank. A solution
to this is to use the /T switch (explained in the ADVANCED section
of this file).
CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]]
[/P user:perm [...]] [/D user [...]]
For more info try typing CACLS into the Win2k/XP DOS/Command prompt
for more instructions; or just keep reading for more easy2read
instructions. Beware, there may be a lot of me sidetracking...
From the above you can see there are multiple ways to do certain
things and many additional options you can use. The key commands
that you need to know (assuming you have DOS access) are:
(The example file will always be "happy.ppt" and the directory is
called "h:\gEtech"; the username is "Computing" and computername
- This will result in DOS showing you what the current ACL of a
The first part is self-explanatory (that is the file in question)
but the latter can be different depending on situation. It says
"c5-01" but if you were on a domain it would be the domain name
and the second section is the username from either the local PC
or domain. In this example ADMINISTRATOR does not have access to
the file and they never will; unless they are smart enough to
either change the owner (not too difficult) or to login as you
and then change the ACL. Both are possible for a 'determined'
As another sidenote; the (OI)(CI) mean that all files and
subdirectories within will be covered by the ACE. The colon
(:) separates the username from the permissions. More on ACE
- This will result in DOS showing you what the current ACL of
the file(s) is.
CACLS h:\gEtech\ /d Everyone
- This command is saying DENY access to the folder to EVERYONE;
that is ALL USERS including yourself. It will prompt for a 'Y'
to confirm it.
The (d - DENY) attribute means exactly that. It does not allow
any user (when used with EVERYONE) to open the file, rename it,
delete it, modify it, or anything. The only user with enough
power to change it (besides Administrator) is the person who
created it. The person who created it (you I hope) can then
apply a permission to it and stop access.
CACLS h:\gEtech\happy.ppt /d Everyone
- Same as above except to the individual file only.
CACLS h:\gEtech\ /e /d MrSmith
- This uses the /e which adds/modifies the current ACL rather
than totally clear it out and replace it. This works well when
you want to give different users different permissions.
CACLS h:\gEtech\ /g Lark:R
- This uses the (g - GRANT) and (R - Read Only) attributes.
By using this command you would be granting the user Lark READ
ONLY access. This means they cannot delete or modify the file, but
they can open it and save it elsewhere.
CACLS h:\gEtech\ /e /g Minat:F
- This uses the (e - Edit), (g - Grant) and (F - Full Access)
attributes. It will give the user Minat full access to the folder
whilst retaining the previous settings for other users.
There are other ways of granting and denying, as you can probably
already tell, but those are the most simplified methods. And yes, it
is possible to do more than one at a time, but I prefer to keep it
simple and to ensure I don't make mistakes. With the problem of
having to convert 255-character names into 8, a mistake on CACLS is
something you don't want to have to go back and fix. You can use
wildcards to combine files and users, but again I don't like making
mistakes; if you must, *.exe selects all EXEcutable files, and
Happy.* selects all files with the name Happy but an unknown
extension. The rest you can figure out..
Don't go locking the whole computer or you might get into trouble.
There are plenty of ethic guides to hacking on the net. Read them
if you think you may be a script kiddie or n00b of some sort.
If you must know more, continue reading; otherwise skip down a bit
and read more useful and somewhat relevant stuff.
More advanced but somewhat useless commands..
CACLS h:\gEtech\ /t /g Student:F
By using /T you are making it apply to all subdirectories.
CACLS h:\gEtech\*.exe /c /g Student:F
If there were files in that folder (gETech) that were not owned
by yourself; then they will not be granted access to. The /C will
make it continue processing files even if there is an error.
CACLS h:\gEtech\happy.ppt /e /r Computing
This uses /R to revoke any rights the user 'Computing' has. It
will only work with /E since it modifies the current ACL so all
other details/rights are left intact.
CACLS h:\gEtech\happy.ppt /p Computing:F
CACLS h:\gEtech\happy.ppt /p Computing:R
CACLS h:\gEtech\happy.ppt /p Computing:W
Above are some examples of /p (REPLACE USER RIGHTS) and I have
included a small ASCII (*gasp*) table of the different combos.
Rights - what goes after the colon (:)
Name   - what it's called
O      - Can it be opened (the file/folder the ACL applies to)?
         Once opened it can be saved anywhere else.
R      - Can it be renamed?
         Even if the file is READ ONLY you can still copy it elsewhere.
M      - Can it be moved? (essentially the same as above)
W      - Can it be written to? (i.e. adding text to a Word document)
D      - Can it be deleted?
         Even if it can't be deleted, if they can write to it, one
         user could clear out the whole file (making it empty) and
A      - Can the ACLs be viewed?

Rights  Name    O  R  M  W  D  A  Used with
N       None    N  N  N  N  N  N  /P
R       Read    Y  N  N  N  N  Y  /G /P
W       Write   Y  N  N  Y  N  Y  /G /P
C       Change  Y  Y  Y  Y  N  Y  /G /P
F       FULL    Y  Y  Y  Y  Y  Y  /G /P
CACLS h:\gETech\happy.ppt /e /r Computing
This will revoke the user Computing's rights. Also note (I just
remembered) that there is no mention of domain. You can specify
one if you wish but if you don't, then it applies to any user
trying to access the file/folder(s) from that account whether
they are local or roaming.
Revoke just removes whatever rights the user has (makes them an "N"),
but it must be used with /e, because on its own it does NOT replace
the rest of the ACL settings.
Want to make a batch file? Or go even further with VB?
If you want automation make note of the following;
If you wish to use something which does not contain "/E" there
will be a prompt. The prompts can be pressed automatically by
using the following line;
echo y|cacls h:\gETech /g Computing:F
Note there is no space between 'y' and | and 'cacls'. This will
automatically pipe the pressing of a Y into the cacls program.
If you wish to make it automatic but not use a Y, try using the
/E (edit) parameter. This does not have a prompt so it works
well with VB.
This brings me to my next point. I am yet to implement CACLS
properly into Visual Basic - please email me if you do find a way
to automatically suppress the "Y" without the use of a batch file.
If you want to call it; the file is located (CACLS) in;
..so by use of a Shell("c:\winnt\system32\cacls.exe h:\gEtech\happy.ppt /g computing:f")
you should get somewhere. Any further than that I cannot do as
I cannot suppress the button automatically.
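Putting the commands from this guide into one batch file, as an added example that is not part of the original guide: it locks the folder for Everyone, checks the result, and unlocks it again as the owner. It assumes the guide's folder h:\gEtech and the user name Computing; change both to suit your machine.

```batch
@echo off
rem Added example, not from the original guide. Assumes the guide's folder
rem H:\gEtech and the user "Computing" (change both to suit your machine).
rem Usage:  lockdir.bat lock    - deny Everyone, including yourself
rem         lockdir.bat unlock  - remove the deny and give Computing full access
rem         lockdir.bat status  - show the ACL and report whether it is locked
set TARGET=H:\gEtech
set ME=Computing

if /i "%1"=="lock"   goto lock
if /i "%1"=="unlock" goto unlock
if /i "%1"=="status" goto status
echo usage: %0 lock ^| unlock ^| status
goto end

:lock
rem /d without /e REPLACES the whole ACL with a single deny entry, so CACLS
rem asks "Are you sure (Y/N)?" - "echo y|" answers it (no space before the pipe).
rem /t pushes the same entry into every file and subfolder.
echo y|cacls "%TARGET%" /t /d Everyone
goto status

:unlock
rem Granting yourself back with /g alone is NOT enough: the deny entry for
rem Everyone stays in the ACL and a deny always wins over an allow, so the
rem deny is removed first with /e /r and the grant added with /e /g.
rem The top folder is fixed before /t is used, because the deny also stops
rem the owner from listing its contents. The owner can still change the ACL
rem because Windows always lets the owner read and rewrite it.
cacls "%TARGET%" /e /r Everyone
cacls "%TARGET%" /e /g %ME%:F
cacls "%TARGET%" /t /e /r Everyone
cacls "%TARGET%" /t /e /g %ME%:F
goto status

:status
rem A locked folder lists Everyone:(OI)(CI)N. "find" sets errorlevel 1 when
rem the string is absent, which makes this a quick check after either step.
cacls "%TARGET%"
cacls "%TARGET%" | find "Everyone:(OI)(CI)N" >nul
if errorlevel 1 (echo %TARGET% is NOT locked) else (echo %TARGET% is locked for Everyone)

:end
```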
If you're an administrator trying to fix the problem of someone
filling your network with CACLS'd stuff, then read on;
First you need to make yourself OWNER of the files. There are two
ways to do this.
One is by opening up Windows Explorer (Winkey + E), finding the
locked folder/files, right clicking them and then in the tab
"PERMISSIONS" or "ACCESS" make yourself OWNER of the file. There
are various ways of doing this, or just give yourself FULL ACCESS.
If it does not let you gain full access, you will have to make
yourself OWNER and that requires a bit of menu navigating but I'm
sure you will find it. In Windows XP it will prompt you that you
must be OWNER and ask if you wish to make yourself OWNER if you
attempt to change anything.
"The GUI in File Manager or Windows NT Explorer is currently
limited to replacing the ACLs."
-Taken from the Microsoft Article on CACLS listed below
The second method requires you to login as that user. Whether that
means you have to give him a blank password and then login as them
or you just get them to do it; this is the more obvious way to do it
and is a good way of punishing someone. To unlock the files from
here, you just use the above "GRANT" commands to allow access.
Note: You cannot remove an ACL as there is always one.
ACE - Access Control Entries
.. also known as "Container Access Inheritance Flags"
This is one of the smarter names used. If the container is locked,
you cannot open it. If the container is see-through (the folder is
allowed to be opened but the files inside are not - NP) you can still
see what's inside but you can't touch.
ACE's come about because certain files (such as files inside your
profile) only obtain their ACL or Access Rights because they are
located within another folder (or container in this analogy).
(IO) - means "Inherit Only" - it will not affect the current item but
it will travel within if other tags are used. This is a good
example of a clear container.
(CI) - means "Container Inherit" - if there are smaller containers
inside then they will have the same attributes as being set. If
used with the IO then of course the insides will be invisible
but the outside container will be see-through.
(OI) - means "Object Inherit" - if there are any files within this
container they will share the same attributes as the file being
selected. If you use the IO then of course they will be invisible.
(NP) - means "Non-Propagate" - this means that whatever you set here will