1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

remove access of a file with command prompt

Discussion in 'Windows XP' started by Vijay, Jan 3, 2010.

  1. Vijay

    Vijay Flightless Bird

    Please tell me, how can i remove access of a file with command file,

    location of the file is:

    c:/usbstor.inf

    i want to deny everyone to access this file..


    thanks ,

    vijay
     
  2. thanatoid

    thanatoid Flightless Bird

    =?Utf-8?B?VmlqYXk=?= <Vijay@discussions.microsoft.com> wrote
    in news:1D945210-ABB3-474C-A5C4-EBAF6E94CEE8@microsoft.com:

    > Please tell me, how can i remove access of a file with
    > command file,
    >
    > location of the file is:
    >
    > c:/usbstor.inf


    What the hell is it doing THERE?

    > i want to deny everyone to access this file..


    AFAIK, you can't, but I am new to XP and I may be wrong. If you
    make that file hidden and read-only - which you can do even in
    WinExplorer I believe - then, since your machine /probably/ has
    "do not show hidden and system files" checked ON, that should be
    enough.

    If not, just in case, the command line syntax would be:

    attrib +r +h c:/usbstor.inf

    (I could be wrong, corrections welcome.)

    And the system may not let you do it since the XP command line
    is "inside" XP which may not allow this action to be performed -
    in which case you would have to access the C drive with a DOS
    boot floppy/CD and change the attributes in "actual" DOS with
    the above line. (Change to the C: drive first, of course.)
    Whether everything will work OK afterwards is /another/
    question. And of course everyone still has access, if they know
    how to "see" hidden files.

    The bottom line is if someone who knows enough wants to get at
    something on any machine, they will. Accept it.

    I have a feeling you think that making that file "unavailable"
    will do something it won't/can't. What are you trying to achieve
    /exactly/?
     
  3. Bill in Co.

    Bill in Co. Flightless Bird

    thanatoid wrote:
    > =?Utf-8?B?VmlqYXk=?= <Vijay@discussions.microsoft.com> wrote
    > in news:1D945210-ABB3-474C-A5C4-EBAF6E94CEE8@microsoft.com:
    >
    >> Please tell me, how can i remove access of a file with
    >> command file,
    >>
    >> location of the file is:
    >>
    >> c:/usbstor.inf

    >
    > What the hell is it doing THERE?
    >
    >> i want to deny everyone to access this file..

    >
    > AFAIK, you can't, but I am new to XP and I may be wrong. If you
    > make that file hidden and read-only - which you can do even in
    > WinExplorer I believe - then, since your machine /probably/ has
    > "do not show hidden and system files" checked ON, that should be
    > enough.
    >
    > If not, just in case, the command line syntax would be:
    >
    > attrib +r +h c:/usbstor.inf
    >
    > (I could be wrong, corrections welcome.)
    >
    > And the system may not let you do it since the XP command line
    > is "inside" XP which may not allow this action to be performed -
    > in which case you would have to access the C drive with a DOS
    > boot floppy/CD and change the attributes in "actual" DOS with
    > the above line. (Change to the C: drive first, of course.)


    Access the C: drive with a DOS boot disk? I don't think so. How can
    DOS access the NTFS volume of C: (without some other special software)?
    It's not a FAT volume (unless he's one of those rare exceptions that set up
    XP on FAT32).

    > Whether everything will work OK afterwards is /another/
    > question. And of course everyone still has access, if they know
    > how to "see" hidden files.
    >
    > The bottom line is if someone who knows enough wants to get at
    > something on any machine, they will. Accept it.
    >
    > I have a feeling you think that making that file "unavailable"
    > will do something it won't/can't. What are you trying to achieve
    > /exactly/?
     
  4. Andrew McLaren

    Andrew McLaren Flightless Bird

    Vijay wrote:
    > Please tell me, how can i remove access of a file with command file,
    > location of the file is:
    > c:/usbstor.inf
    > i want to deny everyone to access this file..


    Hi Vijay,

    You probably don't want to remove access to this file for Everyone. That
    would remove access for Administrator, Local System, and your own user
    account.

    What you probably want is to leave access for Everyone, but remove
    access for the Group 'Users'. That way, the operating system itself, and
    administrators, can still access the file; but ordinary users cannot.

    Also, depending on the file's function, you may want to keep Read access
    for Users, but remove their permissions to modify or delete the file.

    By far the easiest way to edit permissions is to use the GUI ACL Editor,
    which is reached via Explorer, <file> properties, Security.

    But the command-line tool which does the same thing as the GUI, is the
    CACLS command. This is a built-in command, part of the XP OS.

    The exact syntax will depend on what permissions you want to set.
    Frankly, while CACLS is a very powerful and flexible command, its syntax
    can be a little hairy. So you'll want to read up on the syntax
    carefully, before you run the command. Also, test it on a scratch file,
    before you destroy, I mean, modify the real target file.

    CACLS /? at a command prompt will get you started. Or see:

    http://technet.microsoft.com/en-us/library/bb490872.aspx

    Hope this helps,

    Andrew

    --
    amclar at optusnet dot com dot au
     
  5. Andrew McLaren

    Andrew McLaren Flightless Bird

    thanatoid wrote:
    > AFAIK, you can't, but I am new to XP and I may be wrong. If you
    > (I could be wrong, corrections welcome.)
    > The bottom line is if someone who knows enough wants to get at
    > something on any machine, they will. Accept it.


    Hi Thanatoid

    (Hmmm - was your mother named Nyxoid? And your brother Hypnoid? But, I
    digress ... :)

    You did say "corrections welcome".

    What you've written would be true for FAT and FAT32 file systems, like
    you'd find on Windows 95, 98 and Me.

    Windows XP was built on the Windows NT codebase (via Windows 2000); and
    as such it uses NTFS as its native file system. FAT has no security
    features at all. NTFS has support for strong (Orange Book, C2 style)
    security built in from scratch, right from the beginning back in 1992.
    NTFS allows both strong and very granular control over file security
    using ACLs ("access control lists"). In fact, the use of ACLs has now
    become pretty widespread in many versions of Unix as an adjunct to
    native Unix-style permissions.

    I wouldn't go so far as to say NTFS is utterly impregnable (physical
    access can compromise most file systems). But a properly managed XP
    workstation in a Windows domain, with appropriate physical security (ie
    you can't take teh hard disk away for the night), will resist most
    ordinary attempts by users - even "knowlegdeable" users - to access
    protected files.

    In addition, Vista and Windows 7 add support for Trusted Platform Module
    ("TPM") hardware via the Bitlocker feature, which will make a properly
    secured hard disk highly resistant to compromise, even when an attacker
    has unlimited physical access to the drive media.

    I'm not sure it's possible for anyone to be "new" to Windows XP. XP was
    released on 25 October 2001, so it is now over 9 years old!

    Cheers,

    Andrew

    --
    amclar at optusnet dot com dot au
     
  6. John John - MVP

    John John - MVP Flightless Bird

    Vijay wrote:
    > Please tell me, how can i remove access of a file with command file,
    >
    > location of the file is:
    >
    > c:/usbstor.inf
    >
    > i want to deny everyone to access this file..


    Windows XP will reset the permission on the file if a user needs to use
    it... like when he plugs in a USB device, so on Windows XP it's futile
    to set permissions on this file. You could accomplish what you want by
    renaming the file.

    John
     
  7. Andrew McLaren

    Andrew McLaren Flightless Bird

    Vijay wrote:
    >> Please tell me, how can i remove access of a file with command file,
    >> location of the file is: c:/usbstor.inf
    >> i want to deny everyone to access this file..


    BTW assuming you want to control whether users' can attach USB storage
    devices, see this KB article for details:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
     
  8. thanatoid

    thanatoid Flightless Bird

    "Bill in Co." <not_really_here@earthlink.net> wrote in
    news:eYaELcPjKHA.6096@TK2MSFTNGP02.phx.gbl:

    > Access the C: drive with a DOS boot disk? I don't think
    > so. How can DOS access the NTFS volume of C: (without
    > some other special software)? It's not a FAT volume (unless
    > he's one of those rare exceptions that set up XP on FAT32).


    True, I forgot about NTFS... But wouldn't an NTFS boot disk/CD
    (they DO exist???) do the job as well? Just guessing...

    BTW, I have XP installed on a FAT32 partition - I don't trust
    NTFS. I am sure I am not the only one in the world. Anyway,
    there is more to this story than the simple question he posed.
     
  9. thanatoid

    thanatoid Flightless Bird

    Andrew McLaren <me@somewhere.com> wrote in
    news:eaTM4RQjKHA.4672@TK2MSFTNGP06.phx.gbl:

    > thanatoid wrote:
    >> AFAIK, you can't, but I am new to XP and I may be wrong.
    >> If you (I could be wrong, corrections welcome.)
    >> The bottom line is if someone who knows enough wants to
    >> get at something on any machine, they will. Accept it.

    >
    > Hi Thanatoid
    >
    > (Hmmm - was your mother named Nyxoid? And your brother
    > Hypnoid? But, I digress ... :)


    No, but I am thanatoid, all lower case ;-) And digressions are
    always welcome as well... They are often more interesting than
    the subject.

    > You did say "corrections welcome".


    I sure as hell did. I know when I talk about what I know little
    of.

    > What you've written would be true for FAT and FAT32 file
    > systems, like you'd find on Windows 95, 98 and Me.


    And a FAT32 install of XP like mine.

    > Windows XP was built on the Windows NT codebase (via
    > Windows 2000); and as such it uses NTFS as its native file
    > system. FAT has no security features at all. NTFS has
    > support for strong (Orange Book, C2 style) security built
    > in from scratch, right from the beginning back in 1992.


    Well, I didn't know that detail, but from what I read in NG's
    and other places every day those security measures are not
    working all that well. "Security" and "Microsoft" do not belong
    to the same family of words. It takes a smart user to be secure.
    Personally, in almost 20 years I have never had an infection -
    ONE virus in an email from a clueless friend but since I had all
    scripting disabled and I do not use a webmail client, just a
    small POP/SMTP program, it couldn't DO anything.

    > NTFS allows both strong and very granular control over file
    > security using ACLs ("access control lists"). In fact, the
    > use of ACLs has now become pretty widespread in many
    > versions of Unix as an adjunct to native Unix-style
    > permissions.


    Well, I have NEVER had a single problem with FAT32, and I did
    once have to recover data from a 40GB HD which crashed (I DO
    have problems with suicidal HD's). OTOH I once read an MVP (!)
    refer to NTFS as a "fiasco". Of course, that's just one person's
    opinion. But why complicate things? I have 9 FAT32 partitions
    and XP went on one of them. It seems to like it just fine.

    > I wouldn't go so far as to say NTFS is utterly impregnable
    > (physical access can compromise most file systems). But a
    > properly managed XP workstation in a Windows domain, with
    > appropriate physical security (ie you can't take teh hard
    > disk away for the night), will resist most ordinary
    > attempts by users - even "knowlegdeable" users - to access
    > protected files.


    I am the only person who ever touches this computer, and I am
    not going online with XP, I installed it only to use a specific
    program/hardware combo which will NOT work in 98SELite.

    > In addition, Vista and Windows 7 add support for Trusted
    > Platform Module ("TPM") hardware via the Bitlocker feature,
    > which will make a properly secured hard disk highly
    > resistant to compromise, even when an attacker has
    > unlimited physical access to the drive media.


    Sorry, this sounds an AWFUL lot like MS-talk... Yes, everything
    will be safer, better and faster... I know...

    > I'm not sure it's possible for anyone to be "new" to
    > Windows XP. XP was released on 25 October 2001, so it is
    > now over 9 years old!


    I have used 95B on a 166MMX w/64MB RAM and a 33.6 modem from
    1977 to about a year and a half ago . I could do EVERYTHING
    except video and games (and I am not a gamer) and converting
    music took 4 hours for a 3 minute file. So I bought a 2GHz
    machine - now it takes 30 seconds. When my stupid ISP offered BB
    for less than 2 phone lines and dial-up, I went for it, with
    98SELite. About two months ago I started experimenting with XP
    for the reason mentioned above.

    See, anything is possible. (Except MS making a decent OS...)
     
  10. HeyBub

    HeyBub Flightless Bird

    thanatoid wrote:
    >
    > I have used 95B on a 166MMX w/64MB RAM and a 33.6 modem from
    > 1977 to about a year and a half ago . I could do EVERYTHING
    > except video and games (and I am not a gamer) and converting
    > music took 4 hours for a 3 minute file. So I bought a 2GHz
    > machine - now it takes 30 seconds. When my stupid ISP offered BB
    > for less than 2 phone lines and dial-up, I went for it, with
    > 98SELite. About two months ago I started experimenting with XP
    > for the reason mentioned above.
    >
    > See, anything is possible. (Except MS making a decent OS...)


    Okay, try this: NTFS is self-healing (corrects most single and double-bit
    errors), is much faster, (virtually) never needs defragging, can handle disk
    capacities FAR larger than FAT32 (256 TB vs. 2T8), supports transactional
    journaling and shadow copying, single instance storage (same content,
    different names), larger file sizes (256TB vs 4G8), and, with NTSF, you get
    fries.
     
  11. sgopus

    sgopus Flightless Bird

    You don't trust NTFS??? Please elaborate! NTFS is a much more robust file
    structure than FAT ever could be, self repairing, etc .

    "thanatoid" wrote:

    > "Bill in Co." <not_really_here@earthlink.net> wrote in
    > news:eYaELcPjKHA.6096@TK2MSFTNGP02.phx.gbl:
    >
    > > Access the C: drive with a DOS boot disk? I don't think
    > > so. How can DOS access the NTFS volume of C: (without
    > > some other special software)? It's not a FAT volume (unless
    > > he's one of those rare exceptions that set up XP on FAT32).

    >
    > True, I forgot about NTFS... But wouldn't an NTFS boot disk/CD
    > (they DO exist???) do the job as well? Just guessing...
    >
    > BTW, I have XP installed on a FAT32 partition - I don't trust
    > NTFS. I am sure I am not the only one in the world. Anyway,
    > there is more to this story than the simple question he posed.
    >
    > .
    >
     
  12. Pegasus [MVP]

    Pegasus [MVP] Flightless Bird

    "Vijay" <Vijay@discussions.microsoft.com> said this in news item
    news:1D945210-ABB3-474C-A5C4-EBAF6E94CEE8@microsoft.com...
    > Please tell me, how can i remove access of a file with command file,
    >
    > location of the file is:
    >
    > c:/usbstor.inf
    >
    > i want to deny everyone to access this file..
    >
    >
    > thanks ,
    >
    > vijay


    Here you go:
    - Log on as Administrator.
    - Open a Command Prompt.
    - Type these commands:
    cacls c:/usbstor.inf /E /G system:F
    cacls c:/usbstor.inf
    - Make a note of the various users and/or groups that have access to this
    file.
    - Type this command for each user or group:
    cacls c:/usbstor.inf /E /R "xxx"
    where xxx is the name of the user or group. Do not delete the System
    account!

    Note this:
    - Hiding the file or making it read-only is no protection because it can be
    easily undone.
    - Administrators can seize ownership of the file, then change permissions.
    - If someone boots the machine with a suitable CD (e.g. DOS+NTFSDos.exe or
    Bart PE) then he can read the file no matter what you do.
     
  13. thanatoid

    thanatoid Flightless Bird

    "HeyBub" <heybub@gmail.com> wrote in
    news:uxB28NZjKHA.5608@TK2MSFTNGP05.phx.gbl:

    > thanatoid wrote:


    <SNIP>

    >> See, anything is possible. (Except MS making a decent
    >> OS...)

    >
    > Okay, try this: NTFS is self-healing (corrects most single
    > and double-bit errors)


    I don't trust things that "correct themselves", sorry. Nor do I
    know what "single and double-bit errors" are and I am glad I
    don't have to know.

    > is much faster


    I was perfectly happy with my 166MHz machine, you don't need
    3GHz quad-cores or NTFS to have speed, you need a user who is
    not a moron and logical partitioning (I had 7 virt. drives on my
    8.4GB drive under 95B and 16 virt. drives on my 40GB drive under
    98SE, now I have only 8 or 9 on an 80GB drive and I miss the
    others!

    > (virtually) never needs defragging


    No virt. drive on either of the above mentioned configs ever
    took longer than a minute to defrag. I am not lying.

    > can handle disk capacities FAR larger
    > than FAT32 (256 TB vs. 2T8)


    When the day comes that I need more than a 2 TB HD, I will just
    kill myself.

    While I admit there ARE people who may need petabytes of
    storage, they probably don't use NTFS either. Maybe something
    called Unix, or a proprietary OS.

    > supports transactional journaling and shadow copying


    I don't know what those are and I am glad I don't need to.

    > single instance storage (same content, different names)


    Since you cannot possibly be talking about two identical files
    with different names, see previous sentence.

    > larger file sizes (256TB vs 4G8)


    The day I produce/DL/need/use a file larger than 4 GB I might as
    well kill myself (I don't have a DVD drive, just a CD burner). I
    don't think I ever had a file larger than 1.5 GB and that was an
    uncompressed c: image.

    > and, with NTSF, you get fries.


    I prefer McDonald's fries.

    Peace and Love
    t.
     
  14. thanatoid

    thanatoid Flightless Bird

    =?Utf-8?B?c2dvcHVz?= <sgopus@discussions.microsoft.com> wrote
    in news:2D9FB50D-BE46-492D-8655-2B178155F200@microsoft.com:

    > You don't trust NTFS??? Please elaborate! NTFS is a much
    > more robust file structure than FAT ever could be, self
    > repairing, etc .


    Don't top-post.

    It may be, but why mess with something that will be incompatible
    with my other 8 partitions? (In the SIMPLEST sense, I know you
    can convert and there are utils and NTFS may even "read" FAT32
    [FAT16, FAT12] files by itself - I don't know and I don't want
    to know.)

    As for elaborating, I can't. All I can say is that I have seen
    comments which made NTFS seem /not/ the garden of paradise most
    of you think it is. And since I have had NO problems with FAT32
    for about 13 or so years, why change? It won't me type any
    faster, you know.

    Also see previous reply to HeyBub.
     
  15. Andrew McLaren

    Andrew McLaren Flightless Bird

    thanatoid wrote:

    > I am the only person who ever touches this computer, and I am
    > not going online with XP, I installed it only to use a specific
    > program/hardware combo which will NOT work in 98SELite.


    Fair enough. The OP "Vijay" has posted several, uh, terse but similar
    questions in the past, which make it sound like he is trying to lock
    down XP machines in some kind of large-scale deployment; eg a business
    or school. So the considerations he faces are likely somewhat different
    to those of individual Windows users at home.

    >> In addition, Vista and Windows 7 add support for Trusted
    >> Platform Module ("TPM") hardware via the Bitlocker feature,

    >
    > Sorry, this sounds an AWFUL lot like MS-talk... Yes, everything
    > will be safer, better and faster... I know...


    Oh I can stand up and give a 3 hour lecture on the shortcoming of
    Windows as an operating system; so please shoot me if I start to sound
    like a marketeer :) But the TPM hardware is a cross-vendor effort
    supported by many companies, not just Microsoft. And the builtin
    "Bitlocker" facility in Windows Vista and 7 is only keeping pace with
    equivalent features on other operating systems. The TPM cryptographic
    hardware solves a lot of genuine security problems which have plagued
    all general purpose PC OSs for a long time (mainframes have had built in
    crypto support hardware for decades).

    See http://en.wikipedia.org/wiki/Trusted_Platform_Module

    > See, anything is possible. (Except MS making a decent OS...)


    The Windows NT Kernel is pretty secure, in the grand scheme of things.
    The Windows user-mode subsystem (aka Win32) has some architectural
    vulnerabilities which Microsoft know how to fix ... except it would
    break every existing Windows application! In the kernel, every Windows
    application runs in a protected memory space; and every kernel object
    can be secured by ACLs. But the Win32 user mode objects, such as
    Desktops and WinStations, are able to pass messages to each other, *by
    design*, which provides (a) a very flexible and powerful user
    environment, and (b) very porous (vulnerable) security boundaries.

    Microsoft's response, since 2004, has been to develop major products
    (especially Windows OS and SQL Server) using the Security Development
    Lifecycle (SDL) methodology and tools. See:

    http://blogs.msdn.com/sdl/

    http://www.microsoft.com/downloads/...43-27f6-4aac-9883-f55ba5b01814&displaylang=en

    This is one of the main reasons that Vista - for all its undoubted
    problems - is significantly more secure than XP; and why Windows 7 is
    significantly more secure again (and eliminates many Vista problems).

    If older versions of Windows such as 98 meet your own specific needs
    then that's fine; stick with them! But in the organisational context,
    with large networks of Windows users needing to be both secure,
    supported and productive, then the security features in current releases
    of Windows are quite useful.

    It is worth noting that most banks, government departments, security and
    law enforcement agencies - all quite security-conscious organisations! -
    run some version of Windows as their main desktop OS. A secure
    deployment of Windows may require some work and planning; but it is not
    a hopeless cause.

    Cheers

    Andrew

    PS I guess you know already but Nyx was the mother of Thanatos, and
    Hypnos was his brother - hence my opening quip :))

    --
    amclar at optusnet dot com dot au
     

Share This Page