• Welcome to Tux Reports: Where Penguins Fly. We hope you find the topics varied, interesting, and worthy of your time. Please become a member and join in the discussions.

remove access of a file with command prompt

V

Vijay

Flightless Bird
Please tell me, how can i remove access of a file with command file,

location of the file is:

c:/usbstor.inf

i want to deny everyone to access this file..


thanks ,

vijay
 
T

thanatoid

Flightless Bird
=?Utf-8?B?VmlqYXk=?= <Vijay@discussions.microsoft.com> wrote
in news:1D945210-ABB3-474C-A5C4-EBAF6E94CEE8@microsoft.com:

> Please tell me, how can i remove access of a file with
> command file,
>
> location of the file is:
>
> c:/usbstor.inf


What the hell is it doing THERE?

> i want to deny everyone to access this file..


AFAIK, you can't, but I am new to XP and I may be wrong. If you
make that file hidden and read-only - which you can do even in
WinExplorer I believe - then, since your machine /probably/ has
"do not show hidden and system files" checked ON, that should be
enough.

If not, just in case, the command line syntax would be:

attrib +r +h c:/usbstor.inf

(I could be wrong, corrections welcome.)

And the system may not let you do it since the XP command line
is "inside" XP which may not allow this action to be performed -
in which case you would have to access the C drive with a DOS
boot floppy/CD and change the attributes in "actual" DOS with
the above line. (Change to the C: drive first, of course.)
Whether everything will work OK afterwards is /another/
question. And of course everyone still has access, if they know
how to "see" hidden files.

The bottom line is if someone who knows enough wants to get at
something on any machine, they will. Accept it.

I have a feeling you think that making that file "unavailable"
will do something it won't/can't. What are you trying to achieve
/exactly/?
 
B

Bill in Co.

Flightless Bird
thanatoid wrote:
> =?Utf-8?B?VmlqYXk=?= <Vijay@discussions.microsoft.com> wrote
> in news:1D945210-ABB3-474C-A5C4-EBAF6E94CEE8@microsoft.com:
>
>> Please tell me, how can i remove access of a file with
>> command file,
>>
>> location of the file is:
>>
>> c:/usbstor.inf

>
> What the hell is it doing THERE?
>
>> i want to deny everyone to access this file..

>
> AFAIK, you can't, but I am new to XP and I may be wrong. If you
> make that file hidden and read-only - which you can do even in
> WinExplorer I believe - then, since your machine /probably/ has
> "do not show hidden and system files" checked ON, that should be
> enough.
>
> If not, just in case, the command line syntax would be:
>
> attrib +r +h c:/usbstor.inf
>
> (I could be wrong, corrections welcome.)
>
> And the system may not let you do it since the XP command line
> is "inside" XP which may not allow this action to be performed -
> in which case you would have to access the C drive with a DOS
> boot floppy/CD and change the attributes in "actual" DOS with
> the above line. (Change to the C: drive first, of course.)


Access the C: drive with a DOS boot disk? I don't think so. How can
DOS access the NTFS volume of C: (without some other special software)?
It's not a FAT volume (unless he's one of those rare exceptions that set up
XP on FAT32).

> Whether everything will work OK afterwards is /another/
> question. And of course everyone still has access, if they know
> how to "see" hidden files.
>
> The bottom line is if someone who knows enough wants to get at
> something on any machine, they will. Accept it.
>
> I have a feeling you think that making that file "unavailable"
> will do something it won't/can't. What are you trying to achieve
> /exactly/?
 
A

Andrew McLaren

Flightless Bird
Vijay wrote:
> Please tell me, how can i remove access of a file with command file,
> location of the file is:
> c:/usbstor.inf
> i want to deny everyone to access this file..


Hi Vijay,

You probably don't want to remove access to this file for Everyone. That
would remove access for Administrator, Local System, and your own user
account.

What you probably want is to leave access for Everyone, but remove
access for the Group 'Users'. That way, the operating system itself, and
administrators, can still access the file; but ordinary users cannot.

Also, depending on the file's function, you may want to keep Read access
for Users, but remove their permissions to modify or delete the file.

By far the easiest way to edit permissions is to use the GUI ACL Editor,
which is reached via Explorer, <file> properties, Security.

But the command-line tool which does the same thing as the GUI, is the
CACLS command. This is a built-in command, part of the XP OS.

The exact syntax will depend on what permissions you want to set.
Frankly, while CACLS is a very powerful and flexible command, its syntax
can be a little hairy. So you'll want to read up on the syntax
carefully, before you run the command. Also, test it on a scratch file,
before you destroy, I mean, modify the real target file.

CACLS /? at a command prompt will get you started. Or see:

http://technet.microsoft.com/en-us/library/bb490872.aspx

Hope this helps,

Andrew

--
amclar at optusnet dot com dot au
 
A

Andrew McLaren

Flightless Bird
thanatoid wrote:
> AFAIK, you can't, but I am new to XP and I may be wrong. If you
> (I could be wrong, corrections welcome.)
> The bottom line is if someone who knows enough wants to get at
> something on any machine, they will. Accept it.


Hi Thanatoid

(Hmmm - was your mother named Nyxoid? And your brother Hypnoid? But, I
digress ... :)

You did say "corrections welcome".

What you've written would be true for FAT and FAT32 file systems, like
you'd find on Windows 95, 98 and Me.

Windows XP was built on the Windows NT codebase (via Windows 2000); and
as such it uses NTFS as its native file system. FAT has no security
features at all. NTFS has support for strong (Orange Book, C2 style)
security built in from scratch, right from the beginning back in 1992.
NTFS allows both strong and very granular control over file security
using ACLs ("access control lists"). In fact, the use of ACLs has now
become pretty widespread in many versions of Unix as an adjunct to
native Unix-style permissions.

I wouldn't go so far as to say NTFS is utterly impregnable (physical
access can compromise most file systems). But a properly managed XP
workstation in a Windows domain, with appropriate physical security (ie
you can't take teh hard disk away for the night), will resist most
ordinary attempts by users - even "knowlegdeable" users - to access
protected files.

In addition, Vista and Windows 7 add support for Trusted Platform Module
("TPM") hardware via the Bitlocker feature, which will make a properly
secured hard disk highly resistant to compromise, even when an attacker
has unlimited physical access to the drive media.

I'm not sure it's possible for anyone to be "new" to Windows XP. XP was
released on 25 October 2001, so it is now over 9 years old!

Cheers,

Andrew

--
amclar at optusnet dot com dot au
 
J

John John - MVP

Flightless Bird
Vijay wrote:
> Please tell me, how can i remove access of a file with command file,
>
> location of the file is:
>
> c:/usbstor.inf
>
> i want to deny everyone to access this file..


Windows XP will reset the permission on the file if a user needs to use
it... like when he plugs in a USB device, so on Windows XP it's futile
to set permissions on this file. You could accomplish what you want by
renaming the file.

John
 
A

Andrew McLaren

Flightless Bird
Vijay wrote:
>> Please tell me, how can i remove access of a file with command file,
>> location of the file is: c:/usbstor.inf
>> i want to deny everyone to access this file..


BTW assuming you want to control whether users' can attach USB storage
devices, see this KB article for details:

http://support.microsoft.com/default.aspx?scid=kb;en-us;823732
 
T

thanatoid

Flightless Bird
"Bill in Co." <not_really_here@earthlink.net> wrote in
news:eYaELcPjKHA.6096@TK2MSFTNGP02.phx.gbl:

> Access the C: drive with a DOS boot disk? I don't think
> so. How can DOS access the NTFS volume of C: (without
> some other special software)? It's not a FAT volume (unless
> he's one of those rare exceptions that set up XP on FAT32).


True, I forgot about NTFS... But wouldn't an NTFS boot disk/CD
(they DO exist???) do the job as well? Just guessing...

BTW, I have XP installed on a FAT32 partition - I don't trust
NTFS. I am sure I am not the only one in the world. Anyway,
there is more to this story than the simple question he posed.
 
T

thanatoid

Flightless Bird
Andrew McLaren <me@somewhere.com> wrote in
news:eaTM4RQjKHA.4672@TK2MSFTNGP06.phx.gbl:

> thanatoid wrote:
>> AFAIK, you can't, but I am new to XP and I may be wrong.
>> If you (I could be wrong, corrections welcome.)
>> The bottom line is if someone who knows enough wants to
>> get at something on any machine, they will. Accept it.

>
> Hi Thanatoid
>
> (Hmmm - was your mother named Nyxoid? And your brother
> Hypnoid? But, I digress ... :)


No, but I am thanatoid, all lower case ;-) And digressions are
always welcome as well... They are often more interesting than
the subject.

> You did say "corrections welcome".


I sure as hell did. I know when I talk about what I know little
of.

> What you've written would be true for FAT and FAT32 file
> systems, like you'd find on Windows 95, 98 and Me.


And a FAT32 install of XP like mine.

> Windows XP was built on the Windows NT codebase (via
> Windows 2000); and as such it uses NTFS as its native file
> system. FAT has no security features at all. NTFS has
> support for strong (Orange Book, C2 style) security built
> in from scratch, right from the beginning back in 1992.


Well, I didn't know that detail, but from what I read in NG's
and other places every day those security measures are not
working all that well. "Security" and "Microsoft" do not belong
to the same family of words. It takes a smart user to be secure.
Personally, in almost 20 years I have never had an infection -
ONE virus in an email from a clueless friend but since I had all
scripting disabled and I do not use a webmail client, just a
small POP/SMTP program, it couldn't DO anything.

> NTFS allows both strong and very granular control over file
> security using ACLs ("access control lists"). In fact, the
> use of ACLs has now become pretty widespread in many
> versions of Unix as an adjunct to native Unix-style
> permissions.


Well, I have NEVER had a single problem with FAT32, and I did
once have to recover data from a 40GB HD which crashed (I DO
have problems with suicidal HD's). OTOH I once read an MVP (!)
refer to NTFS as a "fiasco". Of course, that's just one person's
opinion. But why complicate things? I have 9 FAT32 partitions
and XP went on one of them. It seems to like it just fine.

> I wouldn't go so far as to say NTFS is utterly impregnable
> (physical access can compromise most file systems). But a
> properly managed XP workstation in a Windows domain, with
> appropriate physical security (ie you can't take teh hard
> disk away for the night), will resist most ordinary
> attempts by users - even "knowlegdeable" users - to access
> protected files.


I am the only person who ever touches this computer, and I am
not going online with XP, I installed it only to use a specific
program/hardware combo which will NOT work in 98SELite.

> In addition, Vista and Windows 7 add support for Trusted
> Platform Module ("TPM") hardware via the Bitlocker feature,
> which will make a properly secured hard disk highly
> resistant to compromise, even when an attacker has
> unlimited physical access to the drive media.


Sorry, this sounds an AWFUL lot like MS-talk... Yes, everything
will be safer, better and faster... I know...

> I'm not sure it's possible for anyone to be "new" to
> Windows XP. XP was released on 25 October 2001, so it is
> now over 9 years old!


I have used 95B on a 166MMX w/64MB RAM and a 33.6 modem from
1977 to about a year and a half ago . I could do EVERYTHING
except video and games (and I am not a gamer) and converting
music took 4 hours for a 3 minute file. So I bought a 2GHz
machine - now it takes 30 seconds. When my stupid ISP offered BB
for less than 2 phone lines and dial-up, I went for it, with
98SELite. About two months ago I started experimenting with XP
for the reason mentioned above.

See, anything is possible. (Except MS making a decent OS...)
 
H

HeyBub

Flightless Bird
thanatoid wrote:
>
> I have used 95B on a 166MMX w/64MB RAM and a 33.6 modem from
> 1977 to about a year and a half ago . I could do EVERYTHING
> except video and games (and I am not a gamer) and converting
> music took 4 hours for a 3 minute file. So I bought a 2GHz
> machine - now it takes 30 seconds. When my stupid ISP offered BB
> for less than 2 phone lines and dial-up, I went for it, with
> 98SELite. About two months ago I started experimenting with XP
> for the reason mentioned above.
>
> See, anything is possible. (Except MS making a decent OS...)


Okay, try this: NTFS is self-healing (corrects most single and double-bit
errors), is much faster, (virtually) never needs defragging, can handle disk
capacities FAR larger than FAT32 (256 TB vs. 2T8), supports transactional
journaling and shadow copying, single instance storage (same content,
different names), larger file sizes (256TB vs 4G8), and, with NTSF, you get
fries.
 
S

sgopus

Flightless Bird
You don't trust NTFS??? Please elaborate! NTFS is a much more robust file
structure than FAT ever could be, self repairing, etc .

"thanatoid" wrote:

> "Bill in Co." <not_really_here@earthlink.net> wrote in
> news:eYaELcPjKHA.6096@TK2MSFTNGP02.phx.gbl:
>
> > Access the C: drive with a DOS boot disk? I don't think
> > so. How can DOS access the NTFS volume of C: (without
> > some other special software)? It's not a FAT volume (unless
> > he's one of those rare exceptions that set up XP on FAT32).

>
> True, I forgot about NTFS... But wouldn't an NTFS boot disk/CD
> (they DO exist???) do the job as well? Just guessing...
>
> BTW, I have XP installed on a FAT32 partition - I don't trust
> NTFS. I am sure I am not the only one in the world. Anyway,
> there is more to this story than the simple question he posed.
>
> .
>
 
P

Pegasus [MVP]

Flightless Bird
"Vijay" <Vijay@discussions.microsoft.com> said this in news item
news:1D945210-ABB3-474C-A5C4-EBAF6E94CEE8@microsoft.com...
> Please tell me, how can i remove access of a file with command file,
>
> location of the file is:
>
> c:/usbstor.inf
>
> i want to deny everyone to access this file..
>
>
> thanks ,
>
> vijay


Here you go:
- Log on as Administrator.
- Open a Command Prompt.
- Type these commands:
cacls c:/usbstor.inf /E /G system:F
cacls c:/usbstor.inf
- Make a note of the various users and/or groups that have access to this
file.
- Type this command for each user or group:
cacls c:/usbstor.inf /E /R "xxx"
where xxx is the name of the user or group. Do not delete the System
account!

Note this:
- Hiding the file or making it read-only is no protection because it can be
easily undone.
- Administrators can seize ownership of the file, then change permissions.
- If someone boots the machine with a suitable CD (e.g. DOS+NTFSDos.exe or
Bart PE) then he can read the file no matter what you do.
 
T

thanatoid

Flightless Bird
"HeyBub" <heybub@gmail.com> wrote in
news:uxB28NZjKHA.5608@TK2MSFTNGP05.phx.gbl:

> thanatoid wrote:


<SNIP>

>> See, anything is possible. (Except MS making a decent
>> OS...)

>
> Okay, try this: NTFS is self-healing (corrects most single
> and double-bit errors)


I don't trust things that "correct themselves", sorry. Nor do I
know what "single and double-bit errors" are and I am glad I
don't have to know.

> is much faster


I was perfectly happy with my 166MHz machine, you don't need
3GHz quad-cores or NTFS to have speed, you need a user who is
not a moron and logical partitioning (I had 7 virt. drives on my
8.4GB drive under 95B and 16 virt. drives on my 40GB drive under
98SE, now I have only 8 or 9 on an 80GB drive and I miss the
others!

> (virtually) never needs defragging


No virt. drive on either of the above mentioned configs ever
took longer than a minute to defrag. I am not lying.

> can handle disk capacities FAR larger
> than FAT32 (256 TB vs. 2T8)


When the day comes that I need more than a 2 TB HD, I will just
kill myself.

While I admit there ARE people who may need petabytes of
storage, they probably don't use NTFS either. Maybe something
called Unix, or a proprietary OS.

> supports transactional journaling and shadow copying


I don't know what those are and I am glad I don't need to.

> single instance storage (same content, different names)


Since you cannot possibly be talking about two identical files
with different names, see previous sentence.

> larger file sizes (256TB vs 4G8)


The day I produce/DL/need/use a file larger than 4 GB I might as
well kill myself (I don't have a DVD drive, just a CD burner). I
don't think I ever had a file larger than 1.5 GB and that was an
uncompressed c: image.

> and, with NTSF, you get fries.


I prefer McDonald's fries.

Peace and Love
t.
 
T

thanatoid

Flightless Bird
=?Utf-8?B?c2dvcHVz?= <sgopus@discussions.microsoft.com> wrote
in news:2D9FB50D-BE46-492D-8655-2B178155F200@microsoft.com:

> You don't trust NTFS??? Please elaborate! NTFS is a much
> more robust file structure than FAT ever could be, self
> repairing, etc .


Don't top-post.

It may be, but why mess with something that will be incompatible
with my other 8 partitions? (In the SIMPLEST sense, I know you
can convert and there are utils and NTFS may even "read" FAT32
[FAT16, FAT12] files by itself - I don't know and I don't want
to know.)

As for elaborating, I can't. All I can say is that I have seen
comments which made NTFS seem /not/ the garden of paradise most
of you think it is. And since I have had NO problems with FAT32
for about 13 or so years, why change? It won't me type any
faster, you know.

Also see previous reply to HeyBub.
 
A

Andrew McLaren

Flightless Bird
thanatoid wrote:

> I am the only person who ever touches this computer, and I am
> not going online with XP, I installed it only to use a specific
> program/hardware combo which will NOT work in 98SELite.


Fair enough. The OP "Vijay" has posted several, uh, terse but similar
questions in the past, which make it sound like he is trying to lock
down XP machines in some kind of large-scale deployment; eg a business
or school. So the considerations he faces are likely somewhat different
to those of individual Windows users at home.

>> In addition, Vista and Windows 7 add support for Trusted
>> Platform Module ("TPM") hardware via the Bitlocker feature,

>
> Sorry, this sounds an AWFUL lot like MS-talk... Yes, everything
> will be safer, better and faster... I know...


Oh I can stand up and give a 3 hour lecture on the shortcoming of
Windows as an operating system; so please shoot me if I start to sound
like a marketeer :) But the TPM hardware is a cross-vendor effort
supported by many companies, not just Microsoft. And the builtin
"Bitlocker" facility in Windows Vista and 7 is only keeping pace with
equivalent features on other operating systems. The TPM cryptographic
hardware solves a lot of genuine security problems which have plagued
all general purpose PC OSs for a long time (mainframes have had built in
crypto support hardware for decades).

See http://en.wikipedia.org/wiki/Trusted_Platform_Module

> See, anything is possible. (Except MS making a decent OS...)


The Windows NT Kernel is pretty secure, in the grand scheme of things.
The Windows user-mode subsystem (aka Win32) has some architectural
vulnerabilities which Microsoft know how to fix ... except it would
break every existing Windows application! In the kernel, every Windows
application runs in a protected memory space; and every kernel object
can be secured by ACLs. But the Win32 user mode objects, such as
Desktops and WinStations, are able to pass messages to each other, *by
design*, which provides (a) a very flexible and powerful user
environment, and (b) very porous (vulnerable) security boundaries.

Microsoft's response, since 2004, has been to develop major products
(especially Windows OS and SQL Server) using the Security Development
Lifecycle (SDL) methodology and tools. See:

http://blogs.msdn.com/sdl/

http://www.microsoft.com/downloads/...43-27f6-4aac-9883-f55ba5b01814&displaylang=en

This is one of the main reasons that Vista - for all its undoubted
problems - is significantly more secure than XP; and why Windows 7 is
significantly more secure again (and eliminates many Vista problems).

If older versions of Windows such as 98 meet your own specific needs
then that's fine; stick with them! But in the organisational context,
with large networks of Windows users needing to be both secure,
supported and productive, then the security features in current releases
of Windows are quite useful.

It is worth noting that most banks, government departments, security and
law enforcement agencies - all quite security-conscious organisations! -
run some version of Windows as their main desktop OS. A secure
deployment of Windows may require some work and planning; but it is not
a hopeless cause.

Cheers

Andrew

PS I guess you know already but Nyx was the mother of Thanatos, and
Hypnos was his brother - hence my opening quip :))

--
amclar at optusnet dot com dot au
 
Top