PDA

View Full Version : Folder security trick.



b1naryb0y
15-12-2003, 12:36 PM
I've come across a nifty way of protecting folders on computers running Windows XP. This is not dependant on NTFS permissions or seperate user accounts. It is very handy when several people use the same account.

I've written a few very simple batchfiles that demonstrate how this works. Once downloaded please make sure you first read the readme file and have a look at the .bat files to see how it works.

The files can be found Here (http://homepages.slingshot.co.nz/~bflyger/files/protect.zip)

If you are super paranoid you should also deny access to the command prompt. You can do this by:

1) click start > run > and type gpedit.msc > then click ok
2) navigate to Local Computer Policy > User Configuration > Administrative
Templates > System
3) Under this tab there is a setting that can be used to prevent
access to cmd.exe, double click on "Prevent access to command prompt"
4) select "enabled" click ok.

Of course anyone with Admin rights can change this setting, so if you are sharing your computer with others, it is recommended that a "limited" account be used for everyday use.

somebody
15-12-2003, 02:47 PM
Cool.

dreamweaver
15-12-2003, 07:15 PM
Yes very cool, I can see this becoming very handy.

Greg S
15-12-2003, 11:22 PM
Thanks - it was something I was asking about recently. Look forward to trying it out.

b1naryb0y
16-12-2003, 12:23 AM
I've just uploaded a new version that also hides the protected folder from view. It remains hidden even if "show hidden files and folders" is enabled in the view tab of folder options.

Greg S
16-12-2003, 12:27 AM
Same download location?

http://homepages.slingshot.co.nz/~bflyger/files/protect.zip

b1naryb0y
16-12-2003, 12:29 AM
Yes, same location.

sam m
16-12-2003, 08:35 AM
Have no idea what to do with it, help please.

I dont really need this but I am curious as it may come in handy later (or may not) but I really want to learn about this sort of stuff.

Now that I have it on my computer in my downloads folder I have a folder called "terp stuff" that is on my desktop (this is going to be my business folder next year) that I want to practice this on.

What do I do now? (n00bie language please)

sam m

somebody
16-12-2003, 08:58 AM
b1naryb0y, hopefully you don't mind me explaining this.

Basically what happens is the script renames the name of the folder by using the DOS command:

ren folder folder.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

This is assuming that the name of the original folder is called "folder". In practice, what you could do is simply right click on the folder itself, select "rename", and add
.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}
to the end of your foldername.
for example, your folder could be named: "terp stuff.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}", and theoretically it'd be protected.

To unprotect the folder, you simply remove everything after and including the dot.

To hide the folder, the DOS attrib command is used, where the +r means to make the file read only, the +s means to make it a system file, and +h means to make it hidden from view. The command below (part of the .bat files in the protect.zip download) shows how it is done to the "folder" folder, after it's been protected by adding .{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} to it.

attrib +r +s +h folder.{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}


What I would do, is to right click and "Edit" "protect.bat", and change any instance of the word "folder" to "terp stuff" (will have to be in speech marks in the actual file). Do the same with the "unprotect.bat" file. Then move both the protect.bat and unprotect.bat files to your desktop, and double click the protect.bat file to protect and hide the folder, and double cli ck unprotect.bat to unhide and unprotect the folder. TRY THIS ON A FOLDER WHICH DOES NOT HAVE IMPORTANT STUFF first, in case something goes wrong.

Bear in mind that anyone who can access the protect.bat and unprotect.bat files will be able to unprotect your folder, so a good idea might be to copy the files to a floppy disk, and only copy them to the desktop to run them.

b1naryb0y
16-12-2003, 09:02 AM
Have a look at the readme file, that should give you some pointers.

Basically, all you have to do is extract the files to the desktop (the files must be in the same location as the folder you are wanting to protect). Then rename your "terp stuff" folder to "folder". Double click on protect.bat and voila.

Put the protect.bat and unprotect.bat files on a floppy so no one has access to them. Then delete those two files from the desktop.

When you want to unprotect your folder, just copy the unprotect.bat from the floppy to the desktop and double click it.

You can name the folder you are wanting to protect something other than "folder", but then you must also edit both of the .bat files. So it is easiest just to leave it as "folder".

sam m
16-12-2003, 09:54 AM
thanks guys,
Simple now that it works,
well done

sam m

-=JM=-
16-12-2003, 11:18 AM
So a regular user won't have the ability to change the name of the folder? I guess I'll have to try it out for myself I spose really.

hazza
16-12-2003, 11:23 AM
Thanks for that tip, B1nary B0y

somebody
16-12-2003, 11:27 AM
People who know what they're doing will be able to just manually change the folder name, but for those who are less computer-literate, it's an effective protection measure.

b1naryb0y
16-12-2003, 01:23 PM
If you rename the folder through windows, the folder remains protected. The only possible way of renaming it so it works as a normal folder, is to use the command prompt. To ensure security it is recommended to disable the command prompt. In the readme I have included instructions on how to do this.

Once you have protected a folder and the name includes the .{2559a....}, then it is not fully protected, and renaming it within windows will indeed unprotect it.

A correctly protected folder will not show the .{2559a....} in the folder name.

-=JM=-
16-12-2003, 02:06 PM
Haven't tried a different account but in my admin user account I can just rename the folders again. They get the padlock on them and I can't access the contents, but if I hit F2 and rename it's fine.

b1naryb0y
16-12-2003, 03:04 PM
is the ".{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" visible in the folder name once you have protected it?

I have found that if this is the case then yes you can just F2 an rename it, and it will become unprotected. If it doesn't include ".{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}" in the folder name then everything should be ok.

Windows sometimes tends to forget what the extension .{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0} is and therefore displays it. So I rename the folder, reboot, run protect.bat again and everything is fine.

-=JM=-
16-12-2003, 03:09 PM
Yeah, the icon changes and I can't get inside but it shows as the new folder name. I can delete the protected folder as well.

b1naryb0y
16-12-2003, 03:25 PM
I'm not aware of any way, apart from using NTFS permissions, to stop it being deleted. But it is a good way to hide sensitive data away from prying eyes.

As you are aware the folder is only visable if "Hide protected operating system files" is unchecked in folder options. Not many people have this unchecked so it should stop most people from being able to see or delete the folder.

If your folder still shows the leading .{2559..} after the name, you can try this. Open up folder options and on the view tab click "restore defaults". Now try protecting the folder again, the leading .{2559..} should no longer be there. Once you have done this you can restore your original folder options to the way they were and the folder name should stay as it is without the .{2559..}

Does that makes sense? :)

b1naryb0y
16-12-2003, 04:56 PM
Updated version.

It now prompts you if you wish to hide the folder or not.
The .bat files have been re-written to allow for easier editing of the folder name. Instead of having to enter the name 3 or 4 times, it only needs to be entered once. This is achieved by using the SET command.