Discussion:
Access protected folders using system account
Juan
2009-03-11 13:55:49 UTC
Hi,

I'm developing a vbscript. The vbscript needs to access every file, or
folder, on the local hard disks. I only need to access the name of the
file. I'm using Windows XP and an NTFS partition, so it's possible to
restrict access to a folder so that only the owner is able to access
the folder.

To avoid this situation, it's supposed that the NT AUTHORITY/system
account is able to access every file in the system. To execute the
vbscript I'm using the Scheduled Tasks, using the system account. But
when the script tries to access a protected folder, a "Permission
denied" error is returned.

Does anybody have any idea what can be happening?

Thank you very much.

Regards.

Juan.
Pegasus
2009-03-11 15:17:44 UTC
Run the batch file c:\Juan.bat (see below) in three modes:
a) When logged on as Administrator
b) As a scheduled task in the same way as you do with your script.
c) As a scheduled task, invoked like so:
at 16:45 c:\Juan.bat
(Make sure the time is 5 minutes in the future)

@echo off
set folder=d:\Some Folder
echo %date% %time% %UserName% >> c:\test.txt
cacls "%folder%" 1>>c:\test.txt 2>>&1
dir "%folder%" 1>>c:\test.txt 2>>&1
echo. 1>>c:\test.txt 2>>&1

When finished, post the contents of c:\test.txt.
Juan
2009-03-12 09:53:38 UTC
Hi Pegasus,

First of all, thank you very much for your help.

I send the results of the batch file in the three modes. It's strange
that the user name in the cases b and c does not appear.

Test_administrator.txt
------------------------------------------------------------------
12/03/2009 10:38:04,35 Administrator
e:\HPAdmin
Access is denied.
Volume in drive E is Datos
Volume Serial Number is 4E37-C425

Directory of e:\HPAdmin

File Not Found

Test_sch.txt
------------------------------------------------------------------
12/03/2009 10:40:21,01
e:\HPAdmin
Access is denied.
Volume in drive E is Datos
Volume Serial Number is 4E37-C425

Directory of e:\HPAdmin

File Not Found

Test_at.txt
------------------------------------------------------------------
12/03/2009 10:39:00,07
e:\HPAdmin
Access is denied.
Volume in drive E is Datos
Volume Serial Number is 4E37-C425

Directory of e:\HPAdmin

File Not Found


I tried something similar: in my script I added a function to show the
username. And when the script was executed with Scheduled Task or the at
command, the SYSTEM user was shown.

The function that I used was:

Function WhoAmI

    Dim objNetwork
    Dim strCurrentUserName, strCurrentDomainName, strFullUserName
    Dim strComputerName

    ' WScript.Network reports the account the script host is running as
    Set objNetwork = WScript.CreateObject("WScript.Network")

    strCurrentUserName = objNetwork.UserName
    strCurrentDomainName = objNetwork.UserDomain
    strComputerName = objNetwork.ComputerName

    strFullUserName = strCurrentUserName

    WhoAmI = strFullUserName
    ' WScript.Echo "Current logged in user: " & strFullUserName & " on " & strComputerName & VbCrLf

End Function

Again, thank you very much.

Regards.
Pegasus [MVP]
2009-03-12 10:08:08 UTC
I had forgotten that the System account does not show up when you run a
session under this account.

To get back to your main issue: I would do this -
1. Seize ownership of the folder.
2. Set the permissions so that only the System and the user's account can
access the folder.
3. Use at.exe to run my batch file to recheck the permission structure.
Juan
2009-03-13 07:24:19 UTC
Hi Pegasus,

I've done the steps you told me.

As you can see, it's possible to access the folder. But the question
is: would it be possible to access the folder, using a script executed
by the SYSTEM account, if I remove the permissions for the SYSTEM
user?

The result is the following:

13/03/2009 8:11:00,04
e:\HPAdmin JVALERO1\hpadmin:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F

Volume in drive E is Datos
Volume Serial Number is 4E37-C425

Directory of e:\HPAdmin

10/03/2009 12:51 <DIR> .
10/03/2009 12:51 <DIR> ..
10/03/2009 12:51 <DIR> Trans CBR1000RR
0 File(s) 0 bytes
3 Dir(s) 22.195.945.472 bytes free

I really appreciate your help.

Thank you very much.

Juan
Pegasus [MVP]
2009-03-13 09:53:57 UTC
No, it isn't.
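
Added example, not part of the original thread: a Python parser for the cacls section of the test.txt blocks posted above, reporting whether the listed ACL grants list access to a process running as SYSTEM. The function names and the SYSTEM_TOKEN group list are assumptions of this example; only simple cacls entries are parsed and accounts are matched by name.

```python
import re

# A simple cacls entry: ACCOUNT:(OI)(CI)F. Inheritance flags are optional and
# the right is N(one), R(ead), W(rite), C(hange) or F(ull). Multi-line
# "special access" entries are not handled here.
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\((?:OI|CI|IO)\))*)(?P<right>[NRWCF])$")

# Names carried in the token of a process running as SYSTEM (assumed list).
SYSTEM_TOKEN = ("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
                "Everyone", "NT AUTHORITY\\Authenticated Users")

def parse_cacls(text, folder):
    """Return (acl_readable, {ACCOUNT: right}) for the cacls listing of folder."""
    aces, denied, started = {}, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not started:
            if not line.lower().startswith(folder.lower()):
                continue                    # timestamp line written by the batch file
            started, line = True, line[len(folder):].strip()
            if not line:
                continue                    # path alone: entries or an error follow
        if line.lower().startswith("access is denied"):
            denied = True                   # the caller could not read the ACL at all
            break
        m = ACE_RE.match(line)
        if not m:
            break                           # blank line or start of the dir output
        aces[m.group("who").upper()] = m.group("right")
    return (not denied, aces)

def can_list(text, folder, principals=SYSTEM_TOKEN):
    """'yes' or 'no' from the listed entries; 'unknown' if the ACL was unreadable."""
    readable, aces = parse_cacls(text, folder)
    if not readable:
        return "unknown"
    rights = [aces[p.upper()] for p in principals if p.upper() in aces]
    if "N" in rights:
        return "no"                         # an explicit no-access entry wins
    return "yes" if any(r in "RCF" for r in rights) else "no"

# Listings copied from the outputs posted in this thread.
BEFORE = "12/03/2009 10:39:00,07\ne:\\HPAdmin\nAccess is denied.\n Volume in drive E is Datos\n"
AFTER = ("13/03/2009 8:11:00,04\ne:\\HPAdmin JVALERO1\\hpadmin:(OI)(CI)F\n"
         "           NT AUTHORITY\\SYSTEM:(OI)(CI)F\n\n Volume in drive E is Datos\n")
# Constructed: the same listing with the SYSTEM entry removed.
OWNER_ONLY = "e:\\HPAdmin JVALERO1\\hpadmin:(OI)(CI)F\n"

for name, log in (("before", BEFORE), ("after", AFTER), ("owner only", OWNER_ONLY)):
    print(name, can_list(log, "e:\\HPAdmin"))
```
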
Juan
2009-03-13 17:03:21 UTC
Pegasus,

Thank you very much for your help.

Only one thought... I don't understand why some antivirus software (I
have Symantec installed) is able to access folders with this kind of
permissions. I suppose the antivirus software has a way to bypass
NTFS security.

Regards.
Pegasus
2009-03-13 17:12:11 UTC
What makes you think that AV software can access folders that are beyond the
reach of the System account?
Juan
2009-03-13 18:13:19 UTC
Because if I scan for viruses in the "problematic" folder, the AV
software doesn't complain about an "Access Denied" error and the AV
software says that a certain number of files have been scanned.
Pegasus
2009-03-13 22:28:25 UTC
This is probably because it doesn't scan that folder! You can confirm this
easily by placing the industry-standard Eicar test virus file into your
folder. Read here how to create it:
http://www.eicar.org/anti_virus_test_file.htm
