Background
In an earlier post, Raimund Andrée – NTFSSecurity, we mentioned having considered Microsoft’s icacls for reviewing NTFS permissions.
icacls
Let us try using Microsoft’s icacls.
Sample Script
Scenario
In our use case we will be using icacls to review NTFS Permissions on the C:\Windows\System32\Tasks\ folder.
Windows saves metadata on scheduled tasks in this folder.
Code Overview
- Issue “setlocal” to begin localizing environment settings
- Set environment variables
  - Set _folder (the target folder) to C:\Windows\System32\Tasks\
  - Set _appPgm to icacls
- Set local variables to indicate entries that we would like to discard from the output
- Issue forfiles
  - /p
  - /c
    - Set command to invoke
      - cmd /c
      - if @ISDIR==FALSE
        - Skip folders; work only on actual files
      - if @ext==\"\"
        - Tasks are saved without extensions, so limit the files we work on to those that do not have extensions
      - Issue “%_appPgm% @PATH /q”
        - _appPgm is previously set to icacls
        - Parameters
          - @PATH
            - Forfiles is asked to substitute the current full filename
          - /q
            - Tells icacls to suppress success messages
- Issue “endlocal” to revert localized environment settings
Code Actual
setlocal

REM Target folder and the program used to list ACLs
set _folder=C:\Windows\System32\Tasks\
set _appPgm=icacls

REM Output filters: drop inherited entries, marked (I), and the icacls summary line
set _skipInherited=
set _skipSP=
set _skipInherited=find /V "(I)"
set _skipSP=find /V "Successfully processed"

REM Added period (.) after folder name for /p argument
forfiles /P "%_folder%." /c "cmd /c if @ISDIR==FALSE if @ext==\"\" echo @PATH | %_appPgm% @PATH /q" | %_skipInherited% | %_skipSP%

endlocal
Output
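Added example (not part of the original post): icacls prints each file's first ACE on the same line as the file path, so a line filter such as find /V "(I)" also drops the path whenever that first ACE is inherited. The Python below parses captured icacls output per ACE instead, so the path stays attached to the explicit entries. The sample text, the task name and the EXAMPLE\svc-backup principal are constructed, and the path is assumed to be known to the caller because icacls is run once per file.

```python
import re

# One ACE as icacls prints it: principal, colon, then parenthesised flag groups.
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^()]*\))+)$")

# Constructed sample of icacls output for one task file (not real data).
SAMPLE_PATH = r"C:\Windows\System32\Tasks\Nightly Backup"
_PAD = " " * (len(SAMPLE_PATH) + 1)
SAMPLE = "\n".join([
    SAMPLE_PATH + r" NT AUTHORITY\SYSTEM:(I)(F)",
    _PAD + r"BUILTIN\Administrators:(I)(F)",
    _PAD + r"EXAMPLE\svc-backup:(M)",
    "",
    "Successfully processed 1 files; Failed processing 0 files",
])


def find_v(text, needle):
    """Mimic `find /V "needle"`: keep the lines that do not contain needle."""
    return [ln for ln in text.splitlines() if needle not in ln]


def explicit_aces(path, text):
    """Return [(principal, [flags])] for the non-inherited ACEs on `path`."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        # The first ACE shares its line with the path; NTFS paths are
        # case-insensitive, so compare without regard to case.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:  # blank line or the "Successfully processed" summary
            continue
        flags = re.findall(r"\(([^()]*)\)", m.group("flags"))
        if "I" not in flags:  # (I) marks an inherited ACE
            aces.append((m.group("who"), flags))
    return aces


if __name__ == "__main__":
    print("line filter keeps:", find_v(SAMPLE, "(I)"))
    for who, flags in explicit_aces(SAMPLE_PATH, SAMPLE):
        print(SAMPLE_PATH, "->", who, flags)
```

The line filter leaves the explicit entry without any file name beside it, while the per-ACE parse reports it together with the path it belongs to.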
Listening
Talking about traps and ‘ving to escape them.
Xscape – Who Can I Run To