Icacls – Usage – Scheduled Tasks

Background

In an earlier post, Raimund Andrée – NTFSSecurity (Link), we mentioned that we had considered using Microsoft’s icacls to review NTFS permissions.

icacls

Let us try using Microsoft’s icacls.


Sample Script

Scenario

In our use case we will be using icacls to review NTFS Permissions on the C:\Windows\System32\Tasks\ folder.

Windows saves metadata on scheduled tasks in this folder.


Code Overview

  1. Issue “setlocal” to initiate localized environment settings
  2. Set environment variables
    • set target folder to C:\Windows\System32\Tasks\
    • set appPgm to icacls
    • Set local variables to indicate entries that we would like to discard from the output
  3. Issue forfiles
    • /p
      • set Target folder
        • “%_folder%.”
          • Notice the period that prefixes the closing quote
          • It is needed because Windows batch treats a backslash immediately before a closing quote as an escape character
    • /c
      • Set command to invoke
        • cmd /c
        • if @ISDIR==FALSE
          • Skip folders; work only on actual files
        • if @ext==\”\”
          • Tasks are saved without extensions, so limit the files we work on to those that have no extension
        • Issue “%_appPgm% @PATH /q”
          • _appPgm is previously set to icacls
            • Parameters
              • @PATH
                • forfiles substitutes the full path of the current file
              • /q
                • Tells icacls to suppress success messages
  4. Issue “endlocal” to revert localized environment settings

Code Actual


setlocal

REM Folder holding the scheduled task definitions, and the tool to run against each file
set _folder=C:\Windows\System32\Tasks\
set _appPgm=icacls

REM Clear any stale values before defining the output filters
set _skipInherited=
set _skipSP=

REM Filters applied to the icacls output: drop inherited entries, marked (I),
REM and the "Successfully processed" summary line
set _skipInherited=find /V "(I)"
set _skipSP=find /V "Successfully processed"

REM Added period (.) after folder name for /p argument, so that the trailing
REM backslash in %_folder% is not taken as escaping the closing quote

forfiles /P "%_folder%." /c "cmd /c  if @ISDIR==FALSE  if @ext==\"\"  echo @PATH | %_appPgm% @PATH /q"  | %_skipInherited% | %_skipSP%

endlocal
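What to do with the lines the script prints is left open by the post. As an added example that is not part of the original post, the Python below parses icacls output for task files, drops inherited entries the way the find /V "(I)" filter is meant to, and flags explicit write-capable grants to broad principals (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE). It assumes the standard icacls layout, in which the first line for a file reads "<path> <account>:<flags>" and the file's remaining entries are indented to the account column; the task names and the sample output are constructed, not taken from a real system. One thing the parser does that the batch filter cannot: find /V "(I)" removes whole lines, and the first line for a file carries both the path and the first ACE, so when that first ACE is inherited the path is discarded along with it and the explicit entries below it lose their file name. The parser keeps the path with every entry.

```python
"""Parse the output of "icacls <file> /q" for files under the Tasks folder,
drop inherited entries, and flag explicit write-capable grants to broad
principals. Added example; not code from the original post."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample output (hypothetical task names, not a real system).
# icacls prints "<path> <first ACE>" and pads every further ACE of the same
# file with spaces up to the column where the account name starts.
SAMPLE_ICACLS_OUTPUT = "\n".join([
    r"C:\Windows\System32\Tasks\Backup NT AUTHORITY\SYSTEM:(I)(F)",
    " " * 33 + r"BUILTIN\Administrators:(I)(F)",
    " " * 33 + r"BUILTIN\Users:(I)(RX)",
    r"C:\Windows\System32\Tasks\Vendor Updater NT AUTHORITY\SYSTEM:(F)",
    " " * 41 + r"BUILTIN\Administrators:(F)",
    " " * 41 + r"BUILTIN\Users:(M)",
    " " * 41 + r"NT AUTHORITY\Authenticated Users:(I)(RX)",
    r"C:\Windows\System32\Tasks\Solo Everyone:(F)",
    "Successfully processed 3 files; Failed processing 0 files",
])

ACE_RE = re.compile(r"^(?P<account>.+?):(?P<flags>(?:\([^()]*\))+)\s*$")
# First line for a file: "<path> <account>:<flags>". The non-greedy path and
# the account shape (known multi-word authorities, optional "\name") keep a
# task name containing spaces apart from an account name containing spaces.
FIRST_LINE_RE = re.compile(
    r"^(?P<path>\S.*?) "
    r"(?P<account>(?:NT AUTHORITY|NT SERVICE|CREATOR OWNER|[^\s\\:]+)(?:\\[^:\\]+)?)"
    r":(?P<flags>(?:\([^()]*\))+)\s*$"
)
MARKERS = {"I", "OI", "CI", "IO", "NP", "DENY"}  # inheritance / deny markers
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "WEA", "DC", "WDAC", "WO"}
BROAD_PRINCIPALS = {"Everyone", r"BUILTIN\Users",
                    r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\INTERACTIVE"}


@dataclass
class Ace:
    account: str
    flags: List[str]  # e.g. ["I", "F"] or ["OI", "CI", "M"]

    @property
    def inherited(self) -> bool:
        return "I" in self.flags

    @property
    def deny(self) -> bool:
        return "DENY" in self.flags

    def rights(self) -> set:
        # Drop markers; split "R,W,DC"-style specific-rights groups.
        return {r for g in self.flags if g not in MARKERS for r in g.split(",")}


def parse_flags(text: str) -> List[str]:
    return re.findall(r"\(([^()]*)\)", text)


def split_first_line(first: str, continuation: List[str]) -> Tuple[str, Ace]:
    """Separate the path from the first ACE. The indent of the next line gives
    the account column exactly; a single-ACE file has no such line, so fall
    back to the regex."""
    if continuation:
        col = len(continuation[0]) - len(continuation[0].lstrip())
        if 0 < col < len(first) and first[col - 1] == " " and first[col] != " ":
            m = ACE_RE.match(first[col:])
            if m:
                return first[:col].rstrip(), Ace(m["account"], parse_flags(m["flags"]))
    m = FIRST_LINE_RE.match(first)
    if not m:
        raise ValueError(f"unrecognised icacls line: {first!r}")
    return m["path"], Ace(m["account"], parse_flags(m["flags"]))


def parse_icacls(text: str) -> Dict[str, List[Ace]]:
    """Map each file path to its ACE list; the summary line is dropped."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0].isspace() and blocks:
            blocks[-1].append(line)  # further ACE of the current file
        else:
            blocks.append([line])  # first line of a new file
    acl: Dict[str, List[Ace]] = {}
    for first, *rest in blocks:
        path, ace = split_first_line(first, rest)
        more = []
        for r in rest:
            m = ACE_RE.match(r.strip())
            if not m:
                raise ValueError(f"unrecognised ACE: {r!r}")
            more.append(Ace(m["account"], parse_flags(m["flags"])))
        acl[path] = [ace] + more
    return acl


def explicit_aces(acl: Dict[str, List[Ace]]) -> Dict[str, List[Ace]]:
    """Non-inherited ACEs only, with the file path kept for every entry."""
    return {p: [a for a in aces if not a.inherited] for p, aces in acl.items()}


def risky_grants(acl: Dict[str, List[Ace]]) -> List[Tuple[str, str, str]]:
    """Allow ACEs giving a broad principal write-capable rights on a task file."""
    out = []
    for path, aces in acl.items():
        for a in aces:
            if not a.deny and a.account in BROAD_PRINCIPALS and a.rights() & WRITE_RIGHTS:
                out.append((path, a.account, ",".join(a.flags)))
    return out


if __name__ == "__main__":
    acl = parse_icacls(SAMPLE_ICACLS_OUTPUT)
    for path, aces in explicit_aces(acl).items():
        print(path, [(a.account, a.flags) for a in aces])
    for path, account, flags in risky_grants(acl):
        print(f"REVIEW: {path}: {account} has ({flags})")
```

Run as a script it prints the explicit entries per file and the review list for the constructed sample; in practice, feed it the captured output of the forfiles command (redirect the script's output to a text file first) instead of the sample string.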

Output

Listening

Talking about traps and ‘ving to escape them.

Xscape – Who Can I Run To
Link


References

  1. Command Line Reference
    • Icacls
      • Management and Tools > Command-Line Reference > Command-Line Reference
        Link
    • Setlocal
      • TechNet Archive > Windows XP > Command-line reference A-Z
        Link
  2. QandA
    • StackOverflow
      • Forfiles Batch Script (Escaping @ character)
        Link
      • How to use forfiles to delete files without extension
        Link
  3. Blogs
    • SS64
      • FORFILES.exe (Native command in Vista/Windows7/2008, via Resource Kit for XP)
        Link
    • Windows Command Line
      • Srini
