Is there a way to change system settings (like in my example, to show/hide hidden folders and files) via the command prompt? If so, how is this done?
To enable the option you mentioned, you can use REG ADD:
reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden /t REG_DWORD /d 0x1 /f
Settings such as "Show hidden files, folders and drives" in the Windows Explorer options are most commonly stored in the registry. This one, for example, looks like this:
User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
Value Name: Hidden
Data Type: REG_DWORD (DWORD Value)
Value Data: (1 = show hidden, 2 = do not show)
You can use the reg command to modify keys via command line. See more info here: https://ss64.com/nt/reg.html
To see if the "Show hidden files" setting is enabled, you can use reg query:
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v Hidden
More info on reg add:
REG ADD KeyName [/v ValueName | /ve] [/t type] [/s Separator] [/d Data] [/f]
KeyName [\\Machine\]FullKey
Machine Name of remote machine - omitting defaults to the current machine
Only HKLM and HKU are available on remote machines
FullKey ROOTKEY\SubKey ROOTKEY [ HKLM | HKCU | HKCR | HKU | HKCC ] SubKey
The full name of a registry key under the selected ROOTKEY
/v The value name, under the selected Key, to add
/ve adds an empty value name <no name> for the key
/t RegKey data types
[ REG_SZ | REG_MULTI_SZ | REG_DWORD_BIG_ENDIAN | REG_DWORD |
REG_BINARY | REG_DWORD_LITTLE_ENDIAN | REG_NONE | REG_EXPAND_SZ ]
If omitted, REG_SZ is assumed
/s Specify one character that you use as the separator in your data
string for REG_MULTI_SZ. If omitted, use "\0" as the separator
/d The data to assign to the registry ValueName being added
/f Force overwriting the existing registry entry without prompt
I am trying to run a registry file for each users when they first log in. I was looking at different options to add HKEY_CURRENT_USER but couldn't get a definitive answer. Need someone to direct me to the right direction.
So I have the following commands
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\foo.reg" /v "Version" /d "1" /t REG_SZ /f
add HKEY_CURRENT_USER\C:\mykit\foo.reg /v "EnableRPCEncryption" /d "1" /t REG_DWORD /f" /f
Ican execute them and but the reg_key doesn't run when I first login as a new user.
I am running windows 2012 server
Add the appropriate registry settings within HKU.Default using the same relative paths. Log in with a new user and check to see that the settings are present.
You can also create a Group Policy Object (GPO) that runs for all users and checks to see if the HKCU registry key is present and adds if necesary.
If you are not keen on GPO, you can write a batch file and place it in within the startup folder of the All Users Start Menu.
Why deleting an environment variable with reg delete HKCU\Environment /F /V TestVar in Windows 7 Professional removes it from the registry, but the variable still exists?
Here are the details: I created the following 3 .cmd files:
Check variable.cmd
echo TestVar = %TestVar%
pause
Set variable.cmd
setx TestVar 123
pause
Delete variable.cmd
reg delete HKCU\Environment /F /V TestVar
pause
Then I follow these steps (double clicking to make sure that I start a new session every time):
Double click on Check variable.cmd and I see that TestVar does not exist
Double click on Set variable.cmd and it says SUCCESS: Specified value was saved.
Double click on Check variable.cmd and it shows the variable value. Good!
Double click on Delete variable.cmd and it says The operation completed successfully.
Double click on Check variable.cmd and it still shows the variable value. Bad!
Click on the Start menu, type environment, click on Edit environment variables for your account to open the Environment Variables dialog box, click OK without changing anything
Double click on Check variable.cmd and the variable does not exist anymore
I can find the value in the registry after step 2, I cannot find it after step 4, but step 5 still finds it. And even if I don't change anything, step 6 really deletes the variable.
Here is the solution to my problem. I don't know if it is the correct solution, but it works for me:
Check variable.cmd
set TestVar
#pause
Set variable.cmd
setx TestVar 123
#pause
Delete variable.cmd
reg delete HKCU\Environment /F /V TestVar
setx DummyVarUsedToDelete ""
reg delete HKCU\Environment /F /V DummyVarUsedToDelete
#pause
setx cannot be used to delete a variable, as explained here, but it does the missing broadcasting after a variable has been removed from the registry with reg delete.
EDIT
I added a line to delete the DummyVarUsedToDelete from the registry. This will not be broadcasted, but it is a small temporary problem.
You can use setx to delete an environment variable, this will broadcast the correct message:
setx TestVar ""
reg delete HKCU\Environment /F /V TestVar
(As discussed in the comments, using setx by itself will leave an empty entry behind in the registry, which should be deleted for the sake of consistency.)
The registry is read at boot. When a program is started it gets a copy of it's parent's environment, usually Explorer.exe's environment.
As the comment says, explorer (or any other graphical program that acts on the message) if it gets a message from some other program (like setx) warning it that the registry has been changed, rereads the registry.
The answer is simple
Use set and setx on sequential lines.
DELETING SYSTEM PATH VARIABLE
Method 1:
set var = C:\Users\mahidhai\cygwin64\usr\local\bin
REG delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /F /V var
In my case , it didn't work even though i ran as administrator .
Command prompt displays error registry key not found
In such case go directly to registry keys file
Method2:
Go To register editor .
Run -> regedit
NAvigate to
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Edit directly the register key, by clicking on the register key name .
This should work fine
Method 3:
Sometimes not updated windows could be the issue . Check if any updates available . If so update immediately
Need to Create a Registry Key using bat file.Can I create Reg Key using Command prompt or a bat file.
The main purpose behind this , I want to create envoirment variable using bat file.
You can use the Windows built-in command line tools, either regedit.exe or reg.exe, see:
Regedit
REG Command in Windows XP
Reading NT's Registry with REG.EXE
Yes u can create Registry Key using Batch file
here is an example:
for disabling task manager using .bat file:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v DisableTaskMgr /t REG_DWORD /d 1
for enabling task manager:
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /f
You can take Help by entering reg/? in command prompt for various options.
Enjoy.........
SET variable=string
If you want to create a persistent environment variable (i.e. one that not only applies to the current session) you can use setx. No need to mess around with the registry directly if there is a program to do it for you:
SetX has three ways of working:
Syntax 1:
SETX [/S system [/U [domain\]user [/P [password]]]] var value [/M]
Syntax 2:
SETX [/S system [/U [domain\]user [/P [password]]]] var /K regpath [/M]
Syntax 3:
SETX [/S system [/U [domain\]user [/P [password]]]]
/F file {var {/A x,y | /R x,y string}[/M] | /X} [/D delimiters]
Description:
Creates or modifies environment variables in the user or system
environment. Can set variables based on arguments, regkeys or
file input.
How can I grant permissions to a user on a directory (Read, Write, Modify) using the Windows command line?
As of Vista, cacls is deprecated. Here's the first couple of help lines:
C:\>cacls
NOTE: Cacls is now deprecated, please use Icacls.
Displays or modifies access control lists (ACLs) of files
You should use icacls instead. This is how you grant John full control over D:\test folder and all its subfolders:
C:\>icacls "D:\test" /grant John:(OI)(CI)F /T
According do MS documentation:
F = Full Control
CI = Container Inherit - This flag indicates that subordinate containers will inherit this ACE.
OI = Object Inherit - This flag indicates that subordinate files will inherit the ACE.
/T = Apply recursively to existing files and sub-folders. (OI and CI only apply to new files and sub-folders). Credit: comment by #AlexSpence.
For complete documentation, you may run "icacls" with no arguments or see the Microsoft documentation here and here
You can also use ICACLS.
To grant the Users group Full Control to a folder:
>icacls "C:\MyFolder" /grant Users:F
To grant Modify permission to IIS users for C:\MyFolder (if you need your IIS has ability to R/W files into specific folder):
>icacls "C:\MyFolder" /grant IIS_IUSRS:M
If you do ICACLS /? you will be able to see all available options.
Open a Command Prompt, then execute this command:
icacls "c:\somelocation\of\path" /q /c /t /grant Users:F
F gives Full Access.
/q /c /t applies the permissions to subfolders.
Note: Sometimes "Run as Administrator" will help.
Use cacls command. See information here.
CACLS files /e /p {USERNAME}:{PERMISSION}
Where,
/p : Set new permission
/e : Edit permission and kept old permission as it is i.e. edit ACL instead of replacing it.
{USERNAME} : Name of user
{PERMISSION} : Permission can be:
R - Read
W - Write
C - Change (write)
F - Full control
For example grant Rocky Full (F) control with following command (type at Windows command prompt):
C:> CACLS files /e /p rocky:f
Read complete help by typing following command:
C:> cacls /?
I try the below way and it work for me:
1. open cmd.exe
2. takeown /R /F *.*
3. icacls * /T /grant [username]:(D)
4. del *.* /S /Q
So that the files can become my own access and it assign to "Delete" and then I can delete the files and folders.
Corrupt Permissions: Regaining access to a folder and its sub-objects
Although most of the answers posted in reply to the question have some merit, IMHO none of them give a complete solution. The following (might be) a perfect solution for Windows 7 if you are locked-out of a folder by corrupted permission settings:
icacls "c:\folder" /remove:d /grant:r Everyone:(OI)(CI)F /T
For Windows 10 the user/SID must be specified after the /remove:d option:
icacls "c:\folder" /remove:d Everyone /grant:r Everyone:(OI)(CI)F /T
.
Notes:
The command is applied to the specified directory.
Specifying the user "Everyone" sets the widest possible permission, as it includes every possible user.
The option "/remove:d" deletes any explicit DENY settings that may exist, as those override explicit ALLOW settings: a necessary preliminary to creating a new ALLOW setting. This is only a precaution, as there is often no DENY setting present, but better safe than sorry.
The option "/grant" creates a new ALLOW setting, an explicit permission that replaces (":r") any and all explicit ALLOW settings that may exist.
The "F" parameter (i.e. the permission created) makes this a grant of FULL control.
The "/T" parameter adds recursion, applying these changes to all current sub-objects in the specified directory (i.e. files and subfolders), as well as the folder itself.
The "(OI)" and "(CI)" parameters also add recursion, applying these changes to sub-objects created subsequently.
.
ADDENDUM (2019/02/10) -
The Windows 10 command line above was kindly suggested to me today, so here it is. I haven't got Windows 10 to test it, but please try it out if you have (and then will you please post a comment below).
The change only concerns removing the DENY setting as a first step. There might well not be any DENY setting present, so that option might make no difference. My understanding is, on Windows 7, that you don't need to specify a user after /remove:d but I might be wrong about that!
.
ADDENDUM (2019/11/21) -
User astark recommends replacing Everyone with the term *S-1-1-0 in order for the command to be language independent. I only have an English install of Windows, so I can't test this proposal, but it seems reasonable.
I struggled with this for a while and only combining the answers in this thread worked for me (on Windows 10):
1. Open cmd or PowerShell and go to the folder with files
2. takeown /R /F .
3. icacls * /T /grant dan:F
Good luck!
With an Excel vba script to provision and create accounts. I was needing to grant full rights permissions to the folder and subfolders that were created by the tool using our administrators 'x' account to our new user.
cacls looked something like this:
cacls \FileServer\Users\Username /e /g Domain\Username:C
I needed to migrate this code to Windows 7 and beyond. My solution turned out to be:
icacls \FileServer\Users\Username /grant:r Domain\Username:(OI)(CI)F /t
/grant:r - Grants specified user access rights. Permissions replace previously granted explicit permissions. Without :r, permissions are added to any previously granted explicit permissions
(OI)(CI) - This folder, subfolders, and files.
F - Full Access
/t - Traverse all subfolders to match files/directories.
What this gave me was a folder on this server that the user could only see that folder and created subfolders, that they could read and write files. As well as create new folders.
Just in case there is anyone else that stumbles on this page, if you want to string various permissions together in the one command, I used this:
icacls "c:\TestFolder" /grant:r Test_User:(OI)(CI)(RC,RD,RX)
Note the csv string for the various permissions.
XCACLS.VBS is a very powerful script that will change/edit ACL info. c:\windows\system32\cscript.exe xcacls.vbs help returns all switches and options.
You can get official distribution from Microsoft Support Page
Bulk folder creation and grant permission works me by using the below powershell script.
Import-Csv "D:\Scripts\foldernames.csv" | foreach-object {
$username = $_.foldername
# foldername is the header of csv file
$domain = “example.com”
$folder= "D:\Users"
$domainusername = $domain+“\”+$username
New-Item $folder\$username –Type Directory
Get-Acl $folder\$username
$acl = Get-Acl $folder\$username
$acl.SetAccessRuleProtection($True, $False)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Administrators","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("SYSTEM","FullControl", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$domain\Domain Admins","Read", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($domainusername,"Modify", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $folder\$username $acl
}
Note: You have to create same domain username in csv file otherwise you will get permission issues
attrib +r +a +s +h <folder name> <file name> to hide
attrib -r -a -s -h <folder name> <file name> to unhide
excellent point Călin Darie
I had a lot of scripts to use cacls I move them to icacls
how ever I could not find a script to change the root mount volumes example: d:\datafolder. I finally crated the script below, which mounts the volume as a temporary drive then applies sec. then unmounts it. It is the only way I found that you can update the root mount security.
1 gets the folder mount GUID to a temp file then reads the GUID to mount the volume as a temp drive X: applies sec and logs the changes then unmounts the Volume only from the X: drive so the mounted folder is not altered or interrupted other then the applied sec.
here is sample of my script:
**mountvol "d:\%1" /L >tempDrive.temp && FOR /f "tokens=*" %%I IN (tempDrive.temp) DO mountvol X: %%I
D:\tools\security\icacls.exe %~2 /grant domain\group:(OI)(CI)F /T /C >>%~1LUNsec-%TDWEEK%-%TMONTH%-%TDAY%-%TYEAR%-%THOUR%-%TMINUTE%-%TAM%.txt
if exist x:\*.* mountvol X: /d**
I am Administrator and some script placed "Deny" permission on my name on all files and subfolders in a directory. Executing the icacls "D:\test" /grant John:(OI)(CI)F /T command did not work, because it seemed it did not remove the "Deny" right from my name from this list.
The only thing that worked for me is resetting all permissions with the icacls "D:\test" /reset /T command.
navigate to top level directory you want to set permissions to with explorer
type cmd in the address bar of your explorer window
enter icacls . /grant John:(OI)(CI)F /T where John is the username
profit
Just adding this because it seemed supremely easy this way and others may profit - all credit goes to Călin Darie.
When I ran the command:
icacls "c:/path/to/folderA/folderB" /grant:r Everyone:(OI)(CI)F /T
None of the files in folderB were being processed, which was indicated via the output message:
Successfully processed 0 files; Failed processing 0 files
However, once I changed the specified path to the parent directory("c:/path/to/folderA") and re-ran the command all the files in folderB were successfully processed.
Note: If you want any other files/folders in folderA to not be processed, try moving all those files/folders to a different location before running the command above.
Hope this helps anyone running into the same issue.
i was not able to open any file in a drive, this command unlocked all -
icacls i:\* /grant Users:F /t /q /c
in windows 10 working without "c:>" and ">"
For example:
F = Full Control
/e : Edit permission and kept old permission
/p : Set new permission
cacls "file or folder path" /e /p UserName:F
(also this fixes error 2502 and 2503)
cacls "C:\Windows\Temp" /e /p UserName:F
This is what worked for me:
Manually open the folder for which the access is denied.
Select the Executable/application file in that folder.
Right-click on it and go to Properties -> Compatibility
Now see the Privilege Level and check it for Run As Administrator
Click on Change Settings for all users.
The problem is solved now.