Icacls, problems with permission in subfolder of Program Files (x86) - windows

The problem I have is very persistent.
I have a self-extracting rar file, say files.rar.
This is being uncompressed in C:\Program Files (x86)\CompanyName\XDS\bin
Now this starts a batch file, install.bat, which is in the bin folder.
A 32 bit version of cmd.exe executes this batch file.
So far so good, this all works well.
But: I have to rename one file in the bin folder and delete another. You may wonder, why put a file in there that needs to be deleted? Well, I have a 32 and 64 bit version of a driver. Depending on the target, either one of these must be renamed to NatUSB.dll, while the other must be deleted.
If I run this batch file (simplified):
icacls natusb*.dll /inheritance:r /grant:r everyone:(OI)(CI)F
icacls natusb*.dll /T
rename NatUSB_32_ezusb.dll NatUSB32.dll
del NatUSB_32_winusb.dll
I have the following problems:
I need administrator rights and that is not acceptable for the purpose of my company.
Even then I get "Access is denied" for the renaming, possibly since there exists already a NatUSB32.dll. However, even as administrator I cannot delete this file: "Access is denied".
The del NatUSB_32_winusb.dll also gives "Access is denied".
Then I tried to copy the two files to bin2. Reason for this: if I do "icacls bin /T" the list of files I get permission info on is too long, so I hoped to get this info just for a few files. Unfortunately, I get "Access is denied" (while trying to copy to bin2), even while file permissions for administrator and system are "Full control".
BTW, just icacls natusb*.dll /T does not give any permissions, this only seems to work for entire folders.
When I am in the XSD (parent) folder and do "icacls bin2 /inheritance:r /grant:r everyone:(OI)(CI)F"
Next, I do "icacls bin2 /T"
bin2 Everyone:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(F)
I still can't copy the few nat*.dll from bin to bin2.
If I try to set access rights on bin folder (very similar to above), I get "bin: The handle is invalid".
BTW, the permissions on bin are as follows:
bin NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
and as stated before, with icacls I can't change any of this. BTW, the security tab doesn't show duplicate groups or names.
In short: I have problems with renaming, deleting files (most urgent, to solve current problem) and also with copying files from C:\Program Files (x86)\XXX\XDS\bin to XDS\bin2.
To solve the problems, I need to use icacls or another built-in command in a script to force the access rights. Setting access rights in the security tab of a folder is not acceptable: it needs to be done from script. Also: we cannot install 3rd party software, certainly not if it is large or has a commercial license. A few kB, perhaps 1MB, for a free-to-use tool may be acceptable if all else fails.
The solution should also not require administrator rights.

This is your main problem:
icacls natusb*.dll /inheritance:r /grant:r everyone:(OI)(CI)F
The (OI)(CI) flags are only valid for directories, not for files. Because the flags are invalid, the permission is ignored. So the net effect of this command is to remove all permissions from the file, implicitly denying access to everyone, including administrators.
If you take out the invalid flags, the command will work as expected:
icacls natusb*.dll /inheritance:r /grant:r everyone:F
However, given your description of the problem, it looks as if you will require admin access, because the permissions on the existing folder are read-only for non-administrators. There's no way around that, unless you can install into a different folder (e.g., in the user's Application Data folder) or change the destination folder permissions in advance.
Note that changing the folder permissions is likely to introduce a security vulnerability.
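The answer's closing caution, as an added example that is not part of the original answer: Python code that parses icacls listings like the ones quoted in the question and reports ACEs giving write-capable rights to Everyone, BUILTIN\Users or Authenticated Users. The function names, the WRITE selection of right codes and the restored indentation of the sample listings are assumptions of this example.

```python
import re

# Principals that cover every ordinary local user.
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users"}
# Inheritance flags as icacls prints them; any other token is an access right.
INHERIT = {"I", "OI", "CI", "IO", "NP"}
# Assumed selection of icacls right codes that allow changing or removing content.
WRITE = {"F", "M", "W", "D", "GA", "GW", "WD", "AD", "DC", "DE", "WDAC", "WO"}
ACE_RE = re.compile(r"^(?P<who>[^:()]+):(?P<groups>(?:\([^()]*\))+)$")

# Listings quoted in the question; continuation-line indentation is constructed.
BIN_LISTING = r"""bin NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)"""
BIN2_LISTING = r"""bin2 Everyone:(OI)(CI)(F)
     BUILTIN\Users:(OI)(CI)(F)"""

def parse_aces(listing, path):
    """Return (principal, inherit_flags, rights) for each ACE in one listing."""
    aces = []
    for i, line in enumerate(listing.splitlines()):
        if i == 0 and line.startswith(path):
            line = line[len(path):]  # the first ACE shares a line with the path
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # blank lines and the "Successfully processed" summary
        groups = re.findall(r"\(([^()]*)\)", m["groups"])
        tokens = {t.strip().upper() for g in groups for t in g.split(",")}
        aces.append((m["who"].strip(), tokens & INHERIT, tokens - INHERIT))
    return aces

def broad_write_findings(listing, path):
    """Report ACEs that let ordinary users modify the object or its children."""
    findings = []
    for who, flags, rights in parse_aces(listing, path):
        if who.lower() in BROAD and rights & WRITE:
            scope = ("children only" if "IO" in flags else
                     "object and children" if flags & {"OI", "CI"} else "object only")
            findings.append((who, scope, sorted(rights & WRITE)))
    return findings

for name, text in (("bin", BIN_LISTING), ("bin2", BIN2_LISTING)):
    print(name, broad_write_findings(text, name) or "no broad write access")
```

The default bin listing produces no findings, while the bin2 listing after the /grant:r command reports full control for both Everyone and BUILTIN\Users on the folder and everything beneath it.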

Related

Only with certain users: UNC paths are not supported Defaulting to windows directory

I have a batch file, whose purpose is to copy a directory from a network location and place it in the C: location of the user's system if it doesn't already exist. The problem is when the main user attempts this, the above message is displayed and the application subsequently errors out. BUT, when I run on my machine, to try and debug, it works just as it should with no problems.
I've seen a lot out there on this, but none where it works depending on the user. Also, most are about only working with network drives and not locals.
Here is the code. I am not the author of this .bat so let me know if something doesn't look quite right.
@echo off
echo Starting Application...
rem copy files over to the users local computer to prevent .dll problems when running App
C:
CD \
if not exist "C:\App" mkdir c:\App
CD App
robocopy "\\server\shared\fuller\Apps\ThisApp" c:\App /S robocopy.log
echo You may close this window or it will close by itself when the program is done.
ThisApp1.exe
I've tried using popd and pushd in various spots, but I'm not sure where I would put those, or even if it's applicable to this situation.
Put this line as the 2nd line (right after @echo off)
pushd %~dp0 & REM needed in case 'Run as Administrator' or executed from network drive
https://ss64.com/nt/pushd.html
Note that 'Run as Administrator' changes the current directory... this will put it back to where it was.

Maria DB change datadir on windows server

I installed MariaDB on my windows server and saw it defaults the datadir where the databases are stored to C:\Program Files\MariaDB 10.2\data
I wanted it moved to the E: disk that's dedicated to database stuff.
I thought copying the datadir and then modifying the my.ini in the C:\Program Files\MariaDB 10.2\data datadir would solve it, but when I tried to restart the service it wouldn't start.
I also tried setting the folder permissions to network service but that didn't seem to help.
What do I have to do to move my datadir on windows?
After a lot of searching I stumbled across http://baazgusht.blogspot.nl/2017/02/change-datadir-of-mariadb-in-window.html
It gave me the hint I needed to move the datadir on windows.
open cmd in administrator mode (start search cmd, right-click execute as administrator)
type Net stop MariaDB (or whatever you named your service. for me it was net stop "MariaDB 10_2_7")
CD to C:\program files\mariadb 10.2\(or wherever your mariadb is installed)
Type: xcopy data E:\MariaDB /O /X /E /H /K (E:\MariaDb is my location, you may have another location. replace E:\MariaDB with whatever you want, just use the same value below for the datadir in my.ini)
Xcopy will ask when the destination doesn't exist if it should be a file or a folder. Choose the option that represents Folder.
Type: notepad data/my.ini
change the value of datadir=C:\Pro.... to datadir=E:\MariaDB
save (ctrl + s)
in CMD type net start mariadb (or whatever you named your service. for me it was net start "MariaDB 10_2_7")
I think that real problem is this one.
MariaDB uses MySQL5.5 (or MariaDB10 for other version I use) as "group user" to set full permission on data folder. But this "group user" is not created under Windows "users and groups". So you cannot add this group on security tab and set permission to another folder.
Effectively, the workaround is to xcopy the original data folder to new location preserving the original permission.
But my problem is that I recover after a crash an older data folder. So it's not clear that the workaround works (I will try it tonight). I need to set the correct user group.
A true bug fix: fix the installation of MariaDB to effectively create the "group user" in the right place, not just use it in folder permission.
Additional information to @Tschallacka's answer:
The copied my.ini file should be deleted from the target directory ("E:\MariaDb" in their example), since it is not honored by MariaDB. (It still contains the old path anyways.) And the contents of the source directory ("C:\Program Files\MariaDB 10.2\data" in their example) except my.ini should be deleted too, since those files are now found at the new path.
@Tschallacka's solution works because xcopy also copies permissions of the files. Windows Explorer does not.
Explanation of the options for xcopy:
/E Copies directories and subdirectories, including empty ones.
/H Copies hidden and system files also.
/K Copies attributes. Normal Xcopy will reset read-only attributes.
There are no hidden, system or read-only files in there right after install and there shouldn't after normal use and it shouldn't matter for the copied files, but it won't hurt.
/O Copies file ownership and ACL information.
The original directory has some additional permissions set. Without those, the MariaDB service seems to not be able to access the copied files properly.
/X Copies file audit settings (implies /O).
The service seems to start fine even without this option.
After some confusion with this error I can recommend that you:
Use slashes in Windows paths, for example C:/MariaDB/DB.
Experiment with adequate permissions. This seems to work:
cacls Path_to_MariaDB_DBData /E /T /P "Network Service":F

Using icacls command in Win7 cmd line to set inheritance to (I)

I am trying to set the ACL/inheritance for a folder (or file) as follows:
icacls /inheritance:r /grant:r "builtin\administrators":(I)(F)
However, this produces an error (icacls doesn't recognize the "(I)" as being valid?).
According to icacls /?, (I) is one of the inheritance rights (along with (OI), (CI), (IO), and (NP)).
When I reset the perms on the object, the icacls command shows:
builtin\administrators:(I)(OI)(CI)(F)
So the '(I)' setting IS 'in there'. I suspect I need to go through some hoops to get this where it needs to be (i.e., builtin\administrators:(I)(F)), but after spending the better part of the day searching for examples and trying various routes, I'm still where I started.
Anyone know the trick to this?

Can't find files when copying in batch in administrator mode

I am writing a batch file to setup a small program that I have written for a couple of user's machines. As the batch file will be also writing to the user's registry it will be run in admin mode. The issue I have is when running in administrator mode when it gets to the COPY (I have also tested with the MOVE command) it outputs that the system cannot find the file. However if I run the program without the admin privileges the files copy/move as expected. I have tested the file without the registry command as well as that seems to have no effect on the situation. The initial files are all located in a folder on the users desktop but I have hard-coded the path names in to ensure that there is no confusion. I do have admin rights onto the machine as do all users for their respective computers.
The contents of the batch file are listed below:
REM This program needs to be run as administrator for it to add to the registry
REM Adds a registry value that allows the user to right click a document and run the program
@echo off
MD %UserProfile%\AppData\Roaming\Microsoft\AddIns\ComparisonAddin
COPY C:\Users\MyUser\Desktop\Launch Files\Compare.xlsm %UserProfile%\AppData\Roaming\Microsoft\AddIns\ComparisonAddin
COPY C:\Users\MyUser\Desktop\Launch Files\launchCompare.bat %UserProfile%\AppData\Roaming\Microsoft\AddIns\ComparisonAddin
REG ADD "HKCR\*\shell\Get Word Difference\command" /v "" /t REG_EXPAND_SZ /d "\"%USERPROFILE%\AppData\Roaming\Microsoft\AddIns\ComparisonAddin\launchCompare.bat\" \"%%1\""
pause
The directory is created as normal in both admin mode and non admin mode. Is there any reason why the COPY/MOVE command does not work in admin mode?
Thanks.
COPY "C:\Users\MyUser\Desktop\Launch Files\Compare.xlsm" "%UserProfile%\AppData\Roaming\Microsoft\AddIns\ComparisonAddin\"
Any source or target that contains separator characters like space, comma, tab etc. must be "quoted".
I use the trailing backslash at the end of directory name as a matter of habit so that if the directory does not exist, the copy won't try to create a destination file with that name.

Can any user access the %APPDATA% folder

Can any user access the %APPDATA% folder? Or can only administrators read & access that directory? Also, do the permissions to access this directory differ over different Windows platforms from 2k to Windows 7?
You can see the permissions on %APPDATA% by using the icacls tool at the command prompt. Here's what it looks like on my machine:
C:\Users\davidp>icacls %APPDATA%
C:\Users\davidp\AppData\Roaming NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
MACHINE09\davidp:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
What this means is that only I, administrators, and the system itself can see the folder. If you run this on a folder where other users can see it, you'll see something like this:
C:\Users\davidp>icacls c:\
c:\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Successfully processed 1 files; Failed processing 0 files
You can see that the BUILTIN\Users group can see the c:\ folder (as you would expect).
EDIT
I'm not sure how far back the %APPDATA% variable itself goes back in Windows history. I recommend checking directly. On older systems the cacls command was the predecessor to icacls. Regardless, in Windows NT-based OSes there has always been a profile area visible only to the user and administrators.
%AppData% is a user-specific path. Yes, any user can access %appdata%, but it will go to a different directory for each user. Only an administrator can read the appdata of another user.
Do the effort of actually going to %appdata% on your machine, and looking at the path it gets converted into. Do you see what I mean?
