Re: Access protected folders using system account

"Juan" <> wrote in message
news:f7626b92-bc13-43c8-a41b-...
> Hi,
>
> I'm developing a vbscript. The vbscript needs to access every file, or
> folder, in the local hard disks. I only need to access the name of the
> file. I'm using Windows XP and a NTFS partition, so it's possible to
> restrict access to a folder so only for the owner is able to access
> the folder.
>
> To avoid this situation, It's suppose that the NT AUTHORITY/system
> account is able to access every file in the system. To execute the
> vbscript I'm using the Scheduled Tasks, using the system account. But,
> when the script tries to access a protected folder a "Permission
> denied" error is returned.
>
> Does anybody have any idea what can be happening?.
>
> Thank you very much.
>
> Regards.
>
> Juan.

Run the batch file c:\Juan.bat (see below) in three modes:
a) When logged on as Administrator
b) As a scheduled task in the same way as you do with your script.
c) As a scheduled task, invoked like so:
at 16:45 c:\Juan.bat
(Make sure the time is 5 minutes in the future)

@echo off
set folder=d:\Some Folder
echo %date% %time% %UserName% >> c:\test.txt
cacls "%folder%" 1>>c:\test.txt 2>>&1
dir "%folder%" 1>>c:\test.txt 2>>&1
echo. 1>>c:\test.txt 2>>&1

When finished, post the contents of c:\test.txt.

"Juan" <> wrote in message
news:43c76394-5c51-4cef-8bf1-...
On Mar 11, 4:17 pm, "Pegasus" <n...@microsoft.com> wrote:
> "Juan" <jvaleromt...@gmail.com> wrote in message
>
> news:f7626b92-bc13-43c8-a41b-...
>
>
>
>
>
> > Hi,
>
> > I'm developing a vbscript. The vbscript needs to access every file, or
> > folder, in the local hard disks. I only need to access the name of the
> > file. I'm using Windows XP and a NTFS partition, so it's possible to
> > restrict access to a folder so only for the owner is able to access
> > the folder.
>
> > To avoid this situation, It's suppose that the NT AUTHORITY/system
> > account is able to access every file in the system. To execute the
> > vbscript I'm using the Scheduled Tasks, using the system account. But,
> > when the script tries to access a protected folder a "Permission
> > denied" error is returned.
>
> > Does anybody have any idea what can be happening?.
>
> > Thank you very much.
>
> > Regards.
>
> > Juan.
>
> Run the batch file c:\Juan.bat (see below) in three modes:
> a) When logged on as Administrator
> b) As a scheduled task in the same way as you do with your script.
> c) As a scheduled task, invoked like so:
> at 16:45 c:\Juan.bat
> (Make sure the time is 5 minutes in the future)
>
> @echo off
> set folder=d:\Some Folder
> echo %date% %time% %UserName% >> c:\test.txt
> cacls "%folder%" 1>>c:\test.txt 2>>&1
> dir "%folder%" 1>>c:\test.txt 2>>&1
> echo. 1>>c:\test.txt 2>>&1
>
> When finished, post the contents of c:\test.txt.- Hide quoted text -
>
> - Show quoted text -

Hi Pegasus,

First of all, thank you very much for your help.

I send the results of the batch file in the tree modes. It's extrange
that the user name in the cases b and c does not appear.

Test_administrator.txt
------------------------------------------------------------------
12/03/2009 10:38:04,35 Administrator
e:\HPAdmin
Access is denied.
Volume in drive E is Datos
Volume Serial Number is 4E37-C425

Directory of e:\HPAdmin

File Not Found

Test_sch.txt
------------------------------------------------------------------
12/03/2009 10:40:21,01
e:\HPAdmin
Access is denied.
Volume in drive E is Datos
Volume Serial Number is 4E37-C425

Directory of e:\HPAdmin

File Not Found

Test_at.txt
------------------------------------------------------------------
12/03/2009 10:39:00,07
e:\HPAdmin
Access is denied.
Volume in drive E is Datos
Volume Serial Number is 4E37-C425

Directory of e:\HPAdmin

File Not Found


I tried something similar, in my script I added a function to show the
username. And when the script was executed with Scheduled Task or at
command, the SYSTEM user was showed.

The function, that I used, was:

Function WhoAmI

Dim objNetwork
Dim strCurrentUserName, strCurrentDomainName, strFullUserName
Dim strComputerName

Set objNetwork = WScript.CreateObject("WScript.Network")

strCurrentUserName = objNetwork.UserName
strCurrentDomainName = objNetwork.UserDomain
strComputerName = objNetwork.ComputerName

strFullUserName = strCurrentUserName

WhoAmI = strFullUserName
' WScript.Echo "Current logged in user: " & strFullUserName & " on
" & strComputerName & VbCrLf

End Function

Again, thank you very much.

Regards.

================

I had forgotten that the System account does not show up when you run a
session under this account.

Toget back to your main issue: I would do this -
1. Seize ownership of the folder.
2. Set the permissions so that only the System and the user's account can
access the folder.
3. Use at.exe to run my batch file to recheck the permission structure.

"Juan" <> wrote in message
news:2e435b2e-8c77-4864-83a2-...

<snip>

Hi Pegasus,

I've made the steps you told me.

As you can see, It's possible to access the folder. But, the question
is. Would it be possible to access the folder, using a script executed
by the SYSTEM account, if I remove the permissions for the SYSTEM
user?.

==============

No, it isn't.

"Juan" <> wrote in message
news:6f4f0b80-4d39-4abc-a0c1-...
On Mar 13, 10:53 am, "Pegasus [MVP]" <n...@microsoft.com> wrote:
> "Juan" <jvaleromt...@gmail.com> wrote in message
>
> news:2e435b2e-8c77-4864-83a2-...
>
> <snip>
>
> Hi Pegasus,
>
> I've made the steps you told me.
>
> As you can see, It's possible to access the folder. But, the question
> is. Would it be possible to access the folder, using a script executed
> by the SYSTEM account, if I remove the permissions for the SYSTEM
> user?.
>
> ==============
>
> No, it isn't.

Pegasus,

Thank you very much for your help.

Only one thinking... I don't understand why some antivirus software (I
have installed Symantec) is able to access folders with kind of
permissions. I suppose, the antivirus software has a way to bypass
NTFS security.

Regards.

==================

What makes you think that AV software can access folders that are beyond the
reach of the System account?

"Juan" <> wrote in message
news:97fbb24a-8bb7-41af-a0e1-...
> On 13 mar, 18:12, "Pegasus" <n...@microsoft.com> wrote:
>> "Juan" <jvaleromt...@gmail.com> wrote in message
>>
>> news:6f4f0b80-4d39-4abc-a0c1-...
>> On Mar 13, 10:53 am, "Pegasus [MVP]" <n...@microsoft.com> wrote:
>>
>>
>>
>>
>>
>> > "Juan" <jvaleromt...@gmail.com> wrote in message
>>
>> >news:2e435b2e-8c77-4864-83a2-...
>>
>> > <snip>
>>
>> > Hi Pegasus,
>>
>> > I've made the steps you told me.
>>
>> > As you can see, It's possible to access the folder. But, the question
>> > is. Would it be possible to access the folder, using a script executed
>> > by the SYSTEM account, if I remove the permissions for the SYSTEM
>> > user?.
>>
>> > ==============
>>
>> > No, it isn't.
>>
>> Pegasus,
>>
>> Thank you very much for your help.
>>
>> Only one thinking... I don't understand why some antivirus software (I
>> have installed Symantec) is able to access folders with kind of
>> permissions. I suppose, the antivirus software has a way to bypass
>> NTFS security.
>>
>> Regards.
>>
>> ==================
>>
>> What makes you think that AV software can access folders that are beyond
>> the
>> reach of the System account?- Ocultar texto de la cita -
>>
>> - Mostrar texto de la cita -
>
> Because, If I scan for viruses in the "problematic" folder, the AV
> software doesn't complain about "Access Denied" error and the AV
> software says that certain number of files has beed scanned.

This is probably because it doesn't scan that folder! You can confirm this
easily by placing the industry-standard Eicar test virus file into your
folder. Read here how to create it:
http://www.eicar.org/anti_virus_test_file.htm