Solved

Unable to display current owner - icacls and Long Filenames

Posted on 2010-09-01
20
3,021 Views
Last Modified: 2012-05-10
Im trying to ascertain file permissions, owner etc. Since the GUI doesnt work, Im using icacls but it cant handle long filenames or filenames with spaces so I want the filenames in 8.3 format. For filenames with spaces, I tried putting the full filename in quotes, that returned 'Access is denied'. Filena~1.exe returned 'file cannot be found' I dont want a .bat or a .vbs. I just want the file security settings in the least number of steps (KISS method). One file at a time using icacls at the command line is preferable.

Logged on as administrator, server 2003

Thank you.
0
Comment
Question by:disciple_of_chim-chim
  • 10
  • 6
  • 4
20 Comments
 
LVL 4

Expert Comment

by:pbarry1
ID: 33581920
Hi,

you need to put the filename in double-quotes (ex: icacls "C:\Filename with spaces.txt") and, but you already know that, you need to have access rights to the files being analyzed..  

Hope this helps.
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33581977
Im at the E:\folder prompt. There is a copy of cmd.exe in the folder.    As I said,   I put the full filename in quotes
E:\folder>icacls full filename

Administrator apparently doesnt have access rights to the file, thats why I want to know who does before I take ownership.
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33581985
#@*% Make that E:\folder>icacls "full filename"
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 4

Expert Comment

by:pbarry1
ID: 33582086
Sorry,

by quote, I though you meant '  ', not " " (English is not my native language).

Since Administrator doesn't seem to have access to the file, you can try running the command under the "SYSTEM" account.  The easiest way I know to do that is by creating a new Scheduled Task that uses this command:

icacls "full filename" /save c:\acl.txt

Make sure the owner of the scheduled task is SYSTEM (when prompt for a user name, just enter SYSTEM without password.  It will replace it with NT AUTHORITY\SYSTEM).  Since you're an Admin, it should let you do that.
0
 
LVL 5

Expert Comment

by:helpnet
ID: 33582812
Using the System Account in a scheduled task or a startup script is the way to go. As if an account does not have rights to the file, you will get an access denied if you try to run icacls (becuase f rights).  

By the way, icacls does not have a problem with long filenames, it is just spaces make it ambiguous.  I know you said one file at a time, but it is much easier to do it for the subdirectory structure want to do it one file at a time (a lot of typing and scheduled tasks to set),

icacls c:\*.* /T >c:\users\acl.txt

For a particular directory

icacls "c:\DirectoryName" /T >c:\users\acl.txt

The > does the same thing as /save, and redirects the output to the file after the prompt.

 Will generate a text file with rights for all files in the directory structure.

If you use >> instead of >, it appends the output to the file instead of writing over the top of it.

Eg

icacls "c:\DirectoryName\Filename1" /T >c:\users\acl.txt
icacls "c:\DirectoryName\Filename2" /T >>c:\users\acl.txt
icacls "c:\DirectoryName\Filename3" /T >>c:\users\acl.txt
icacls "c:\DirectoryName\Filename4" /T >>c:\users\acl.txt

The resulting c:\users\acl.txt would include the output for all four commands, one after another

0
 
LVL 5

Expert Comment

by:helpnet
ID: 33582833
Because you (Administrator) do not have rights, you will not be able to do it one file at a time at the command line, it will need to be in a batch file/script.
0
 
LVL 5

Expert Comment

by:helpnet
ID: 33582936
http://blogs.msdn.com/b/adioltean/archive/2004/11/27/271063.aspx

This suggests a way to run a command prompt as system interactively.  I tried the second method, and it didn't work for me.  


But psexec does actually open an interactive command prompt running under the system account, so you should be able to run icacls from here if the system account has rights to the files (and it is possible it doesn't).

0
 
LVL 5

Expert Comment

by:helpnet
ID: 33582966
http://rhyous.com/2009/12/03/how-to-open-a-command-prompt-running-as-local-system-on-windows-7/
Sorry wrong line above

Download pstools from here /en-us/sysinternals/bb897553.aspx

Extract PSexec and copy to a location you can run it from a cmd prompt.

open a cmd prompt as administrator
run psexec -i -s cmd.exe

This will open a second CMD window that is running as the system account.
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33583854
I ran this:

at 00:09 /interactive cmd.exe

The title on the cmd window was C:\WINDOWS\system32\svchost.exe
The prompt was at C:\WINDOWS\system32>
On the processes tab in Task Manager, cmd.exe is running under SYSTEM.

I changed directories until I was in E:\folder where the file in question is. I cannot copy the file, that is why I must work from the E drive.

E:\folder>icacls "full filename.exe" /T >acl.txt
full filename.exe: Access is denied.

acl.txt was written to E:\folder it was blank


E:\folder>icacls "full filename.exe" /save e:\acl.txt
full filename.exe: Access is denied.
Successfully processed 0 files; Failed processing 1 files

acl.txt was written to E:\folder with the failure message in it.


E:\folder>icacls "E:\folder" /T >C:\acl.txt
E:\folder\full filename.exe: Access is denied.

acl.txt was written to C:\ it was blank

There is one other file in that folder but it is hidden, cannot change that either. Its not lookin good for the home team.
0
 
LVL 4

Expert Comment

by:pbarry1
ID: 33586406
You can try the 'Takeown /f "filename" /a' command.  You won't be able to view who's the current owner, but at least, you should be able to regain access.  And after, you will see what are the file permissions.

If using the filename doesn't work, try using the directory name (Unless resetting ownership on all files is unacceptable for you).
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33591709
So, I cannot see the present file permissions or the present owner?
0
 
LVL 4

Expert Comment

by:pbarry1
ID: 33595737
I just remembered another way to see the owners: try this

DIR "E:\folder\full filename.exe" /Q

IF it doesn't work, try it with wildcards.  Ex: DIR "E:\folder\*.exe*" /Q   (the last wildcard is just to make sure the filename is not corrupted.)
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33599066

C:\Documents and Settings\Administrator>DIR "E:\folder\*.exe" /Q

Volume in drive E is Info

Volume Serial Number is A55E-A07E

Directory of E:\folder

11/20/2009  12:26 PM            14,999 ...                    full filename.exe

               1 File(s)         14,999 bytes
               0 Dir(s)  299,887,572,992 bytes free





C:\Documents and Settings\Administrator>DIR "E:\folder\*.exe*" /Q

Volume in drive E is Info

Volume Serial Number is A55E-A07E

Directory of E:\folder\

11/20/2009  12:26 PM            14,999 ...                    full filename.exe

               1 File(s)         14,999 bytes
               0 Dir(s)  199,887,572,992 bytes free
0
 
LVL 4

Expert Comment

by:pbarry1
ID: 33619566
Well, it seems the only way to regain access to this file is by taking ownership.  You can turn on the auditing on this file and see if it will display the old owner after you've taken ownership, but I have doubts.
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33638067
When I go to the Auditing tab for the file, Add, Edit and Remove are not available.
0
 
LVL 4

Expert Comment

by:pbarry1
ID: 33638193
If this computer is part of a Domain, there might be a Group Policy restricting you to activate the auditing.  You'll need to remove that restriction first.  If this computer is not part of a domain, make sure your Local Security Policy allow you to turn on Auditing.

Then start the autiding on the E:\folder, not just the file.
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33639143
I simplified the original question. There are way too many files and folders in that directory to audit everything.
0
 

Author Comment

by:disciple_of_chim-chim
ID: 33666917
Has another one of my questions reached the 'you cant get there from here' point?
0
 

Accepted Solution

by:
disciple_of_chim-chim earned 0 total points
ID: 35310941
Access denied? pfft. I deleted it with Malwarebytes's FileASSASSIN.


Me 1
Pain in the as* file 0
0
 

Author Closing Comment

by:disciple_of_chim-chim
ID: 35357048
It was actionable and in the final analysis, if I was able to delete it, then I was the owner. And after 7 months, thats good enough for me.
0

Featured Post

Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ports for sccm 2012 1 80
Remote Desktop to Server prints everything duplex 7 56
Group policy not applying 5 91
Server HP DL380 G7 13 45
My previous article  (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_Server_2008/A_4466-A-beginners-guide-to-installing-SCCM2007-on-Windows-2008-R2-Server.html)detailed one possible method to get SCCM 2007 installed an…
Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question