Solved

cannot copy files from network drive to local machine using .bat file

Posted on 2011-03-17
14
1,554 Views
Last Modified: 2012-05-11
I have a newly installed WIN7 computer on a SBS 2008 domain. In the office, users have a file: COPY.BAT which they use to copy updated .ade files from a network drive to the local C:\Program Files folder. When I try to run this bat file on this WIN7 computer, it exectutes the internal COPY programs, but each one gives me an "access denied" message. Yet, if I use Windows exlporer and copy the file by-hand from the network drive, and past it into the target folder, no problem.

What's going on? How do I fix this?
0
Comment
Question by:jmarkfoley
14 Comments
 
LVL 20

Expert Comment

by:edster9999
ID: 35160200
try putting double quotes round the full file name including the paths.
copy "x:\whatever" "c:\program files\whatever\whatever"

How do you access the network drive ?  Full path name (\\server\share\whatever) or with a drive letter (X:\whatever).
If it is the full path name try mapping a drive.
You can do it with something like

net use X: \\server\share\whatever
copy "X:\file" "c:\program files\whatever"
net use /d X:

0
 
LVL 19

Expert Comment

by:n2fc
ID: 35160248
"Program Files" is a protected folder (even for administrators)...

You can try one of the following:
+ Try running the bat file from an administrative promp (run cmd.exe "as admin" and then execute the bat file from within)
The following choices are risky from a security standpoint! You can try them to see if they workaround the issue, but they are not a long term solution!
+ Change the security permissions on the "Program Files" folder to allow write access
+ Change the USer Account Control Settings to off (this may or may not work... I haven;t tried it yet)

The reason it works with Windows Explorer is that it is allowing people to override the security as administrators while it runs... You do not get this opportunity unless running the bat file under an administarative prompt.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35161676
Do you get a prompt for allowing the copy (something asking if you want to do that with admin privs) when using Explorer? If so, n2fc is absolutely correct in the last paragraph.

For a "once-in-a-while" copy you should rely on the "runas admin" approach - but that requires the user to be able to use an admin account.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 35167844
Qlemo: yes, I do get a prompt with Explorer

n2fc: The runas admin solution is not good in this case. This is an old Access application with lots of sub-ade files. One or two of these is routinely updated and needs to be copied to the local workstation. These are clerical user, not technical. The .bat solution was to provide and easy click-an-go function. I think it would be too much to give then runas admin instructions.

I tried un-setting the read-only attribute on both the Program Files(x86) folder and the target sub-folder: TRAVERSE. It didn't work, same access denied message. Here is what I am getting:

'\\MAIL\RedirectedFolders\bpatterson\Desktop'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.

C:\Windows>Copy "L:\mark no sharepoint\develop\travPa.ade" "C:\Program Files (x86)\TRAVERSE"
Access is denied.
        0 file(s) copied.

I also tried to change the security permissions, but neither the edit permissions or Advanced options let me change the permissions for any user! What about the User Account Control Settings? How would I investigate that option?

I know there must be a solution because my predecessor was able to get this to work on the other WIN7 computer in the office. Could I examine something on that computer to give me a clue?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35167933
Most probably the privs on that other W7 machine have been tweaked (not recommended). See this thread how to do it: http://www.experts-exchange.com/Q_26882268.html.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 35171118
Qlemo: thanks for that link, however that all looks highly complex and I run into the problem of the next poor schmuck after me trying to figure all that out.

I understand that Vista/WIN7 now "protects" the Windows/Program Files folders. Now, I would like to insert a rant here about the security concepts on the simultaneously most complex yet least actually secure OS of any that I've worked on since the 70's, but I will forebear. The fact is this, and probably thousands of other 3rd party software, expect to make direct updates to their folders in Program Files.  

So, can you tell me how to remove the User Access Control so this process will work as expected? If I can get by with removing the control on just the Program Files(x86)/TRAVERSE folder, that would be perfect. If I have to remove control on the entire Program Files(x86) folder (probably the only Microsoft alternative: all or nothing), then so be it. These users are NOT going to mess with the Program Files folders. They run this Traverse app. or Office. Period.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35171313
You are wrong in so many ways.
Vista/W7 is definitive more secure than its predecessors.
Nothing in a Program Folder should ever change after installation - so it is sound to protect that folder.
Folder and Registry virtualization is meant to redirect write access on protected resources to unprotected ones. But that does not work with "copy", only by using API calls in applications.
We are talking about a 64bit system here, which makes things even more complicated, since additional redirection is applied. A 32bit application needs to see "C:\Program Folders (x86)" when trying to access "C:\Program Folders", for example. There is no need to use a x64 OS for any usual client machine; a 32bit OS would have made things simpler.
However, if you want to weaken systems by removing protection for one of the  program folders, it is no big deal. All you have to do is change the privs on that folder once for each machine. You need to do that as admin. Run in an elevated command prompt:
takeown /f "%ProgramFiles(x86)%\TRAVERSE"
icacls "%ProgramFiles(x86)%\TRAVERSE" /grant Everyone:F

Open in new window

If you want to write a batch file with a little more automation (doing the "runas" part in addition), use this code:
@echo off
if "%1" == "" runas /user:administrator "\"%~f0\" elevated": exit /b 0

takeown /f "%ProgramFiles(x86)%\TRAVERSE"
icacls "%ProgramFiles(x86)%\TRAVERSE" /grant Everyone:F

Open in new window

We could restrict access to the files which should be replaced, which would make it less insecure, but I don't think it is required.
0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 
LVL 1

Author Comment

by:jmarkfoley
ID: 35172154
Sorry. didn't mean to ruffle any feathers :) Yes, this version of WINDOWS is more secure than previous versions of WINDOWS. I was refering to non-Windows OSs. As to whether anything should ever change in a Program Folder, that may be Microsoft's new policy, perhaps with good reason, but other OSs find other solutions (including user settable execution paths), but in any case, various vendors were unaware of this future policy back in the XP days when they created programs. I am lucky enough to have inherited such a program. We will be migrating away from this program as soon as possible, but meanwhile, I'm stuck having to distribute updated ade files to multiple workstations, often on a weekly basis.

I am going to give your 1st solution a shot (probably more secure than the second because a clever user could examine the .bat file and get crazy ideas). But it may have to wait until Tuesday as I don't have access to that machine until then. I'll keep you posted.

Meanwhile, what does the "\"%~f0\" parameter in your runas command do? I've looked at the help on this and I can't puzzle it out.
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 35173063
That part is tricky. Usually, %0 is the batch file name as called.
%~f0 constructs the batch file name, fully extended with drive, path, filename and extension.
The surrounding double quotes are needed in case the full path has spaces or other "special" characters in, like an ampersand (which is the command separator in CMD.exe).
And since runas needs the whole command line to be called to be enclosed in double quotes, we need to "escape" the double quotes of "%~f0" with backslashs.
The result is that runas is calling the batch file again with an additional argument, which populates %1, so runas is not called again - instead the script continues with the real stuff to do.

I did not notice until now that this line contains a syntax error - the colon is wrong there. That line should read:
if "%1" == "" runas /user:administrator "\"%~f0\" elevated" & exit /b 0
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 35179135
Wowser! That makes sense about the "%~f0", but highly esoteric!

Still getting stuck on your solution #1. I logged onto this machine as Administrator, opened a command window and ran the takeown command:

C:\Users\HPadminRS.HPRS>takeown /f "%ProgramFiles(x86)%\TRAVERSE"
ERROR: The current logged on user does not have ownership privileges on
       the file (or folder) "C:\Program Files (x86)\TRAVERSE".

What am I doing wrong?
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 500 total points
ID: 35179178
Even when logged in as admin, you need to elevate the command prompt to get all privileges. That is what the runas has been for.
When you start cmd.exe via the Search box of Start Menu, right click on cmd.exe, as choose "Run as administrator". After that you should be able to take ownership.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 35179347
Thanks, I though logging on as the actual administrator would would. Getting closer, the step you gave me worked:

C:\Windows\system32>takeown /f "%ProgramFiles(x86)%\TRAVERSE"

SUCCESS: The file (or folder): "C:\Program Files (x86)\TRAVERSE" now owned by user "HPRS\bpatterson".

C:\Windows\system32>icacls "%ProgramFiles(x86)%\TRAVERSE" /grant Everyone:F
processed file: C:\Program Files (x86)\TRAVERSE

However, still getting access denied on the .bat file copy:

C:\Windows>Copy "L:\mark no sharepoint\develop\travPa.ade" "C:\Program Files (x86)\TRAVERSE"
Access is denied.
        0 file(s) copied.
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 35181230
That is because that file already exists - and seem to have not inherited the change of permissions. Use either
  icacls "%ProgramFiles(x86)%\TRAVERSE" /grant Everyone:F /T
or
  icacls "%ProgramFiles(x86)%\TRAVERSE\*.ada" /grant Everyone:F

0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 35187809
Eureka!  the command:

icacls "%ProgramFiles(x86)%\TRAVERSE" /grant Everyone:F /T

seems to have done the trick! Thanks for your help.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

I recently purchased an HP EliteBook 2540p notebook/laptop. It has two video ports on it – VGA and DisplayPort. HP offers an optional docking station for the 2540p that also has both a VGA port and a DisplayPort. There are numerous online reports do…
New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
This Micro Tutorial will give you a introduction in two parts how to utilize Windows Live Movie Maker to its maximum capability. This will be demonstrated using Windows Live Movie Maker on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now