AccessEnum is a Windows Sysinternals tool that reliably lists SIDs and user accounts on Windows 7, 8 and later.
"While the flexible security model employed by Windows NT-based systems allows full control over security and file permissions, managing permissions so that users have appropriate access to files, directories and Registry keys can be difficult. There's no built-in way to quickly view user accesses to a tree of directories or keys. AccessEnum gives you a full view of your file system and Registry security settings in seconds, making it the ideal tool for helping you find security holes and lock down permissions where necessary." Download AccessEnum
Download and run AccessEnum with elevated privileges and you will typically see results like these:
When I ran AccessEnum on C:\ (the root), it revealed some questionable "???" entries in the Read and Write columns, i.e. accounts whose SID could not be resolved to a name.
Right-clicking the highlighted file shows the Current Owner as "Unable to display current owner". I tried running icacls in a Windows command prompt:
PS C:\>ICACLS "C:\windows\winsxs\temp\pendingrenames\01b8c129d167cf01b5070000ec288829.install.ins" /reset /T /C
and it returned
Access is denied.
So how do you gain access to this file?
Solution: discard the current owner entry and re-create the owners.
Right-click the file, choose the Security tab, then choose Continue, which pops up another window in which you can add a known-good account (mainly your own).
Once I did this I could see the contents of the *.install.ins file.
This file seems innocuous enough, but I am satisfied that I now know who controls it and that it's not a hacked account.
Running both of the following scripts then worked to reset the ACL on this file.
Windows CMD (Elevated) Script -
ICACLS "C:\path\to\folder\filename.extension" /reset /T /C
Running this script adds inheritance back to the ACL for that directory.
Windows CMD (Elevated) Script -
ICACLS "C:\path\to\folder\filename.extension" /inheritance:e /T /C
The result is that if you right-click the file you now see the correct ACL group and user names.
Note: this file name is not the one from above; that file got deleted, but this one has the same ACL.
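As an added example (not from the post or from Sysinternals), here is a PowerShell script that scans a directory tree for the two conditions the post ran into: an owner or ACE whose SID no longer resolves to an account name (what AccessEnum shows as "???"), and objects whose security descriptor cannot be read at all ("Unable to display current owner"). The default root path and the report file name are assumptions; run it from an elevated prompt.

```powershell
# Added example, not part of the original post. Reports ACL owners and entries
# that remain raw SIDs (AccessEnum's "???") plus objects whose ACL is unreadable.
# $Root and $Report are assumed defaults; override them on the command line.
param(
    [string]$Root   = 'C:\Windows\WinSxS\Temp',
    [string]$Report = "$env:TEMP\unresolved-sids.csv"
)

function Test-UnresolvedSid {
    param([string]$Identity)
    # Get-Acl renders a resolvable principal as DOMAIN\Name; an orphaned or
    # untranslatable SID is left as the raw S-1-... string.
    return $Identity -match '^S-1-\d+(-\d+)+$'
}

function Get-SuspectAcl {
    param([string]$Path)
    $findings = New-Object System.Collections.Generic.List[object]
    $items = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # The "Unable to display current owner" case: the caller lacks
            # READ_CONTROL on the object, which is itself worth recording.
            $findings.Add([pscustomobject]@{ Path = $item.FullName; Principal = '<access denied>'; Kind = 'Unreadable'; Rights = '' })
            continue
        }
        if (Test-UnresolvedSid $acl.Owner) {
            $findings.Add([pscustomobject]@{ Path = $item.FullName; Principal = $acl.Owner; Kind = 'Owner'; Rights = '' })
        }
        foreach ($ace in $acl.Access) {
            if (Test-UnresolvedSid $ace.IdentityReference.Value) {
                $findings.Add([pscustomobject]@{ Path = $item.FullName; Principal = $ace.IdentityReference.Value; Kind = 'ACE'; Rights = "$($ace.FileSystemRights)" })
            }
        }
    }
    return $findings
}

$result = Get-SuspectAcl -Path $Root
$result | Export-Csv -NoTypeInformation -Path $Report
Write-Host "$($result.Count) suspect entries written to $Report"
```

Review the CSV before running the icacls reset commands, so that a deliberately restricted object (for example one owned by TrustedInstaller) is not opened up by mistake.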
I also see the ??? when there is a very long path name. If I click the corresponding file/folder then I can see the security details in the properties dialog.