Batch File that denies access to a folder

[luke127]

Hi guys I know my old thread got shutdown but I know why. This thread is different. It's for home use. I have a little brother age 12 who has about the same knowledge of PC's as me. But the thing is he keeps going into the C:\ drive and looking in my user account folder. I already keep removing his ownership but he just goes in and resets it and no I can't remove him from having admin rights as he knows mum's password and he just goes in and changes it again. UGH. Anyone help with the script? I have a batch to EXE coverter so him hacking it isn't a problem. I can encrypt it as well so he can't delete it without the password.

So anyone know how to do this?

He also cannot edit the security permissions of the folder or batch file in question. Due to me encrypting both.

 

[carnageX]

Why don't you just use TrueCrypt?

 

[luke127]

Because he overwrites the security permissions and deletes the file. With a batch file however you need the batch and the folder that it denies access to. I can hide the folder and restrict its access. This would stop him in his tracks.

 

[carnageX]

Just use TrueCrypt to encrypt the data that you want hidden.. There wouldn't be access unless the password is known.

The How-To Geek Guide to Getting Started with TrueCrypt - How-To Geek

 

[luke127]

Carnage. I am not stupid. I use truecrypt. Anyway I just want the batch file for this. I don't think that this is not a reasonable request so can somebody write the script please. As for truecrypt HE DELETES THE CONTAINER FILE. That's the weakness with truecrypt its a container encryptor. Not one where I can just right click and go encrypt. Like axcrypt which I do use. Anyway can somebody just write the script please. This isn't just for security from my brother its also for expanding my know how of batch language. The more I read the better I get. So can someone please write it! D:

 

[carnageX]

If you're trying to learn batch scripting, why not write it yourself? You'll learn more than just looking at somebody else's code.

 

[luke127]

Because I don't know how to write it in the first place!! I only know the basics of batch scripting like the echo command or the rename command that's it. This is out of my league for the moment unless someone could recommend a book or a website which has a good guide on batch scripting because I can't find one! I have a computing teacher at school looking for some books on batch files so hopefully she will come back with something.

NOTE: the computing teacher actually teaches​ computing and is not part of the school IT department.

 

[carnageX]

Everything I've found on Google is the same code that you used in your previous thread.

Tested the code out, and it works fine for me.

Modified it slightly so it's a bit cleaner using variables rather than hard-coding the foldername / password everywhere:


Change Locker in line 3 to the name of the folder you want, and hellothere line 4 to the password you want.

cls
@ECHO OFF
set LOCKFODLER=Locker
set PASSWRD=hellothere
title Folder %LOCKFODLER%
if EXIST "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" goto UNLOCK
if NOT EXIST %LOCKFODLER% goto MDLOCKER
:CONFIRM
echo Are you sure you want to lock the folder(Y/N)
set/p "cho=>"
if %cho%==Y goto LOCK
if %cho%==y goto LOCK
if %cho%==n goto END
if %cho%==N goto END
echo Invalid choice.
goto CONFIRM
:LOCK
ren %LOCKFODLER% "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
attrib +h +s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
echo Folder locked
goto End
:UNLOCK
echo Enter the Password to unlock folder
set/p "pass=>"
if NOT %pass%== %PASSWRD% goto FAIL
attrib -h -s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
ren "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" %LOCKFODLER%
echo Folder Unlocked successfully
goto End
:FAIL
echo Invalid password
goto end
:MDLOCKER
md %LOCKFODLER%
echo %LOCKFODLER% created successfully
goto End
:End

Tested it myself and it works fine. Only thing is, if you disable the "Hide protected operating system files" option in the Folder Options, you can get right into it and view the contents of the folder. So yeah.. if your brother is smart enough to change permissions / ownership.. pretty sure he can figure out to unhide system files and view it anyway. Only ways to do it:

Encrypt the folder / drive / account, whatever.
Or just don't save anything worth looking at or that will get you in trouble .

 

[luke127]

Thanks Carnage. I encrypted the folder and the batch and he's tried several times already. But thanks to my tripwaire I know that! I told him off and he hasn't done anything since.

Also could someone point me to a book that has detailed descriptions and/or examples of VBscripts or Batch Scripting? If someone could do this I would greatly appreciate it

Also is anyone here familiar with ICACLS.exe? Could this be programmed into a batch file that changes a folders access permissions for everyone to NO ACCESS and then when I execute the batch file and put the password in it changes a permissions for everyone to full control. Is this possible?

 

[carnageX]

Yes, it's possible.

If you want to add the functionality into the existing batch file from above..
On lines 20 and 29:

cls
@ECHO OFF
set LOCKFODLER=Locker
set PASSWRD=hellothere
title Folder %LOCKFODLER%
if EXIST "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" goto UNLOCK
if NOT EXIST %LOCKFODLER% goto MDLOCKER
:CONFIRM
echo Are you sure you want to lock the folder(Y/N)
set/p "cho=>"
if %cho%==Y goto LOCK
if %cho%==y goto LOCK
if %cho%==n goto END
if %cho%==N goto END
echo Invalid choice.
goto CONFIRM
:LOCK
ren %LOCKFODLER% "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
attrib +h +s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
icacls %LOCKFOLDER%\* /deny Everyone:F
echo Folder locked
goto End
:UNLOCK
echo Enter the Password to unlock folder
set/p "pass=>"
if NOT %pass%== %PASSWRD% goto FAIL
attrib -h -s "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
ren "Control Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}" %LOCKFODLER%
icacls %LOCKFOLDER%\* /grant Everyone:F
echo Folder Unlocked successfully
goto End
:FAIL
echo Invalid password
goto end
:MDLOCKER
md %LOCKFODLER%
echo %LOCKFODLER% created successfully
goto End
:End

Line 20 will deny read/write access to the contents of the lock folder:
icacls %LOCKFOLDER%\* /deny Everyone:F
and line 29 will grant access when the correct password is given:
icacls %LOCKFOLDER%\* /grant Everyone:F

Note that this will still display the contents of your lock folder, unless you put everything in a single subfolder.
e.g., if you have c:\locker as your directory that contains all your files and the batch file, and your unlock batch file is under C:\. If there's a file c:\locker\secretDocument.txt, it will be viewable, but not accessible.

So, to alleviate this, put everything in a subfolder of c:\locker. So your file would be in c:\locker\subfolder\secretDocument.txt

They will be able to see subfolder in the explorer window, but unable to open it.



You could also put the icacls command in a separate batch file if you wanted, too.


HOWEVER...
If the person is an administrator on the computer, they can still change the permissions of the folder manually through the file/folder properties > security tab and granting Everyone access again. So, there again... you're going to have to encrypt it, or use some other kind of 3rd party software to deny access if you actually want to be secure.

Edit: did some more testing.. i was able to change permissions on a single file, but not a subfolder; kept giving me an error about no permissions on the subfolder... so if you place everything in a single subfolder that's locked under your locker folder... then it might be fine.. unless they log into the system's Administrator account.