{"id":2642,"date":"2021-02-02T10:46:46","date_gmt":"2021-02-02T09:46:46","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2642"},"modified":"2026-05-25T10:13:52","modified_gmt":"2026-05-25T08:13:52","slug":"windows-foundations","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2642","title":{"rendered":"<span class=\"caps\">NTFS<\/span>"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">File and directory integrity levels<\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">C:\\Users\\User&gt;icacls hallo\nhallo NT AUTHORITY\\SYSTEM:(I)(F)\n      BUILTIN\\Administrators:(I)(F)\n      WINDEV2012EVAL\\User:(I)(F)\n      Mandatory Label\\High Mandatory Level:(NW)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><code>(I)(F) <\/code>means that the cor\u00adre\u00adspond\u00ading user or group has <code>(F)<\/code> Full per\u00admis\u00adsion on the file and that the per\u00admis\u00adsions are inher\u00adit\u00aded from the par\u00adent = directory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Note<\/em> that the Read right \u00ae also enables exe\u00adcu\u00adtion on that file! (There is also the Exe\u00adcute\u00adable flag (X).)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>Manda\u00adto\u00adry labels<\/em> describe that the file or direc\u00adto\u00adry can only be accessed (inde\u00adpen\u00addent\u00adly of the flags) if the process = user has at least the same lev\u00adel. The lev\u00adels can be seen with <code>whoami \/priv<\/code>. There are the fol\u00adlow\u00ading lev\u00adels: untrust\u00aded, low, medi\u00adum, high, sys\u00adtem, installer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive method: Use accesschk.exe from SysInternalTools:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">accesschk.exe \/accepteula $dir<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Set permissions<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Set per\u00admis\u00adsions to a direc\u00adto\u00adry or&nbsp;file:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">icacls $dir \/grant $user:(OI)(CI)(F)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Set read per\u00admis\u00adsions to a direc\u00adto\u00adry for anoth\u00ader user \/ all&nbsp;users:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">icacls $dir \/grant $user:(OI)(RX)\nicacls $dir \/grant everyone:(OI)(RX)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Expla\u00adna\u00adtion of the flags is in the stan\u00addard out\u00adput from icacls:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">perm is a permission mask and can be specified in one of two forms:\n    a sequence of simple rights:\n            N - no access\n            F - full access\n            M - modify access\n            RX - read and execute access\n            R - read-only access\n            W - write-only access\n            D - delete access\n    a comma-separated list in parentheses of specific rights:\n            DE - delete\n            RC - read control\n            WDAC - write DAC\n            WO - write owner\n            S - synchronize\n            AS - access system security\n            MA - maximum allowed\n            GR - generic read\n            GW - generic write\n            GE - generic execute\n            GA - generic all\n            RD - read data\/list directory\n            WD - write data\/add file\n            AD - append data\/add subdirectory\n            REA - read extended attributes\n            WEA - write extended attributes\n            X - execute\/traverse\n            DC - delete child\n            RA - read attributes\n            WA - write attributes\n    inheritance rights may precede either form and are applied\n    only to directories:\n            (OI) - object inherit\n            (CI) - container inherit\n            (IO) - inherit only\n            (NP) - don't propagate inherit\n            (I) - permission inherited from parent container<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"caps\">ADS<\/span> Alternate Data Streams<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In <span class=\"caps\">NTFS<\/span>, a <em>stream<\/em> is a prop\u00ader\u00adty of a&nbsp;file.<\/li>\n\n\n\n<li>A file can have mul\u00adti\u00adple streams, which can be ref\u00ader\u00adenced by a <em>iden\u00adti\u00adfi\u00ader<\/em>.<\/li>\n\n\n\n<li>A stream is accessed via :$stream\u00adName append\u00aded to a&nbsp;file.&nbsp;<ul class=\"wp-block-list\">\n<li>Exampe: For the file <code>a.txt<\/code>, there coud be the streams <code>a.txt:alpha<\/code> or <code>a.txt:hidden<\/code>.<\/li>\n\n\n\n<li>It can be accessed as with <code>more &lt; a.txt:hidden<\/code>.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Show all data streams in a direc\u00adto\u00adry \/ from a file:<br><code>dir \/r<\/code><br><code>dir \/r file.txt<\/code>\n<ul class=\"wp-block-list\">\n<li><span class=\"caps\">ADS<\/span> are dis\u00adplayed below the \u201cmain\u201d file, e.g. for \u201cfamily.jpg\u201d, there will be a \u201cfamily.jpg:data_stream_name:$<span class=\"caps\">DATA<\/span>\u201d for each addi\u00adtion\u00adal data stream.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Read a data stream:<br><code>more &lt; file.txt:data_stream_name<\/code><\/li>\n\n\n\n<li>f<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Journaling<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">NTFS<\/span> stores its jour\u00adnal in the spe\u00adcial <span class=\"caps\">NTFS<\/span> file <code>$LogFile<\/code>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The addi\u00adtion\u00adal jour\u00adnal <span class=\"caps\">USN<\/span> Update Sequence Num\u00adber is store in the spe\u00adcial file <code>$Extend\\$UrnJrnl<\/code>. With each write access, the num\u00adber is increased. Use\u00adful for back\u00adup tools. Also, old file names can be found there. Use\u00adful for inci\u00addent analysis.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Extract the journals from an&nbsp;image<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">TODO<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>File and direc\u00adto\u00adry integri\u00adty lev\u00adels C:\\Users\\User&gt;icacls hal\u00adlo hal\u00adlo <span class=\"caps\">NT<\/span> <span class=\"caps\">AUTHORITY<\/span>\\<span class=\"caps\">SYSTEM<\/span>:(I)(F) <span class=\"caps\">BUILTIN<\/span>\\Administrators:(I)(F) <span class=\"caps\">WINDEV2012EVAL<\/span>\\User:(I)(F) Manda\u00adto\u00adry Label\\High Manda\u00adto\u00adry Level:(<span class=\"caps\">NW<\/span>) (I)(F) means that the cor\u00adre\u00adspond\u00ading user or group has (F) Full per\u00admis\u00adsion on the file and that the per\u00admis\u00adsions are inher\u00adit\u00aded from the par\u00adent = direc\u00adto\u00adry. Note that the Read right \u00ae also enables exe\u00adcu\u00adtion on that file! (There [\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[468],"tags":[460,461,117,434,24],"class_list":["post-2642","post","type-post","status-publish","format-standard","hentry","category-general","tag-ads","tag-alternate-data-stream","tag-icacls","tag-ntfs","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2642","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2642"}],"version-history":[{"count":13,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2642\/revisions"}],"predecessor-version":[{"id":4944,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2642\/revisions\/4944"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2642"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2642"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2642"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}