Asp Posted August 13, 2019 Share Posted August 13, 2019 (edited) One reason I stuck with XP is that I thought I would not need to worry about permissions issues that bedevil you on later versions. But now it has. I've been using "Far Manager", the Norton Commander look alike for Windows, for about 20 years. A week ago it suddenly stopped working. I looked in the folder and the far.exe file was gone, other files it used were still there. I found that an antivirus app had suddenly decided Far was a risk (possibly because I used it to execute another installer that the program also didn't like) and "quarantined" it. So I told the app (Threatfire) that this program was good and reinstalled it. Seemed to work. But... now it works the first time I run it. If I close and try to restart it, or open another copy (I often run two copies at once) I get: "Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item." If I reboot, I can run it once more. I tried to uninstall Far ( so I could reinstall it), The installer gets the same message. I run as "Owner" and have never had a permissions problem in XP that I can recall. How can I fix this? Edited August 13, 2019 by Asp Link to comment Share on other sites More sharing options...
jaclaz Posted August 13, 2019 Share Posted August 13, 2019 6 hours ago, Asp said: How can I fix this? Well, first thing you should check the permissions of the file (and of the directory where it is): http://www.ntfs.com/ntfs-permissions.htm You may need to take ownership. You are however "mixing" two different "features". One is NTFS permissions (that have been on NTFS since the dawn of time) and the other is UAC, User Account Control, which is the "new" thing since Vista). BUT it seems strange that it can run once and then no more. Is it not some feature of that "Threatfire" thingy? jaclaz 1 Link to comment Share on other sites More sharing options...
Asp Posted August 13, 2019 Author Share Posted August 13, 2019 I disabled Threatfire, and Avast, and my firewall. Still the same message. I can't see a "Security" tab on the properties of the file. There is one on the folder. "Owner" has all the permissions on. I rebooted and now I get the error first time I try to run it. Link to comment Share on other sites More sharing options...
jaclaz Posted August 13, 2019 Share Posted August 13, 2019 Wait a minute, which OS is that? XP Home? (but I seem to remember that Home misses it on folders also ) In case: https://www.bleepingcomputer.com/forums/t/281059/how-to-add-security-tab-in-windows-xp-home/ Are you sure the file is actually a file (and not a link)? Anyway, try checking it with CACLS or XCACLS: https://ss64.com/nt/cacls.html https://ss64.com/nt/xcacls.html So, if I get it right, when Threatfire is running with the far.exe added to the exclusion list, you can run it once but not twice, and now with Threatfire disabled it cannot run even the first instance? Then it must be still connected to Threatfire. jaclaz Link to comment Share on other sites More sharing options...
Asp Posted August 14, 2019 Author Share Posted August 14, 2019 (edited) Update: I think this is solved. When I first realised that Threatfire had quarantined Far.exe, I opened Threatfire and added Far to its exceptions (i.e., whitelisted), then reinstalled Far. However, the original Far.exe was still quarantined, and this apparently also applied to a file with the same name (and location? Didn't test that). As below, the reinstalled file has no owner and can't be run, deleted or moved. (Except sometimes runnable once, somehow.) Anyway, I looked into Threatfire's Quarantine settings and found Far.exe still listed, so I deleted that. Reinstalled Far again and now it's normal. Threatfire is now abandonware, Originally from PCTools, which now part of Norton, but no sign of it on their site. But it still works and despite the hassle, I'll keep it. It reacts to suspicious activity, not virus signatures. A little paranoid but adds peace of mind. --- Previous explorations: XP pro, SP3. Tried cacls: C:\Far>dir Volume in drive C has no label. Volume Serial Number is D80C-0FAC Directory of C:\Far 13/08/2019 07:34 PM <DIR> . 13/08/2019 07:34 PM <DIR> .. 03/02/2011 12:13 AM 324 ClearPluginsCache.cmd 19/06/2013 07:29 AM <DIR> Documentation 03/02/2011 12:00 AM 1,380,352 Far.exe 03/02/2011 12:00 AM 585,638 far.map 12/08/2019 01:01 AM 2,855 Far.PIF 30/07/2019 10:05 PM 692 Far.txt 03/02/2011 12:00 AM 206,129 FarEng.hlf 03/02/2011 12:00 AM 36,232 FarEng.lng 13/08/2019 07:34 PM 210 FarSettings.Machine.reg 13/08/2019 07:34 PM 586,406 FarSettings.User.reg 29/07/2019 12:29 PM <DIR> FExcept 03/02/2011 12:00 AM 561 File_id.diz 30/07/2019 09:38 PM <DIR> Plugins 03/02/2011 12:13 AM 772 RestoreSettings.cmd 03/02/2011 12:13 AM 734 SaveSettings.cmd 12 File(s) 2,800,905 bytes 5 Dir(s) 3,885,535,232 bytes free C:\Far>cacls far.exe C:\Far\Far.exe Access is denied. C:\Far>cacls far.map C:\Far\far.map BUILTIN\Administrators:F BUILTIN\Administrators:F COMPUTER-4717\Owner:F NT AUTHORITY\SYSTEM:F BUILTIN\Users:R C:\Far>cacls Far.exe /C /G COMPUTER-4717\Owner:F Are you sure (Y/N)?y ACCESS_DENIED: C:\Far\Far.exe C:\Far>cacls Far.exe /T /C /G COMPUTER-4717\Owner:F Are you sure (Y/N)?y ACCESS_DENIED: C:\Far\Far.exe Displaying owners of files: C:\Far>dir /q Volume in drive C has no label. Volume Serial Number is D80C-0FAC Directory of C:\Far 13/08/2019 07:34 PM <DIR> BUILTIN\Administrators . 13/08/2019 07:34 PM <DIR> BUILTIN\Administrators .. 03/02/2011 12:13 AM 324 BUILTIN\Administrators ClearPluginsCache. cmd 19/06/2013 07:29 AM <DIR> BUILTIN\Administrators Documentation 03/02/2011 12:00 AM 1,380,352 ... Far.exe 03/02/2011 12:00 AM 585,638 BUILTIN\Administrators far.map 12/08/2019 01:01 AM 2,855 COMPUTER-4717\Owner Far.PIF 30/07/2019 10:05 PM 692 COMPUTER-4717\Owner Far.txt 03/02/2011 12:00 AM 206,129 BUILTIN\Administrators FarEng.hlf 03/02/2011 12:00 AM 36,232 BUILTIN\Administrators FarEng.lng 13/08/2019 07:34 PM 210 COMPUTER-4717\Owner FarSettings.Machin e.reg 13/08/2019 07:34 PM 586,406 COMPUTER-4717\Owner FarSettings.User.r eg 29/07/2019 12:29 PM <DIR> BUILTIN\Administrators FExcept 03/02/2011 12:00 AM 561 BUILTIN\Administrators File_id.diz 30/07/2019 09:38 PM <DIR> BUILTIN\Administrators Plugins 03/02/2011 12:13 AM 772 BUILTIN\Administrators RestoreSettings.cm d 03/02/2011 12:13 AM 734 BUILTIN\Administrators SaveSettings.cmd 12 File(s) 2,800,905 bytes 5 Dir(s) 3,884,883,968 bytes free What does "..." mean? No owner? Otherwise, tried to delete far.exe with Unlocker, couldn't do it, despite saying it would on next boot. Also, next boot I could again run Far, once, then exit and it's access denied again. Edited August 14, 2019 by Asp Link to comment Share on other sites More sharing options...
jaclaz Posted August 14, 2019 Share Posted August 14, 2019 Very likely it is (was) a non-canonical ACL : https://support.microsoft.com/en-us/help/320081/you-cannot-delete-a-file-or-a-folder-on-an-ntfs-file-system-volume What I would do (once everything is actually disabled/deleted/etc.) Copy the Far.exe to a FAT16/32 volume. Delete the Far.exe copy on the NTFS volume. Copy back from FAT volume to the original NTFS folder. Check again NTFS permissions. Alternatively, use SetACL: https://helgeklein.com/setacl/ jaclaz Link to comment Share on other sites More sharing options...
Asp Posted August 15, 2019 Author Share Posted August 15, 2019 Thanks. Just removing the filename from the quarantine list seems to have fixed it. False postives are a real pain, but it shows how effective Threatfire's quarantine is, Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now