Jump to content
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble
Strawberry Orange Banana Lime Leaf Slate Sky Blueberry Grape Watermelon Chocolate Marble

MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. Alternatively, register and become a site sponsor/subscriber and ads will be disabled automatically. 


Asp

permissions (?) problem

Recommended Posts

One reason I stuck with XP is that I thought I would not need to worry about permissions issues that bedevil you on later versions.

But now it has.

I've been using "Far Manager", the Norton Commander look alike for Windows, for about 20 years.

A week ago it suddenly stopped working. I looked in the folder and the far.exe file was gone, other files it used were still there. I found that an antivirus app had suddenly decided Far was a risk (possibly because I used it to execute another installer that the program also didn't like) and "quarantined" it. So I told the app (Threatfire) that this program was good and reinstalled it. Seemed to work.

But... now it works the first time I run it. If I close and try to restart it, or open another copy (I often run two copies at once) I get:

"Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item."

If I reboot, I can run it once more.

I tried to uninstall Far ( so I could reinstall it), The installer gets the same message.

I run as "Owner" and have never had a permissions problem in XP that I can recall. 

How can I fix this?

 

 

 

Edited by Asp

Share this post


Link to post
Share on other sites

6 hours ago, Asp said:

How can I fix this?

Well, first thing you should check the permissions of the file (and of the directory where it is):

http://www.ntfs.com/ntfs-permissions.htm

You may need to take ownership.

You are however "mixing" two different "features".

One is NTFS permissions (that have been on NTFS since the dawn of time) and the other is UAC, User Account Control, which is the "new" thing since Vista).

BUT it seems strange that it can run once and then no more.

Is it not some feature of that "Threatfire" thingy?

jaclaz

Share this post


Link to post
Share on other sites

I disabled Threatfire, and Avast, and my firewall. Still the same message.

I can't see a "Security" tab on the properties of the file. There is one on the folder.  "Owner" has all the permissions on.

I rebooted and now I get the error first time I try to run it.

 

 

Share this post


Link to post
Share on other sites

Wait a minute, which OS is that?

XP Home? (but I seem to remember that Home misses it on folders also :unsure:) 

In case:

https://www.bleepingcomputer.com/forums/t/281059/how-to-add-security-tab-in-windows-xp-home/

Are you sure the file is actually a file (and not a link)?

Anyway, try checking it with CACLS or XCACLS:

https://ss64.com/nt/cacls.html

https://ss64.com/nt/xcacls.html

So, if I get it right, when Threatfire is running with the far.exe added to the exclusion list, you can run it once but not twice, and now with Threatfire disabled it cannot run even the first instance?

Then it must be still connected to Threatfire. :dubbio:

jaclaz

Share this post


Link to post
Share on other sites

Update:

I think this is solved.

When I first realised that Threatfire had quarantined Far.exe, I opened Threatfire and added Far to its exceptions (i.e., whitelisted), then reinstalled Far. However, the original Far.exe was still quarantined, and this apparently also applied to a file with the same name (and location? Didn't test that). As below, the reinstalled file has no owner and can't be run, deleted or moved. (Except sometimes runnable once, somehow.)

Anyway, I looked into Threatfire's Quarantine settings and found Far.exe still listed, so I deleted that. Reinstalled Far again and now it's normal.

Threatfire is now abandonware, Originally from PCTools, which now part of Norton, but no sign of it on their site. But it still works and despite the hassle, I'll keep it. It reacts to suspicious activity, not virus signatures. A little paranoid but adds peace of mind.

 

--- Previous explorations:

XP pro, SP3.

Tried cacls:

C:\Far>dir
 Volume in drive C has no label.
 Volume Serial Number is D80C-0FAC

 Directory of C:\Far

13/08/2019  07:34 PM    <DIR>          .
13/08/2019  07:34 PM    <DIR>          ..
03/02/2011  12:13 AM               324 ClearPluginsCache.cmd
19/06/2013  07:29 AM    <DIR>          Documentation
03/02/2011  12:00 AM         1,380,352 Far.exe
03/02/2011  12:00 AM           585,638 far.map
12/08/2019  01:01 AM             2,855 Far.PIF
30/07/2019  10:05 PM               692 Far.txt
03/02/2011  12:00 AM           206,129 FarEng.hlf
03/02/2011  12:00 AM            36,232 FarEng.lng
13/08/2019  07:34 PM               210 FarSettings.Machine.reg
13/08/2019  07:34 PM           586,406 FarSettings.User.reg
29/07/2019  12:29 PM    <DIR>          FExcept
03/02/2011  12:00 AM               561 File_id.diz
30/07/2019  09:38 PM    <DIR>          Plugins
03/02/2011  12:13 AM               772 RestoreSettings.cmd
03/02/2011  12:13 AM               734 SaveSettings.cmd
              12 File(s)      2,800,905 bytes
               5 Dir(s)   3,885,535,232 bytes free

C:\Far>cacls far.exe
C:\Far\Far.exe
Access is denied.

C:\Far>cacls far.map
C:\Far\far.map BUILTIN\Administrators:F
               BUILTIN\Administrators:F
               COMPUTER-4717\Owner:F
               NT AUTHORITY\SYSTEM:F
               BUILTIN\Users:R
 
C:\Far>cacls Far.exe /C /G COMPUTER-4717\Owner:F
Are you sure (Y/N)?y
 ACCESS_DENIED: C:\Far\Far.exe

C:\Far>cacls Far.exe /T /C /G COMPUTER-4717\Owner:F
Are you sure (Y/N)?y
 ACCESS_DENIED: C:\Far\Far.exe

 

Displaying owners of files:

C:\Far>dir /q
 Volume in drive C has no label.
 Volume Serial Number is D80C-0FAC

 Directory of C:\Far

13/08/2019  07:34 PM    <DIR>          BUILTIN\Administrators .
13/08/2019  07:34 PM    <DIR>          BUILTIN\Administrators ..
03/02/2011  12:13 AM               324 BUILTIN\Administrators ClearPluginsCache.
cmd
19/06/2013  07:29 AM    <DIR>          BUILTIN\Administrators Documentation
03/02/2011  12:00 AM         1,380,352 ...                    Far.exe
03/02/2011  12:00 AM           585,638 BUILTIN\Administrators far.map
12/08/2019  01:01 AM             2,855 COMPUTER-4717\Owner    Far.PIF
30/07/2019  10:05 PM               692 COMPUTER-4717\Owner    Far.txt
03/02/2011  12:00 AM           206,129 BUILTIN\Administrators FarEng.hlf
03/02/2011  12:00 AM            36,232 BUILTIN\Administrators FarEng.lng
13/08/2019  07:34 PM               210 COMPUTER-4717\Owner    FarSettings.Machin
e.reg
13/08/2019  07:34 PM           586,406 COMPUTER-4717\Owner    FarSettings.User.r
eg
29/07/2019  12:29 PM    <DIR>          BUILTIN\Administrators FExcept
03/02/2011  12:00 AM               561 BUILTIN\Administrators File_id.diz
30/07/2019  09:38 PM    <DIR>          BUILTIN\Administrators Plugins
03/02/2011  12:13 AM               772 BUILTIN\Administrators RestoreSettings.cm
d
03/02/2011  12:13 AM               734 BUILTIN\Administrators SaveSettings.cmd
              12 File(s)      2,800,905 bytes
               5 Dir(s)   3,884,883,968 bytes free

What does "..." mean? No owner?

 

Otherwise, tried to delete  far.exe with Unlocker, couldn't do it, despite saying it would on next boot. Also, next boot I could again run Far, once, then exit and it's access denied again.

 

 

 

Edited by Asp

Share this post


Link to post
Share on other sites

Very likely it is (was) a non-canonical ACL :dubbio::

https://support.microsoft.com/en-us/help/320081/you-cannot-delete-a-file-or-a-folder-on-an-ntfs-file-system-volume

What I would do (once everything is actually disabled/deleted/etc.)

Copy the Far.exe to a FAT16/32 volume.

Delete the Far.exe copy on the NTFS volume.

Copy back from FAT volume to the original NTFS folder.

Check again NTFS permissions.

Alternatively, use SetACL:

https://helgeklein.com/setacl/

jaclaz

Share this post


Link to post
Share on other sites

Thanks.

Just removing the filename from the quarantine list seems to have fixed it.

False postives are a real pain, but  it shows how effective Threatfire's quarantine is,

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...