File Attributes and Attrib.exe


In the A+ Exam Cram I discuss the basics of files and folders and how to access and work with them in the GUI and in the command line. To further understand how to secure files, let’s talk about the available file attributes. They start with the group of attributes known as RASH:

Read-only (R): Write-protects the file so that it cannot be modified.

Archive (A): Its purpose is to quickly determine if a file requires backing up; it is set when a file is overwritten or modified by the operating system.

System (S): Indicates that the file is integral and important to the operating system; it protects the file.

Hidden (H): Makes a file invisible when applications attempt to display a list of files.

There are two more attributes: compression, which decreases the size of a file so that it uses less space on a volume, and encryption, which converts the file (using a cipher) so that it cannot be read by others. These are normally modified in the GUI, from the file or folder’s Properties sheet.

One example of modifying a file attribute would be to configure the file myProfile.txt as read-only. This can be done in the GUI by accessing the Properties sheet of the file, or by utilizing the Command Prompt. To do this in the Command Prompt, you would navigate to the folder that contains myProfile.txt and type the following syntax:

attrib +R myProfile.txt

Attrib is the attribute command needed for this process, and +R makes the file myProfile.txt read-only. (You can also use lowercase switches.)

It is important to note that the system attribute protects a file.

Viruses and other malicious attacks could possibly remove the system attribute (and read-only attribute) in an attempt to make modifications to the file or delete the file. For example, if a virus, worm, or RAT gained access to a system with the correct administrative privileges, clearing the attributes so that the file could then be modified or removed would be as simple as using the following syntax:

attrib -R -A -S -H filename

When checking if viruses exist or have done damage to a system, use the attrib command in the root directory to verify that the proper attributes are set on system files. Here are a couple of the important root directory system files to watch out for:

– bootmgr

– pagefile.sys (all Windows)

By default, the preceding files should be set to ASHR, except for pagefile.sys, which should be set to ASH. If there have been any modifications to them, use the attrib command to reset them. You might also want to verify that they weren’t corrupted, and if you suspect foul play, recover the original files from the installation media.
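
The check described above can be scripted. The following Python sketch is an added example, not part of the original article: it reads each file's attribute bits and reports any RASH letter that differs from the defaults the article lists. The function names and the C:\ root are assumptions.

```python
import os
import stat

# Windows attribute bits, exposed by Python's stat module on every platform.
FLAG_BITS = {
    "R": stat.FILE_ATTRIBUTE_READONLY,
    "A": stat.FILE_ATTRIBUTE_ARCHIVE,
    "S": stat.FILE_ATTRIBUTE_SYSTEM,
    "H": stat.FILE_ATTRIBUTE_HIDDEN,
}

# Baseline taken from the article: bootmgr = ASHR, pagefile.sys = ASH.
BASELINE = {"bootmgr": "ASHR", "pagefile.sys": "ASH"}


def decode(mask):
    """Return the set of RASH letters present in an attribute bitmask."""
    return {letter for letter, bit in FLAG_BITS.items() if mask & bit}


def compare(name, mask, baseline=BASELINE):
    """Return (missing, unexpected) RASH letters for a file versus its baseline."""
    expected = set(baseline[name.lower()])
    actual = decode(mask)
    return sorted(expected - actual), sorted(actual - expected)


def audit_root(root="C:\\"):
    """Check each baseline file under root; returns {name: (missing, unexpected)}."""
    findings = {}
    for name in BASELINE:
        try:
            # st_file_attributes exists only on Windows.
            mask = os.stat(os.path.join(root, name)).st_file_attributes
        except OSError as exc:
            findings[name] = ([f"<unreadable: {exc.strerror}>"], [])
            continue
        result = compare(name, mask)
        if result != ([], []):
            findings[name] = result  # deviation from the article's defaults
    return findings


if __name__ == "__main__":
    if os.name != "nt":
        raise SystemExit("st_file_attributes is only available on Windows")
    for name, (missing, extra) in audit_root().items():
        print(f"{name}: missing={missing} unexpected={extra}")
```

An empty result means both files match the baseline; any entry is a prompt to reset the attributes with attrib and check the file's integrity.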