The commands below are a subset of the complete command list found in Useful command-lines, and provide different methods to query, modify and report on aspects of NTFS, including security, MFT, ABE, alternate data streams, security templates and SDDL.
Each command-line can be copied and pasted at the command prompt. If you use a batch file, you'll need to reference variables with double-percent (%%).
Disable path parsing to access a file using UNC
type "\\?\UNC\server\share\path\file.txt"
Dump file and security attributes on an NTFS filesystem
filestat %file%
Show the ACL in SDDL format using cacls (2003)
cacls c:\ /s
Add authenticated users:R to the root (not OICI) using SDDL with cacls
cacls c:\ /S:"D:PAI(A;OICI;FA;;;BA)(A;;0x1200a9;;;AU)(A;OICI;FA;;;SY)"
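Added example (not from the original page): a small Python decoder for the DACL part of an SDDL string such as the one passed to cacls /S above, showing that 0x1200a9 is read and execute with no inheritance flags. The alias tables are a subset chosen for this page, and the function names are illustrative.

```python
import re

# Subset of SDDL aliases and file access bits, enough for the strings on this page.
TRUSTEES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
            "AU": "NT AUTHORITY\\Authenticated Users", "WD": "Everyone",
            "BU": "BUILTIN\\Users", "CO": "CREATOR OWNER"}
DACL_FLAGS = {"P": "protected", "AI": "auto-inherited", "AR": "auto-inherit requested"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}
RIGHT_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
RIGHT_BITS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
              0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
              0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
              0x100: "FILE_WRITE_ATTRIBUTES", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}

def rights_to_mask(rights):
    """Accept a hex mask (0x1200a9) or concatenated two-letter aliases (FRFX)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for alias in re.findall("..", rights):
        mask |= RIGHT_ALIASES[alias]  # KeyError on an alias outside this subset
    return mask

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("no DACL found in SDDL string")
    flags = [DACL_FLAGS[f] for f in re.findall("AR|AI|P", m.group(1))]
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, ace_flags, rights, _obj, _inh, sid = body.split(";")[:6]
        mask = rights_to_mask(rights)
        aces.append({"type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
                     "trustee": TRUSTEES.get(sid, sid), "mask": mask,
                     "inherit": [ACE_FLAGS.get(f, f) for f in re.findall("..", ace_flags)],
                     "rights": [n for bit, n in RIGHT_BITS.items() if mask & bit]})
    return flags, aces

PAGE_SDDL = "D:PAI(A;OICI;FA;;;BA)(A;;0x1200a9;;;AU)(A;OICI;FA;;;SY)"  # from the cacls /S line

if __name__ == "__main__":
    flags, aces = parse_dacl(PAGE_SDDL)
    print("DACL flags:", flags)
    for ace in aces:
        scope = ", ".join(ace["inherit"]) or "this object only"
        print(f'{ace["type"]} {ace["trustee"]} {ace["mask"]:#x} [{scope}]', *ace["rights"])
```

An ACE with an empty inherit list applies to the object itself only, which is the "not OICI" case in the description above.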
Query Storage Report Management global settings (file screening and quotas)
reg query HKEY_LOCAL_MACHINE\Cluster\SRM\Settings\SrmGlobalSettings /v Data
Show the current mounted volumes on the local system
mountvol OR mountvol c:\ /l
Create a hardlink directory entry linking one file to another
fsutil hardlink create %NewFileLink% %ExistingFile%
Create symbolic directory and file links, hard links and directory junctions (Vista/2008)
mklink
Add a string to an alternate stream stored as a $DATA attribute
echo this content will be stored in the file sub stream > test.txt:stream1
Add the contents of a file to an alternate data stream
type file.txt > test.txt:stream1
Create a new file in an alternate stream as part of a directory
md test & echo alternate stream > test:stream1
Display the stream
more < test:test.exe
Run the executable in the alternate stream
cmd /c start .\test:test.exe
Retrieve the binary file from an alternate data stream (port of Unix Cat)
cat test:test.exe > note.exe
Remove an NTFS alternate data stream (does not maintain timestamps)
type test.txt>test1.txt
Delete an alternate data stream
streams -d test.txt
Dump NTFS info from the MFT for a File Record Segment (unix port)
ntfsinfo -d /dev/hda1 -i 36
Find cluster disk size and free space
echo clusnode1 > clusternodes.txt & echo clusnode2 >> clusternodes.txt & echo clusnode3 >> clusternodes.txt & echo clusnode4 >> clusternodes.txt & wmic /node:@clusternodes.txt path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name,Size,FreeSpace,VolumeName
Create a security template from the given directory for SDDL secedit processing
for /d %i in (%source%\*.*) do @for /f "tokens=2" %j in ('cacls.exe %i /S') do @echo Processing %~ni & echo "%i",2,%j >> Security.txt
Make test directories from a security template
for /f "tokens=1,2,3,* delims=\," %i in ('"find /i "dir1\dir2" template.inf"') do md "c:\temp\sectest\%j\%k
Reformat the target of a security template for offline testing
for /f "tokens=1,2,3,* delims=\," %i in ('"find /i "dir1\dir2" template.inf"') do @echo "c:\temp\sectest\%j\%k,%l
Remotely configure filesystem NTFS security using a secedit template
psexec \\%server% secedit /configure /db c:\windows\temp\%random%.sdb /cfg c:\windows\security\templates\%template%.inf /log c:\windows\temp\Configure.log
Disable automatic mounting of volumes added to a 2003 system (diskpart command)
automount disable
Remove automatic mount points for volumes that no longer exist (diskpart command)
automount scrub
Report the NTFS permissions for restore from a SDDL template
setacl -on c:\windows -ot file -actn list -rec cont_obj -lst f:sddl -bckp test.txt
List the file system filters and instances installed on the system
fltmc filters & fltmc instances
Run diskpart to list NTFS volumes remotely
psexec \\%server% cmd /c "echo list volume | diskpart | find /i "NTFS""
Find local disks other than C: and D: that are NTFS
wmic /node:"%server%" path Win32_LogicalDisk WHERE "FileSystem='NTFS' AND Name != 'C:' AND Name != 'D:'" GET SystemName,Name
Find local disks using powershell and output to CSV
Get-WmiObject -Namespace root\cimv2 -ComputerName %server% -Query "SELECT * from Win32_LogicalDisk WHERE FileSystem='NTFS' AND Description = 'Local Fixed Disk' AND Name != 'C:' AND Name != 'D:'" | export-csv c:\disk.csv
Read directories from a security template, checking if they exist
for /f "skip=2 tokens=1 delims=," %i in ('"find /i "OICI" \\%server%\%Template%"') do @if not exist \\%server%\%drive%$%~pi echo \\%server%\%drive%%~pi
Query the NTFS attributes of a file
nfi "C:\windows\system32\notepad.exe"
Report and save the security on one or more NTFS Filesystem objects
ICACLS %object% /save %outputfile%
Reset the inherited DACL flag on an object to not protected, inherit below
setacl -on %Directory% -ot file -actn setprot -op dacl:np
Reset inherited permissions for specified NTFS objects
setacl -on %Directory%\*.* -ot file -actn rstchldrn -rst DACL
Check user home drive permissions from hmDir (top-level)
for /f %i in (%users.txt%) do @for /f "tokens=*" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do cacls "%m"
Check Access Based Enumeration is enabled on a top-level share
psexec \\%server% abecmd %share%
Check permissions are being inherited
for /f %i in (%users.txt%) do @for /f "tokens=1" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do @for /d %p in (%m\*.*) do @echo cacls "%p"
Check ownership of files
for /f %i in (%users.txt%) do @for /f "tokens=1" %m in ('"dsquery user -name %i | dsget user -hmdir | find /i "%i""') do @dir %m /q/s
Process robocopy /l output to find files/data that would be copied
for /f "tokens=2,5 delims=_:" %i in (output.txt) do @If "!User!" NEQ "%i" (@Set User=%i&@Set Line=%i,%j) else (@Set Line=!Line!,%j & @Echo !Line!)
List ACLs in SDDL format
setacl -on %filepath% -ot file -actn list -lst f:sddl
Change the ownership of all subdirectories and files in a folder
subinacl /subdirectories %Path%\*.* /setowner=%Domain%\%User%
Change the ownership of a folder
subinacl /file %Path% /setowner=%Domain%\%User%
Logical Disk Information
wmic /node:%server% path Win32_LogicalDisk
Physical Disk Information
wmic /node:%server% path Win32_DiskPartition
Wayne's World of IT (WWoIT), Copyright 2008 Wayne Martin.
Information regarding Windows Infrastructure, centred mostly around commandline automation and other useful bits of information.
2 comments:
Long and useful list of commands with one line information too along with the commands but I know that such list cannot be exhaustive isn't it so or are these all that can be done?
WHAT IS THE DIFFERENCE FAT32 & NTFS?
ntfs permissions analyzer