[cso]

perms.txt:

SteelWerX Extended Configuration Access Control Lists Beta 2
Written by Bobbi Flekman 2006 (C)
*******************************************************************************
File: C:\WINDOWS\explorer.exe

DACL Information:
Revision:	   2
Number of ACEs: 5
Bytes in use:   136
Bytes free:	 0

Controlflags ************************************
  SE_DACL_PRESENT		  SE_DACL_AUTO_INHERITED   
  SE_SELF_RELATIVE		 

ACE # (Type): 0 (ACCESS_ALLOWED_ACE_TYPE)
		Size: 24
User: Users (LINBURN-01\Users)
 SID: S-1-5-32-545
Flags ************************************
  INHERITED_ACE			  
Mask  ************************************
  FILE_READ_DATA		   FILE_READ_EA			 FILE_EXECUTE			 
  FILE_READ_ATTRIBUTES	 READ_CONTROL			 SYNCHRONIZE			  
  STANDARD_RIGHTS_READ	 STANDARD_RIGHTS_WRITE	STANDARD_RIGHTS_EXECUTE  

ACE # (Type): 1 (ACCESS_ALLOWED_ACE_TYPE)
		Size: 24
User: Power Users (LINBURN-01\Power Users)
 SID: S-1-5-32-547
Flags ************************************
  INHERITED_ACE			  
Mask  ************************************
  FILE_READ_DATA		   FILE_WRITE_DATA		  FILE_APPEND_DATA		 
  FILE_READ_EA			 FILE_WRITE_EA			FILE_EXECUTE			 
  FILE_READ_ATTRIBUTES	 FILE_WRITE_ATTRIBUTES	DELETE				   
  READ_CONTROL			 SYNCHRONIZE			  STANDARD_RIGHTS_READ	 
  STANDARD_RIGHTS_WRITE	STANDARD_RIGHTS_EXECUTE  

ACE # (Type): 2 (ACCESS_ALLOWED_ACE_TYPE)
		Size: 24
User: Administrators (LINBURN-01\Administrators)
 SID: S-1-5-32-544
Flags ************************************
  INHERITED_ACE			  
Mask  ************************************
  FILE_READ_DATA		   FILE_WRITE_DATA		  FILE_APPEND_DATA		 
  FILE_READ_EA			 FILE_WRITE_EA			FILE_EXECUTE			 
  FILE_DELETE_CHILD		FILE_READ_ATTRIBUTES	 FILE_WRITE_ATTRIBUTES	
  DELETE				   READ_CONTROL			 WRITE_DAC				
  WRITE_OWNER			  STANDARD_RIGHTS_REQUIRED SYNCHRONIZE			  
  STANDARD_RIGHTS_READ	 STANDARD_RIGHTS_WRITE	STANDARD_RIGHTS_EXECUTE  

ACE # (Type): 3 (ACCESS_ALLOWED_ACE_TYPE)
		Size: 20
User: SYSTEM (NT AUTHORITY\SYSTEM)
 SID: S-1-5-18
Flags ************************************
  INHERITED_ACE			  
Mask  ************************************
  FILE_READ_DATA		   FILE_WRITE_DATA		  FILE_APPEND_DATA		 
  FILE_READ_EA			 FILE_WRITE_EA			FILE_EXECUTE			 
  FILE_DELETE_CHILD		FILE_READ_ATTRIBUTES	 FILE_WRITE_ATTRIBUTES	
  DELETE				   READ_CONTROL			 WRITE_DAC				
  WRITE_OWNER			  STANDARD_RIGHTS_REQUIRED SYNCHRONIZE			  
  STANDARD_RIGHTS_READ	 STANDARD_RIGHTS_WRITE	STANDARD_RIGHTS_EXECUTE  

ACE # (Type): 4 (ACCESS_ALLOWED_ACE_TYPE)
		Size: 36
User: S-1-5-21-1292428093-1957994488-725345543-1003 (\S-1-5-21-1292428093-1957994488-725345543-1003)
 SID: S-1-5-21-1292428093-1957994488-725345543-1003
Flags ************************************
  INHERITED_ACE			  
Mask  ************************************
  FILE_READ_DATA		   FILE_WRITE_DATA		  FILE_APPEND_DATA		 
  FILE_READ_EA			 FILE_WRITE_EA			FILE_EXECUTE			 
  FILE_DELETE_CHILD		FILE_READ_ATTRIBUTES	 FILE_WRITE_ATTRIBUTES	
  DELETE				   READ_CONTROL			 WRITE_DAC				
  WRITE_OWNER			  STANDARD_RIGHTS_REQUIRED SYNCHRONIZE			  
  STANDARD_RIGHTS_READ	 STANDARD_RIGHTS_WRITE	STANDARD_RIGHTS_EXECUTE  


No Auditing set

Owner: S-1-5-21-1292428093-1957994488-725345543-1003 (\S-1-5-21-1292428093-1957994488-725345543-1003)

As for the btw (by the way) comment I meant that although a files.txt was successfully created by the 'dir %Systemdrive%\explorer.* ...' command from a previous post it generated a 'file not found' message as it did so.

Cheers!

[Advertisements]

Thanks. The account you are working under is has Administrator rights I assume?

I'm asking someone to look at the output, so a definite answer could take a bit.

Regards,

[Metallica]

Thanks. The account you are working under is has Administrator rights I assume?

I'm asking someone to look at the output, so a definite answer could take a bit.

Regards,

[cso]

Yes, the account has admin privs.
Thanks for your help.

[Metallica]

Hi cso,

Another test. Can you find C:\WINDOWS\explorer.exe
and rename it to sesame.exe ?
Then doubleclick it and let us know what happens.

In the same folder you will see a file called explorer (the extension is .scf but hidden)
Doubleclick that file as well and let us know what happens.

Thanks,

[cso]

Hello,
c:\windows\sesame.exe starts an explorer on My Documents.
c:\windows\explorer.scf starts an explorer on C:.
Cheers

[Metallica]

Hello,
c:\windows\sesame.exe starts an explorer on My Documents.
c:\windows\explorer.scf starts an explorer on C:.
Cheers

Thanks.
And if you rename explorer.exe (now sesame.exe) to explorer.com
What happens then if you doubleclick it?

This is a nice puzzle, now that your computer is in working order again.

[cso]

(explorer.exe is back; I assume from dllcache)
The .com opens an explorer on My Documents.
Hmm, I thought .coms had to be tiny model (<64k)?

[Metallica]

Not anymore as far as I know.

I'm no programmer, but you can rename most exe files to .com without suffering any consequences.
As, unfortunately a lot of malware writers have found out, if you do not specify the extension the .com file will get executed first.

[Metallica]

Explanation from a programmer:

The difference between .COM and .EXE is that a .COM file is a direct memory layout. When started it will occupy the memory in exactly the same order as the binary contents of the file. Because this hinders intelligent things like swapping memory to disc and using direct access to hard discs and other stuff, the .EXE file format was created. Fortunately Windows does not look at the name to execute programs, but at the internal layout of it, so renaming an .EXE to .COM will always work.

He also asked if you have done anything with the user-accounts on the computer?
The export from SWXCACLS (which is his work) looks as if a useraccount has been deleted or some other strange things have happened to it, because the computer doesn't seem to have a name for a useraccount that matches the SID.

Regards,

[cso]

Hello again,
I'm about the fourth main user of this machine in the last three years and at some point it has been a shared resource. I created the account I use on it when I started here about a year ago. It is badly in need of scrapping but there is quite a lot of 'historic' software and data on it that I've been slowly reconciling, backup-up and ensuring I can reinstall or recreate elsewhere. This whole incident has reinforced for me how important it is to do that. Do I need NewSID or somesuch?
Thanks.

[cso]

PS
Is that the same Bobbi Flekman who was in This is Spinal Tap?
Cheers

[Metallica]

Hmmm. I'd have to ask.

Maybe he'll be kind enough to join this thread.

[Bobbi Flekman]

PS
Is that the same Bobbi Flekman who was in This is Spinal Tap?
Cheers

Yep... That's where I stole my name from. I didn't want to take the real well known names like Nigel Tufnel, and Bruno (the driver) was a little too obscure for my taste.

You don't need NewSID for this. It might even create additional problems because internally a SID is all you are to a computer. When strange things happen, you can claim ownership of the file/folder with an account belonging to the Administrator's group and change permissions.