File permissions: Executable but not moveable?


  1. dimali
    Posts : 2
    Windows 7 Ultimate 64-bit
       New #1

    File permissions: Executable but not moveable?


    Hello everyone,

    trying to make a file unable to be deleted or moved, but still executable, I was changing the file permissions and didn't manage to make it work.

    Allowed: Execute File, Read Data, Read Extended
    Denied: Write Attributes, Write Extended, Write Data, Append Data, Delete

    When I do that, I can still delete and move it, unless I deny full control or remove all allowed. Do you have an idea how to make it work?

    Thanks in advance :)
      My Computer
    Quote Quote

  3. Pyprohly
    Posts : 721
    Windows 10, Windows 8.1 Pro, Windows 7 Professional, OS X El Capitan
       New #2

    Hello Dimali,

    You may realise this already, but there is a strong relationship between deleting and moving in terms of NTFS permissions. I want to make it very clear to readers that if one is asking to deny a user move capabilities on a certain file system object, essentially, they are asking how to deny that user from deleting the object, as a move is a combination of the copy and delete operations. If you can’t delete, you can’t move and vice versa.

    dimali said:
    I was changing the file permissions and didn't manage to make it work.
    I'm glad you gave it a go first. Dimali, you’re close to the solution, you just need to add one more access right...

    The Delete access right is a bit of a weird one. Simply checking this option for a file system object is usually not enough to prevent the target trustee from deleting the object, on its own. For the denied Delete rule to be effective, the object must also include a rule that specifies a deny of the access right Delete subfolders and files. Only when an object has both Delete and Delete subfolders and files rights denied, the target trustee will then not be able to delete the object.

    This behaviour makes sense; a delete operation is an operation performed on a folder, not a file.

    “But files don’t offer a checkable Delete subfolders and files right—only folders have them?”
    Correct. This means if you wish to revoke one’s ability to delete a file, it’s two new ACEs you’ll have to create: one on the file (check the Delete access right) and one on the folder containing that file (check the Delete subfolders and files access right). It’s worth noting that the file does not necessarily have to inherit the latter rule: only, the Delete subfolders and files access rule must be in effect on the folder containing the object... except when dealing with folders themselves. If it is instead a folder you wish to prevent deletion of, simply deny both the Delete and Delete subfolders and file access rights on that one folder to achieve the same effect.

    “If preventing deletion of a file system object involves denying the Delete and Delete subfolders and file rights, why can’t I ever delete an object denied Full Control?”
    This is an exception. Being denied Full Control is not the same as being denied every other access right. If you are denied Full Control, or if you have zero ‘allow’ type rules on a file system object, immediately we can conclude that your user cannot do anything with or to that object, including deletion.


    TL;DR
    To prevent a user having delete access to a file system object, on the object, create a rule which denies the Delete access right, then on the folder containing that object, create a rule that denies the Delete subfolders and files right.
    Last edited by Pyprohly; 27 Jun 2016 at 08:12.
      My Computer
    Quote Quote

  4. dimali
    Posts : 2
    Windows 7 Ultimate 64-bit
    Thread Starter
       New #3

    Excellent! It worked like a charm.
    Thank You a lot, Pyprohly.
      My Computer
    Quote Quote

 

  Related Discussions
I plan on downloading some legacy pci modem drivers and installing them on my Windows 7 machine. I want to be able to back out everything the driver install does, though, if the new drivers don't work. Is that doable? What I am assuming I would do is 1. Download an exe file from some...
I am trying to get started with Google's Android Studio. I have installed the studio software and the Android SDK on my d:\ drive, as follows... d:\dev\android\android-studio d:\dev\android\sdk In the SDK, there is a .bat file, android.bat, that in turn calls another .bat file,...
corrupted executable file
in System Security

Hi All AVG found an corrupted executable file c:\Windows\SysWOW64\mfc45.dat. I delete it from the virus vault and it returns. AVG Tech help wanted to exclude it from the search which of course just ignores it not delete it. They said that they could not delete it because it was a windows file. I...
i wonder how to make Executable files? well i actually found a program called iexpress.exe but I'm stuck in some point do idea what to do.. http://oi48.tinypic.com/wqm1x.png
I used Windows built-in CD burning to burn the CD, and selected the 2nd option, the "Mastered" option where "files can't be edited or removed after burning". I am just wondering, is this normal, there is an addition of 8MB on the file burned into the CD. I tried installing Roxio Creator, and it...
Our Sites
Site Links
About Us
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

 © Designer Media Ltd
All times are GMT -5. The time now is 18:05.
Find Us