Hiding data on Windows with illegal file and folder names and substreams

First of all, if you want to hide or encrypt your data you should rely on tools like TrueCrypt.

This is only a proof of concept which shows how you can trick Windows and make your files inaccessible to people who are not familiar with this technique.

As some of you might know, you can't create folders or files with names like " ", ".", "COM1", "CON" or "sysstem.". But there is a trick to create these files and folders anyway (except for "." and "..").

All you need is the command line and this little prefix:

\\?\

With it you can do a lot more than usual.

See the following examples.

mkdir "\\?\C:\sysstem\ "
mkdir "\\?\C:\sysstem\ ."
mkdir "\\?\C:\sysstem\ .."
mkdir "\\?\C:\sysstem\sysstem."
mkdir "\\?\C:\sysstem\                sysstem              "
mkdir "\\?\C:\sysstem\COM1"
mkdir "\\?\C:\sysstem\CON"
mkdir "\\?\C:\sysstem\LPT1"

You can create all these folders without a problem. Most of these directories are not accessible from Explorer, but they are from the command line.
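A defender's counterpart to the trick above, as an added example that is not part of the original post: a small checker that flags directory entries whose names Win32 would normally refuse (reserved device names, names made of spaces and dots, trailing spaces or dots, stream syntax), so a listing of a share can be screened for folders created this way. The sample listing is constructed; it mirrors the folders created above.

```python
# Win32 reserved device names (case-insensitive). "CON.txt" or "CON " still count,
# because Win32 compares the part before the first dot with trailing spaces removed.
RESERVED = {"CON", "PRN", "AUX", "NUL",
            *(f"COM{i}" for i in range(1, 10)),
            *(f"LPT{i}" for i in range(1, 10))}


def win32_name_issues(name: str) -> list[str]:
    """Return the reasons why `name` is not a normal Win32 file/folder name (empty list if it is)."""
    issues = []
    if name.strip(" .") == "":
        # " ", " .", " ..": Explorer cannot open or delete these
        issues.append("consists only of spaces and dots")
    elif name != name.rstrip(" ."):
        # "sysstem." or "sysstem   ": Win32 strips these, \\?\ keeps them
        issues.append("trailing space or dot (Win32 strips these)")
    base = name.split(".")[0].rstrip(" ")
    if base.upper() in RESERVED:
        issues.append(f"reserved device name {base.upper()}")
    if ":" in name:
        # colon is illegal in a name; it is the alternate data stream separator
        issues.append("contains ':' (stream syntax)")
    return issues


def scan_listing(entries: list[str]) -> dict[str, list[str]]:
    """Map every suspicious entry of a directory listing to its list of issues."""
    return {n: win32_name_issues(n) for n in entries if win32_name_issues(n)}


# constructed listing: the folders created with \\?\ above plus two ordinary entries
SAMPLE = [" ", " .", " ..", "sysstem.", "COM1", "CON", "LPT1", "con.txt", "report.txt", "Users"]

if __name__ == "__main__":
    for entry, why in scan_listing(SAMPLE).items():
        print(repr(entry), "->", "; ".join(why))
```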

The next thing you can do is create a substream (alternate data stream) on a folder. It's not possible to just give it the name of a space character, because the editor will implicitly add .txt to it. Just give it a weird extension.

notepad "\\?\C:\sysstem\ : . -"

Notepad says that the file stream does not exist and asks if you want to create it. Say yes.

After you have done so you may notice these characters in the title bar:

脠Ȋ - Editor_2012-12-14_09-38-06


If you save the text, the characters will change to the following:

ୀᄒ - Editor_2012-12-14_09-38-19

Note that if you copy files with substreams from NTFS to another filesystem, all the substreams will be gone, because other filesystems are not able to store them.

It is also possible to fill up someone's hard disk space in a way that makes it impossible to free up the space. And since you created " .." folders, they are not able to delete these folders or files, because Explorer will crash or just give errors if you try.

Try to fool around a little and tell me if you have found more crazy stuff.

System File Permission management in Windows CMD – First steps

An efficient way to set permissions and inheritance on NTFS is to do it from the Windows CMD (batch) rather than by clicking through all the dialogs like a madman.

Here is a scenario where the usernames and the folder names of the users are exactly the same.

Example:

  • Username: johndoe
  • Foldername: johndoe
  • Domain: sysstem
Define your domain or read it via the predefined variable %USERDOMAIN%.
Set the location of the directory where the user folders are located.
The script goes through all directories and sets the rights OI (object inheritance), CI (container inheritance) and F (full permission).
"/inheritance:d" copies the permissions of the parent, breaks the inheritance and saves them to all child objects and containers recursively.

@echo off
setlocal EnableDelayedExpansion
rem UNC path of the share that holds one folder per user
set dir=\\fileserver01.sysstem.at\austria\vienna\users
rem domain the user accounts belong to (or use %USERDOMAIN%)
set domain=sysstem
set logfile=icacls.log

rem /ad lists directories only, so stray files in the share are skipped
for /f "tokens=*" %%a in ('dir "%dir%" /b /ad') do (
	rem redirection first: "echo user2>>log" would be parsed as a stderr redirect
	>>%logfile% echo %%a
	rem grant DOMAIN\user full control on its own folder, inherited by subfolders (CI) and files (OI)
	icacls "%dir%\%%a" /grant %domain%\%%a:^(OI^)^(CI^)^(F^) /inheritance:d >> %logfile%
)
echo See %logfile% for errors
pause

Here is an overview of how one can set the inheritance.

[Figure: Microsoft NTFS Permission Inheritance (c) Microsoft (original URL: http://i.msdn.microsoft.com/cc163885.fig05(en-us).gif)]

If you are on Windows Server 2003 SP2 x86 you will need a patch from the Microsoft site, which will not require a restart since it is probably only a simple byte patch.

I am not sure if I could provide the patch here on my site, so here is a link to download this patch. You need to register with an email address so Microsoft can contact you if they make any changes to the patch.

Windows Autologin

If you have only one user on your Windows machine and do not want to type in your password at startup, or you do not use a password at all, you can add the following to your registry so the startup is a little bit faster.

Copy and paste this into a text file and name it autologin.reg (make sure it is not named autologin.reg.txt or something else).

If you are not in a domain or do not use a password you can omit the lines with these options.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="User"
; note: DefaultPassword is stored unencrypted in the registry
"DefaultPassword"="Password"
"DefaultDomainName"="Domain"
"ShowLogonOptions"=dword:00000000
"AutoAdminLogon"="1"