0

I have a folder that contains a bunch of *.exe and *.dll files (not necessarily all in the root) and I want to forbid Write to {S-1-1-0} (Everyone) on all these files.

I've tried:

    Get-ChildItem -Path c:\my\path\ -Filter *.exe -Recurse -ErrorAction SilentlyContinue -Force | Foreach {icacls $_.fullname /deny "Authenticated Users:(w)"}

however this does something weird - I can no longer run the executable, instead of just not being able to write into it.

I found similar issues, but there is no answer:

https://stackoverflow.com/questions/67301987/deny-write-to-everyone-blocking-also-read-access-icacls

https://stackoverflow.com/questions/48504651/icacls-deny-de-and-d-doesnt-work

UPD: to clear this up, I just want to either set (with add if not present) Authenticated Users to Deny:Write and that is it, but it proves to be an impossible task.

Kirikan
  • 43

1 Answer

1

Icacls seems to be the problem. I get the same weird behaviour when I use icacls, but I have no issues when I use the set-acl command. Here is the script using set-acl that worked for me:

    # Collect every .exe and .dll under the folder, including subfolders
    $files = ls -path "C:\SomePath" -include ('*.exe', '*.dll') -recurse

    foreach ($file in $files) {
        $acl = Get-Acl $file.fullname
        # Deny rule for Everyone covering the Write rights only
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Everyone", "Write", "Deny")
        $acl.SetAccessRule($rule)
        Set-Acl $file.fullname $acl
    }

Shifty
  • 399
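The difference between the two tools comes down to one bit: icacls' simple right `(W)` is the generic write mask, which includes SYNCHRONIZE, and denying SYNCHRONIZE stops the file from being opened at all, while .NET's `FileSystemAccessRule` drops Synchronize from a deny rule. The following is an added example, not code from the question or the answer, that finds explicit deny entries left behind by the icacls attempt and replaces them with a deny on Write only. `Repair-WriteDeny` and its parameters are hypothetical names.

```powershell
# Added example; Repair-WriteDeny is a hypothetical helper, not code from the post.
function Repair-WriteDeny {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Sid = 'S-1-1-0'    # Everyone, the SID named in the question
    )
    $identity = [System.Security.Principal.SecurityIdentifier]::new($Sid)
    $sync  = [int][System.Security.AccessControl.FileSystemRights]::Synchronize
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write

    $files = Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
        Where-Object { $_.Extension -in '.exe', '.dll' }

    foreach ($file in $files) {
        $acl = Get-Acl -LiteralPath $file.FullName
        # Explicit (non-inherited) deny ACEs for the target SID only.
        $denies = @($acl.GetAccessRules($true, $false, $identity.GetType()) |
            Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $Sid })

        $action = 'Unchanged'
        foreach ($ace in $denies) {
            if ([int]$ace.FileSystemRights -band $sync) {
                # This ACE also denies SYNCHRONIZE, which blocks read and execute.
                # The whole ACE is dropped, including any other rights it denied.
                [void]$acl.RemoveAccessRuleSpecific($ace)
                $action = 'Repaired'
            }
        }
        # Is Write already denied by an ACE that leaves SYNCHRONIZE alone?
        $covered = $denies | Where-Object {
            $r = [int]$_.FileSystemRights
            -not ($r -band $sync) -and (($r -band $write) -eq $write)
        }
        if (-not $covered) {
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $identity,
                [System.Security.AccessControl.FileSystemRights]::Write,
                [System.Security.AccessControl.AccessControlType]::Deny)
            $acl.AddAccessRule($rule)
            if ($action -eq 'Unchanged') { $action = 'Added' }
        }
        if ($action -ne 'Unchanged' -and
            $PSCmdlet.ShouldProcess($file.FullName, "$action deny-Write ACE")) {
            Set-Acl -LiteralPath $file.FullName -AclObject $acl
        }
        [pscustomobject]@{ File = $file.FullName; Action = $action }
    }
}
```

Running `Repair-WriteDeny -Path C:\SomePath -WhatIf` first lists what would change without touching any ACL; pass the SID for Authenticated Users via `-Sid` if that was the principal used with icacls.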