On Tue, 1/7/2025 3:36 PM, Scott wrote:
I see some icons on my desktop (W11) are faded, notably BBC. Google
search suggests this may be something to do with the file being
hidden, but also this may not be the reason. As it's a bit beyond my
Windows abilities, can anyone explain in simple terms?
Administrator terminal:
# Assumes partition has not lost its USN journal.
# Sample filename is just the example in my notes file.
# The number returned has bit fields, which are the Attributes.
#
fsutil usn readdata Y:\Windows\Logs\CBS\CBS.log
# This is the decoder table. A file can have several bits set,
# and the sum total of several bit field binary values, totals to the
# quantity that has been read out.
FILE_ATTRIBUTE_READONLY            = 1     (0x1)     \  <=== This is NOT really readonly... Stop focusing on this!
FILE_ATTRIBUTE_HIDDEN              = 2     (0x2)     \  These are the original Attributes from MSDOS,
FILE_ATTRIBUTE_SYSTEM              = 4     (0x4)     /  dir /ah * kind of thing
FILE_ATTRIBUTE_DIRECTORY           = 16    (0x10)
FILE_ATTRIBUTE_ARCHIVE             = 32    (0x20)
FILE_ATTRIBUTE_NORMAL              = 128   (0x80)
FILE_ATTRIBUTE_TEMPORARY           = 256   (0x100)
FILE_ATTRIBUTE_SPARSE_FILE         = 512   (0x200)
FILE_ATTRIBUTE_REPARSE_POINT       = 1024  (0x400)
FILE_ATTRIBUTE_COMPRESSED          = 2048  (0x800)   # This is old compression on NTFS. New Compression is a Reparse Point.
FILE_ATTRIBUTE_OFFLINE             = 4096  (0x1000)
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED = 8192  (0x2000)
FILE_ATTRIBUTE_ENCRYPTED           = 16384 (0x4000)  # This is EFS, not Bitlocker
# That can give you some idea of what the Attributes of a file are.
# Files have many other details.
*******
From this ZIP, locate nfi.exe executable. This is a utility from
a long time ago (more than 20 years), which lists the filenames
of the files in NTFS. The command example assumes we have unpacked
the ZIP download and extracted the "nfi.exe" file sitting in Downloads folder.
https://web.archive.org/web/20150329185738/http://download.microsoft.com/download/win2000srv/utility/3.0/nt45/en-us/oem3sr2.zip
(administrator command prompt so the CD command will work OK)
cd /d %userprofile%\Downloads
nfi c: > list.txt
notepad list.txt
# It's a really small executable.
Name: nfi.exe
Size: 21744 bytes (21 KiB)
SHA256: 6D8AD6DA2ECC720F801CA58BD8A1FC0447C7BC2A08977C5EC099507959CC122E
# These are examples of files on my desktop. They come from two folders
# as potential sources of desktop program icons. These are two program icons.
File 2260
\Users\Public\Desktop\MonInfo.lnk          <=== Moninfo program from EntechTaiwan
    $STANDARD_INFORMATION (resident)            Linkage points to Program Files storage location...
    $FILE_NAME (resident)
    $DATA (nonresident)
        logical sectors 336-343 (0x150-0x157)
File 10600
\Users\paul\Desktop\Meshmixer.lnk          <=== Meshmixer program for some kind of CAD file
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $FILE_NAME (resident)
    $DATA (nonresident)
        logical sectors 2848-2855 (0xb20-0xb27)
fsutil usn readdata C:\Users\Public\Desktop\MonInfo.lnk
File Attributes : 0x20 <=== That's the Archive bit, related to backups
The second file has the same attribute.
This is a very weak attribute, as attributes go.
The permissions model, I don't understand it well enough to comment.
However, you can run the commands on your .lnk files, once you figure
out or guess the names (by known construct) and run them. Note that
to further complicate the permissions model, a file can "inherit" permissions from the level above, and permissions capabilities include ALLOW and DENY. Using DENY is generally not recommended, as it is enough trouble figuring
out what the permissions are, when only ALLOW is used.
https://en.wikipedia.org/wiki/Cacls
icacls can output directly, or store the permissions model in a text file for later "playback" and permissions restoration. Note that when stored in a text file, a compact notation is used, which is even harder to discern. There is a little trick, for restoring permissions at the very top of a partition. You can't play back the file, without editing it and fixing it, when doing one
of those starting at the very top of the disk.
*An icon might be gray, if the thing it points to is gone...*
*******
# You can see permissions in the Properties dialog for a file, in File Explorer.
icacls C:\Users\Public\Desktop\MonInfo.lnk
C:\Users\Public\Desktop\MonInfo.lnk BUILTIN\Administrators:(I)(F)
                                    NT AUTHORITY\INTERACTIVE:(I)(RX)
                                    NT AUTHORITY\SYSTEM:(I)(F)
                                    S-1-5-21-3407405234-1171005867-2411829197-1000:(I)(DE,DC)
                                    WALLACE\paul:(I)(DE,DC)
*******
icacls C:\Users\Public\Desktop\MonInfo.lnk /save outfile.txt
MonInfo.lnk # The line has been manually edited at the parenthesis level, for clarity
D:AI(A;ID;FA;;;BA) <=== Administrator account
(A;ID;0x1200a9;;;IU)
(A;ID;FA;;;SY) <=== SYSTEM account
(A;ID;DTSD;;;S-1-5-21-3407405234-1171005867-2411829197-1000) <=== OS has three user accounts registered
(A;ID;DTSD;;;S-1-5-21-3407405234-1171005867-2411829197-1001) <=== This must be paul
*******
The 3407405234-1171005867-2411829197 part is a tuple unique to the OS install. In the example on this page, the informal shorthand "do-ma-in" refers to
that set of randomly assigned numbers at installation time.
https://renenyffenegger.ch/notes/Windows/security/SID/index
S-1-5-21-do-ma-in-500 (local?) Administrator <=== administrator is 500, users start at 1000
*******
Notice that I haven't answered your question. We would need
to get that guy who invented the scheme, as he is the only
one who understands it (he wrote a book).
*An icon might be gray, if the thing it points to is gone...*
I think this has a higher probability, than that you whacked
all the file permissions in a "horrific icacls accident" :-)
Check that the Program Files, if that's what these were,
still exist. If you attempted to move your Program Files,
well, just, wow...
Paul (i.e. user 1001 :-) )
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)
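
Added example (not part of the post above): a small Python decoder for the "icacls /save" line shown in the post, to check that the compact SDDL notation and the plain icacls listing describe the same permissions. SAMPLE is the post's own output rejoined onto one line; the function names and the rights tables (a subset of the file-related codes) are choices made for this example.

```python
import re

# Constructed: the post's "icacls /save" output, rejoined onto one line.
SAMPLE = ("D:AI(A;ID;FA;;;BA)(A;ID;0x1200a9;;;IU)(A;ID;FA;;;SY)"
          "(A;ID;DTSD;;;S-1-5-21-3407405234-1171005867-2411829197-1000)"
          "(A;ID;DTSD;;;S-1-5-21-3407405234-1171005867-2411829197-1001)")

# SDDL two-letter rights -> access-mask bits (subset relevant to files).
# Note SDDL "WD" is WRITE_DAC, while icacls "WD" means write data (0x2).
SDDL_RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
               "SD": 0x010000, "RC": 0x020000, "WD": 0x040000, "WO": 0x080000,
               "DT": 0x000040}  # DT is bit 0x40, which icacls prints as DC
# SDDL trustee aliases that appear in the post.
ALIASES = {"BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM",
           "IU": "NT AUTHORITY\\INTERACTIVE"}
# icacls "simple" rights (exact masks), then its per-bit "specific" rights.
SIMPLE = {0x1F01FF: "F", 0x1301BF: "M", 0x1200A9: "RX", 0x120089: "R"}
SPECIFIC = [("DE", 0x10000), ("RC", 0x20000), ("WDAC", 0x40000),
            ("WO", 0x80000), ("S", 0x100000), ("RD", 0x1), ("WD", 0x2),
            ("AD", 0x4), ("REA", 0x8), ("WEA", 0x10), ("X", 0x20),
            ("DC", 0x40), ("RA", 0x80), ("WA", 0x100)]
FLAGS = [("ID", "I"), ("OI", "OI"), ("CI", "CI"), ("IO", "IO"), ("NP", "NP")]

def rights_to_mask(rights):
    """Accept a hex mask (0x1200a9) or packed two-letter codes (DTSD)."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= SDDL_RIGHTS[rights[i:i + 2]]
    return mask

def mask_to_icacls(mask):
    """Prefer a simple right on an exact match, else list the set bits."""
    return SIMPLE.get(mask) or ",".join(n for n, bit in SPECIFIC if mask & bit)

def decode_dacl(sddl):
    """Return (trustee, ALLOW/DENY, inheritance flags, rights) per ACE."""
    rows = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        ace_type, flags, rights, _guid, _iguid, trustee = ace.split(";")[:6]
        pairs = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        shown = "".join(f"({label})" for code, label in FLAGS if code in pairs)
        rows.append((ALIASES.get(trustee, trustee),
                     {"A": "ALLOW", "D": "DENY"}.get(ace_type, ace_type),
                     shown, mask_to_icacls(rights_to_mask(rights))))
    return rows

if __name__ == "__main__":
    print(*decode_dacl(SAMPLE), sep="\n")
```

Any row that comes back as DENY is worth a second look, since the post notes that DENY entries make the effective permissions harder to reason about.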