Advanced Security Settings
Permission Entry
cmd¶!dir c:\p*
Volume in drive C is Windows7_OS
Volume Serial Number is 4814-FA88
Directory of c:\
07. 12. 2019 11:14 <DIR> PerfLogs
20. 03. 2023 17:08 <DIR> Program Files
02. 10. 2023 14:44 <DIR> Program Files (x86)
30. 06. 2017 20:55 <DIR> projekty.science.upjs.sk
29. 11. 2020 17:19 <DIR> Python27
23. 11. 2020 17:40 <DIR> Python39
0 File(s) 0 bytes
6 Dir(s) 1˙502˙818˙304 bytes free
!dir /Q c:\p*
Volume in drive C is Windows7_OS
Volume Serial Number is 4814-FA88
Directory of c:\
07. 12. 2019 11:14 <DIR> ... PerfLogs
20. 03. 2023 17:08 <DIR> NT SERVICE\TrustedInstaProgram Files
02. 10. 2023 14:44 <DIR> NT SERVICE\TrustedInstaProgram Files (x86)
30. 06. 2017 20:55 <DIR> RKB-TP\rkb projekty.science.upjs.sk
29. 11. 2020 17:19 <DIR> NT AUTHORITY\SYSTEM Python27
23. 11. 2020 17:40 <DIR> BUILTIN\Administrators Python39
0 File(s) 0 bytes
6 Dir(s) 1˙502˙277˙632 bytes free
!dir c:\r*
Volume in drive C is Windows7_OS
Volume Serial Number is 4814-FA88
Directory of c:\
04. 10. 2023 08:48 <DIR> rkb
0 File(s) 0 bytes
1 Dir(s) 1˙467˙432˙960 bytes free
!dir /a c:\r*
Volume in drive C is Windows7_OS
Volume Serial Number is 4814-FA88
Directory of c:\
09. 03. 2022 15:43 <DIR> Recovery
04. 10. 2023 08:48 <DIR> rkb
0 File(s) 0 bytes
2 Dir(s) 1˙467˙273˙216 bytes free
!icacls "c:\Program Files"
c:\Program Files NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(M)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(M)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
BUILTIN\Users:(RX)
BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(RX)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
Successfully processed 1 files; Failed processing 0 files
!powershell -command " dir c:\p* "
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7. 12. 2019 10:14 PerfLogs
d-r--- 20. 3. 2023 16:08 Program Files
d-r--- 2. 10. 2023 14:44 Program Files (x86)
d----- 30. 6. 2017 20:55 projekty.science.upjs.sk
d----- 29. 11. 2020 16:19 Python27
d----- 23. 11. 2020 16:40 Python39
!powershell -command " dir -hidden c:\ "
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d--hs- 5. 8. 2016 11:00 $Recycle.Bin
d--h-- 18. 9. 2023 8:06 $WINDOWS.~BT
d--h-- 18. 9. 2023 8:04 $WinREAgent
d--hs- 28. 7. 2016 9:30 Boot
d--hsl 14. 7. 2009 7:08 Documents and Settings
d--h-- 26. 9. 2022 18:14 ProgramData
d--hs- 9. 3. 2022 14:43 Recovery
d--hs- 5. 5. 2023 12:07 System Volume Information
-a-h-- 25. 12. 2017 7:09 0 $WINRE_BACKUP_PARTITION.MARKE
R
-arhs- 21. 11. 2010 4:23 383786 bootmgr
-a-hs- 30. 10. 2015 8:18 1 BOOTNXT
-arhs- 30. 1. 2014 20:47 8192 BOOTSECT.BAK
---hs- 20. 2. 2023 8:55 112 bootTel.dat
-a-hs- 2. 10. 2023 14:42 8192 DumpStack.log.tmp
-a-hs- 3. 10. 2023 15:24 6190977024 hiberfil.sys
-a-hs- 2. 10. 2023 14:42 8589934592 pagefile.sys
-a-hs- 2. 10. 2023 14:42 16777216 swapfile.sys
!powershell -command " ls c:\p* "
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7. 12. 2019 10:14 PerfLogs
d-r--- 20. 3. 2023 16:08 Program Files
d-r--- 2. 10. 2023 14:44 Program Files (x86)
d----- 30. 6. 2017 20:55 projekty.science.upjs.sk
d----- 29. 11. 2020 16:19 Python27
d----- 23. 11. 2020 16:40 Python39
!powershell -command " Get-ChildItem c:\p* "
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7. 12. 2019 10:14 PerfLogs
d-r--- 20. 3. 2023 16:08 Program Files
d-r--- 2. 10. 2023 14:44 Program Files (x86)
d----- 30. 6. 2017 20:55 projekty.science.upjs.sk
d----- 29. 11. 2020 16:19 Python27
d----- 23. 11. 2020 16:40 Python39
!powershell -command " Get-ChildItem c:\p* "
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7. 12. 2019 10:14 PerfLogs
d-r--- 20. 3. 2023 16:08 Program Files
d-r--- 2. 10. 2023 14:44 Program Files (x86)
d----- 30. 6. 2017 20:55 projekty.science.upjs.sk
d----- 29. 11. 2020 16:19 Python27
d----- 23. 11. 2020 16:40 Python39
# funguje nielen pre súbory, ale aj registre
!powershell -command " Get-ChildItem -Path HKLM:\HARDWARE "
Hive: HKEY_LOCAL_MACHINE\HARDWARE
Name Property
---- --------
ACPI
DESCRIPTION
DEVICEMAP
RESOURCEMAP
!powershell -command " dir HKLM:\HARDWARE "
Hive: HKEY_LOCAL_MACHINE\HARDWARE
Name Property
---- --------
ACPI
DESCRIPTION
DEVICEMAP
RESOURCEMAP
!powershell -command " Get-Acl c:\ | Format-List "
Path : Microsoft.PowerShell.Core\FileSystem::C:\
Owner : NT SERVICE\TrustedInstaller
Group : NT SERVICE\TrustedInstaller
Access : NT AUTHORITY\Authenticated Users Allow AppendData
NT AUTHORITY\Authenticated Users Allow -536805376
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-
5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;LC;
;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;G
A;;;BA)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)
!powershell -command " Get-Acl c:\ | fl "
Path : Microsoft.PowerShell.Core\FileSystem::C:\
Owner : NT SERVICE\TrustedInstaller
Group : NT SERVICE\TrustedInstaller
Access : NT AUTHORITY\Authenticated Users Allow AppendData
NT AUTHORITY\Authenticated Users Allow -536805376
NT AUTHORITY\SYSTEM Allow FullControl
NT AUTHORITY\SYSTEM Allow 268435456
BUILTIN\Administrators Allow 268435456
BUILTIN\Administrators Allow FullControl
BUILTIN\Users Allow ReadAndExecute, Synchronize
Audit :
Sddl : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-
5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;;LC;
;;AU)(A;OICIIO;SDGXGWGR;;;AU)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICIIO;G
A;;;BA)(A;;FA;;;BA)(A;OICI;0x1200a9;;;BU)
!powershell " Get-Acl C:\Windows\s*.log | Format-List -Property PSPath, Sddl "
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Windows\setupact.log
Sddl : O:BAG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x12
00a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Windows\setuperr.log
Sddl : O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x12
00a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Windows\sk-SK.log
Sddl : O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x12
00a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SK-SK_IE11.log
Sddl : O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x12
00a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Windows\Synaptics.log
Sddl : O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x12
00a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Windows\Synaptics.PD.log
Sddl : O:SYG:SYD:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;0x1200a9;;;BU)(A;ID;0x12
00a9;;;AC)(A;ID;0x1200a9;;;S-1-15-2-2)
!powershell -command " Get-ChildItem -Attributes Compressed c:\ "
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 31. 5. 2016 10:23 DRIVERS
d----- 8. 6. 2020 17:32 Intel