Can I have an "execute only" batch file under Windows XP?
Solution 1
First of all - a big thank you to all the participants!
Before I continue to the solution, let me give you more details why it was needed in the first place.
We have a batch file that runs a database script to update some tables.
The script needs a password to connect to the database, so it was specified in the batch file.
A user needed to occasionally run the script on a production system but letting them have the password was not an option.
The solution involved the following:
1) The batch file's permissions were set to allow access only for a specified account.
2) A task was set up in the Windows scheduler to run that batch file under that specific account. The permissions for the scheduled tasks allow read & execute access to the user(s) in question. The task was set to "disabled".
3) Whenever the batch file needs to be run, the corresponding task is manually started by the user.
As an added bonus, the task can be started remotely:
schtasks /run /s remote_system /tn task_name
Again, thank you for your responses.
Solution 2
Batch files, by default, are at the very least viewable/readable to anyone with sufficient permissions on the machine they are running on.
If you need to create a file that will is not readable you'll need to use some different file. Any script (vbs, batch, powershell, jscript) will be viewable by anyone able to run the file.
Even executables can be viewed. It is only the difference in how they can be viewed that allows some sort of hiding of the contents of a file.
Because script files are, by definition, text-based instruction lists, they can be viewed easily, in a text editor.
UPDATE (Added per comment): The problem with encryption is that as the script is run it must be unencrypted.
I guess you have to decide who you want to prevent from reading the script: Must it be unviewable in any situation by anybody, or just by most average people?
If it is sufficient to keep it from being viewed by average joes, just remove the Edit entry for batfiles from the registry and make sure the script runs with minimal output. If you have to keep it away from everybody, you need to find some other way of running it.
Solution 3
You can always convert a batch file to an exe using something like BTEC, although as music2myear has pointed out even that wouldn't prevent someone determined enough from viewing much of its contents.
Solution 4
I dont think you can but have a look here for advanced permissions and what they do http://www.ntfs.com/ntfs-permissions-file-advanced.htm
Related videos on Youtube
09 : 04
01 : 36
06 : 07
18 : 44
07 : 24
Alex O
Updated on September 18, 2022Comments
-
Alex O almost 2 years
Is it possible to set up a batch file on a Windows XP system that a user will be able to execute but not read (type, edit, etc.)?
I tried playing with permissions, allowing "Execute File" but not "Read Data" but it doesn't seem to work.
Thanks.
-
Admin about 9 yearsAnd a related question: Can we have an execute-only binary file (.exe) in Windows? This is possible on Unix systems.
-
-
UNK about 13 yearsI can break out a disassembler if I have to - you will never prevent anybody from viewing anything if they're determined enough. Making it that one step harder may suffice.
-
afrazier about 13 yearsIt is possible to encode VB/JScript files to prevent casual viewing though (Linky), and I'd be very surprised if there wasn't some way to encode or encrypt PowerShell scripts.
-
afrazier about 13 yearsLike I said, it prevents casual viewing. To keep it secret from everybody, you can't give it to anyone. :-)
