Can I have an "execute only" batch file under Windows XP?

Solution 1

First of all - a big thank you to all the participants!

Before I continue to the solution, let me give you more details why it was needed in the first place.

We have a batch file that runs a database script to update some tables. The script needs a password to connect to the database, so it was specified in the batch file.
A user needed to occasionally run the script on a production system but letting them have the password was not an option.

The solution involved the following:
1) The batch file's permissions were set to allow access only for a specified account.
2) A task was set up in the Windows scheduler to run that batch file under that specific account. The permissions for the scheduled tasks allow read & execute access to the user(s) in question. The task was set to "disabled".
3) Whenever the batch file needs to be run, the corresponding task is manually started by the user.

As an added bonus, the task can be started remotely:

schtasks /run /s remote_system /tn task_name

Again, thank you for your responses.
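
The three steps of Solution 1 written out as an administrator's setup script for XP's built-in cacls and schtasks. This is an added example, not the answerer's own commands; the path, account names and task name are hypothetical placeholders.

```bat
@echo off
rem Added example; every name below is a hypothetical placeholder.
set SCRIPT=C:\Scripts\update_db.bat
set RUNAS=svc_dbupdate
set OPERATOR=operator1
set TASK=UpdateDb

rem 1) Replace the batch file's ACL so that only the run-as account can read it.
rem    Without /E, cacls replaces the ACL and asks for confirmation, hence the
rem    piped "y".
echo y| cacls "%SCRIPT%" /G %RUNAS%:R

rem 2) Create the task under the run-as account. /rp is omitted on purpose so
rem    that schtasks prompts for the password instead of it being stored here.
rem    XP expects /st as HH:MM:SS.
schtasks /create /tn %TASK% /tr "%SCRIPT%" /sc once /st 00:00:00 /ru %RUNAS%

rem    XP keeps the task as a .job file under %SystemRoot%\Tasks. Granting R on
rem    that file gives the operator read and execute on the task only, not on
rem    the batch file that holds the password.
cacls "%SystemRoot%\Tasks\%TASK%.job" /E /G %OPERATOR%:R

rem    Now set the task to disabled in its properties dialog, as the answer does.

rem 3) Review both ACLs: the operator must not appear in the first listing.
cacls "%SCRIPT%"
cacls "%SystemRoot%\Tasks\%TASK%.job"
```

Logged on as the operator account, `type C:\Scripts\update_db.bat` should then fail with "Access is denied." while starting the task still works.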

Solution 2

Batch files, by default, are at the very least viewable/readable to anyone with sufficient permissions on the machine they are running on.

If you need to create a file that is not readable you'll need to use some different file. Any script (vbs, batch, powershell, jscript) will be viewable by anyone able to run the file.

Even executables can be viewed. It is only the difference in how they can be viewed that allows some sort of hiding of the contents of a file.

Because script files are, by definition, text-based instruction lists, they can be viewed easily, in a text editor.

UPDATE (Added per comment): The problem with encryption is that as the script is run it must be unencrypted.

I guess you have to decide who you want to prevent from reading the script: Must it be unviewable in any situation by anybody, or just by most average people?

If it is sufficient to keep it from being viewed by average joes, just remove the Edit entry for batfiles from the registry and make sure the script runs with minimal output. If you have to keep it away from everybody, you need to find some other way of running it.

Solution 3

You can always convert a batch file to an exe using something like BTEC, although as music2myear has pointed out even that wouldn't prevent someone determined enough from viewing much of its contents.

Solution 4

I don't think you can, but have a look here for advanced permissions and what they do: http://www.ntfs.com/ntfs-permissions-file-advanced.htm

Author: Alex O

Updated on September 18, 2022

Comments

  • Alex O
    Alex O over 1 year

    Is it possible to set up a batch file on a Windows XP system that a user will be able to execute but not read (type, edit, etc.)?

    I tried playing with permissions, allowing "Execute File" but not "Read Data" but it doesn't seem to work.

    Thanks.

    • Admin
      Admin almost 9 years
      And a related question: Can we have an execute-only binary file (.exe) in Windows? This is possible on Unix systems.
  • UNK
    UNK about 13 years
    I can break out a disassembler if I have to - you will never prevent anybody from viewing anything if they're determined enough. Making it that one step harder may suffice.
  • afrazier
    afrazier about 13 years
    It is possible to encode VB/JScript files to prevent casual viewing though (Linky), and I'd be very surprised if there wasn't some way to encode or encrypt PowerShell scripts.
  • afrazier
    afrazier about 13 years
    Like I said, it prevents casual viewing. To keep it secret from everybody, you can't give it to anyone. :-)