Using ProcMon To Check Folder Permissions

One of the interesting questions I read on many forums is about deleting the “Start Menu” folder under the “C:\Documents and Settings\All Users” location. Microsoft doesn’t allow users (any user) to explicitly delete the folder, but it does allow the folder to be copied / moved and renamed. While most organizations tend to remove access to Explorer, most administrators get stuck at the Start Menu folder. Although they are not able to delete the folder, they can move it to a different location so that users won’t be able to see the Startup option under Start → Programs.

A few questions I had were:
• How is this folder different from other folders?
• What happens when we try to delete or access a folder?
• What system files are involved when accessing a single folder?

To dig into the internals, I used Mark’s Process Monitor [PM] utility to capture both registry and file related information. Prior to PM, the Filemon and Regmon mini applications covered file and registry activity respectively.

Please understand that capturing activity with PM presents you with thousands of registry and file events, which are tedious to parse through. To remove the unnecessary registry / file related information, you can use the “Include Process From Window” icon: drag it onto the location you want to capture and then start the capture.

One of the important aspects of reading PM logs is to understand what it presents and to relate every line to the action you performed earlier. Please mind that the names displayed under the “Operation” field are not exactly what you might think. They are simplified names for IRP function codes, which are documented either in MSDN or in the DDK documentation. For example, QueryAllInformationFile corresponds to the FILE_ALL_INFORMATION structure, which acts as the output buffer. If you want precise output, you can enable “Enable Advanced Output”, which resolves the names to the actual structures.
Under the Detail tab you will see the description of the IRP and its structure members.

Step 1: Create a folder called “test”.

Step 2: Launch the Process Monitor utility and use the “Include Process From Window” option, dragging it onto the test folder.

Step 3: Stop the Process Monitor trace.

Step 4: In Process Monitor, select Filter → Enable Advanced Output.

Step 5: Open the MSDN link and try verifying the structure.

Step 6: Observe the behavior and the IRPs being referenced when a folder is opened.

Exercise 2:

Using the above procedure, verify the behavior when accessing a system folder vs. a user-created folder.
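
An added example (not part of the original post): once a capture covering both folders has been saved from PM in CSV format, a short Python script can do the comparison asked for in Exercise 2 instead of reading thousands of rows by eye. The column names are PM's default export columns; the sample rows, the `C:\testing` and registry paths, and every result value are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Simplified PM operation name -> structure to look up in MSDN (Step 5).
STRUCTS = {
    "QueryAllInformationFile": "FILE_ALL_INFORMATION",
    "QueryBasicInformationFile": "FILE_BASIC_INFORMATION",
    "SetDispositionInformationFile": "FILE_DISPOSITION_INFORMATION",
}

# Constructed rows in PM's CSV export layout. Not a real capture: the results
# are invented to exercise the code, not a record of how Windows behaves.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","explorer.exe","1500","CreateFile","C:\test","SUCCESS","Desired Access: Read Attributes, Delete"
"10:00:01.0000002","explorer.exe","1500","QueryAllInformationFile","C:\test","SUCCESS",""
"10:00:01.0000003","explorer.exe","1500","SetDispositionInformationFile","C:\test","SUCCESS","Delete: True"
"10:00:01.0000004","explorer.exe","1500","CloseFile","C:\test","SUCCESS",""
"10:00:02.0000001","explorer.exe","1500","CreateFile","C:\testing","NAME NOT FOUND",""
"10:00:03.0000001","explorer.exe","1500","RegOpenKey","HKCU\Software\Example","SUCCESS",""
"10:00:04.0000001","explorer.exe","1500","CreateFile","C:\Documents and Settings\All Users\Start Menu","SUCCESS",""
"10:00:04.0000002","explorer.exe","1500","QueryAllInformationFile","C:\Documents and Settings\All Users\Start Menu","SUCCESS",""
"10:00:04.0000003","explorer.exe","1500","SetDispositionInformationFile","C:\Documents and Settings\All Users\Start Menu","ACCESS DENIED","Delete: True"
"10:00:04.0000004","explorer.exe","1500","CloseFile","C:\Documents and Settings\All Users\Start Menu","SUCCESS",""
"10:00:04.0000005","explorer.exe","1500","QueryDirectory","C:\Documents and Settings\All Users\Start Menu\Programs","SUCCESS",""
'''

def summarize(csv_text, folder):
    """Count (operation, result) pairs for events on `folder` or anything below it."""
    prefix = folder.rstrip("\\").lower()
    counts = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"].lower()
        # Match on a path boundary so C:\test does not also pick up C:\testing.
        if path == prefix or path.startswith(prefix + "\\"):
            counts[(row["Operation"], row["Result"])] += 1
    return counts

def compare(csv_text, folder_a, folder_b):
    """Operations whose result sets differ: op -> (results_a, results_b, struct)."""
    a, b = summarize(csv_text, folder_a), summarize(csv_text, folder_b)
    diff = {}
    for op in sorted({o for o, _ in a} | {o for o, _ in b}):
        ra = sorted(r for o, r in a if o == op)
        rb = sorted(r for o, r in b if o == op)
        if ra != rb:
            diff[op] = (ra, rb, STRUCTS.get(op))
    return diff
```

When reading a real export from disk, open it with `encoding="utf-8-sig"` so that a leading byte-order mark, if present, does not end up in the first column name.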

