Getting size of unaccessible folder tree? BackupRead() ?


Sten Westerback

Hi

I just made a little tool that recursively finds out how many bytes the
files in a folder tree contain. The tool will run with administrative
rights on Windows NT/2k/XP systems with NTFS where the user is allowed to
have folders with security set so that only (s)he can access them.

My question is:
Is it possible for an administrator to enumerate the files and subfolders
in such folders without acquiring user credentials and preferably without
getting and then resetting permission to the folder? The purpose is to
find out the backup needs for the users.

The only idea I have to go on at the moment is to use backup semantics in
CreateFile() to open the folder and then BackupRead() and BackupSeek()
to scan over end of stream and get actual size returned.
I tried this with this function:

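#include <windows.h>
#include <stdlib.h>
#include <string.h>

BOOL bGetFailedFolderSizes(char *p_szFolder, BOOL bInNoBackup)
{
    HANDLE hDir;
    WIN32_STREAM_ID *p_strid;
    DWORD dw, dwOut;
    VOID *p_Cont = NULL;

    /* FILE_FLAG_BACKUP_SEMANTICS is required to open a directory handle */
    hDir = CreateFile(p_szFolder, GENERIC_READ,
                      FILE_SHARE_READ | FILE_SHARE_DELETE,
                      NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    /* CreateFile() reports failure with INVALID_HANDLE_VALUE, not NULL */
    if (hDir == INVALID_HANDLE_VALUE) return FALSE;
    dw = sizeof(WIN32_STREAM_ID) + 500000;
    if ((p_strid = malloc(dw)) == NULL) { CloseHandle(hDir); return FALSE; }
    memset(p_strid, 0, dw);
    /* bProcessSecurity (second last argument) is FALSE: ACL data is skipped */
    while (BackupRead(hDir, (LPBYTE)p_strid, dw, &dwOut, FALSE, FALSE, &p_Cont))
    {
        if (dwOut == 0) break;  /* success with zero bytes read = end of data */
        // just debugging for now; not sure what the directory stream contains...
    }
    /* bAbort = TRUE releases the context that BackupRead() allocated */
    BackupRead(hDir, NULL, 0, &dwOut, TRUE, FALSE, &p_Cont);
    free(p_strid);
    CloseHandle(hDir);
    return FALSE;
}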

BackupRead() returns "true" but still the buffer isn't touched and the
context pointer is set to 0xFFFFFFFF. Does one need to enable some Local
Policy for it to work?

- Sten
 
Sten said:
Hi

I just made a little tool that recursively finds out how many bytes the
files in a folder tree contain. The tool will run with administrative
rights on Windows NT/2k/XP systems with NTFS where the user is allowed to
have folders with security set so that only (s)he can access them.

My question is:
Is it possible for an administrator to enumerate the files and subfolders
in such folders without acquiring user credentials and preferably without
getting and then resetting permission to the folder? The purpose is to
find out the backup needs for the users.

Yes, if the user running your tool has the SeBackupName privilege.

The only idea I have to go on at the moment is to use backup semantics in
CreateFile() to open the folder and then BackupRead() and BackupSeek()
to scan over end of stream and get actual size returned.

BackupRead() returns "true" but still the buffer isn't touched and the
context pointer is set to 0xFFFFFFFF. Does one need to enable some Local
Policy for it to work?

You will need to enable SeBackupPrivilege first for your process and
then use FILE_FLAG_BACKUP_SEMANTICS flag in each call to CreateFile().

However, in your example you open a directory and use BackupRead() to
read everything but security information and that gives no data because
there is no data but security to backup on directories. So, if you
change the second last parameter to TRUE you will get a few hundred
bytes of security information to the backup stream buffer.
 
Olof Lagerkvist said:
Yes, if the user running your tool has the SeBackupName privilege.

The automated "user" of the tool is the Administrator account (Tivoli)
so the privilege should be available and testable by running backup tool.

You will need to enable SeBackupPrivilege first for your process and
then use FILE_FLAG_BACKUP_SEMANTICS flag in each call to CreateFile().

Ok, I'll try that if...

However, in your example you open a directory and use BackupRead() to
read everything but security information and that gives no data because
there is no data but security to backup on directories. So, if you
change the second last parameter to TRUE you will get a few hundred
bytes of security information to the backup stream buffer.

... if I could also get the names of files and folders in the folder then
this is useful. I thought it would give records of filenames or links to
files.

Note that somehow the Backup tools are able to enumerate files in all
folders so I wonder if this is supposed to work or do they use something
else?

So basically I guess my question is:
Is there some other way to find out size of files in a folder than using
FindFirstFile() etc? One that isn't restricted (too much) by Security...

- Sten
 
Sten said:
Ok, I'll try that if...

... if I could also get the names of files and folders in the folder then
this is useful. I thought it would give records of filenames or links to
files.

No, BackupRead() on a directory only reads the meta data for the
directory itself and that can only be security information, alternate
data streams, reparse data etc, not information about the files in the
directory.

Note that somehow the Backup tools are able to enumerate files in all
folders so I wonder if this is supposed to work or do they use something
else?

So basically I guess my question is:
Is there some other way to find out size of files in a folder than using
FindFirstFile() etc? One that isn't restricted (too much) by Security...

FindFirstFile()/FindNextFile() are not restricted by security when
SeBackupPrivilege is enabled for the calling process.

If you want, you may look at my backup stream utility 'strarc':
http://here.is/olof/files/strarc.zip
Source is somewhere in this source archive:
http://here.is/olof/files/source.tar.lzma
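
Added example, not part of the thread and not taken from strarc: a portable C walker over the WIN32_STREAM_ID records that BackupRead() emits, showing which stream types and how many bytes a directory's backup stream carries, with bounds checks for a truncated buffer. It assumes the whole stream is already in one buffer; `stream_totals`, the helper names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Stream ids as defined in winbase.h (subset). */
enum { BK_DATA = 1, BK_SECURITY = 3, BK_ALTERNATE = 4, BK_REPARSE = 8 };
#define HDR_LEN 20u /* dwStreamId, dwStreamAttributes, Size (64-bit), dwStreamNameSize */

/* Hypothetical result type: payload bytes per stream id, plus record count. */
typedef struct { uint64_t bytes[16]; unsigned streams; } stream_totals;

static uint32_t rd32(const uint8_t *p) { /* little-endian, alignment-safe */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the records in buf. Returns 0 on success, -1 when a header or its
   declared name/payload length runs past the buffer (truncated or corrupt). */
int walk_backup_stream(const uint8_t *buf, size_t len, stream_totals *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < HDR_LEN) return -1;
        uint32_t id = rd32(buf + off);
        uint64_t size = rd32(buf + off + 8) | (uint64_t)rd32(buf + off + 12) << 32;
        uint32_t name_len = rd32(buf + off + 16);
        size_t rest = len - off - HDR_LEN;
        if (name_len > rest || size > rest - name_len) return -1;
        if (id < 16) out->bytes[id] += size;
        out->streams++;
        off += HDR_LEN + name_len + (size_t)size;
    }
    return 0;
}

/* Constructed sample record with zero-filled name and payload. */
static size_t put_stream(uint8_t *buf, size_t off, uint32_t id,
                         uint32_t name_len, uint32_t size) {
    memset(buf + off, 0, HDR_LEN + name_len + size);
    wr32(buf + off, id);
    wr32(buf + off + 8, size);
    wr32(buf + off + 16, name_len);
    return off + HDR_LEN + name_len + size;
}

/* Constructed directory stream: 120 bytes of security data, then a named
   alternate stream (22-byte UTF-16 name) holding 5 bytes. No BACKUP_DATA. */
size_t build_sample(uint8_t *buf) {
    size_t off = put_stream(buf, 0, BK_SECURITY, 0, 120);
    return put_stream(buf, off, BK_ALTERNATE, 22, 5);
}
```

On Windows the buffer would come from BackupRead() with bProcessSecurity set to TRUE; a stream larger than the read buffer spans several calls and has to be reassembled before it is walked this way.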
 
I was thinking that "normal APIs" like FindFirstFile would have the same
restrictions as Explorer does. Now I added the SeBackupPrivilege
enabling code and now it works. They could add a comment about
this to the description of FindFirstFile....

Thanks,
-Sten
 