Passworded Folder Bypass?

[spools.exe]

For those who don't know it is possible to create a password protected folder. Simply by just creating a compressed folder, going to the "file" menu and clicking "password". It will prompt you for a password that you can use to lock the folder with.

BYPASS PASSWORD PROTECTION

>> My Computer
>> Local Disk (C:\)
>> Documents and Settings
>> Owner Name's Folder
>> Local Settings (This was a hidden folder)
>> Temp (Do not delete anything in this folder)

Once in there look for a folder that contains your compressed folder (*.zip).
If you open it it will display all the contents with the need for a password.

I belive that is a problem. I know you can deni acces to the temp folder. Is there anyother way i "patch" this problem?

[VicE$DoS$]

I read this on astalavista recently...

http://www.astalavista.com/library/m...-bypassing.txt

Its an interesting one...is so simplistic its frightening.

..I dont have XP and havent really played with it, Is there an option to clear the //local temp directory when you log off?

Cheers
V$D$

[phishphreek]

Maybe I'm missing something... but don't you need permissions to access another users folder? That user would either need to grant you access... or you would need to be admin.

If not.. then they are using FAT and not NTFS.

I wonder if you can do the same thing with knoppix?

I'm not saying that this isn't a problem... because most people don't even know how to set permissions... but if they did... don't you think they would not need to put passwords on their folders? Or... if someone really wanted to keep someone out... use encryption! Keep your key away from the PC.

[maxim_86ualb2]

u dont need permition....... just goto documents & seting... from c:\> & u will get to all the users... folders..... + this all works that is creapy

[SDK]

maxim_86ualb2, Document & Setting user folder are block unless you're admin.

[Maestr0]

Actually users folders are blocked from access by anyone except the owner (this can be changed to allow admins access also from the domain or local machine secuty policy) Of course nothing stops the admin from taking ownership but then the user cant get in . I believe this function was intended to password folders which you want available to certain users through the network and was not meant to be a hardened securtiy technique for those with physical access to your machine, you may find just encrypting the folder instead is probably more secure, if you dont trust MS with your encryption use PGP instead.

-Maestr0

[Lv4]

actually admin doesn't have to take ownership of the folders in question. They already have an implied ownership so don't need explicit ownership... at least in 2000 it's that way. I haven't messed around with XP too much so I don't know if it's the same way or not.

Anyway as a test on my 2k box here I logged on as my user ID which is also an admin on the box. I then went to the Documents & Settings directory and could see everyones folders (three other people had logged on to this box in the past week) and access them by just clicking on them. The local admin group is added to the ACL by default, but you COULD remove them if you really wanted to so that only the owner had access... but like you said an admin could just take ownership of it or could add their group back to the ACL.

[phishphreek]

actually admin doesn't have to take ownership of the folders in question. They already have an implied ownership so don't need explicit ownership... at least in 2000 it's that way. I haven't messed around with XP too much so I don't know if it's the same way or not.

Thats the way it is on the XP Pro boxes I've worked on.

[Maestr0]

Hmmm, sorry to misinform, I had thought default was other way around. I am sure however it can be changed in policy settings.

-Maestr0