[ACCEPTED]-How can I make a file trully immutable (non-deletable and read-only)?-winapi

Accepted answer
Score: 16

This is one of the "what would happen if 21 that were true?" questions. It has nothing 20 to do with the operating system, the points 19 apply equally to any general purpose computer.

Imagine 18 that there were a way to somehow create 17 an immutable file.

  • What's there to stop someone 16 from filling up a file system with an immutable 15 file (or many of them)?

  • What if someone were 14 to create immutable files with pathnames 13 the operating system needs (Windows example 12 - NTUSER.DAT for some user, *nix example 11 - /bin/ls, etc.)?

  • What if the operating system 10 decides it must move the file (e.g., while 9 defragmenting or otherwise reorganizing 8 the file system)?

  • What if a piece of malware 7 replaces a system file with a copy of itself 6 then makes that file immutable to prevent 5 anyone from ever cleaning the system?

I feel 4 the question is incomplete as it is now. Could 3 you edit it to include more details about 2 the underlying problem you're trying to 1 solve?

Score: 15

You can't do that, for the simple reason 18 that you shouldn't ever be allowed to anyway. As 17 Mihal pointed out, this has the potential 16 to wreak havoc on a computer.

Programming 15 Ethics 101: If your program is going to 14 run on someone else's computer, remember 13 that it's their property, not yours. That 12 means they have the right to modify and/or 11 delete anything they want to. Try to treat 10 the system like your property, and they'll 9 treat your program like malware.

Probably 8 the best solution, if you need to make certain 7 that a file will be available, is Massif's 6 idea to embed it within your program as 5 a resource. That way, nothing short of 4 someone tampering with the EXE will stop 3 you from having it available, and if that 2 does happen, you've got bigger problems to worry 1 about anyway.

Score: 12

burn a cd.


Score: 8

A way be to sure that these files aren't 12 changed 'behind the scenes' would be to 11 add a signature to the file.

To sign the 10 file you could for example: Make a string 9 with the whole content of the file + a secret 8 password and calculate an SHA1-Hash of the 7 string. Then add this hash on the first 6 or last line of the file.

To check the signature: Read 5 the file, remove the line with the hash, add 4 the secret password, recalculte the hash 3 and check if it is the same as the one in 2 the file.

To calculate SHA-1-Hashes with 1 Delphi you can for example use MessageDigests.

Score: 6

Buy a PROM, and a micro controller programmer 1 kit, and burn your file into the ROM...

Score: 4

you're doomed. Even windows can't prevent 6 me deleting files arbitrarily if I boot 5 into safe mode.

How about setting a watcher 4 on the file in question and replacing it 3 with a pristine one should it be changed? Or 2 embedding the file in the resources of the 1 program that needs it?

Score: 4

If I knew how to do this, I'd report it 1 to Microsoft as a bug.

Score: 3

Burn it to write-once media.


Score: 2

Why do you want this? It seams to me like 7 an odd requirement.

I don't think you can 6 do this. The best alikes I can think of 5 are: Create the file as an admin and set 4 the permissions that so that a normal user 3 change not change it (this assumes different 2 users) or create an application that resets 1 the file if it changes.

Score: 2

You can use windows security acls to protect the file. However 3 if the person has access to the hardware 2 then they can always as massif says boot 1 into another mode or os and delete it.

Score: 2

Why don't you just encrypt the file and 2 open/close it along with your executable? Or 1 place it in your self-made filesystem?

Score: 2

Raymond Chen from Microsoft just recently 39 wrote an article that's closely related: The way to stop people from copying files to a folder is to use NTFS security, not to block drag/drop. While 38 this one mentions trying to stop someone 37 from copying a file to a specific folder 36 you can use the same solution presented 35 to fix your problem here.

To properly secure 34 the file and prevent tampering you can set 33 the ACLs on the file to have Read permissions 32 but deny Write, Delete and Change permissions. You 31 can set that for a specific user, group, or 30 even everyone! The owner of the file will 29 always have permission to change the permissions, so 28 you can't permenantly lock yourself out 27 (even if you try to deny the CREATOR OWNER special object). Keep 26 in mind that to manually set these from 25 the security dialog box, you'll have to 24 enter the advanced permissions area, they 23 aren't available from the standard page. You 22 may also want to break inheritance so that 21 the file has only the permissions you set 20 and none from its parent.

In this case it 19 would be best to leverage options that are 18 already there and so you won't have to try 17 and hack the system to make work. NTFS has 16 robust security and can accomplish what 15 you want without you writing code. You can 14 also work with the security directly through 13 the WINAPI using methods related to File Security and Access Rights (MSDN). You 12 can provide the permissions when you call 11 the first CreateFile or change permissions after the 10 fact by using SetNamedSecurityInfo or SetSecurityInfo.

EDIT: To address the concerns 9 of malware, you can even deny SYSTEM access so 8 even services running under the system account 7 cannot delete it or write to it. I've actually 6 taken care of one pesky virus in that method. it 5 would keep creating a directory, so I booted 4 PE, emptied out the directory, then denied 3 everyone access to it including the SYSTEM account. The 2 virus was unable to propagate while I worked 1 on removing it.

More Related questions