Discouraging Others from Messing with Your Machine
I received the following request some time ago and see others like it all the time in the various newsgroups.

"I was just checkin' out your web page because I need to find a way to either password protect or hide a batch file. I want to make a call to this batch file from the autoexec.bat, but either remain undetected or made so that One cannot change the autoexec.bat after that."
Paul

It prompted me to collect bits and pieces of security related ideas that I have played with over the years into one place. So, here goes.
There are software password protection packages available, though I don't have a current reference. But, anything done in software can be defeated by a determined enough expert. Anything!

I suspect that Paul wants to keep troublemakers from messing with his computer's startup sequence. For this purpose, there are some rather easy things that can be done in standard DOS to foil the uninitiated and even many with quite a bit of computer knowledge.
None of these are foolproof (or should I say "hackproof"), as I said at the start. But they will definitely thwart some mischievous souls and slow down nearly anyone who's bent on messing with your startup process.
Here are several possibilities in ascending order of security:
- If your CMOS setup routine lets you change which drives are read at boot time, change it to boot from the hard drive only, or at least from the hard drive first. Such a setup routine will probably also provide a means of setting a password to be required before any changes can be made. If so, set the password and keep it in a safe place; otherwise, making changes will be very difficult if the need should ever arise. These two fixes are pretty much essential. Otherwise, a determined person can use their own boot disk to start your system.
Important Note: Make and test all of your security related changes before you do this and keep a bootable recovery disk handy, just in case. Once changed, it will be time consuming to reverse. If you forget the password, it will be especially troublesome. So keep the password in a safe place, away from the computer. Also, make sure the storage location is one where you're likely to look when you need it months from now.
- If you're using DOS 6 or later, add a line "SWITCHES=/N/F" to your CONFIG.SYS file. Before version 6.0, there was no way to abort the loading of devices and such in the CONFIG.SYS process, so the switches were not needed. Though this is a primary part of protecting your system, remember to do this last because activating these switches makes it difficult to deal with errors in the start-up process (you'll need that bootable recovery disk).
- Make the first line in your AUTOEXEC.BAT file '@CTTY NUL' and the last executable line, 'CTTY CON'. This will keep someone from using Control-C or Control-Break to jump out of the AUTOEXEC.BAT process before it is complete. If you want anything displayed on the screen, say for troubleshooting, add the string '> CON' to the line. For example,

    @CTTY NUL
    ECHO This will be displayed, > CON
    ECHO but this will not.
    CTTY CON

Be advised that this approach creates a tiny security problem. While the ECHO is sending output to the screen, a Control-C or Control-Break will be processed by the system. This will stop the running batch file, but it will leave all input and output redirected to the NUL device. So, the process is stopped, but the user does not regain control of the keyboard. There is a better way, but it is a bit more complicated. If you need it, go to the follow-up page on using a secondary command processor (TBD) to trap the control break.

You will also need to redirect CON into any process that requires user interaction during the boot process. Otherwise, it will hang. For example, with version 6.0 or later, you can do something like the following ...

    CHOICE /cyn /t:n,5 Do you want to skip the next command < CON > CON

Note that this will not make it possible to use the Control-Break because CHOICE traps it and returns an ERRORLEVEL of zero instead. However, this is true for CHOICE.COM only; other programs may permit the user to escape the procedure. Still, control is not returned until the CTTY CON is executed. Use a secondary command processor (TBD) if you need additional control of the process.
- Use ATTRIB.EXE to make your CONFIG.SYS and AUTOEXEC.BAT files read only, hidden, system files. (ATTRIB +r +s +h AUTOEXEC.BAT) Then delete ATTRIB.EXE from your machine. Keep a copy on a floppy instead. Or, rename it to something else and move it from \DOS to another directory. While you're at it, either remove or rename and move the DOS utility DELTREE.EXE. This program has the ability to do some nasty things in the hands of the wrong people.
- Rename your real AUTOEXEC.BAT file to a name using the <Alt-255> character, like <Alt-255><Alt-255>.BAT (Hold the Alt key down and press 2 5 5 on the numeric keypad.) Modify the SHELL= line in your CONFIG.SYS file by adding "/K<Alt-255><Alt-255>" at the end. Don't put the .BAT part. That way it is very hard for someone to recognize what you have done. (The <Alt-255> character displays like a space so it's hard to tell it's there if there are no characters following it on the line.) Finally, make up an innocuous substitute AUTOEXEC.BAT to replace the renamed version and hide it and CONFIG.SYS the same way as in 1 and 2 above. Mark the <Alt-255> file as system and read-only, but do not hide it. The SHELL command will not find it if it is hidden, unless you provide the whole name (including the .BAT part).
This approach redirects the startup process to the renamed AUTOEXEC.BAT file so that any changes to the dummy version, named AUTOEXEC.BAT, are ignored.
- Creating a directory with one or more <Alt-255> characters (and nothing else) is an extension of the previous idea. Move your real startup process batch file (<Alt-255><Alt-255>.BAT) into that directory and then use ATTRIB.EXE to hide the directory. You will need to add this directory name to the startup batch file name on the SHELL= line in CONFIG.SYS. This will make the modification a tiny bit more obvious because the line will end in "/K<Alt-255>\<Alt-255><Alt-255>" (which looks like "/K \"), but it should still go unnoticed (or at least be quite confusing).
This change will make it that much harder for someone, first, to recognize what you've done and, second, to be able to find the files and modify them. This is because they'll need direct knowledge of what they're looking for. If they find your unused AUTOEXEC.BAT file using DIR /AH, it will be fairly difficult to get to it to change with ATTRIB gone. Even if they do change it, it will have no impact.
Systems running Windows 3.1x have even more problems with files named with the <Alt-255> character. Windows will show the file or directory, but it misrepresents it as the underbar character '_' and it cannot be accessed. (I don't know about Windows 95.)
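Because the Alt-255 byte is invisible on screen, it is easy to mistype these edits without noticing. The following Python check, run against copies of the two startup files, confirms the settings from the list above and spells out every Alt-255 byte. It is an added example, not part of the original page; the sample file contents, the function names and the choice of CHOICE and PAUSE as the interactive commands are assumptions.

```python
import re

ALT_255 = 0xFF  # byte typed by Alt-255; it displays as a blank
INTERACTIVE = (b"CHOICE", b"PAUSE")  # assumed set of commands that wait for a key

# Constructed sample files, not from the page.
SAMPLE_CONFIG = (b"DEVICE=C:\\DOS\\HIMEM.SYS\r\nSWITCHES=/N/F\r\n"
                 b"SHELL=C:\\COMMAND.COM /P /K\xff\xff\r\n")
SAMPLE_STARTUP = (b"@CTTY NUL\r\nPATH C:\\DOS\r\nECHO Starting up > CON\r\n"
                  b"CHOICE /cyn /t:n,5 Skip the next command\r\nCTTY CON\r\n")

def visible(raw: bytes) -> str:
    """Render DOS text with every Alt-255 byte spelled out."""
    return "".join("<Alt-255>" if b == ALT_255 else chr(b) for b in raw)

def _lines(raw: bytes) -> list:
    """Non-blank lines, trimmed of ASCII whitespace (Alt-255 is kept)."""
    return [ln.strip() for ln in raw.splitlines() if ln.strip()]

def audit_config(raw: bytes) -> list:
    """Notes on the SWITCHES= and SHELL= lines of a CONFIG.SYS copy."""
    notes, lines = [], _lines(raw)
    switches = [ln.upper() for ln in lines if ln.upper().startswith(b"SWITCHES")]
    if not any(b"/N" in ln and b"/F" in ln for ln in switches):
        notes.append("CONFIG.SYS: no SWITCHES=/N/F line")
    shell = [ln for ln in lines if ln.upper().startswith(b"SHELL")]
    if not any(b"/K" in ln.upper() for ln in shell):
        notes.append("CONFIG.SYS: SHELL= has no /K startup file")
    notes += ["CONFIG.SYS: SHELL line reads " + visible(ln)
              for ln in shell if ALT_255 in ln]
    return notes

def audit_startup(raw: bytes) -> list:
    """Notes on the CTTY bracket and on prompts that lack '< CON'."""
    notes, lines = [], [ln.upper() for ln in _lines(raw)]
    # The last non-blank line is treated as the last executable line.
    if not lines or lines[0] != b"@CTTY NUL":
        notes.append("startup: first line is not @CTTY NUL")
    if not lines or lines[-1] != b"CTTY CON":
        notes.append("startup: last line is not CTTY CON")
    for n, ln in enumerate(lines, 1):  # n counts non-blank lines
        if ln.lstrip(b"@").startswith(INTERACTIVE) and not re.search(rb"<\s*CON\b", ln):
            cmd = ln.split()[0].decode()
            notes.append(f"startup line {n}: {cmd} has no '< CON' and will hang")
    return notes

if __name__ == "__main__":
    for note in audit_config(SAMPLE_CONFIG) + audit_startup(SAMPLE_STARTUP):
        print(note)
```
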
Those are the basics of keeping people from altering your start-up process, but you may also want to provide password protection to your system. This is possible using DOS commands alone. If that's your interest, follow the link (TBD).