Blog Post

Knowing how to use ATTRIB

,

ATTRIB is one of those commands back from the days of DOS which most folks don't even realize it's there. The purpose of the command, as its name implies, is to manage the attributes of files and folders. There are 4 attributes which it can manage:

  • A - Whether or not the archive attribute is set (this can tell a backup process if the file has changed since the last backup).
  • H - Whether or not the file/folder is hidden.
  • R - Whether or not the file/folder is read-only.
  • S - Whether or not the file/folder is treated as a system object.

We don't use it too much any more because the Windows GUI tends to allow us to manage the A, H, and R attributes just fine. One of the few cases where you would have to resort to ATTRIB is if the file is marked as a system folder. When cleaning up some malware from another person's desktop yesterday, I ran into this. In that particular case you can't make the file visible again, nor can you change it from being a system file without the use of ATTRIB. The following image shows that the hidden checkbox is grayed out when both of these attributes are set:

This is how the HOSTS file was set because the malware automatically inserted its own entries for common sites like www.google.com. For the average user, these settings means that even if they knew exactly where to navigate to, they wouldn't have been able to fix the file. Enter in ATTRIB. ATTRIB with just the name of the file or folder can tell us what attributes are set. Here's an example against a protected HOSTS file:

C:\WINDOWS\system32\drivers\etc>attrib hosts
A  SH      C:\WINDOWS\system32\drivers\etc\hosts

Note that A, S, and H are set. Now one of the things about it being a hidden and system file is if I try to undo just the system attribute or just the hidden attribute, it won't work. Here's what you'd see:

C:\WINDOWS\system32\drivers\etc>attrib -h hosts
Not resetting system file - C:\WINDOWS\system32\drivers\etc\hosts

C:\WINDOWS\system32\drivers\etc>attrib -s hosts
Not resetting hidden file - C:\WINDOWS\system32\drivers\etc\hosts

As you can probably guess, the - (minus sign) tells ATTRIB to try and remove the attribute. If you wanted to add an attribute, like I did for this example, you would use + (plus sign) instead. However, back to how to solve this quandry, the trick is to toggle both attributes off at the same time:

C:\WINDOWS\system32\drivers\etc>attrib -h -s hosts

C:\WINDOWS\system32\drivers\etc>attrib hosts
A          C:\WINDOWS\system32\drivers\etc\hosts

And with the hosts file in this state, it was back to the way it should have been configured, with the exception of the entries inside of it I still had to clean up because of that malware. As a matter of fact, I had to use ATTRIB one more time on a folder in order to allow for a folder where the malware was hiding to be discovered by the security scanners.

This is one of those cases where an old round of DOS knowledge allowed me to do something you couldn't do through the Windows GUI. Knowing little tricks like these can often make a difference when you're troubleshoot or correcting issues like the one I was facing. Without knowing ATTRIB and how it worked, I don't know that we would have been able to clean the computer. The malware were rogue antivirus software packages and they were preventing other AV packages from installing and running properly. These rogue antivirus programs are on the rise because they prey on an innocent person's trust. The person will trust the information that just popped up is legitimate, and the rogue product gets installed. The end user doesn't know better and the software itself tends to be difficult to clean up.

 

Rate

You rated this post out of 5. Change rating

Share

Share

Rate

You rated this post out of 5. Change rating