
I'm using the SetFileAttributes API to reset the FILE_ATTRIBUTE_ARCHIVE attribute on files. My app that I need it for acts as backup software. Here's how I do it:

```cpp
DWORD dwAtt = ::GetFileAttributes(strSrcFilePath);
if(dwAtt != INVALID_FILE_ATTRIBUTES)
{
    if(!::SetFileAttributes(strSrcFilePath, dwAtt & ~FILE_ATTRIBUTE_ARCHIVE))
    {
        //Error
        int error = ::GetLastError();
    }
}
```

The user account that my process runs under belongs to the Backup Operators group, which according to this document should give my process access to modify files regardless of their permissions.

But when I run the code above, SetFileAttributes fails with ERROR_ACCESS_DENIED.

Am I missing something?

Do I need to give my process write-access to the file just to reset its FILE_ATTRIBUTE_ARCHIVE attribute?

c00000fd
  • Can you log into the PC with that account and manually set file attributes as a test? – Randy Schuman Aug 26 '16 at 01:13
  • Just having backup privileges isn't enough. The program has to enable them (using AdjustTokenPrivileges) and in some cases (e.g., CreateFile) also has to use a special flag as described in the documentation of the relevant API function. – Harry Johnston Aug 26 '16 at 01:15
  • @RandySchuman: No, I can't set them through Windows Explorer if I log in under my `BackupUser` account. – c00000fd Aug 26 '16 at 03:24
  • @HarryJohnston: Yes. Fair enough. Can you elaborate on which privilege I need to enable using `AdjustTokenPrivileges` though? Also how does `CreateFile` fit into it? I'm not creating those files that I'm backing up. I'm simply copying them and then need to reset the `FILE_ATTRIBUTE_ARCHIVE` on them. – c00000fd Aug 26 '16 at 03:26
  • CreateFile was just an example. For SetFileAttributes, all you have to do is to enable the relevant privilege(s). Since you're both reading and setting the flags, I think you'll need both SE_RESTORE_PRIVILEGE and SE_BACKUP_PRIVILEGE. – Harry Johnston Aug 26 '16 at 03:33
  • @c00000fd This may be what you need. http://stackoverflow.com/questions/12338711/error-access-denied-setting-file-owner/12341165#12341165 – Randy Schuman Aug 26 '16 at 03:52
  • @HarryJohnston: Just tried to enable both `SE_RESTORE_NAME` and `SE_BACKUP_NAME` in my process running under my `BackupUser` account and `AdjustTokenPrivileges` failed on both with `ERROR_NOT_ALL_ASSIGNED`. – c00000fd Aug 26 '16 at 03:56
  • @RandySchuman: No. If I take ownership of the files that my app is trying to back up it will seriously mess up the system. Plus, I have to run it as an admin to do it anyway. My `BackupUser` is just a standard user account. – c00000fd Aug 26 '16 at 03:57
  • If a user has backup privileges, UAC kicks in. You'll need to run your program elevated. I *think* you can do this using the non-admin account and just get backup privileges and not everything else, though I'm not sure; UAC gets a bit confused in this scenario if I remember rightly. Best solution is to just make the user an administrator. Having backup privileges is equivalent to being an administrator anyway. – Harry Johnston Aug 26 '16 at 04:01
  • @HarryJohnston: Yep, you got it. Appreciate your help! I technically need only `SE_RESTORE_NAME` privilege and to run my process elevated. And it does the job. Why did you also mention `SE_BACKUP_NAME` though? – c00000fd Aug 26 '16 at 04:18
  • I think that you will need `SE_BACKUP_NAME` as well if you have to deal with the case where you don't have read permission either to the file or to its parent directory. (Theoretically, backup privilege lets you bypass the rules that would stop you from reading something, and restore privilege lets you bypass the rules that would stop you from writing something. But in practice they might not be implemented that way, I've never checked.) – Harry Johnston Aug 26 '16 at 04:29
  • @c00000fd Ok, wasn't sure, just thought the link might help. Glad you got it working. – Randy Schuman Aug 26 '16 at 05:17

0 Answers
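
The sequence the comments arrive at (enable the restore privilege in an elevated process, check for `ERROR_NOT_ALL_ASSIGNED`, then clear the archive bit), as an added example that is not code from the thread. `EnablePrivilege`, `ClearArchiveBit` and `ResetArchive` are hypothetical helper names and the path is constructed; the `#else` branch exists only so the file also compiles off Windows.

```cpp
// Added example, not code from the thread. On Windows link advapi32.lib.
#ifdef _WIN32
#include <windows.h>

// Enable one privilege (e.g. SE_RESTORE_NAME) in the current process token.
bool EnablePrivilege(const wchar_t* name) {
    HANDLE token = nullptr;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &token))
        return false;
    TOKEN_PRIVILEGES tp = {};
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    // AdjustTokenPrivileges returns TRUE even when it enabled nothing; only
    // GetLastError() shows ERROR_NOT_ALL_ASSIGNED (privilege absent from the
    // token, as in a non-elevated process).
    bool ok = LookupPrivilegeValueW(nullptr, name, &tp.Privileges[0].Luid) &&
              AdjustTokenPrivileges(token, FALSE, &tp, 0, nullptr, nullptr) &&
              GetLastError() == ERROR_SUCCESS;
    CloseHandle(token);
    return ok;
}

// Clear FILE_ATTRIBUTE_ARCHIVE and keep every other attribute.
bool ClearArchiveBit(const wchar_t* path) {
    DWORD att = GetFileAttributesW(path);
    if (att == INVALID_FILE_ATTRIBUTES) return false;
    if (!(att & FILE_ATTRIBUTE_ARCHIVE)) return true;  // already clear
    DWORD next = att & ~FILE_ATTRIBUTE_ARCHIVE;
    if (next == 0) next = FILE_ATTRIBUTE_NORMAL;  // no attributes left
    return SetFileAttributesW(path, next) != 0;
}
#else
// Non-Windows build: these APIs do not exist, so both helpers report failure.
bool EnablePrivilege(const wchar_t*) { return false; }
bool ClearArchiveBit(const wchar_t*) { return false; }
#endif

// Returns 0 on success, 1 if the privilege could not be enabled, 2 if the
// attribute change failed. L"SeRestorePrivilege" is the value of SE_RESTORE_NAME.
int ResetArchive(const wchar_t* path) {
    if (!EnablePrivilege(L"SeRestorePrivilege")) return 1;
    return ClearArchiveBit(path) ? 0 : 2;
}

int main() {
    return ResetArchive(L"C:\\constructed\\sample.dat");  // constructed path
}
```

A return value of 1 from `ResetArchive` corresponds to the `ERROR_NOT_ALL_ASSIGNED` case reported in the comments, where the process token does not hold the privilege.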