0

I have an oracle db server on a windows 2k3 box. I am currently unable to create or copy a batch file to the root of c. I can create batch files on different folders (i.e. in my user directory) or I can create .txt files in the root of C, but not batch files.

I know someone might say, just put the batch file somewhere else. We have an update from one of our software vendors that wants to create a batch file in C:\ and they don't want to rewrite their update for one customer.

They suggested it might be caused by our HBSS, but we have another 2k3 box for IIS that has no trouble creating batch files, and it has the same HBSS installed.

I have tried with several admin accounts. My account has domain admin, and my SA colleague has enterprise admin.

Is there something in GPO that prevents you from making bat files in C:\?

SupremeDud
  • 103
  • 4
  • 6
    Did you check file permissions? – Chris S Dec 09 '11 at 18:41
  • Unless someone added something custom to a gp, I don't think that would be your issue. Check the file permissions like Chris S mentioned. – Jeff Dec 09 '11 at 18:50
  • I can create other files just fine. txt, doc, bmp no problem. The moment I try to copy, create, or rename a file to .bat I get access denied. The administrator group has FC to c:\ and I am definitely in the administrators group. – SupremeDud Dec 09 '11 at 18:53
  • Check AV, it might be blocking bat and com files. – Chris S Dec 09 '11 at 19:04
  • Could AV be blocking it? – Nixphoe Dec 09 '11 at 19:04
  • It was our McAffee HBSS. It wasn't configured how I thought. – SupremeDud Dec 09 '11 at 19:24
  • So if you go to a command line and run `echo echo hello world > thisisatest.bat` you get an access denied? But you wouldn't get one if you saved to .txt instead? – Zoredache Dec 09 '11 at 19:24
  • 1
    @SupremeDud If that is the resolution to this issue, please post it as an answer and make it "accepted". – jscott Dec 09 '11 at 19:38

3 Answers3

2

I know this question is old, but there doesn't seem to be a resolution so on the HBSS possibility.

You can navigate to the HBSS HIPS GUI:

  1. Click Start, Run, type explorer and click OK.
  2. Navigate to: C:\Program Files\McAfee\Host Intrusion Prevention.
  3. Double-click McAfeeFire.exe.

You can click on the tabs on the top of the GUI to see what the policies are that are being enforced, and what is being permitted and blocked.

If your HBSS admins are worth their salt as admins, they've divided out the servers by functionality and have applied policies based on those attributes. So it is VERY possible that McAfee is blocking this action. You'll need to work with your HBSS admins to get a waiver policy in place to be able to do what you want here if this ends up being the culprit.

It could also be the McAfee VSE blocking the creation...but this is much less likely than the HIPS.

cclater
  • 106
  • 8
0

Check to see which group policies are being applied to your account by opening up the command line and using gpresult /r. Then check with your system admin to see if any of those policies are set to restrict .bat files on your c drive. You might get lucky and see a group policy that is explicitly named as such.

MattChorba
  • 119
  • 8
  • Can you point me at the reference for any group policy that would actually do this? I have never seen one. – Zoredache Dec 09 '11 at 19:25
  • I'd be interested also, I've created File Screens, with FSRM, to block specific extensions, but I did not think I could do it with GP. – jscott Dec 09 '11 at 19:40
0

I've seen this behavior with Anti-Virus blocking batch files in some directories.

Nixphoe
  • 4,584
  • 7
  • 34
  • 52