File Attributes (Read-Only, Hidden, etc.) - Manipulable Properties

Files within NTFS possess various attributes – flags stored as metadata that control their behavior, visibility, and interaction with the operating system and applications. Common attributes encountered during screenshares include:

  • Read-Only: When set, applications that honor the flag refuse to write to the file, del in CMD refuses to delete it unless forced (del /F), and Explorer prompts before deleting. It is advisory rather than a permission: any process with write access to the file can clear the flag and then modify it.

  • Hidden: Files with this attribute are omitted from default directory listings, such as File Explorer or a plain dir in CMD. Viewing them requires changing the folder view setting ("Show hidden files, folders, and drives") or asking for them explicitly (dir /ah lists only hidden items; dir /a lists everything regardless of attributes).

  • System: Marks a file as belonging to the operating system. Explorer hides files that carry both System and Hidden under a separate option ("Hide protected operating system files"), which stays enabled after "Show hidden files" is switched on, so such files need both settings changed before they appear.

  • Archive: Primarily used by backup software to track files that have been modified since the last backup. Less relevant for typical cheat detection.

  • Not Content Indexed: Excludes the file's content from being indexed by Windows Search.

  • Temporary: Marks the file for potential cleanup by disk utilities.

  • Compressed / Encrypted: Indicates NTFS-level compression or EFS encryption is applied. Unlike the flags above, these cannot be toggled with attrib; they are set through Properties > Advanced or with compact.exe and cipher.exe.

These attributes can be easily viewed and modified through several means:

  • File Properties in Windows Explorer (Right-click > Properties > General tab).

  • Command-line tools: attrib sets and clears Read-Only, Hidden, System, Archive and Not Content Indexed (+/-R, H, S, A, I); PowerShell exposes the same bitmask through the Attributes property of Get-Item. cacls (deprecated) and icacls operate on NTFS permissions (ACLs), not on these attribute flags, and are a separate control.

  • Programmatically via the Windows API (GetFileAttributes / SetFileAttributes) or the FileSystemInfo.Attributes property in .NET.

In the context of screensharing and bypasses, attributes are often manipulated:

  • The Hidden attribute is commonly used to conceal cheat files, folders, or related artifacts from easy discovery.

  • The Read-Only attribute can be applied to Prefetch files (.pf in C:\Windows\Prefetch) so that the operating system (the prefetcher, tied to the SysMain service) can no longer rewrite them with an updated run count and last-execution timestamps, effectively "freezing" the artifact to hide recent activity. Windows does not set .pf files read-only itself, so a read-only .pf (dir /ar in the Prefetch directory) is a tampering indicator on its own, independent of the journal.

Crucially, changes to file attributes are recorded in the NTFS change journal ($UsnJrnl, data stream $J) with the reason flag USN_REASON_BASIC_INFO_CHANGE (0x8000). The same flag is also set for timestamp changes, so filter by path (the Prefetch directory, known cheat locations) and read the record's FileAttributes field, which holds the attributes after the change, to tell a read-only freeze from a timestamp edit. Two caveats: the journal is a fixed-size ring, so older entries are overwritten, and it can be deleted outright (fsutil usn deletejournal), though a missing or freshly created journal is a strong indicator in its own right.
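As an added example (not code from the original page), the following Python parser reads raw USN_RECORD_V2 records, decodes the Reason and FileAttributes bitmasks, and pulls out BASIC_INFO_CHANGE events on Prefetch files whose attributes now include Read-Only. The journal it scans is constructed in memory in the same layout NTFS uses; the file names, timestamps and file reference numbers are made up. On a live system the input would be the raw $UsnJrnl:$J stream (carved from an image or read with a forensic tool), or the CSV from fsutil usn readjournal C: csv decoded instead of the binary layout. The attribute names come from Python's stat module, which carries the FILE_ATTRIBUTE_* values used by GetFileAttributes/SetFileAttributes, so the same decode applies to os.stat(path).st_file_attributes on Windows. Only V2 records are handled; V3/V4 records with 128-bit file IDs raise an error.

```python
import stat
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from winioctl.h (subset). BASIC_INFO_CHANGE (0x8000) covers attribute
# changes but also timestamp changes, so on its own it is a broad signal.
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_BASIC_INFO_CHANGE = 0x00008000
USN_REASON_CLOSE = 0x80000000
REASON_NAMES = {USN_REASON_DATA_EXTEND: "DATA_EXTEND",
                USN_REASON_BASIC_INFO_CHANGE: "BASIC_INFO_CHANGE",
                USN_REASON_CLOSE: "CLOSE"}

# Attribute bits: the stat module carries the same values as FILE_ATTRIBUTE_* in winnt.h;
# on Windows, os.stat(path).st_file_attributes returns this mask for a live file.
ATTRIBUTE_NAMES = {stat.FILE_ATTRIBUTE_READONLY: "READONLY",
                   stat.FILE_ATTRIBUTE_HIDDEN: "HIDDEN",
                   stat.FILE_ATTRIBUTE_SYSTEM: "SYSTEM",
                   stat.FILE_ATTRIBUTE_ARCHIVE: "ARCHIVE",
                   stat.FILE_ATTRIBUTE_TEMPORARY: "TEMPORARY",
                   stat.FILE_ATTRIBUTE_COMPRESSED: "COMPRESSED",
                   stat.FILE_ATTRIBUTE_NOT_CONTENT_INDEXED: "NOT_CONTENT_INDEXED",
                   stat.FILE_ATTRIBUTE_ENCRYPTED: "ENCRYPTED"}

# USN_RECORD_V2 fixed part (60 bytes): RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp (FILETIME),
# Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset.
HEADER = struct.Struct("<IHHQQqqIIIIHH")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks


def names_for(mask, table):
    """Render a bitmask as 'A|B' from a flag table ('-' if no known bit is set)."""
    return "|".join(n for bit, n in sorted(table.items()) if mask & bit) or "-"


def parse_usn_records(data):
    """Walk a $J buffer and return one dict per USN_RECORD_V2, skipping zero-filled gaps."""
    records, off = [], 0
    while off + HEADER.size <= len(data):
        (rec_len, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _source, _sid, attrs, name_len, name_off) = HEADER.unpack_from(data, off)
        if rec_len == 0:  # sparse region of $J; records are 8-byte aligned
            off += 8
            continue
        if major != 2:    # V3/V4 records (128-bit file IDs) are not handled here
            raise ValueError(f"unsupported USN record version {major} at offset {off}")
        name = data[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({
            "usn": usn, "name": name, "file_ref": file_ref, "parent_ref": parent_ref,
            "timestamp": EPOCH_1601 + timedelta(microseconds=ts // 10),
            "reason": reason, "reasons": names_for(reason, REASON_NAMES),
            "attributes": attrs, "attribute_names": names_for(attrs, ATTRIBUTE_NAMES)})
        off += rec_len
    return records


def find_attribute_tampering(records, suffix=".pf", flag=stat.FILE_ATTRIBUTE_READONLY):
    """BASIC_INFO_CHANGE records for files with `suffix` whose attributes now include `flag`.
    FileAttributes holds the post-change state, which separates a read-only 'freeze'
    from a pure timestamp edit that produces the same reason code."""
    return [r for r in records
            if r["name"].lower().endswith(suffix)
            and r["reason"] & USN_REASON_BASIC_INFO_CHANGE
            and r["attributes"] & flag]


# ---- constructed sample journal (not captured from a real system) ----------
def build_record(usn, name, reason, attrs, when, file_ref=0x1000000000123, parent_ref=0x2000000000045):
    """Lay out one USN_RECORD_V2 as NTFS does: header, UTF-16LE name, pad to 8 bytes."""
    name_b = name.encode("utf-16-le")
    rec_len = (HEADER.size + len(name_b) + 7) & ~7
    filetime = ((when - EPOCH_1601) // timedelta(microseconds=1)) * 10
    header = HEADER.pack(rec_len, 2, 0, file_ref, parent_ref, usn, filetime,
                         reason, 0, 0, attrs, len(name_b), HEADER.size)
    return (header + name_b).ljust(rec_len, b"\0")


def build_journal(entries):
    """Concatenate records; NTFS sets each record's Usn to its byte offset within $J."""
    buf = b""
    for name, reason, attrs, when in entries:
        buf += build_record(len(buf), name, reason, attrs, when)
    return buf


T0 = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
ARCHIVE = stat.FILE_ATTRIBUTE_ARCHIVE
SAMPLE_JOURNAL = build_journal([
    # the prefetcher writes a .pf after a program runs
    ("EXAMPLE.EXE-1A2B3C4D.pf", USN_REASON_DATA_EXTEND | USN_REASON_CLOSE, ARCHIVE, T0),
    # the same .pf gets Read-Only set three minutes later: the 'freeze' described above
    ("EXAMPLE.EXE-1A2B3C4D.pf", USN_REASON_BASIC_INFO_CHANGE | USN_REASON_CLOSE,
     ARCHIVE | stat.FILE_ATTRIBUTE_READONLY, T0 + timedelta(minutes=3)),
    # an unrelated file is hidden: same reason code, different flag and path
    ("notes.txt", USN_REASON_BASIC_INFO_CHANGE | USN_REASON_CLOSE,
     ARCHIVE | stat.FILE_ATTRIBUTE_HIDDEN, T0 + timedelta(minutes=4)),
    # a .pf whose timestamps were touched but which is not read-only: not flagged
    ("EXPLORER.EXE-5E6F7A8B.pf", USN_REASON_BASIC_INFO_CHANGE | USN_REASON_CLOSE,
     ARCHIVE, T0 + timedelta(minutes=5)),
])

if __name__ == "__main__":
    for hit in find_attribute_tampering(parse_usn_records(SAMPLE_JOURNAL)):
        print(f"{hit['timestamp']:%Y-%m-%d %H:%M:%S}  usn={hit['usn']}  {hit['name']}  "
              f"reason={hit['reasons']}  attrs={hit['attribute_names']}")
```

Run as-is it reports only the second record (the .pf that became read-only); the hidden notes.txt and the timestamp-only .pf carry the same reason flag but fail the attribute test, which is the distinction the journal analysis depends on. The same find_attribute_tampering call with suffix=".exe" and flag=stat.FILE_ATTRIBUTE_HIDDEN turns the scan toward executables that were hidden rather than frozen.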
