0

Recently I downloaded a piece of software that is "protecting" folders by hiding them.

The software is https://fspro.net/my-lockbox/

I opened cmd as administrator and I thought that I would recover it by attributes, but nothing; it raised an error: File not found - personal

Then I noticed something when I just typed cd personal: Access is denied.

My first thought was that it had to do with privileges: takeown /F "D:\person" /A /R /D Y, but again the same error: Access is denied.

OK, I continued and closed every process that had to do with that program.

I followed the same steps, but nothing! With this command, icacls "D:\person" /setowner "Administrators" /T /C, I got:

D:\person: Access is denied.
D:\person\*: Access is denied.
Successfully processed 0 files; Failed processing 2 files.

OK, maybe it is something more than this!

Before I "hid" the folder I was inside the folder, and when I hid it I checked the Properties and saw: You must have Read permissions to view the properties of this object

I checked the advanced option, Change the Owner, and I didn't have the option to change it, only: You must have Read permissions to view the properties of this object

With PowerShell and the PowerForensics library... I found the file! Also with third-party tools (WinUtilities Undelete and https://www.x-ways.net/winhex/)!

I noticed that the name of the file had not changed (it didn't use a CLSID); it was there! Just hidden, without attributes, without encryption!

My question is: what is going on there?

What am I missing about privileges - permissions?

What makes it inaccessible and hidden?

Please, the point of this question is not to critique but to gain knowledge! Thanks!

7
  • 1
    "Recently i downloaded one software that is "protecting" the folders by hiding them." Name? Commented Dec 11, 2019 at 1:57
  • @Mr Ethernet I don't know if saying the name of the program will change anything. It's about understanding and gaining knowledge, but anyway: fspro.net/my-lockbox
    – AlexDotis
    Commented Dec 11, 2019 at 2:40
  • 1
    Providing more information generally leads to better quality answers. You should include the name of the software that made these unknown changes in the question. It's one of the most important details. I don't understand the logic behind essentially saying "I used a program and I don't want to tell anyone what it is because I don't think it's relevant... but please help me fix something it broke." 😂 Commented Dec 11, 2019 at 3:07
  • Yes, you are right! I will edit my post!
    – AlexDotis
    Commented Dec 11, 2019 at 22:17
  • Please Edit to indicate the Third Party software used to view the file despite My Lockbox hiding the file. Commented Dec 11, 2019 at 22:30

1 Answer

0

My Lockbox utilizes a file system driver. It essentially sits between the OS and the file system, allowing it to prevent reading and/or hide folders/files when Explorer or other apps using standard API calls list the directory. Since it's simply an additional app that gets loaded on boot, it's trivial for apps that don't use the standard API to list and read the "hidden" files, or to just boot from another OS (can be Windows too) that doesn't have My Lockbox installed. Even disabling the filter driver is enough to bypass the protection. Windows provides this intercept functionality not just for files and folders, but also for the registry and processes.

This is why My Lockbox attempts to thwart uninstallation without a password, since that will simply disable any "protection". The difficulty of doing this (since uninstalling doesn't really need My Lockbox's approval), the similarity to a virus trying to hide itself (which leads to incompatibilities with antivirus apps), and the wide availability of free and easy-to-use encryption apps that will still work even when you boot from another OS make file system driver "protection" without encryption rather obsolete now.

1
  • Very good explanation!! Thank you!
    – AlexDotis
    Commented Dec 18, 2019 at 20:09
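
The answer above attributes the hiding to a file system filter driver loaded at boot. The following PowerShell is an added example, not part of the original posts and not My Lockbox's code: it inventories the filters reported by `fltmc filters`, maps each altitude to a load-order group, and marks names missing from a baseline. It assumes the product's driver registers as a minifilter that `fltmc` lists; `ExampleLockFlt`, its altitude, the sample output and the baseline are constructed placeholders.

```powershell
# Constructed sample of `fltmc filters` output. "ExampleLockFlt" and its
# altitude are placeholders, not the real driver name of any product.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleLockFlt                          2       385100         0
WdFilter                                5       328010         0
luafv                                   1       135000         0
FileInfo                                5        45000         0
'@ -split "`r?`n"

# Filters considered expected on this host (assumption: use your own baseline).
$baseline = 'WdFilter', 'luafv', 'FileInfo'

# A subset of the load-order groups Microsoft documents, keyed by altitude range.
$groups = @(
    @{ Low = 360000; High = 389999; Name = 'FSFilter Activity Monitor' }
    @{ Low = 320000; High = 329998; Name = 'FSFilter Anti-Virus' }
    @{ Low = 140000; High = 149999; Name = 'FSFilter Encryption' }
    @{ Low = 130000; High = 139999; Name = 'FSFilter Virtualization' }
    @{ Low =  80000; High =  89999; Name = 'FSFilter Security Enhancer' }
    @{ Low =  40000; High =  49999; Name = 'FSFilter Bottom' }
)

function Get-FilterInventory {
    param([string[]]$Lines, [string[]]$Baseline)
    foreach ($line in $Lines) {
        # Data rows: name, instance count, altitude (may be fractional), frame.
        # The header and separator rows do not match and are skipped.
        if ($line -notmatch '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') { continue }
        $name  = $Matches[1]
        $count = [int]$Matches[2]
        $alt   = [double]$Matches[3]
        $group = ($groups | Where-Object { $alt -ge $_.Low -and $alt -le $_.High }).Name
        [pscustomobject]@{
            Filter     = $name
            Instances  = $count
            Altitude   = $alt
            Group      = if ($group) { $group } else { 'unlisted range' }
            InBaseline = $name -in $Baseline   # False = not expected here, review it
        }
    }
}

# On a live system, from an elevated prompt, pass (fltmc filters) instead of $sample.
Get-FilterInventory -Lines $sample -Baseline $baseline |
    Sort-Object Altitude -Descending | Format-Table -AutoSize
```

A filter with attached instances that is absent from the baseline is the component to examine when a folder returns "Access is denied" even to an administrator, as in the question.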
