Reputation: 123
I am trying to protect a file my application created using VC++ so that no one can delete the file, even a Windows Admin user. However, my application can read, write, and delete it. My application is not running all the time. I am planning to use the CreateFile SECURITY_DESCRIPTOR structure for this purpose. Any suggestions are welcome.
Upvotes: 0
Views: 126
Reputation: 8257
A few suggestions
1) If you take away file ownership, i.e. nobody owns it, it will be difficult but not impossible to delete. Windows admin needs to takeown (Windows equivalent of Unix chown) the file before it can be deleted.
2) If the local user (the one that runs services) creates the file, even admin can't delete it - you need the localuser to delete it: that is, unless you change ownership to admin, then admin can delete it. Trying to change permissions on a file owned by localuser is something else. It isn't easy at all. Note that you can't log in as localuser.
Upvotes: 1
Reputation: 2846
Your application has to be run by a Windows user.
The administrator's decision will always be able to supersede whatever was done by your application. Even if you run your application as the administrator. This is because it would be equivalent to the administrator creating a file by hand and going back to change or delete it.
So no, this is not possible.
In short: The administrator cannot create a file so secure that he himself cannot delete it.
Upvotes: 1
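The sequence the answers above describe (delete is refused, ownership is taken, the permissions are rewritten, delete succeeds), as an added example that is not code from any of the posters. It is a simplified Python model of the access check, not real Win32 calls; the account names app_svc and alice and all function names are made up for illustration.

```python
# Simplified model of the Windows access check (constructed; no real Win32 calls).
from dataclasses import dataclass

DELETE, WRITE_DAC, WRITE_OWNER = "DELETE", "WRITE_DAC", "WRITE_OWNER"
TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"

@dataclass
class Token:
    user: str
    groups: frozenset = frozenset()
    privileges: frozenset = frozenset()
    def sids(self):
        return {self.user} | self.groups

@dataclass
class SecuredFile:
    owner: str
    dacl: list  # ordered ACEs: (kind, sid, rights); kind is "deny" or "allow"

def access_check(token, f, right):
    # The owner implicitly holds WRITE_DAC, whatever the DACL says.
    if right == WRITE_DAC and f.owner in token.sids():
        return True
    # SeTakeOwnershipPrivilege grants WRITE_OWNER without consulting the DACL.
    if right == WRITE_OWNER and TAKE_OWNERSHIP in token.privileges:
        return True
    for kind, sid, rights in f.dacl:  # first matching ACE decides
        if sid in token.sids() and right in rights:
            return kind == "allow"
    return False  # no matching ACE: implicit deny

def try_to_delete(token, f):
    """Return the (step, allowed) pairs for a caller who wants the file gone."""
    log = [("delete", access_check(token, f, DELETE))]
    if not log[0][1] and access_check(token, f, WRITE_OWNER):
        f.owner = token.user  # take ownership (what takeown does)
        log.append(("take ownership", True))
    if not log[0][1] and access_check(token, f, WRITE_DAC):
        f.dacl = [("allow", token.user, {DELETE})]  # owner rewrites the DACL
        log.append(("rewrite DACL", True))
        log.append(("delete", access_check(token, f, DELETE)))
    return log

def locked_file():
    # Constructed sample: deny ACE for Administrators, allow ACE for the app account.
    rights = {DELETE, WRITE_DAC, WRITE_OWNER}
    return SecuredFile("app_svc", [("deny", "Administrators", rights), ("allow", "app_svc", rights)])

if __name__ == "__main__":
    print(try_to_delete(Token("alice", frozenset({"Administrators"}), frozenset({TAKE_OWNERSHIP})), locked_file()))
```

A standard user without the privilege stops at the first refused delete, so the descriptor still keeps non-administrators out.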