ls is a console utility that lists information on Windows files.
It is based on the GNU/Linux ls directory
information utility.
It displays exhaustive information on DACLs/SACLs,
integrity levels,
reparse points, shortcuts, hard links, symbolic links,
hidden streams, encryption,
compaction, virtualization,
volume serial number, object tracking identifier,
and offline status.
ls is free software. For download information see the GNU ls web page at the UTools web site.
To invoke ls simply type its name at the command prompt:
> ls myfile.dat mytext.txt word.doc
This shows you a list of files in your current directory. If your system administrator has installed a GNU package (such as Cygnus Cygwin) your system administrator may have have renamed ls to msls to avoid a name conflict with Cygwin's pure UNIX version of ls. If ls does not work try typing msls.
To get basic information on the available command line options you can use the following options. (Every GNU program should accept them).
--help
--version
To get long information use the -l option:
> ls -l total 158 -ra--a---- 1 Alan 68032 Jan 28 17:59 append-only.dat drwxrwxrwx 1 Alan 0 Jan 27 09:57 dir -rwE------ 1 Alan 15 Jan 27 00:53 encrypted -rw-r-----$ 1 Alan 5 Jan 24 08:13 file -rw-r-----$ 1 Alan 5 Jan 24 08:13 file:secret:$DATA -rwxrwxr-x 1 Alan 10 Jan 29 00:47 myprog.exe Srw------- 1 Ginger 432254 Jan 11 12:55 sparse-file.dat -rw-rw-rw- 1 Ginger 3423 Jan 29 04:41 text.txt -rw-rw-rw- 1 Ginger 40960 Jan 21 02:54 word.doc
A long listing may scroll off the top of your screen. To pause
the output between each screenful
use the option -M (or --more). To interrupt
the output press Control+C or Control+Break at any time.
As with every GNU utility you can abbreviate command options to uniqueness. So instead of typing
> ls -l --acls=very-long myfile.dat
you can abbreviate the command like this,
> ls -l --ac=v myfile.dat
The -l (long) option is implied for many options such as
--acls, --sids, --gids,
--encryption-users, and
--full-time.
To change the current directory use the command cd.
> cd \Documents and Settings\Administrator > ls -l
To change the drive letter (default C:) append the /d option to cd.
> cd /d D:\
> ls -l
The file permissions in Microsoft's New Technology File System (NTFS) are based on Access Control Lists, or ACLs. An ACL is a list of users and groups that are allowed or denied access to a file.
There are three basic types of permissions. Each has a letter
code: r, w, or x.
r - permission to read the file. For directories this means permission to
view the contents of the directory.
w - permission to write to (change) the file. For directories this means
permission to add and remove files in the directory.
x - permission to execute the file (run it as a program). For directories
this means permission to access the files in the directory.
(In rare cases a file may have append-only
permission where the w will change to a.)
There are three groups of rwx mode strings, one for
each category of users. Each group can have different permissions to
perform any of the above operations on a file:
For example, a file that allows all permissions for yourself and
others but denies access by anonymous users
would have the mode string rwxrwx---. Revoking
write permission from other users would change it to
rwxr-x---.
This is only a simplified view of the file permissions. NTFS file permissions
are actually much more complex than this.
To see the complete ACL use the option
--view-security. This will pop
up the standard Windows dialog to show very detailed information
on the file's ACL:
Click on the Advanced button to see the gory details including special permission flags, auditing, ownership, and effective permissions.
If you are an NTFS expert you might want to see the
full ACL printed out. Use --acls=long.
> ls -l --acls=long myfile.dat -rwxr-x--a 1 Alan 12800 Jan 21 02:54 myfile.dat D:AI(A;;Modify;;;Alan)(A;;0x100080;;;Ginger)(A;ID;Full;;;BA) (A;ID;Full;;;SY)(A;ID;Full;;;LA)(A;ID;Read+Exec;;;BU)
The ACL string may be difficult to interpret by inexperienced users
(remember this is for NTFS experts).
For more human-readable format use --acls=very-long.
This will write out the ACL in a very long format that is
somewhat more readable.
Remember the first example with --ac=v shown above?
Here is the complete output:
> ls --ac=v myfile.dat
-rwxr-x--a 1 Alan 12800 Jan 21 02:54 myfile.dat
Alan:
Read
Write
Execute
Append Data
Read Attributes
Write Attributes
Delete
Read Security Info
Synchronize
Not Inherited
Ginger:
Read Attributes
Synchronize
Not Inherited
Administrators: Full
SYSTEM: Full
Administrator: Full
Users: Read + Execute
Whenever a new file or directory is created it inherits the ACL of its parent directory. If an ACL was created explicitly (i.e., not inherited), it is marked "Not Inherited". ACL inheritance is a standard feature of NTFS. Standard inheritance only applies to newly created files and directories.
ls will also report on a type of inheritance called cascade-propagation. The cascade-propagation of file permissions was introduced in Windows 2000. It cascades the inheritance of ACLs from a directory down to all existing files and directories (and sub-directories and sub-sub-directories) down the directory tree. ls will report on whether changes to permissions will cascade down the directory tree ("Changes will propagate to existing descendants"), report on protection against auto-propagation ("DACL is protected from clobbering by parent"), and report special single-level propagation ("Propagate one level only").
In addition ls will report on System Access Control Lists (SACLs). A SACL is a special form of ACL that is used to monitor access to sensitive files. SACLs will trigger security audit messages in the Event Log whenever the files are accessed (or denied access) by the users or groups being monitored in the SACL. SACLs can only be viewed or changed by system administrators. Regular ACLs are sometimes called Discretionary Access Control Lists (DACLs) to distinguish them from SACLs.
In addition to DACLs, Windows Vista added a new layer of security to files and registry keys called mandatory integrity levels, sometimes called mandatory labels.
Mandatory integrity levels are entirely separate from DACLs. They can only be set by system administrators. There are five mandatory integrity levels:
If a file or a registry key has no integrity level it defaults to medium.
To view the integrity level of a file use --ac=v.
> ls --ac=v SystemFile.dat
-rw-rw---a 1 SYSTEM 13552 Oct 1 07:56 SystemFile.dat
Administrators: Full
SYSTEM: Full
Users: Read + Execute
System Access Control List:
High Mandatory Level: Integrity Level
No-Write-Up
Not Inherited
The integrity level is stored in the SACL. An integrity level can have associated with it up to three different types of mandatory protection:
You can set or modify integrity levels using the console command-line
utility icacls.exe. You cannot set an integrity level
higher than your own. To view your integrity level see
Viewing Your Process Token.
The characters -rwxrwxrwx are called
a mode string (this is UNIX jargon). A
mode string has an initial character that defines the type of file:
- for a regular file
d for directory (aka folder)
c for a compressed fileS for a sparse file
l for a link (reparse-point, shortcut, or symbolic link)(UNIX supports other file types not listed here.) A compressed file uses NTFS compression to reduce the physical disk size. A sparse file reduces disk usage by not allocating physical disk space for disk sectors that contain all zeros. A link redirects the file path to another location.
An l indicates a link. There are three types of links: reparse-points, shortcuts, and symbolic links.
A reparse-point
redirects ("reparses") the directory path at that point,
redirecting it to another location. The location must be on the same
file system.
A shortcut is a special
data file ending in a .LNK suffix.
The Windows Shell opens a shortcut
when a user clicks on it as an icon in a Windows folder
or on the popup menu of the Start button. The shortcut
contains a text string that represents the path that the shell is to open
to access the real file in another directory.
A symbolic link (introduced in Windows Vista)
works the same way as a soft link
on Linux or Unix. It redirects the file path to another location.
The location can be anywhere, including on another drive letter
or on a remote file share. The use of symbolic links over a network
requires use of Windows Vista (or later) on both the local computer
and the remote computer.
ls has several options to add colors and other distinctive
decorations to the file names. The most basic option is
--color, which decorates the files
with various distinctive colors.
| Regular files are shown with White Letters |
| Directories are shown with Green Letters |
| Executable programs are shown with Yellow Letters |
| Multimedia files (.mpg, .gif, etc) are shown with Magenta Letters |
| Compressed archives (.zip, .gz, etc) are shown with Cyan Letters |
|
Compressed NTFS files are also shown with Cyan Letters if you use --compressed
|
|
Special files such as encrypted files, hidden
streams,
and symbolic links are shown with Blue Letters |
| Broken symbolic links are shown with Red Letters |
|
Recently modified files are shown with Intense White Letters if you use --recent
|
Use --recent=n to show files that have been modified
within the last n minutes (default n=60).
If the recently modified file already has a non-white color, it is shown with
inverted colors.
If you don't like the color scheme you can change it with the dircolors utility.
If you are using the console window, keep in mind that you are limited to only 8 total colors. This is a historical artifact of the console colors mimicking the capabilities of the original 1980 IBM PC CGI display.
If you are
using a fancier "terminal window" like
xterm, rxvt, or
EMACS, you can use many more colors (and use different fonts
too).
On these smarter consoles ls will show
--recent
files using
| Underlined Letters |
If you don't like colors (or you have a disability where
you cannot see colors)
you can use the -F option
to classify the file type with a suffix,
one of the characters *\@$. The
characters denote
an executable file *, a directory \,
a symbolic link @, or a hidden stream $,
respectively.
Use the -h option to show file sizes in human-readable form,
such as 1.5M instead of 1502997.
The default units are powers of 1024. To use powers of 1000
use --si.
SI stands for Système International units. (That's just
a fancy way of saying "metric system".)
ls lists information about files of any type. Options and file arguments can be intermixed in any order.
If the file argument is actually a directory name, ls lists its contents. For regular files ls lists just the file name. If no arguments are specified ls lists the contents of the current directory.
Output to the console
is displayed
in columns -- sorted vertically.
Unprintable characters
are shown as question marks (?). If the output is redirected to
a file ( ls *.dat > filelist )
the output is listed one file per line and
any unprintable characters are output as-is.
Two special directory names are
"." and "..",
called dot and dot-dot.
These represent the current directory and the parent directory.
Thus for example ..\foo.dat represents
the file foo.dat at one directory level above the current directory.
You can use wildcards such as * and ? to match
one or more files. The * matches any number
of characters, while ? matches exactly one character. Thus for
example *.da? matches
foo.dat and yum.day,
but not fab.dog.
Wildcards are searched using the native NTFS Application
Programming Interface (API) for maximum speed.
Try
ls -ld \\server\c$\windows\system32\*.
Assuming you have permission on the server, it
will take only a few seconds to report a list of several thousand files.
The following is the complete list of command options for ls.
Because GNU ls
is such a fundamental utility, it has accumulated
many options over the years.
Msls adds even more options to display information on
Microsoft's FAT and NTFS file systems.
The options are grouped into categories and described in the sections below.
These options affect kind of the information that ls displays.
--acls [=style]
none - Do not show the ACL at all. Instead return
the dummy mode string -rw-rw-rw-,
modulo any file attributes
(such as Read Only).
This is the default if the file system is not a local hard disk.
(See --fast and --slow.)
FAT file systems always return -rw-rw-rw-.
short - Show a summary of the ACL in the mode string.
For the format of the mode string see File Permissions
and --format=long.
This is the default if the file system
is a local hard disk.
long - Show the complete ACL in a long encoded
SDDL string. ls attempts to
prettify the string somewhat by substituting user names for
SID strings and by substituting common file masks with text descriptions.
For example, “Read” is substituted for 0x1200A9.
With the -n option the string is shown as-is with no substitutions.
very-long - Break out the entire ACL in a
very verbose format. The output style is similar to the CACLS.EXE
utility. ls attempts to make the descriptions
as intuitive as possible, at the risk of even more verbosity.
With -n display numeric SIDs in
the verbose description (see --sids).
See also --view-security.
exhaustive - Same as very-long except
show exhaustive information. Display a complete dump of
the security descriptor.
--encryption-usersReport the names of users who hold the encryption keys on encrypted files. Also report the names of the recovery agents, if any. For more information see Encrypted Files.
--fast
Do not report extended information on slow media such as networks, diskette, or CD-ROMs. For more information see Performance: --slow vs --fast.
-g
--groups [=y/n]
-G
Do not show POSIX group information in a long format directory listing. This is enabled by default on the Windows version of ls.
--gids [=style]
-n (numeric) is specified.
Implicitly sets -g if style
is not not none.
style if specified may be one of
none - Do not fetch the POSIX group SID at all. Instead show
a dummy value (0). This is the default
if --fast is specified
and the file system is not a local hard disk. FAT disks and
CD-ROMs always return 0.
short - Show short POSIX group names
(16 characters max). Strip away
the domain part of the name (domain\group) leaving
only group.
This is the default if the file system
is a local hard disk or if --slow is specified.
Implies -g.
long - Show long POSIX group names (unlimited length).
Include the domain part of the name (domain\group).
Implies -g.
-i
--inode
-K
--registry
ls -K hklm/software will show all subkeys
under HKEY_LOCAL_MACHINE\Software.-l
--format=long--format=verbose
-g),
size in bytes, and timestamp (by
default the last modification time).
For files with a time more than six months old or in the future, the timestamp contains the year instead of the time of day. If the timestamp contains today's date with the year rather than a time of day, the file's time is in the future, which means you probably have clock skew problems.
For each directory that is listed, the list of files is prefaced with a line that summarizes the count of blocks, where blocks is the total disk allocation for all files in that directory. The block size defaults to 1024 bytes, but this can be overridden (see Block size).
The ACL permissions in the mode string
(e.g., -rwxrwxrwx) are explained in
File Permissions.
Windows RT Applications: Windows 8 introduced a new runtime (RT) system for applications. These applications run in a very restricted security context that revokes all permissions, except those explicitly granted to ALL APPLICATION PACKAGES (S-1-15-2-1).
A file or directory that grants access to all WinRT apps is shown with capital letters:
-------R----------W----------XFile Attributes:
In addition to the standard Unix-style mode string,
the Windows version of ls also shows file
attributes. File attributes originated with the old MS-DOS FAT
file system, which pre-dates Microsoft Windows. File attributes
operate independently of NTFS ACL permissions. To show file attributes
Windows ls replaces the three character positions
used in Unix to indicate execute permission
(---x--x--x) since NTFS does not support
execute-only files.
---s------
------h---
---------a
---E------
--encryption-users
------T---
---------O
---------V
--virtual option to
view virtual files or registry keys.
See Vista File and Registry Virtualization.
If a file has the Read-Only attribute set this is indicated with a
capital R instead of the normal r.
Thus a file with all four attributes set (Read-Only, System, Hidden,
and Archive) will have a mode string of -R-s--h---a.
(File attributes can be changed with the utility ATTRIB.EXE.)
Finally, if a file contains embedded hidden
streams the character $
is appended to the end of the mode string. To view the names
of the hidden streams, use --streams.
-o
Produce long format directory listings, but don't display POSIX group
information. It is equivalent to using
--format=long or -l with
-G.
Since the Windows version of ls enables -G by default,
this option is equivalent to -l.
--object-idDisplay the object tracking identifier for the file (if any). For more information see Object Tracking Identifiers.
--phys-size
-l or -s to
report the physical size of the file instead of the logical size.
If the file is compressed or sparse the physical size is usually less
than the file's logical size.
(However if the file is poorly compressed
the physical size might actually be larger.)
-s
--size
--phys-size to see the physical size.
Normally the disk allocation is printed in units of 1024 bytes, but this
can be overridden (see Block
size).
--short-names
Show short 8.3 letter names, as in MS-DOS. For example, instead
of showing the file name Information.txt,
show INFORM~1.TXT.
--sids [=style]-n (numeric) is specified.
style if specified may be one of
none - Do not fetch the owner SID at all. Instead show
a dummy value (0).
This is the default if --fast
and the file system is not a local hard disk. FAT disks and
CD-ROMs always return 0.
short - Show short user names (16 characters max). Strip away
the domain part of the name (domain\user) leaving
only user. This is the default if the file system
is a local hard disk or if --slow is specified.
With -n show abbreviated numeric SIDs,
e.g., S-1-5-...-500.
long - Show long user names (unlimited length).
Include the domain part of the name (domain\user).
With -n show long numeric SIDs
e.g.,
S-1-5-21-56435836665-432874238743289-9874326432543-500.
--slow
Get extended information from slow media such as networks, diskette, or CD-ROMs. For more information see Performance: --slow vs --fast.
--streams [=y/n]
Highlight files that contain one or more embedded hidden streams.
For more information
see Hidden Streams in Files: --streams.
If --color is specified, the file is
shown with a distinctive color. If -F or -p
are specified, the file name is appended with a dollar sign ($).
In a long listing (-l)
the mode string is appended with
a dollar sign ($); see --format=long.
--token
Show your process token. This can be used to determine your elevation status on Windows Vista or Windows 7. See Viewing Your Process Token.
--user=name
Report the file permissions from the viewpoint of the user name. The mode string will be altered to show the effective file permissions from the viewpoint of the named user.
--view-securityThis will pop up the standard Windows dialog to show very detailed information on the file's ACL. The information includes special permission flags, auditing, ownership, and effective permissions.
To view effective permissions from the viewpoint of another user, press the button "Advanced", then click on on the tab "Effective Permissions". Type in or click on the name of the user whose effective permissions you want to view.
Normally the data in a file consists of a single stream of bytes. It is possible under the NTFS file system to add one or more secondary streams of bytes to a file. These are called hidden streams.
To create
or view a hidden stream, append :name
to the end of the file name.
As an example,
> ECHO "This is normal data" > myfile.txt > ECHO "This is sooper seekret" > myfile.txt:secret1 > MORE < myfile.txt:secret1 view the 'seekret'
Use the --streams option to
detect the existence of the hidden stream.
> ls -l --streams myfile.txt -rw-r----a$ 1 Alan 24 Jan 31 21:44 myfile.txt
The dollar sign ($) at the end of the mode string indicates a hidden stream. Note that the size of the hidden data does not show up in the size of the file. To view the name(s) of the hidden stream(s), use a wildcard.
> ls -l --streams my* -rw-r----a$ 1 Alan 24 Jan 31 21:44 myfile.txt -rw-r----a$ 1 Alan 39 Jan 31 21:44 myfile.txt:secret1:$DATA
If you view a directory with --streams,
ls will search every file in the directory and show the names
of every hidden stream.
Each hidden stream has a type suffix. The default type suffix is
:$DATA. Other type suffixes can be
created with undocumented APIs.
By default ls will search
for streams only on the local hard disk. (Searching for
streams over a network is a very slow operation.)
To view
streams on network folders add the --slow option.
Hidden streams were originally an attempt by Microsoft to create an object-oriented file system. This was part of the long delayed (and since abandoned) Microsoft project code-named "Cairo," to create a new operating system based on object-oriented design principles.
Use of hidden streams is rare in Microsoft Windows. The most common use is in Windows XP Service Pack 2 (SP2). SP2 uses a hidden stream to taint downloaded files with a "Security Zone" marker. The taint prevents execution by the Windows Shell.
Hidden streams are sometimes used to hide encryption keys for Digital Rights Management (DRM) in order to prevent viewing by unlicensed DRM users.
In the opinion of the author, hidden streams are a very bad and harmful mis-feature of NTFS, and he believes their use should be avoided. This is because files with hidden streams cannot be copied or backed up without special handling. And they are a hiding place for viruses and malware.
Windows Vista introduced the concept of User Account Control (UAC). With UAC an administrator does not run with administrative permissions except when he/she explicitly requests it for a specific task. Requesting permission is called elevating the task.
For example, if you open a command console (CMD.EXE) without
elevation, it will run with restricted permissions.
To view your permissions ls can display your
process token. The process token contains all of your
security credentials for accessing protected files and registry keys.
To view your process token use --token,
> ls --token Token Privileges: SeShutdownPrivilege SeChangeNotifyPrivilege ENABLED_BY_DEFAULT|ENABLED SeUndockPrivilege SeIncreaseWorkingSetPrivilege SeTimeZonePrivilege Token Groups: None MANDATORY|ENABLED_BY_DEFAULT|ENABLED Everyone MANDATORY|ENABLED_BY_DEFAULT|ENABLED Administrators USE_FOR_DENY_ONLY Users MANDATORY|ENABLED_BY_DEFAULT|ENABLED INTERACTIVE MANDATORY|ENABLED_BY_DEFAULT|ENABLED Authenticated Users MANDATORY|ENABLED_BY_DEFAULT|ENABLED This Organization MANDATORY|ENABLED_BY_DEFAULT|ENABLED S-1-5-...-2069193 MANDATORY|ENABLED_BY_DEFAULT|ENABLED|LOGON_ID LOCAL MANDATORY|ENABLED_BY_DEFAULT|ENABLED NTLM Authentication MANDATORY|ENABLED_BY_DEFAULT|ENABLED Medium Mandatory Level INTEGRITY|INTEGRITY_ENABLED Token User: Alan Token Source: 0x00000000001F92ED User32 Token Origin: SYSTEM Terminal Services Session ID: 2 Token Elevation Type: Limited Token has been filtered (restricted). File/Registry virtualization is allowed. Token Integrity Level: Medium Mandatory Level Token has TOKEN_MANDATORY_POLICY_NO_WRITE_UP. Token has TOKEN_MANDATORY_POLICY_NEW_PROCESS_MIN. Owner of new objects: Alan
The above is an example of a restricted (filtered) token, i.e., one that is not elevated.
To get an elevated command console click on
Start (lower-left corner). In the Vista or Windows 7 search box
type cmd.
While holding down the Shift and Control keys press the Enter key.
This will open a command console in elevated mode. You can verify
that the console is elevated by looking for the word “Administrator”
in the title bar.
The following is an example of an elevated token:
> ls --token Token Privileges: SeIncreaseQuotaPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeSystemProfilePrivilege SeSystemtimePrivilege SeProfileSingleProcessPrivilege SeIncreaseBasePriorityPrivilege SeCreatePagefilePrivilege SeBackupPrivilege SeRestorePrivilege SeShutdownPrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeChangeNotifyPrivilege ENABLED_BY_DEFAULT|ENABLED SeRemoteShutdownPrivilege SeUndockPrivilege SeManageVolumePrivilege SeImpersonatePrivilege ENABLED_BY_DEFAULT|ENABLED SeCreateGlobalPrivilege ENABLED_BY_DEFAULT|ENABLED SeIncreaseWorkingSetPrivilege SeTimeZonePrivilege SeCreateSymbolicLinkPrivilege Token Groups: None MANDATORY|ENABLED_BY_DEFAULT|ENABLED Everyone MANDATORY|ENABLED_BY_DEFAULT|ENABLED Administrators MANDATORY|ENABLED_BY_DEFAULT|ENABLED|OWNER Users MANDATORY|ENABLED_BY_DEFAULT|ENABLED INTERACTIVE MANDATORY|ENABLED_BY_DEFAULT|ENABLED Authenticated Users MANDATORY|ENABLED_BY_DEFAULT|ENABLED This Organization MANDATORY|ENABLED_BY_DEFAULT|ENABLED S-1-5-...-2069193 MANDATORY|ENABLED_BY_DEFAULT|ENABLED|LOGON_ID LOCAL MANDATORY|ENABLED_BY_DEFAULT|ENABLED NTLM Authentication MANDATORY|ENABLED_BY_DEFAULT|ENABLED High Mandatory Level INTEGRITY|INTEGRITY_ENABLED Token User: Alan Token Source: 0x00000000001F92ED User32 Token Origin: SYSTEM Terminal Services Session ID: 2 Token Elevation Type: Full Token Integrity Level: High Mandatory Level Token has TOKEN_MANDATORY_POLICY_NO_WRITE_UP. Owner of new objects: Administrators
When using UAC ls will show the current running token and also the associated (linked) non-elevated token.
The NTFS file system supports encryption on files. Files
can be encrypted using Windows Explorer or the command-line utility
CIPHER.EXE.
ls indicates encrypted files
with a capital E in the mode string.
> ls -l -rwE-----a 1 Alan 24 Jan 31 21:44 myfile.txt
To view the names of users who possess an encryption key for the file, use
the option --encryption-users.
> ls -l --encryption-users
> ls --en
-rwE-----a 1 Alan 24 Jan 31 21:44 myfile.txt
Encryption key: Alan(Alan@GOLLUM)
Encryption key: Ginger(Ginger@GOLLUM)
Recovery Agent: Administrator
The second example above uses the abbreviation
--en and drops the
-l because it is implied.
In this example the users Alan and Ginger possess encryption keys for the file. The user Administrator is designated as a recovery agent. A recovery agent can recover the contents of the file if the original user forgets his password.
Upon recovery all encryption keys are erased. You can detect that
the administrator recovered your file
if --enc shows that your encryption key
is no longer listed. (This is because nobody has access to your
encryption key except yourself, not even system administrators.)
If you no longer see your name or group listed, it means that
someone with a Recovery Agent password has forced (recovered) access to your
private encrypted file.
The NTFS file system uses object tracking identifiers to
track files and directories. They are invisible to most applications.
To view the object tracking identifier on a file or folder,
use the option --object-id.
> ls -l --object-id
> ls --obj
drwxr-x--- 1 Alan 0 Nov 4 12:59 File1.txt
drwxr-x--- 1 Alan 0 Nov 5 18:24 File2.txt
Object ID: 9f 87 14 e4 cf 8b dc 11 b1 fc 00 50 56 c0 00 01
70 6b 86 38 56 ac 92 4d b1 e0 79 a6 7b de 93 55
9f 87 14 e4 cf 8b dc 11 b1 fc 00 50 56 c0 00 01
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ObjectID: {e414879f-8bcf-11dc-b1fc-005056c00001}
BirthVolumeID: {38866b70-ac56-4d92-b1e0-79a67bde9355}
BirthObjectID: {e414879f-8bcf-11dc-b1fc-005056c00001}
The example above uses the abbreviation
--obj and drops the
-l because it is implied.
In the example the file named File2.txt has an object tracking
ID. The object tracking information is always exactly 48 bytes long.
By convention the data is grouped into four 16-byte Globally Unique
Identifiers (GUIDs). The first GUID is uniquely identifies the file,
the second GUID identifies the Volume ID where the file was
originally created (“born”), the third GUID is the
ID that was originally assigned when the file was born,
and the fourth GUID identifies the network domain (if any).
The data can be interpreted in any
way by the application. Object IDs are typically used by the Windows Shell
to track the movement
of the target of a file shortcut (.LNK suffix).
The Distributed Link Tracking Service on a file server
maintains a database of object IDs to permit tracking of
orphan .LNK targets across the network. Finally, the
NT File Replication Service (NTFRS) uses object IDs on the SYSVOL
volume to track the
replication of files between domain controllers.
Some types of extended information will cause ls to run slowly
if they are used on slow media such as network folders, diskettes,
or CD-ROMs. The --fast option limits the reporting of
extended information on slow media.
The following types of extended information are considered "slow":
--acls
--sids and --gids
--streams
--encryption-users
--object-id
--inode
If neither
--slow nor
--fast are specified,
the --fast option is implied by default
unless you include one one of the slow options listed above
(--acls, --sids, etc).
If you explicitly add --fast on the
command line, it disables
all slow options when used on slow media,
regardless of the inclusion any slow options on the command line.
If you explicitly add the --slow option
on the command line, it will report all extended information
regardless of the type of media.
You can force ls to use either option by appending
--fast
or --slow to the LS_OPTIONS environment
variable. See customizing ls.
These options determine which files ls lists information for. By
default, all files and the contents of all directories listed
on the command line are shown. When showing the contents of directories,
files beginning with . (dot) are skipped.
-a
--all
.. -A
--almost-all
. and
... -B
--ignore-backups
~, unless they are given on
the command line. -d
--directory
List just the names of directories, as with other types of files, rather than listing their contents.
-I PATTERN
--ignore=PATTERN
. in a file name does not match a
wildcard at the start of pattern. Sometimes it is useful to give
this option several times. For example, ls --ignore ".??*" --ignore ".[^.]" --ignore "#*"
The first option ignores names of length 3 or more that start with
., the second ignores all two-character names that start with
. except .., and the third ignores names that start
with #.
-L
--dereference
-R
--recursive
List the contents of all directories recursively.
--virtual
On Windows Vista or Windows 7 show the virtual view of files and registry keys. This option has no effect on older operating systems. See Vista File and Registry Virtualization.
--32
On a 64-bit operating system show the 32-bit view of files and registry keys. The option has no effect on 32-bit operating systems.
--64
On a 64-bit operating system show the 64-bit view of files and registry keys. This is the default on 64-bit operating systems. The option has no effect on 32-bit operating systems.
ls is aware of 64-bit operating systems. ls
is not fooled by 32-bit/64-bit folder direction. For
example if you attempt to view the
folder \Windows\System32 on a 64-bit operating system,
ls will show the actual contents of the folder. It will not
show the 32-bit shadow folder \Windows\SysWOW64.
To show the "redirected" view of the file tree
(that is, the view as seen by 32-bit
applications) use the option --32.
If you view the contents of a
registry key with the -K option,
ls will show the real registry contents. For example if you attempt to
view the Software registry key HKLM\Software,
ls will show you the actual contents of the key. It will not
show (as 32-bit apps would)
the redirected shadow key
HKLM\Software\WOW6432Node.
To show the "redirected" view of the registry tree
(that is, the view as seen by 32-bit
applications) use the option -K --32.
ls is aware of file virtualization and registry virtualization that was introduced in Windows Vista.
Virtualization is triggered whenever you run a legacy pre-Vista application in non-elevated mode. Virtualization fools these legacy applications into believing they can install files in C:\Program Files and registry values in HKEY_LOCAL_MACHINE\Software.
Instead the files are redirected to C:\Users\<username>\AppData\Local\VirtualStore\Program Files. The registry values are redirected to HKEY_CURRENT_USER\Software\ VirtualStore\MACHINE\Software.
To show the virtual view of the file tree or registry tree
(that is, the view as seen by legacy
applications not running in elevated mode) use the option
--virtual.
Files and registry values that are virtual are indicated by
a capital V in the mode string:
> ls -l --virt "C:\Program Files"
drwxr-x--V 1 Alan 0 Oct 2 18:48 MyApplication
dr-xr-x--- 1 TrustedInstaller 0 Sep 21 20:01 Common Files
dr-xr-x--- 1 TrustedInstaller 0 Aug 15 23:47 Internet Explorer
dr-xr-x--- 1 SYSTEM 0 Sep 6 11:45 Microsoft Office
dr-xr-x--- 1 TrustedInstaller 0 Sep 11 23:40 Windows Mail
dr-xr-x--- 1 TrustedInstaller 0 Nov 2 2006 Windows Photo Gallery
dr-xr-x--- 1 TrustedInstaller 0 Nov 2 2006 Windows Sidebar
In the above example MyApplication is a virtual folder.
Registry keys work similarly.
> ls -K -l --virt HKLM\Software\Algin
dr-xr-x--- 1 Administrators 0 Aug 16 01:19 License
-rwx------ 1 SYSTEM 19 Oct 3 10:10 PathWWWRoot
REG_SZ="C:\Inetpub\wwwroot"
-rwx-----V 1 SYSTEM 4 Oct 3 10:10 MyValue
REG_DWORD=1 (0x00000001)
In the above example MyValue is a virtual registry value.
These options change the order in which ls sorts the information it outputs. By default, sorting is done in the order of the user's default code page (e.g., ISO-8859-1 for the Western Latin character set).
-c
--time=ctime
-l, -o) is
being used, print the creation time
instead of the modification time. When explicitly sorting by time
(--sort=time or
-t) or when not using a long listing
format, sort according to the creation time. -f
-U but also enable
-a (list
all files) and disable -l,
--color, and
-s (if they were specified before
the -f). -r
--reverse
-S
--sort=size
-t
--sort=time
mtime in the inode), newest
first. -u
--time=atime
--time=access
--format=long or -l) is being
used, print the last access time (the atime in the inode). When
explicitly sorting by time
(--sort=time or -t) or
when not using a long listing format, sort according to the access time. -U
--sort=none
-v
--sort=version
-X
--sort=extension
.); files with no extension are sorted first.
--sort=case
The version sort takes into account the fact that file names frequently include indices or version numbers. Standard sorting functions usually do not produce the ordering that people expect because comparisons are made on a character-by-character basis. The version sort addresses this problem, and is especially useful when browsing directories that contain many files with indices/version numbers in their names:
> ls -1 > ls -1v
foo.zml-1.gz foo.zml-1.gz
foo.zml-100.gz foo.zml-2.gz
foo.zml-12.gz foo.zml-6.gz
foo.zml-13.gz foo.zml-12.gz
foo.zml-2.gz foo.zml-13.gz
foo.zml-25.gz foo.zml-25.gz
foo.zml-6.gz foo.zml-100.gz
Numeric parts with leading zeroes are considered a fraction:
> ls -1 > ls -1v
abc-1.007.tgz abc-1.007.tgz
abc-1.012b.tgz abc-1.01a.tgz
abc-1.01a.tgz abc-1.012b.tgz
These options affect the appearance of the overall output.
-1
--format=single-column
--ansi-cp
--oem-cp.
You may need to explicitly specify --ansi-cp
in order to display files that contain CJK (Chinese/Japanese/Korean)
characters in a console window running under the Multilingual User Interface
(MUI) editions of Windows. This is because in the MUI editions of Windows
the default console OEM character set is always US-English, which is
incorrect for the display of CJK file names.
-C
--format=vertical
-D
--dired
This option is used only within the
EMACS text editor. With the long listing (-l) format, print an additional line
after the main output:
//DIRED// beg1 end1 beg2 end2 ...
The begN and endN are unsigned integers that record the byte position of the beginning and end of each file name in the output. This makes it easy for EMACS to find the names, even when they contain unusual characters such as space or newline, without fancy searching.
If directories are being listed recursively (-R), output a
similar line after each subdirectory:
//SUBDIRED// format beg1 end1 ...
Finally, output a line of the form:
//DIRED-OPTIONS// --quoting-style=wordwhere word is the quoting style (see Formatting the file names).
-F
--classify
--indicator-style=classify
Append one of the characters *\@$ to
indicate the file type. The characters denote an executable
file *, a directory \, a
symbolic link @, or a hidden stream $,
respectively.
-h
-H
--human-readable
Append a size letter such as M for megabytes to each size.
Powers of 1024 are used, not 1000; M stands for 1,048,576 bytes.
Use the --si option if you prefer powers of 1000.
--si
Append a size letter such as M for megabytes to each size.
(SI is the International System of Units, which defines these letters as
suffixes.) Powers of 1000 are used, not 1024; M stands for
1,000,000 bytes. Use the -h or
--human-readable
option if you prefer powers of 1024.
--indicator-style=word
Append a character indicator with style word to entry names.
none -
Do not append any character indicator; this is the default.
file-type -
Append \ for directories, @ for symbolic
links, $ for a hidden stream, and nothing for
regular files. This is the same as the -p or
--file-type option.
classify -
Append * for executable regular files, otherwise behave as
for file-type. This is the same as the -F or
--classify option.
-k
--kilobytes
-m
--format=commas
, (a comma and a space).
-M
--moremore: ls | more.
This option was added to the
Windows version of ls to work around the problem.
-n
--numeric-uid-gid
List the numeric UID and GID instead of the names.
--oem-cp
Display the output using the OEM code page. This is the
default when displaying the output to a console window that is
using a raster font (not a TrueType font).
See --ansi-cp.
-p
--file-type
--indicator-style=file-type
Append a character to each file name indicating the file type. This is
like -F, except that executables are not marked.
-x format
--format=across
--format=horizontal
List the files in columns, sorted horizontally.
-T cols
--tabsize=cols
Assume that each tabstop is cols columns wide. The default is eight characters. ls uses tabs where possible in the output, for efficiency. If cols is zero, do not use tabs at all.
-w cols
--width=cols
Assume the screen is cols columns wide. The default is taken
from the terminal settings if possible; otherwise the environment variable
COLUMNS is used if it is set; otherwise the default is 80.
ls can display file sizes in "blocks". You can adjust the block size to make file sizes easier to read. The block size used for display is independent of any filesystem block size.
Normally, disk usage sizes are rounded up, disk free space sizes are rounded down, and other sizes are rounded to the nearest value with ties rounding to an even value.
The default block size is chosen by examining the following environment variables in turn; the first one that is set determines the block size.
LS_BLOCK_SIZE
POSIXLY_CORRECT
LS_BLOCK_SIZE is not set, but this variable is set, the block
size defaults to 512. If none of the above environment variables are set, the block size defaults to 1024 bytes.
A block size specification can be a positive integer specifying the number of
bytes per block, or it can be human-readable or si to
select a human-readable format.
With human-readable formats, output sizes are followed by a size letter such
as M for megabytes. LS_BLOCK_SIZE=human-readable uses
powers of 1024; M stands for 1,048,576 bytes.
LS_BLOCK_SIZE=si is similar, but uses powers of 1000; M
stands for 1,000,000 bytes. (SI, the International System of Units, defines
these power-of-1000 suffixes.)
An integer block size can be followed by a size letter to specify a multiple
of that size. When this notation is used, the size letters normally stand for
powers of 1024, and can be followed by an optional B for "byte";
but if followed by D (for "decimal byte"), they stand for powers of
1000. For example, LS_BLOCK_SIZE=4MB is equivalent to
LS_BLOCK_SIZE=4194304, and LS_BLOCK_SIZE=4MD is equivalent
to LS_BLOCK_SIZE=4000000.
The following size letters are defined. Large sizes like 1Y may
be rejected by your computer due to limitations of its arithmetic.
k
human-readable, or 10^3 = 1000 for
si. M
G
T
P
E
Z
Y
Block size defaults can be overridden by an explicit
--block-size=size
option. The -k or
--kilobytes
option is equivalent to --block-size=1k,
which is the default unless the POSIXLY_CORRECT environment
variable is set. The -h or
--human-readable option is
equivalent to --block-size=human-readable. The
--si
option is equivalent to --block-size=si.
By default, file timestamps are listed in abbreviated form. Most locales use a timestamp like ‘2002-03-30 23:45’. However, the default POSIX locale uses a date like ‘Mar 30 2002’ for non-recent timestamps, and a date-without-year and time like ‘Mar 30 23:45’ for recent timestamps.
A timestamp is considered to be recent if it is less than six
months old, and is not dated in the future. If a timestamp dated
today is not listed in recent form, the timestamp is in the future,
which means you probably have clock skew problems which may break
programs like nmake that rely on file timestamps.
The following option changes how file timestamps are printed.
--full-time
List times using full precision, rather than using an abbreviation. This is useful when you need to know the exact file time down to the nearest second. For example, this can help when you have a Makefile that is not regenerating files properly.
--time-style=styleList timestamps in style style. The style should be one of the following:
strftime().
For example, --time-style="+%Y-%m-%d %H:%M:%S" causes
ls to list timestamps like ‘2002-03-30 23:45:56’.
If format contains two format strings separated by a
an exclamation sign (!),
the former is used for non-recent files and the latter for recent
files. If you want output columns to line up, you may need to insert
spaces in one of the two formats.
full-isolong-isoiso- List ISO 8601 dates for non-recent timestamps (e.g.,
‘2002-03-30 ’), and ISO 8601 month, day, hour, and
minute for recent timestamps (e.g., ‘03-30 23:45’). These
timestamps are uglier than ‘long-iso’ timestamps, but they carry
nearly the same information in a smaller space and their brevity helps
ls output fit within traditional 80-column output lines.
The following two invocations are equivalent:
ls -l --time-style="+%Y-%m-%d!%m-%d %H:%M"
ls -l --time-style="iso"
locale- List timestamps in a locale-dependent form. For example, a Finnish
locale might list non-recent timestamps like ‘maalis 30 2002’
and recent timestamps like ‘maalis 30 23:45’. Locale-dependent
timestamps typically consume more space than
iso timestamps and
are harder for programs to parse because locale conventions vary so
widely, but they are easier for many people to read.
The default POSIX locale uses timestamps like ‘Mar 30 2002’ and ‘Mar 30 23:45’; in this locale, the following two
ls invocations are equivalent:
ls -l --time-style="+%b %d %Y!%b %d %H:%M"
ls -l --time-style="locale"
You can specify the default value of the --time-style option
with the environment variable TIME_STYLE. If TIME_STYLE is not set
the default style is locale.
These options change how file names themselves are printed.
-b
--escape
--quoting-style=escape
Quote nongraphic characters in file names using alphabetic and octal backslash sequences like those used in the C programming language.
--color [=when]
none - Do not use color at all. This is the default.
auto - Only use color if standard output is a command console.
always - Always use color.
To customize the choice of colors use the dircolors utility.
Specifying --color
without when is equivalent to
--color=always.
Due to a design mistake by Microsoft in the way that the Windows console works,
--color=always
has no affect when piping a colorized listing through a pager
like more (for example ls | more). Instead the
-M (or --more) option was added to the
Windows version of ls to work around the problem.
See --more.
--compressed
Show compressed files with a distinct color.
Implies --color.
-N
--literal
-q
--hide-control-chars
-Q
--quote-name
--quoting-style=c
Enclose file names in double quotes. Quote nongraphic characters as in the C programming language.
--quoting-style=word
literal
shell
shell-always
c
-Q or --quote-name option. escape
c except omit the surrounding double-quote
characters; this is the same as the -b or --escape
option. clocale
c except use quotation marks appropriate for
the locale. locale
clocale, but quote `like this' instead of
"like this" in the default C locale. This looks nicer on many
displays. You can specify the default value of the --quoting-style
option with the environment variable QUOTING_STYLE.
--recent [=n]
Show files that have changed within the last n minutes
using a distinctive color marking. When n is omitted the default
is the last 60 minutes. Implies --color.
When using a 'smart' console window such as
xterm, rxvt, or
EMACS the name of the
file is underlined. When using a DOS console window ls
displays intense white letters; for special files it displays the special
color of the file inverted with the background color.
--show-control-chars
Use the environment variable LS_OPTIONS to set default options.
The author recommends the following settings for LS_OPTIONS:
-bhAC --more --color=auto --recent --streams
You can set LS_OPTIONS as part of a your DOS console initialization. In your DOS console shortcut, right-click on Properties and set the Target to
%SystemRoot%\system32\cmd.exe /K C:\lbin\console.bat
Then put the following information in the file C:\lbin\console.bat:
@echo off rem rem Set options for ls rem set LS_OPTIONS=-bhAC --more --color=auto --recent --streams
Another method is to set the LS_OPTIONS environment variable
using the Control Panel.
(The following instructions will vary slightly depending on the
version of Microsoft Windows.)
Click on Control Panel -> System.
Click on the Advanced tab and the button Environment Variables.
Click on the button New. For the Variable Name type LS_OPTIONS.
For the Variable Value type
-bhAC --more --color=auto --recent --streams
Note: If you put "slow" options in LS_OPTIONS, it will
not force the activation
of "slow mode". For example,
if you put --streams
into LS_OPTIONS, it does not force the use of slow mode when viewing
files over a network.
If you do want to use slow mode all the time,
you must explicitly add --slow in LS_OPTIONS.
For more information on performance issues,
see Performance: --slow vs --fast.
dircolors outputs a sequence of shell commands to set up the terminal for color output from ls.
If file is specified, dircolors reads it to determine
which colors to use for which file types and extensions. Otherwise, a
precompiled database is used. For details on the format of these files, run
dircolors --print-database.
The output is a shell command to set the LS_COLORS environment
variable. You can specify the shell syntax to use on the command line, or
dircolors will guess it from the value of the SHELL
environment variable.
The program accepts the following options.
-b
--sh
--bourne-shell
SHELL environment variable is set and does not end with
csh or tcsh. -c
--csh
--c-shell
SHELL ends
with csh or tcsh. --dos
--dos-shell
SHELL
is missing. -p
--print-database
#
# Configuration file for dircolors, a utility to help you set the
# LS_COLORS environment variable used by GNU ls with the --color option.
# The keywords COLOR, OPTIONS, and EIGHTBIT (honored by the
# slackware version of dircolors) are recognized but ignored.
# Below, there should be one TERM entry for each termtype that is colorizable
TERM console
TERM xterm
TERM xterm-debian
TERM rxvt
TERM screen
TERM screen-w
TERM vt100
# Below are the color init strings for the basic file types. A color init
# string consists of one or more of the following numeric codes:
# Attribute codes:
# 00=none 01=bold 04=underscore 05=blink 07=reverse 08=concealed
# Text color codes:
# 30=black 31=red 32=green 33=yellow 34=blue 35=magenta 36=cyan 37=white
# Background color codes:
# 40=black 41=red 42=green 43=yellow 44=blue 45=magenta 46=cyan 47=white
NORMAL 00 # global default, although everything should be something.
FILE 00 # normal file
DIR 01;32 # directory
LINK 01;34 # symbolic link. (If you set this to 'target' instead of a
# numerical value, the color is as for the file pointed to.)
FIFO 40;33 # pipe
SOCK 01;35 # socket
DOOR 01;35 # door
BLK 40;33 # block device driver
CHR 40;33 # character device driver
ORPHAN 40;31;01 # symlink to nonexistent file
# This is for files with execute permission:
EXEC 01;33
# Highlight recently modified files - underscore
RECENT ;04 # leading semicolon required
# Highlight compressed files - bright cyan
COMPRESSED ;01;36 # leading semicolon required
# Highlight files with embedded streams - blue
STREAMS ;01;34 # leading semicolon required
# List any file extensions like '.gz' or '.tar' that you would like ls
# to colorize below. Put the extension, a space, and the color init string.
# (and any comments you want to add after a '#')
# DOS-style suffixes:
.cmd 01;33 # executables (bright yellow)
.bat 01;33
.exe 01;33
.com 01;33
#.dll 01;33
#.sys 01;33
.tar 01;36 # archives or compressed (bright cyan)
.tgz 01;36
.arj 01;36
.taz 01;36
.lzh 01;36
.zip 01;36
.z 01;36
.Z 01;36
.gz 01;36
.bz2 01;36
.deb 01;36
.rpm 01;36
# image formats (magenta)
.jpg 01;35
.png 01;35
.gif 01;35
.bmp 01;35
.ppm 01;35
.tga 01;35
.xbm 01;35
.xpm 01;35
.tif 01;35
.cdr 01;35
.mpg 01;35
.wmv 01;35
.avi 01;35
.fli 01;35
.gl 01;35
.dl 01;35
Given this file as input, dircolors will print the following output:
@echo off rem rem Batch script for setting file colors for ls.exe rem set LS_COLORS=no=00:fi=00:di=01;32:ln=01;34:pi=40;33:so=01;35:do=01;35: bd=40;33:cd=40;33:or=40;31;01:ex=01;33:re=;04:co=;01;36:st=;01;34: *.cmd=01;33:*.bat=01;33:*.exe=01;33:*.com=01;33:*.tar=01;36: *.tgz=01;36:*.arj=01;36:*.taz=01;36:*.lzh=01;36:*.zip=01;36: *.z=01;36:*.Z=01;36:*.gz=01;36:*.bz2=01;36:*.deb=01;36:*.rpm=01;36: *.jpg=01;35:*.png=01;35:*.gif=01;35:*.bmp=01;35:*.ppm=01;35:*.tga=01;35: *.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.cdr=01;35:*.mpg=01;35: *.wmv=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:
(Splice the set line together so that it forms
a single line.) You can run this batch script from your shortcut icon:
cmd.exe /K c:\lbin\console.bat
Or cut-and-paste the
above string (starting with "no=00:...") into the Environment Settings dialog for the System
applet in the Control Panel, using the environment variable
name LS_COLORS.
msls, aka Windows ls, was adapted from GNU ls,
written by Richard Stallman and David MacKenzie. The Microsoft Windows
extensions were written by Alan Klietz.
This document was adapted from the GNU fileutils
documentation for ls, originally written
written by David MacKenzie and Jim Meyering.
Please send feedback and bug reports regarding the Windows version of ls (msls)
to msls@u-tools·.
Microsoft Windows modifications copyright © U-Tools Software LLC.
Distributed under GNU General Public License version 2.