How to unmask hidden files on USB drives on Windows

Written by Luis Adame on 16 Nov, 2017

A few days ago, someone suddenly asked me for my flash drive. He was an acquaintance of mine, so I gracefully handed it over; he also seemed to be in a rush, so I didn’t think carefully about it.

Half an hour later I asked him for the USB drive back because I noticed he wasn’t using it anymore. I took the drive and inserted it into a machine (not my personal one, thankfully) and, weirdly, all of the files on the drive had the appearance of a shortcut icon. At first I didn’t care much because I was able to browse my files perfectly. However, when I opened these on my machine, Windows threw an error:

F:\Manuel.doc does not exists

This could only mean one thing: when I opened one of those “shortcuts”, something ran in the background before the files and directories were opened. Note: when I opened the directories, they opened in a new window. So I inspected the properties of the shortcuts: the target was a command that referenced another file to execute, which was a VBScript. I couldn’t find that script, which according to the shortcut properties was located on my flash drive.

I ran a scan on the drive and some kind of worm was detected, which the antivirus deleted. This part was critical because now there wasn’t a script running in the background doing whatever malicious actions it would do. However, the shortcuts were still there. I opened a command window and inspected the contents of the drive (showing the hidden files as well) and my files were there. So I did a little research and found that, much like chmod on Unix systems handles file permissions, Windows has a command that handles file attributes: attrib.

So the attrib syntax looks like this: attrib [{+r|-r}] [{+a|-a}] [{+s|-s}] [{+h|-h}] [[Drive:][Path] FileName] [/s[/d]]

You can read more about this command here.

After reading how this command worked I ran the following:

attrib -h -s "*.*" /s /d

This means: remove the hidden and system file attributes from every file and folder.

According to the source linked above these options do:

  • /s: Applies attrib and any command-line options to matching files in the current directory and all of its subdirectories.
  • /d: Applies attrib and any command-line options to directories.

The process actually took a while because it changed the attributes on a lot of files that were stored on the drive, but at the end of the day it solved the problem, which is what matters.
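The checks described above (inspecting each shortcut's target and listing the hidden originals before clearing their attributes) can be scripted. The following PowerShell is an added example, not part of the original post; it assumes the drive is F:\ (the letter in the error message above), and the parameter names are hypothetical.

```powershell
# Added example: audit a removable drive for decoy shortcuts and hidden originals.
# Assumption: the drive is F:\ ; pass -Root to use another letter.
param(
    [string]$Root = 'F:\',
    [switch]$Unhide    # without this switch the script only reports
)

# Windows' own hidden system folders on a volume root; leave them alone.
$skip  = 'System Volume Information', '$RECYCLE.BIN'
$mask  = [int]([IO.FileAttributes]::Hidden -bor [IO.FileAttributes]::System)
$shell = New-Object -ComObject WScript.Shell

# -Force makes Get-ChildItem return hidden and system items too.
$top   = Get-ChildItem -LiteralPath $Root -Force | Where-Object { $skip -notcontains $_.Name }
$items = @($top) + @($top | Where-Object { $_.PSIsContainer } |
             Get-ChildItem -Recurse -Force -ErrorAction SilentlyContinue)

$hidden = @($items | Where-Object { ([int]$_.Attributes -band $mask) -ne 0 })

# For every .lnk, show what it really launches and whether a hidden item with
# the same name sits next to it (e.g. "Manuel.doc.lnk" beside a hidden "Manuel.doc").
$report = foreach ($f in ($items | Where-Object { $_.Extension -eq '.lnk' })) {
    $lnk  = $shell.CreateShortcut($f.FullName)   # loads the shortcut; nothing is saved
    $twin = Join-Path $f.DirectoryName $f.BaseName
    [pscustomobject]@{
        Shortcut   = $f.FullName
        Target     = $lnk.TargetPath
        Arguments  = $lnk.Arguments
        HiddenTwin = ($hidden.FullName -contains $twin)
    }
}
$report | Format-List
"Hidden/system items found: $($hidden.Count)"

if ($Unhide) {
    foreach ($h in $hidden) {
        # Clear only the Hidden and System bits, keep every other attribute.
        $h.Attributes = [IO.FileAttributes]([int]$h.Attributes -band (-bnot $mask))
    }
    "Cleared Hidden/System on $($hidden.Count) items."
}
```

Run it without -Unhide first and review the Target and Arguments columns; shortcuts with HiddenTwin set to True are the decoys and can be deleted once the originals are visible again.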