cheat sheet
attrib
View and modify Windows file attributes (hidden, read-only, system, archive) from the command line. Covers all attribute flags, recursive operations, and practical recipes for unhiding malware-hidden files and managing backups.
attrib — File Attribute Manager
What it is
attrib is a built-in Windows command-line utility — present in every version of Windows since MS-DOS — that reads and writes the NTFS/FAT attribute bits stored on files and folders: hidden, read-only, system, archive, and several others. It ships with cmd.exe and runs unchanged in PowerShell; no installation is needed. Reach for it when you need scriptable, batch-friendly attribute control; for richer attribute work from PowerShell, prefer Set-ItemProperty or the [System.IO.FileAttributes] enum instead.
Availability
attrib is a built-in Windows command. It requires no installation and is available in all Windows versions from Windows 95 onward, including Windows 10, 11, and Windows Server editions.
attrib /?
Output:
Displays or changes file attributes.
ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [+O | -O] [+I | -I] [+X | -X] [+P | -P] [+U | -U]
[+B | -B] [drive:][path][filename] [/S [/D] [/L]]
Syntax
attrib takes an optional sequence of + (set) or - (clear) attribute codes, followed by a file or wildcard target. Multiple attribute codes can be combined in a single call; without any code, the command displays current attributes.
attrib [+|- ATTR ...] [drive:][path][filename] [/S [/D] [/L]]
Output: (none — exits 0 on success when modifying; displays attribute list when viewing)
Attribute reference
Each attribute is represented by a single letter. attrib can read all of them but can only set or clear R, A, S, H, I, O, X, P, and U; the Compressed (C) and Encrypted (E) bits are managed by the filesystem and cannot be changed with attrib.
| Code | Attribute | Description |
|---|---|---|
| R | Read-only | Prevents modification or deletion of the file |
| A | Archive | Set when file is new or modified; cleared by backup tools after a backup |
| S | System | Marks OS-critical files; hidden from normal dir listing by default |
| H | Hidden | File is invisible in Explorer and dir without /A |
| I | Not Content Indexed | Excludes file from Windows Search indexing |
| O | Offline | Data is not immediately available (HSM / cloud tiering) |
| X | No Scrub | Skipped by Storage Spaces integrity scans |
| P | Pinned | Kept locally cached (OneDrive / cloud storage) |
| U | Unpinned | Released to cloud-only storage |
| B | SMR Blob | Shingled Magnetic Recording (SMR) blob — used by storage providers to tag data tiered to host-managed SMR disks |
| L | Reparse point | Symbolic link or junction (read-only; cannot be set with attrib) |
| C | Compressed | NTFS compressed (cannot be set with attrib) |
| E | Encrypted | EFS encrypted (cannot be set with attrib) |
Viewing attributes
Running attrib without + or - modifiers prints the current attribute set for each matched file. The output shows codes in a fixed-width column; a space in that position means the attribute is not set.
attrib C:\Windows\System32\notepad.exe
Output:
A C:\Windows\System32\notepad.exe
attrib C:\Users\alice\Documents\*
Output:
A H C:\Users\alice\Documents\desktop.ini
A C:\Users\alice\Documents\report.docx
A C:\Users\alice\Documents\budget.xlsx
rem Show attributes recursively in a folder
attrib C:\Projects\myapp\* /S /D
Output:
A C:\Projects\myapp\README.md
A C:\Projects\myapp\src\main.py
A H C:\Projects\myapp\.git
Setting attributes
Prefix an attribute code with + to enable it. Attributes can be stacked in any order; attrib applies them all in one pass.
rem Make a file read-only
attrib +R C:\Data\config.ini
Output: (none — exits 0 on success)
rem Make a file hidden
attrib +H C:\Backup\backup_key.txt
Output: (none — exits 0 on success)
rem Set multiple attributes at once
attrib +R +H C:\System\bootstrap.dat
Output: (none — exits 0 on success)
rem Add the archive bit to every .log file in a folder
attrib +A C:\Logs\*.log
Output: (none — exits 0 on success)
Clearing attributes
Prefix with - to remove an attribute. This is the most common use case when files have been hidden by malware or locked as read-only.
rem Remove read-only
attrib -R C:\Data\config.ini
Output: (none — exits 0 on success)
rem Unhide a file
attrib -H C:\Backup\backup_key.txt
Output: (none — exits 0 on success)
rem Clear all common restrictive attributes in one command
attrib -R -A -S -H C:\Quarantine\suspect.exe
Output: (none — exits 0 on success)
Recursive operations
The /S switch extends the operation to all matching files in subdirectories. Adding /D also applies the change to the subdirectory entries themselves, not only the files inside them. /L operates on the symbolic link itself rather than its target.
rem View attributes for all files recursively
attrib C:\Users\alicedev\Documents\* /S
Output:
A C:\Users\alicedev\Documents\notes.txt
A C:\Users\alicedev\Documents\Archive\old.docx
rem Clear the read-only flag on every file in a project tree
attrib -R C:\Projects\myapp\* /S
Output: (none — exits 0 on success)
rem Include directories themselves in the attribute change
attrib -H C:\Projects\myapp\* /S /D
Output: (none — exits 0 on success)
rem Clear archive bit on all .bak files recursively (backup script reset)
attrib -A C:\Backups\*.bak /S
Output: (none — exits 0 on success)
Hidden files and folders
The hidden attribute (H) causes Windows Explorer and dir to omit a file from listings by default. Combined with the system attribute (S), a file disappears even from dir /A:H in some contexts. This is a common malware technique — and the reason attrib -H -S is the first step when recovering files hidden by a virus.
rem Reveal all hidden files in the current directory
attrib -H *
Output: (none — exits 0 on success)
rem Reveal hidden files recursively (common after USB-worm infection)
attrib -H -S * /S /D
Output: (none — exits 0 on success)
rem Check if a specific file is hidden
attrib C:\Users\alicedev\AppData\Local\Temp\suspicious.exe
Output:
SH C:\Users\alicedev\AppData\Local\Temp\suspicious.exe
Read-only files
The read-only attribute (R) prevents write and delete operations on a file but does not block administrators from removing it (unlike NTFS permissions, which are enforced differently). It is the right tool for config files and templates you want to protect from accidental edits.
rem Lock a config template
attrib +R C:\Apps\myapp\defaults.ini
Output: (none — exits 0 on success)
rem Unlock an entire folder of config files for editing
attrib -R C:\Apps\myapp\*.ini
Output: (none — exits 0 on success)
rem Make all files in a folder read-only
attrib +R C:\Releases\v1.0\* /S
Output: (none — exits 0 on success)
Archive bit and backup scripts
The archive attribute (A) is automatically set by Windows when a file is created or modified. Backup software conventionally clears A after it copies a file, providing a simple changed-file filter. You can reset it manually to force files into the next incremental backup or clear it to exclude files.
rem Force all .docx files to appear changed to the backup tool
attrib +A C:\Users\alicedev\Documents\*.docx /S
Output: (none — exits 0 on success)
rem Clear archive bit after manual backup (mark as backed up)
attrib -A C:\Backups\manual\* /S
Output: (none — exits 0 on success)
rem List only files that have been modified since last backup (archive bit set)
dir /A:A C:\Projects\myapp\* /S /B
Output:
C:\Projects\myapp\src\main.py
C:\Projects\myapp\README.md
Common pitfalls
- System attribute blocks removal — attrib -H file may leave S set; always clear both: attrib -H -S file. Files with S set can still appear hidden in Explorer.
- /S without a wildcard skips subfolders — attrib +R C:\Folder /S only changes Folder itself; use attrib +R C:\Folder\* /S to include contents.
- attrib cannot set Compressed or Encrypted — these are NTFS metadata, not attribute bits. Use compact or cipher respectively.
- Read-only ≠ NTFS write-deny — attrib +R sets a soft flag that cmd/Explorer honours; applications calling the Win32 API with the right flags can still write past it. For real enforcement, use NTFS ACLs (icacls).
- UAC / admin rights needed for system files — modifying attributes on files under C:\Windows or C:\Program Files requires an elevated prompt. Opening CMD as Administrator silently suppresses the "Access is denied" error.
- Wildcards don't match across drive roots — attrib * /S from C:\ does not recurse into every folder on the drive; run from the specific root you mean to target.
Real-world recipes
Recover files hidden by a USB worm
Malware (notably autorun-based worms) hides user files and replaces them with shortcuts, using attrib +H +S. This restores them.
rem Run from the affected drive root (e.g. E:\)
attrib -H -S -R * /S /D
Output: (none — exits 0 on success)
After running this, the hidden files reappear and the shortcut files can be deleted.
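An audit pass to run before the blanket attrib -H -S -R above, as an added example that is not part of the original cheat sheet: it lists every item carrying both Hidden and System, marks the names Windows itself flags that way, and notes a same-named .lnk sitting beside a hidden item. The function names, the exclusion list and the .lnk naming heuristic are assumptions, and the sample tree is constructed in a temp folder.

```powershell
# Added example (not from the original page). Function names, the $Expected list
# and the "<name>.lnk" decoy heuristic are assumptions made for illustration.

function Get-HiddenSystemItem {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Names Windows itself marks Hidden+System; reported but never modified.
        [string[]] $Expected = @('System Volume Information', '$RECYCLE.BIN', 'desktop.ini')
    )
    $mask = [System.IO.FileAttributes]'Hidden, System'

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band $mask) -eq $mask } |
        ForEach-Object {
            $item   = $_
            $parent = [System.IO.Path]::GetDirectoryName($item.FullName)
            # Heuristic: a shortcut named after the hidden item sits next to it.
            $decoys = @("$($item.Name).lnk", "$($item.BaseName).lnk") |
                Select-Object -Unique |
                ForEach-Object { Join-Path $parent $_ } |
                Where-Object { Test-Path -LiteralPath $_ }
            [pscustomobject]@{
                Path       = $item.FullName
                Attributes = $item.Attributes
                Expected   = $Expected -contains $item.Name
                DecoyLnk   = @($decoys)
            }
        }
}

function Clear-HiddenSystem {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)] $Finding)
    process {
        if ($Finding.Expected) { return }      # leave OS-managed items alone
        if ($PSCmdlet.ShouldProcess($Finding.Path, 'clear Hidden and System')) {
            $fsi  = Get-Item -LiteralPath $Finding.Path -Force
            $mask = [System.IO.FileAttributes]'Hidden, System'
            $fsi.Attributes = $fsi.Attributes -band (-bnot $mask)
        }
    }
}

# --- Constructed sample tree standing in for the affected drive root ---
$root = Join-Path ([System.IO.Path]::GetTempPath()) "attrib-audit-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $root | Out-Null
Set-Content -LiteralPath (Join-Path $root 'report.docx')     -Value 'user data'
Set-Content -LiteralPath (Join-Path $root 'report.docx.lnk') -Value 'placeholder'
Set-Content -LiteralPath (Join-Path $root 'desktop.ini')     -Value '[.ShellClassInfo]'
attrib.exe +H +S (Join-Path $root 'report.docx')
attrib.exe +H +S (Join-Path $root 'desktop.ini')

$findings = @(Get-HiddenSystemItem -Root $root)
$findings | Format-Table Path, Attributes, Expected, DecoyLnk -AutoSize
$findings | Clear-HiddenSystem -WhatIf      # preview only; drop -WhatIf to apply
Remove-Item -LiteralPath $root -Recurse -Force
```

Keeping the findings list gives a record of what was hidden and which shortcuts sat beside it before anything is changed or deleted.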
Protect a release folder from accidental edits
rem Lock all files after building a release
attrib +R C:\Releases\v2.1\* /S
rem Verify
attrib C:\Releases\v2.1\* /S
Output:
AR C:\Releases\v2.1\setup.exe
AR C:\Releases\v2.1\README.txt
Force a full backup on next run
rem Mark every file in a project as "changed" so the backup tool picks them up
attrib +A C:\Projects\critical-data\* /S
Output: (none — exits 0 on success)
Hide a local secrets file from casual browsing
attrib +H +S C:\Users\alicedev\.env
Output: (none — exits 0 on success)
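The file is invisible in Explorer and dir but still accessible by path in scripts and editors. Because dir /A and Get-ChildItem -Force still list it, this only declutters the folder; if the contents are sensitive, restrict access with NTFS ACLs (icacls) as well.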
Batch-clear attributes before deleting a stubborn folder
rem Some tools refuse to delete hidden/read-only/system files; clear first
attrib -R -H -S C:\Temp\stubborn\* /S /D
rmdir /S /Q C:\Temp\stubborn
Output: (none — exits 0 on success)
Attribute storage internals
NTFS stores file attributes in the $STANDARD_INFORMATION attribute of every MFT (Master File Table) record. The attrib command exposes only a subset of the bit-field stored there; the full Win32 FILE_ATTRIBUTE_* constants (defined in winnt.h) include DIRECTORY, DEVICE, NORMAL, TEMPORARY, SPARSE_FILE, REPARSE_POINT, COMPRESSED, OFFLINE, NOT_CONTENT_INDEXED, ENCRYPTED, INTEGRITY_STREAM, VIRTUAL, NO_SCRUB_DATA, RECALL_ON_OPEN, and RECALL_ON_DATA_ACCESS. Each is a single bit; attrib shows letters for the bits it knows how to manipulate.
rem Inspect the raw attribute bitmask with PowerShell
powershell -Command "(Get-Item C:\Windows\System32\notepad.exe -Force).Attributes.value__"
Output:
32
The decimal value 32 corresponds to Archive (bit 5 = 0x20). Hidden is bit 1 (0x02), System is bit 2 (0x04), ReadOnly is bit 0 (0x01). A file with all four set reads 39 (0x27).
rem Translate a numeric attribute mask into named flags via PowerShell
powershell -Command "[Enum]::Format([System.IO.FileAttributes], 39, 'g')"
Output:
ReadOnly, Hidden, System, Archive
PowerShell equivalents
PowerShell exposes file attributes as a [System.IO.FileAttributes] flags enum on every FileInfo or DirectoryInfo object. The cmdlets Get-Item, Get-ChildItem, and Set-ItemProperty work with these flags directly — preferring (Get-Item).Attributes over shelling out to attrib.exe is the modern idiom in scripts that already live in PowerShell. The cmdlets are also pipeline-aware, locale-independent, and surface clearer errors than attrib.
# View attributes (current directory, including hidden)
Get-ChildItem -Force | Select-Object Name, Attributes
Output:
Name Attributes
---- ----------
.gitignore Archive, Hidden
desktop.ini Archive, Hidden, System
report.docx Archive
src Directory
# Set hidden + read-only on a single file
Set-ItemProperty -Path C:\Data\secret.txt -Name Attributes -Value 'Hidden, ReadOnly'
Output: (none)
# Bitwise-OR add the Hidden flag without disturbing existing flags
$f = Get-Item C:\Data\secret.txt -Force
$f.Attributes = $f.Attributes -bor [System.IO.FileAttributes]::Hidden
Output: (none)
# Bitwise-AND-NOT clear the ReadOnly flag
$f = Get-Item C:\Data\secret.txt -Force
$f.Attributes = $f.Attributes -band -bnot [System.IO.FileAttributes]::ReadOnly
Output: (none)
# Recursive unhide of every file under a tree (USB-worm recovery)
Get-ChildItem E:\ -Recurse -Force |
Where-Object { $_.Attributes -band [System.IO.FileAttributes]::Hidden } |
ForEach-Object {
$_.Attributes = $_.Attributes -band -bnot ([System.IO.FileAttributes]::Hidden -bor [System.IO.FileAttributes]::System)
}
Output: (none — exits 0 on success)
# Filter by attribute: list every hidden file under a path
Get-ChildItem C:\Users\alicedev -Recurse -Force -Attributes Hidden
Output:
Directory: C:\Users\alicedev
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a-h- 4/27/2026 9:15 26 .gitconfig
# Multi-flag filter — files that are Hidden AND System (suspicious)
Get-ChildItem C:\Users\alicedev -Recurse -Force -Attributes Hidden+System
Output:
-a-hs- 4/26/2026 9:15 26 desktop.ini
Attribute filter syntax
The -Attributes parameter of Get-ChildItem accepts a flags expression with ! for negation, + for AND, and a comma for OR. This is more expressive than attrib's positional codes.
| PowerShell expression | Meaning |
|---|---|
| -Attributes Hidden | files that have Hidden set |
| -Attributes !Hidden | files that do not have Hidden |
| -Attributes Hidden,System | files with either Hidden OR System |
| -Attributes Hidden+System | files with Hidden AND System |
| -Attributes !Directory | files only (no folders) |
| -Attributes ReadOnly,Hidden,System | files matching any of those |
# Find non-hidden, non-system, archive-bit-set files (typical for backup)
Get-ChildItem -Recurse -Attributes Archive+!Hidden+!System
Output: (matching listing)
Reading attributes from .NET / cmd interop
attrib always reads from the same NTFS $STANDARD_INFORMATION field that .NET's File.GetAttributes() reads. The two tools never disagree, but their output formats differ. The Attributes enum in .NET is the source of truth; attrib's letter codes are a presentation layer over it.
rem cmd output
attrib C:\Data\report.docx
Output:
A C:\Data\report.docx
# Same file via .NET API
[System.IO.File]::GetAttributes('C:\Data\report.docx')
Output:
Archive
Working with reparse points and junctions
Files and directories marked with the L (reparse point) attribute are symbolic links, directory junctions, or filesystem-driver hooks (such as OneDrive placeholder files). attrib cannot toggle the L bit — it is set by the filesystem when a reparse point is created with mklink or New-Item -ItemType SymbolicLink. The /L switch tells attrib to act on the link itself rather than its target.
rem Create a junction to inspect
mklink /J C:\Link C:\Projects\myapp
rem View the link's attributes (not the target's)
attrib /L C:\Link
Output:
A L C:\Link
rem Without /L, attrib follows the link and reports the target's attributes
attrib C:\Link
Output:
A C:\Link
# PowerShell — distinguish link from target
Get-Item C:\Link | Select-Object Name, Attributes, Target
Output:
Name Attributes Target
---- ---------- ------
Link Directory, ReparsePoint {C:\Projects\myapp}
Offline, pinned, and cloud-tier attributes
Attributes O (Offline), P (Pinned), U (Unpinned), and the related RecallOnOpen / RecallOnDataAccess flags are managed by cloud storage providers (OneDrive, SharePoint, third-party HSM systems) to mark files that exist locally as placeholders. attrib +U triggers OneDrive's "Free up space" behaviour — the file remains visible but its bytes are released. attrib +P reverses that, forcing local caching.
rem Free up local space — file becomes cloud-only
attrib +U "C:\Users\alicedev\OneDrive\big-archive.zip"
Output: (none — exits 0 on success)
rem Pin the file locally so it is always available offline
attrib +P "C:\Users\alicedev\OneDrive\important.docx"
Output: (none — exits 0 on success)
rem Free up an entire folder (recursively)
attrib +U "C:\Users\alicedev\OneDrive\Archive\*" /S
Output: (none — exits 0 on success)
[!WARN]
+P and +U are mutually exclusive. Setting both in the same call leaves the file in an inconsistent state until OneDrive reconciles it. Run them one at a time.
Content indexing exclusion (I)
The I attribute ("Not Content Indexed") removes a file from the Windows Search index. Useful for source-control checkouts, build artefacts, and large binary trees that you never want to appear in Start-menu searches but cannot move out of an indexed folder like Documents.
rem Exclude a build output folder from search
attrib +I C:\Projects\myapp\dist\* /S /D
Output: (none — exits 0 on success)
rem Re-enable indexing for a finished release folder
attrib -I C:\Projects\myapp\release\* /S /D
Output: (none — exits 0 on success)
# PowerShell equivalent (use the explicit enum name)
Get-ChildItem C:\Projects\myapp\dist -Recurse -Force | ForEach-Object {
$_.Attributes = $_.Attributes -bor [System.IO.FileAttributes]::NotContentIndexed
}
Output: (none)
After flipping the bit, re-trigger the search indexer with Start-Process control.exe -ArgumentList 'srchadmin.dll' or via Settings → Searching Windows → Advanced Search Indexer Settings.
Storage Spaces and integrity (X)
The X ("No Scrub Data") attribute exempts a file from the integrity scrubbing that ReFS/Storage Spaces performs on parity volumes. Set it for files where you accept the risk of latent corruption in exchange for not paying the scrub cost — typically transient build outputs on a ReFS scratch volume.
attrib +X D:\ScratchBuild\* /S /D
Output: (none — exits 0 on success)
On NTFS volumes the bit is silently stored but unused — there is no harm in setting it. On ReFS volumes with integrity streams enabled it has real performance implications.
Compressed and encrypted bits
attrib displays the C (Compressed) and E (Encrypted) attributes but refuses to set or clear them — these are managed by separate utilities. Use compact.exe for NTFS file compression and cipher.exe for EFS encryption. Trying to set them with attrib +C or attrib +E produces "Parameter format not correct" rather than a clear error.
rem Compress a folder with NTFS compression (the "C" attribute)
compact /C /S C:\Logs\Archive\*
rem Decompress
compact /U /S C:\Logs\Archive\*
rem Encrypt a single file with EFS (the "E" attribute)
cipher /E C:\Data\confidential.txt
rem Decrypt
cipher /D C:\Data\confidential.txt
Output (compact /C):
Compressing files in C:\Logs\Archive\
1 file in 1 directory was compressed.
Total bytes of data: 12,345
Total bytes of storage: 4,096
Compression ratio: 3.0:1
Output (cipher /E):
Encrypting files in C:\Data\
confidential.txt [OK]
1 file(s) [or directorie(s)] within 1 directorie(s) were encrypted.
Once those bits are set, attrib will display C or E alongside the other attributes:
attrib C:\Logs\Archive\*
Output:
A C C:\Logs\Archive\old.log
A C C:\Logs\Archive\older.log
Attribute precedence and Explorer behaviour
Windows Explorer's "Show hidden files" toggle controls visibility of the H attribute. The "Hide protected operating system files" toggle additionally hides files with H+S set — even when "Show hidden files" is on. This is why files hidden by malware (which sets both H and S) remain invisible in Explorer until you uncheck both options or use attrib -H -S from the command line.
| Explorer settings | Files visible |
|---|---|
| Default (hide hidden, hide protected) | Plain files only |
| Show hidden ON, hide protected ON | Plain + Hidden files |
| Show hidden ON, hide protected OFF | All files including H+S |
The dir /A command always shows everything, bypassing Explorer's UI toggles entirely. From cmd.exe:
rem Verify a "hidden" file exists by listing with attributes
dir /A C:\Users\alicedev\.gitconfig
Output:
27/04/2026 09:15 26 .gitconfig
attrib vs icacls — soft flag vs hard permission
The R (read-only) attribute is a soft hint that cmd.exe, Explorer, and many applications honour but the underlying NTFS layer does not enforce. A program calling CreateFile with GENERIC_WRITE access and FILE_ATTRIBUTE_NORMAL will succeed on a read-only file. For real write-deny enforcement, use NTFS ACLs via icacls, which set a deny ACE in the file's security descriptor that the kernel checks before granting handle access.
| Property | attrib +R | icacls /deny User:W |
|---|---|---|
| Stored where | $STANDARD_INFORMATION | $SECURITY_DESCRIPTOR |
| Enforced by | Cmd, Explorer, polite apps | NT kernel access check |
| Bypassed by | Admin? No. Win32 flags? Yes. | Admin? Yes (with takeown). |
| Backup compatibility | Preserved by xcopy /K, robocopy /COPY:A | Preserved by robocopy /COPY:S |
| Granularity | Boolean per file | Per-user, per-group, per-permission |
rem Soft lock — anyone can still write via API
attrib +R C:\Data\config.ini
rem Hard lock — kernel rejects writes from alicedev
icacls C:\Data\config.ini /deny alicedev:W
rem Inspect both
attrib C:\Data\config.ini
icacls C:\Data\config.ini
Output (icacls):
C:\Data\config.ini BUILTIN\Administrators:(F)
MYHOST\alicedev:(DENY)(W)
MYHOST\alicedev:(R)
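An audit for files that rely on the R flag alone, as an added example (not from the original page): it lists read-only files whose ACL still carries an allow-write ACE, and no deny-write ACE, for the named principals. The function name, the default principal list (English-locale group names) and the constructed sample file are assumptions; ACEs are matched by account name only, so nested group membership is not resolved.

```powershell
# Added example (not from the original page); names and defaults are assumptions.
function Get-SoftLockedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Assumption: English-locale names; pass the accounts you care about.
        [string[]] $Principal = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    # WriteData | AppendData: the rights that allow changing file contents.
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData'

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Attributes ReadOnly |
        ForEach-Object {
            $file = $_
            $acl  = (Get-Acl -LiteralPath $file.FullName).Access
            # A principal is exposed when it has an allow-write ACE and no deny-write ACE.
            $exposed = foreach ($name in $Principal) {
                $aces = @($acl | Where-Object {
                    $_.IdentityReference.Value -eq $name -and
                    ([int]$_.FileSystemRights -band $writeBits)
                })
                $allow = @($aces | Where-Object { $_.AccessControlType -eq 'Allow' })
                $deny  = @($aces | Where-Object { $_.AccessControlType -eq 'Deny' })
                if ($allow.Count -gt 0 -and $deny.Count -eq 0) { $name }
            }
            if ($exposed) {
                [pscustomobject]@{ Path = $file.FullName; WritableBy = @($exposed) }
            }
        }
}

# --- Constructed sample: a temp file protected only by +R ---
$dir  = Join-Path ([System.IO.Path]::GetTempPath()) "softlock-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'config.ini'
Set-Content -LiteralPath $file -Value 'mode=prod'
attrib.exe +R $file
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Get-SoftLockedFile -Root $dir -Principal $me        # state with only the R flag
icacls.exe $file /deny "${me}:W" | Out-Null         # add the deny-write ACE
Get-SoftLockedFile -Root $dir -Principal $me        # state with the deny ACE in place

# Cleanup: the deny ACE must go before the read-only file can be removed.
icacls.exe $file /remove:d $me | Out-Null
Remove-Item -LiteralPath $dir -Recurse -Force
```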
Long-path and UNC support
attrib natively supports the \\?\ extended-length prefix to bypass the legacy 260-character MAX_PATH limit. Without the prefix, files at deeper paths produce "The system cannot find the path specified". UNC paths (\\myhost\share\file.txt) work with all switches but require the prefix \\?\UNC\myhost\share\... for the long-path variant.
rem Short path — fails on deep tree
attrib C:\Users\alicedev\Documents\Projects\verylongproject\src\components\NavigationDrawer\subdir\deeplynested\file.txt
Output:
The system cannot find the path specified - file.txt
rem Extended-length prefix — succeeds
attrib "\\?\C:\Users\alicedev\Documents\Projects\verylongproject\src\components\NavigationDrawer\subdir\deeplynested\file.txt"
Output:
A \\?\C:\Users\...
rem UNC path with extended-length prefix
attrib "\\?\UNC\myhost\share\verylong\...\file.txt"
Output: (none — exits 0 on success)
For repeated work with long paths, enable the LongPathsEnabled registry flag system-wide:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v LongPathsEnabled /t REG_DWORD /d 1 /f
Output:
The operation completed successfully.
Performance considerations
attrib issues a FindFirstFile/FindNextFile enumeration per directory and a SetFileAttributes per modified file — both are synchronous Win32 calls. On a tree of 100,000 files on an SSD, expect roughly 1–5 seconds; on a network share, expect 30 seconds to several minutes depending on round-trip latency. There is no built-in parallelism — attrib is single-threaded.
For large recursive runs, prefer PowerShell parallelism (PS 7+):
# PowerShell 7 — parallel attribute clearing across 8 threads
Get-ChildItem C:\BigTree -Recurse -Force | ForEach-Object -Parallel {
$_.Attributes = $_.Attributes -band -bnot [System.IO.FileAttributes]::ReadOnly
} -ThrottleLimit 8
Output: (none)
Or batch with robocopy in list-only mode plus attrib per file:
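rem Use robocopy to enumerate, then run attrib on each listed file
rem /NS and /NC drop the size and class columns so each line holds only the full path
robocopy C:\BigTree NUL /L /S /NJH /NJS /NDL /NS /NC /FP /NP > files.txt
rem Interactive prompt syntax; inside a .bat file write %%f instead of %f
for /f "tokens=*" %f in (files.txt) do attrib -R "%f"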
Output: (none — exits 0 on success)
robocopy /L is significantly faster than dir /S /B for enumerating massive trees because it uses asynchronous I/O and ignores reparse points by default.
Exit codes and scripting
attrib always exits with code 0 on success. It does not distinguish "no files matched" from "all attributes set successfully" via exit code — both yield 0. To detect "no files matched", inspect stderr or pre-check with dir. For batch scripts that must know whether any file changed, redirect output and count lines.
@echo off
attrib +H C:\NoSuchDir\* /S 2> attrib.err
if exist attrib.err (
for /f %%c in ('find /c /v "" ^< attrib.err') do (
if not "%%c"=="0" echo Errors: %%c
)
)
Output: (if errors)
Errors: 1
# PowerShell — capture and inspect
$result = & attrib +R C:\Data\* /S 2>&1
if ($LASTEXITCODE -ne 0) { Write-Host "attrib failed: $result" }
Output: (none on success)
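Since the exit code carries no information, a script has to check the outcome itself. The wrapper below, an added example that is not part of the original cheat sheet, refuses to run when nothing matches and re-reads every target after attrib.exe returns; the function name, its parameters and the constructed sample files are assumptions.

```powershell
# Added example (not from the original page); names and parameters are assumptions.
$AttribLetter = @{ ReadOnly = 'R'; Hidden = 'H'; System = 'S'; Archive = 'A' }

function Invoke-AttribVerified {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Directory,
        [string] $Filter = '*',
        [ValidateSet('ReadOnly', 'Hidden', 'System', 'Archive')] [string[]] $Set = @(),
        [ValidateSet('ReadOnly', 'Hidden', 'System', 'Archive')] [string[]] $Clear = @(),
        [switch] $Recurse
    )
    # 1. Pre-check: attrib exits 0 even when the pattern matches nothing.
    $targets = @(Get-ChildItem -LiteralPath $Directory -Filter $Filter -File -Force -Recurse:$Recurse)
    if ($targets.Count -eq 0) { throw "No files match '$Filter' under '$Directory'" }

    # 2. Build the +X / -X switches and the bit masks used for verification.
    $switches = @(); $setMask = 0; $clearMask = 0
    foreach ($n in $Set) {
        $switches += "+$($AttribLetter[$n])"
        $setMask = $setMask -bor [int][System.IO.FileAttributes]$n
    }
    foreach ($n in $Clear) {
        $switches += "-$($AttribLetter[$n])"
        $clearMask = $clearMask -bor [int][System.IO.FileAttributes]$n
    }
    if ($switches.Count -eq 0) { throw 'Specify -Set and/or -Clear' }

    $attribArgs = $switches + (Join-Path $Directory $Filter)
    if ($Recurse) { $attribArgs += '/S' }
    $messages = & attrib.exe @attribArgs 2>&1

    # 3. Post-check: re-read each file and compare with the requested state.
    foreach ($t in $targets) {
        $now = [int][System.IO.File]::GetAttributes($t.FullName)
        [pscustomobject]@{
            Path       = $t.FullName
            Ok         = (($now -band $setMask) -eq $setMask) -and (($now -band $clearMask) -eq 0)
            Attributes = [System.IO.FileAttributes]$now
        }
    }
    if ($messages) { Write-Warning ($messages -join "`n") }
}

# --- Constructed sample: one read-only file, one hidden + read-only file ---
$dir = Join-Path ([System.IO.Path]::GetTempPath()) "attrib-verify-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -LiteralPath (Join-Path $dir 'plain.ini')  -Value 'a=1'
Set-Content -LiteralPath (Join-Path $dir 'hidden.ini') -Value 'b=2'
attrib.exe +R (Join-Path $dir 'plain.ini')
attrib.exe +R +H (Join-Path $dir 'hidden.ini')

# attrib will not change R on a file that still has H set unless -H is passed
# as well; the Ok column is how a script notices files left in the old state.
Invoke-AttribVerified -Directory $dir -Filter '*.ini' -Clear ReadOnly | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```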
Common scenarios
Unhide a recovered USB drive
rem Drive letter E: — clear hidden, system, and read-only on everything
attrib -H -S -R E:\* /S /D
dir E:\
Output: (full listing of restored files)
Reset attributes after restoring from backup
# Strip read-only on every file copied back from a network archive
Get-ChildItem C:\Restored -Recurse -Force |
Where-Object { $_.Attributes -band [System.IO.FileAttributes]::ReadOnly } |
ForEach-Object {
$_.IsReadOnly = $false
}
Output: (none)
Prepare a folder for git initialisation
rem Some IDE-generated folders end up with read-only files that block git add
attrib -R C:\Projects\newproject\* /S /D
git -C C:\Projects\newproject init
Output: (git init output)
Build an "untouchable" archive
rem Lock and hide a finished archive so it survives accidental browsing
attrib +R +H +S C:\Archives\2025-final\* /S /D
rem Reverse later
attrib -R -H -S C:\Archives\2025-final\* /S /D
Output: (none — exits 0 on success)
Find every file with the archive bit set (changed since last backup)
dir /A:A /B /S C:\Projects\myapp > pending_backup.txt
type pending_backup.txt
Output:
C:\Projects\myapp\main.py
C:\Projects\myapp\README.md
Reset the archive bit on a folder after a manual backup
attrib -A C:\Projects\myapp\* /S /D
Output: (none — exits 0 on success)
This pattern (archive-bit-as-changed-flag) is the foundation of how xcopy /M and Windows Backup distinguish incremental files. See xcopy.md for the copy side of that workflow.
Sources
Microsoft Learn — attrib command — Official syntax, the full attribute switch set (including +B for the SMR Blob attribute), recursion flags /S /D /L, and examples.
Tips
attrib is non-recursive by default. Add /S /D whenever you want a change to apply to a whole tree including subdirectory entries themselves, not just files inside them.
Prefer PowerShell's (Get-Item).Attributes with bitwise operators (-bor, -band -bnot) in modern scripts — it composes cleanly, surfaces clear errors, and works on long paths and reparse points without special flags.
Always pair -H with -S when recovering files hidden by malware. The system attribute alone keeps a file invisible in Explorer even after clearing the hidden bit.
[!WARN]
attrib +R is a polite hint, not an access-control mechanism. Files with R set can still be modified by any application that opens them with explicit write flags. Use icacls for enforced read-only.
[!WARN]
Modifying attributes on C:\Windows, C:\Program Files, or other protected paths requires an elevated CMD prompt. Without elevation attrib silently skips those files and reports success.