attrib command in Windows: view and change file attributes

The attrib command has been part of Windows since the DOS era, but it still solves problems that modern GUI tools handle poorly or not at all. When files go missing after a malware infection, when a script fails silently because a config file is read-only, or when Explorer shows nothing in a folder you know is not empty — attrib is usually the right starting point.

This article focuses on real admin scenarios: what breaks, why attrib fixes it, and what it quietly fails to do.

Quick answer

attrib -H -S -R "C:\path\to\file.txt"

Removes the hidden, system, and read-only attributes from a file. The most common single-line fix when a file is not visible or not editable.

What it does

attrib reads and modifies the FAT-level attributes stored with every file and directory on Windows. These are separate from NTFS permissions and ownership.

Syntax:

attrib [+R | -R] [+A | -A] [+S | -S] [+H | -H] [+I | -I] [drive:][path][filename] [/S] [/D] [/L]

Attributes:

Switch	Attribute	Meaning
`R`	Read-only	Prevents modification or deletion
`H`	Hidden	Not shown in Explorer or `dir` by default
`S`	System	Marks file as a system file
`A`	Archive	Indicates file has changed since last backup
`I`	Not content indexed	Excludes file from Windows Search indexing

Switches:

Switch	Meaning
`/S`	Apply to all matching files in current folder and subfolders
`/D`	Include directories themselves, not just their contents
`/L`	Work on the symbolic link itself rather than its target

Works on NTFS, FAT32, and exFAT. Requires elevation when modifying system-attributed files.

Practical examples

1. Files are not visible after a malware infection

The problem: A user reports that their Documents folder appears empty. You check with Explorer — nothing. You run dir — nothing. A known malware pattern is to set +H +S on all user files to make them appear deleted while keeping the data intact.

The solution: Strip the hidden and system attributes recursively from the affected folder to restore visibility.

:: Remove hidden and system flags from all files and subfolders
:: /S applies to all files in subfolders
:: /D applies the change to the directories themselves as well
attrib -H -S /S /D "C:\Users\USERNAME\Documents\*"

After running this, refresh Explorer. Files should reappear. If they do not, check NTFS permissions separately — attrib only controls FAT-level attributes.

Warning: This command affects every file and directory under the path recursively. Verify the path carefully before running. On a shared or domain-joined machine, run from an elevated CMD prompt.

2. A file refuses to be edited or deleted

The problem: A config file, log, or leftover installer artifact cannot be modified or deleted. Explorer shows “Access denied” or the file simply does not respond to edit attempts. The file is not locked by a process — it has the read-only attribute set.

The solution: Remove the read-only flag so the file behaves normally again.

:: Check current attributes first
attrib "C:\bat\test\config.ini"

:: Remove the read-only flag
attrib -R "C:\bat\test\config.ini"

Run attrib without any flags first to confirm the attributes before changing them. This avoids surprises.

Note: If the file still cannot be modified after removing +R, the restriction is coming from NTFS permissions or file ownership — not from the attribute. Use icacls or the Security tab in file properties to investigate further.

3. Protect a config file from accidental overwrite by a script

The problem: A deployment script occasionally overwrites a manually maintained config file because it targets all files in a directory. You cannot change the script, and the file needs to survive re-deployments.

The solution: Mark the file as read-only. Most scripts that use standard file copy operations will skip or fail on read-only files, which is the desired behavior here.

:: Set read-only on a config file to protect it from overwrites
attrib +R "C:\bat\test\app.config"

Result: The file is now protected. Copy operations like xcopy and robocopy without the /A flag will report an error and skip it rather than overwriting silently.

Warning: The read-only flag does not protect against operations run with elevated privileges that explicitly override it. It is a soft guard, not a security boundary.

4. Diagnose why a folder is not visible in Explorer

The problem: You know a folder exists — a script created it, a log references it — but it does not appear in Explorer or in a standard dir listing. Before taking any action, you need to confirm which attributes are set.

The solution: Run attrib without any flags to read the current state of the folder.

:: View current attributes of a specific folder
attrib "C:\bat\test"

Output example:

    SH  C:\bat\test

The letters before the path indicate active attributes. In this case: S (system) and H (hidden). No letter means the attribute is not set.

Note: Explorer hides system-flagged items even when “Show hidden files” is enabled in Folder Options. To see system-flagged items in Explorer, you must also uncheck “Hide protected operating system files” — or use dir /A from CMD.

5. Manage the archive flag for incremental backup workflows

The problem: You are using a custom backup script that checks the archive flag (+A) to determine which files have changed since the last run. A file was restored manually and the flag was not reset, so the next backup run skips it. You need to force the flag back on.

The solution: Set the archive flag manually on the file so the backup agent picks it up on the next run.

:: Force the archive flag on a restored file so backup includes it
attrib +A "C:\bat\test\restored-report.xlsx"

:: To confirm the flag is now set
attrib "C:\bat\test\restored-report.xlsx"

Hidden gems

System and hidden flags must be removed together

If a file has both +H and +S set, removing only -H will not make it visible in Explorer. Windows treats the system flag as an additional visibility layer. You must remove both flags in the same command: attrib -H -S filename. Malware frequently uses this combination precisely because removing only -H appears to do nothing, leading admins to conclude the tool is not working.

Common mistake: Running attrib -H filename on a file with both +H and +S set produces no error and appears to succeed — but the file remains hidden. Always remove both flags together when dealing with suspected malware artifacts.

attrib does not bypass NTFS permissions

attrib only modifies FAT-level attributes. If a file is protected by NTFS permissions, ACLs, or file ownership settings, attrib will complete silently without producing an error — and nothing will change. This is the most common reason admins assume attrib is broken. It is not broken; it is operating on a different layer. Use icacls, takeown, or the Security tab to address permission-level restrictions.

Manipulating the archive flag affects incremental backups

Running attrib -A on a file clears the archive flag, which signals to backup software that the file has not changed. If your environment uses any backup solution that relies on this flag — including Windows Server Backup, older robocopy-based scripts, or third-party agents — clearing the archive flag manually will cause those files to be skipped in the next incremental backup run. Do not use attrib -A in production without understanding how your backup solution tracks changes.

PowerShell equivalent

PowerShell does not have a direct single-cmdlet equivalent for attrib, but the same attribute flags are available through the [System.IO.File] and [System.IO.FileAttributes] .NET classes.

View attributes:

(Get-Item "C:\bat\test\config.ini").Attributes

Remove read-only and hidden:

$file = Get-Item "C:\bat\test\config.ini"
$file.Attributes = $file.Attributes -band -bnot ([System.IO.FileAttributes]::ReadOnly -bor [System.IO.FileAttributes]::Hidden)

Set read-only:

(Get-Item "C:\bat\test\config.ini").Attributes += [System.IO.FileAttributes]::ReadOnly

Note: PowerShell attribute manipulation operates on the same FAT-level flags as attrib. The same limitations apply — NTFS permissions are a separate layer and are not affected.

Where this matters

Post-malware cleanup — After removing an infection, user files are often still hidden with +H +S. Running attrib recursively on affected folders restores visibility without touching file content or permissions.

Deployment pipelines — Read-only flags on config files act as a soft lock during automated deployments, preventing scripts from overwriting manually maintained settings.

Backup troubleshooting — When an incremental backup reports fewer changed files than expected, checking the archive flag with attrib is a fast first diagnostic step.

Diagnosing invisible folders — When a directory exists in logs but not in Explorer, attrib confirms in one command whether the folder is hidden or system-flagged.

Legacy script maintenance — Older batch scripts and backup tools frequently rely on archive flags. Understanding how attrib interacts with these flags prevents silent data loss in those workflows.

Official reference

attrib — Windows Commands | Microsoft Learn

Related guides

TITLE command in Windows