Windows 2000 file security with the Windows API

I'm the type of person who learns a lot by attacking problems and writing up the results. Recently I struggled to write a program which would revoke write access to a specified directory. Although I had a good idea of how to go about the task, I was baffled by the documentation in Microsoft's SDK. Once again, badly written, excessively verbose and confusing information about a perfectly logical subject left me scratching my head.

The purpose of this article, then, is twofold. First and foremost it is a chance for me to confirm that I really do understand this stuff by setting it out on the page. Secondly, I hope it might be useful to someone who was as baffled as I was by the SDK documentation.

The problem I was trying to solve

I wanted to programmatically revoke write access to a specified directory. On Unix, this would be achieved by first getting the current permissions for the directory, constructing a new permission mask with the write bits unset and then applying the new mask to the directory.

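#include <sys/stat.h>

/* Revoke write access to path for user, group and other */
int revoke_write(const char *path)
{
    struct stat st;
    mode_t perms;

    /* First stat the directory and get the existing permissions */
    if (stat(path, &st) != 0)
        return -1; /* Error */
    perms = st.st_mode & 07777; /* keep only the permission bits */

    /* Remove write permissions */
    perms &= ~0222;

    /* Apply new mask */
    if (chmod(path, perms) != 0)
        return -1; /* Error */
    return 0;
}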

However, Windows 2000 supports access control lists controlling file permissions (as indeed do many flavours of Unix, either out of the box or with kernel patches). The problem on Windows 2000 is a little different:

Of course, I found all this out through trial and error and reading poorly documented Microsoft sample code (in Hungarian notation, blech).

The following pages will describe what I learned about