Windows 2000 file security: sample code

Here you can download the source code of a small program, viewacls.cpp, which displays the ACL entries for a given file, much like the system command CACLS.

To compile viewacls.cpp with Visual C++, you will need the Platform SDK installed. The command line below assumes you have installed it into c:\dev\sdk.

cl -I c:\dev\sdk viewacls.cpp /link advapi32.lib

The program works by

  1. Calling GetFileSecurity() to obtain a security descriptor for the target file.

  2. Extracting the discretionary access control list from the security descriptor with GetSecurityDescriptorDacl().

  3. Using GetAclInformation() to retrieve the number of access control entries in the ACL.

  4. Looping over the ACEs with GetAce().

  5. Calling LookupAccountSid() to find the accounts referenced by each ACE.

  6. Also calling ConvertSidToStringSid() to convert each SID to its printable S-1-... form, which is printed along with the account name.

  7. Testing the bits of each ACE's access mask to describe the rights the ACE grants or denies.
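
The walk in steps 3 to 7, as an added example that is not the page's viewacls.cpp: it reimplements the ACL traversal in portable C over the same self-relative byte layouts (ACL header, ACE header, access mask, SID, as laid out in winnt.h of the Platform SDK) instead of calling GetAce() or ConvertSidToStringSid(), so it builds without Windows. The DACL is constructed in memory to mirror the sample listing, no file is read, and the account-name lookup of step 5 is left out because LookupAccountSid() needs a live account database; the rights names and bit values are those of winnt.h, so they can differ from the labels the program itself prints. The example also adds the check a reviewer of such a listing wants: it flags an allow entry that hands WRITE_DAC or WRITE_OWNER to a principal such as Everyone, since whoever holds those rights can rewrite the DACL and make the remaining entries moot.

```c
/* Added example, not the page's viewacls.cpp: walks a self-relative DACL in
 * portable C using the winnt.h byte layouts that GetAclInformation(), GetAce()
 * and ConvertSidToStringSid() operate on, so it builds without the Platform SDK.
 * The DACL is constructed in memory to mirror the page's sample listing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACE_ALLOW   0           /* ACCESS_ALLOWED_ACE_TYPE */
#define ACE_DENY    1           /* ACCESS_DENIED_ACE_TYPE  */
#define WRITE_DAC   0x00040000u /* holder may rewrite the DACL */
#define WRITE_OWNER 0x00080000u /* holder may take ownership   */

/* Access-mask bits as named in winnt.h (file-specific and standard rights). */
static const struct { uint32_t bit; const char *name; } kRights[] = {
    {0x0001, "FILE_READ_DATA"},    {0x0002, "FILE_WRITE_DATA"},
    {0x0004, "FILE_APPEND_DATA"},  {0x0008, "FILE_READ_EA"},
    {0x0010, "FILE_WRITE_EA"},     {0x0020, "FILE_EXECUTE"},
    {0x0040, "FILE_DELETE_CHILD"}, {0x0080, "FILE_READ_ATTRIBUTES"},
    {0x0100, "FILE_WRITE_ATTRIBUTES"}, {0x00010000, "DELETE"},
    {0x00020000, "READ_CONTROL"},  {WRITE_DAC, "WRITE_DAC"},
    {WRITE_OWNER, "WRITE_OWNER"},  {0x00100000, "SYNCHRONIZE"},
};

static uint32_t rd16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v); wr16(p + 2, v >> 16); }

/* Binary SID: revision 1, sub-authority count, 48-bit big-endian authority,
 * then little-endian 32-bit sub-authorities. Returns the SID's byte length. */
static size_t make_sid(uint8_t *out, uint8_t authority, const uint32_t *subs, int n) {
    memset(out, 0, 8);
    out[0] = 1; out[1] = (uint8_t)n; out[7] = authority;
    for (int i = 0; i < n; i++) wr32(out + 8 + 4 * i, subs[i]);
    return 8 + 4 * (size_t)n;
}

/* Step 6, the equivalent of ConvertSidToStringSid(): "S-1-<auth>-<sub>...".
 * Returns the SID's byte length so a caller can step past it. */
size_t sid_to_string(const uint8_t *sid, char *buf, size_t cap) {
    uint64_t auth = 0;
    for (int i = 2; i < 8; i++) auth = (auth << 8) | sid[i];
    size_t len = (size_t)snprintf(buf, cap, "S-%u-%llu", (unsigned)sid[0], (unsigned long long)auth);
    for (int i = 0; i < sid[1]; i++)
        len += (size_t)snprintf(buf + (len < cap ? len : cap), len < cap ? cap - len : 0,
                                "-%u", (unsigned)rd32(sid + 8 + 4 * i));
    return 8 + 4 * (size_t)sid[1];
}

/* Step 7: name each set bit of the mask, space separated; returns how many. */
int decode_mask(uint32_t mask, char *buf, size_t cap) {
    int n = 0; size_t len = 0;
    if (cap) buf[0] = '\0';
    for (size_t i = 0; i < sizeof kRights / sizeof kRights[0]; i++) {
        if (!(mask & kRights[i].bit)) continue;
        len += (size_t)snprintf(buf + (len < cap ? len : cap), len < cap ? cap - len : 0,
                                "%s%s", n ? " " : "", kRights[i].name);
        n++;
    }
    return n;
}

/* Append an ACCESS_ALLOWED/DENIED ACE (4-byte header, mask, SID) to a
 * self-relative ACL, keeping AclSize and AceCount in the ACL header current. */
static int add_ace(uint8_t *acl, size_t cap, uint8_t type, uint32_t mask,
                   uint8_t authority, const uint32_t *subs, int n) {
    size_t off = rd16(acl + 2), ace_size = 8 + 8 + 4 * (size_t)n;
    if (off + ace_size > cap) return 0;
    acl[off] = type; acl[off + 1] = 0;           /* AceType, AceFlags */
    wr16(acl + off + 2, (uint32_t)ace_size);     /* AceSize  */
    wr32(acl + off + 4, mask);                   /* Mask     */
    make_sid(acl + off + 8, authority, subs, n); /* SidStart */
    wr16(acl + 2, (uint32_t)(off + ace_size));   /* AclSize  */
    wr16(acl + 4, rd16(acl + 4) + 1);            /* AceCount */
    return 1;
}

/* Constructed DACL mirroring the page's sample listing (deny ACE first, as
 * canonical order requires). Returns the ACL's byte length. */
size_t build_sample_dacl(uint8_t *acl, size_t cap) {
    static const uint32_t user[] = {21, 1275210071u, 1844237615u, 725345543u, 1002};
    static const uint32_t admins[] = {32, 544}, everyone[] = {0};
    if (cap < 8) return 0;
    memset(acl, 0, cap);
    acl[0] = 2; wr16(acl + 2, 8);                /* ACL_REVISION, header-only size */
    add_ace(acl, cap, ACE_DENY,  0x00000116u, 5, user, 5);     /* write-type bits */
    add_ace(acl, cap, ACE_ALLOW, 0x001701FFu, 5, admins, 2);   /* everything but WRITE_OWNER */
    add_ace(acl, cap, ACE_ALLOW, 0x001E00E9u, 1, everyone, 1); /* read + WRITE_DAC/WRITE_OWNER */
    return rd16(acl + 2);
}

int dacl_ace_count(const uint8_t *acl) { return (int)rd16(acl + 4); }

/* Steps 3-7: iterate the ACEs as GetAclInformation()/GetAce() would, print
 * them, and return 1 if an allow ACE for watch_sid grants WRITE_DAC or
 * WRITE_OWNER (that principal can rewrite the DACL), 0 if not, -1 if malformed. */
int walk_dacl(const uint8_t *acl, size_t len, const char *watch_sid, FILE *out) {
    if (len < 8 || rd16(acl + 2) > len) return -1;
    size_t acl_size = rd16(acl + 2), off = 8;
    unsigned count = rd16(acl + 4);
    int risky = 0;
    for (unsigned i = 0; i < count; i++) {
        const uint8_t *ace = acl + off;
        if (off + 16 > acl_size) return -1;      /* header + mask + smallest SID */
        size_t ace_size = rd16(ace + 2), sid_len = 8 + 4 * (size_t)ace[9];
        if (ace_size < 8 + sid_len || off + ace_size > acl_size) return -1;
        uint32_t mask = rd32(ace + 4);
        char sid[96], names[512];
        sid_to_string(ace + 8, sid, sizeof sid);
        decode_mask(mask, names, sizeof names);
        if (out) fprintf(out, "%s\n\t%s\t%s\n", sid, ace[0] == ACE_DENY ? "Deny" : "Allow", names);
        if (ace[0] == ACE_ALLOW && watch_sid && strcmp(sid, watch_sid) == 0 &&
            (mask & (WRITE_DAC | WRITE_OWNER)))
            risky = 1;
        off += ace_size;
    }
    return risky;
}

int main(void) {
    uint8_t acl[128];
    size_t len = build_sample_dacl(acl, sizeof acl);
    int risky = walk_dacl(acl, len, "S-1-1-0", stdout);
    printf("Everyone can rewrite this DACL: %s\n", risky ? "yes" : "no");
    return risky < 0;
}
```

On a real Windows 2000 system the bytes that walk_dacl() consumes are exactly what GetFileSecurity() and GetSecurityDescriptorDacl() hand back for a file, so the traversal and the WRITE_DAC/WRITE_OWNER check carry over unchanged; only the construction helpers are stand-ins for reading the descriptor. The size checks on AclSize, AceSize and the SID's sub-authority count matter whenever the ACL comes from outside the process, since a short or inconsistent header would otherwise send the loop past the buffer.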

Sample usage:

E:\dev>viewacls c:\testfile.txt
2KPRO\testuser
S-1-5-21-1275210071-1844237615-725345543-1002
        Deny    FILE_WRITE_DATA
        Deny    FILE_APPEND_DATA
        Deny    FILE_WRITE_EA
        Deny    FILE_WRITE_ATTRIBUTES
BUILTIN\Administrators
S-1-5-32-544
        Allow   FILE_READ_DATA
        Allow   FILE_WRITE_DATA
        Allow   FILE_APPEND_DATA
        Allow   FILE_READ_EA
        Allow   FILE_WRITE_EA
        Allow   FILE_EXECUTE
        Allow   FILE_READ_ATTRIBUTES
        Allow   FILE_WRITE_ATTRIBUTES
        Allow   FILE_DELETE
        Allow   DELETE
        Allow   READ_CONTROL
        Allow   WRITE_DAC
        Allow   SYNCHRONIZE
Everyone
S-1-1-0
        Allow   FILE_READ_DATA
        Allow   FILE_READ_EA
        Allow   FILE_EXECUTE
        Allow   FILE_READ_ATTRIBUTES
        Allow   FILE_DELETE
        Allow   READ_CONTROL
        Allow   WRITE_DAC
        Allow   WRITE_OWNER
        Allow   SYNCHRONIZE