This is a program that can display/edit the security descriptor of a
file/folder/drive. Although intended for users of Windows XP Home Edition,
it works in Windows 2000, XP Home, XP Professional, XP Media Center and
Server 2003. I'm using the software on a Windows XP Professional machine.
I will not support Windows NT 4.0, even if you installed SP6a and the SCE.
The program will probably never work in Win9x (since Win9x doesn't support
security or NTFS).
Once you have run the setup, the program is ready to use. If you
enabled the shell integration, Filepermsbox should now appear in the
file properties for the security tab.
Click on the Filepermsbox tab, and then press the button at the bottom.
The coveted security tab is now shown. What you do now depends on how much
you know about the security tab.
If you integrated Filepermsbox into the shell, you should have a new
property sheet. Right click a file and click on Properties to bring up the
property sheet. Select the tab in properties, and Filepermsbox will now
become active. Filepermsbox will display the security descriptor for the
selected file (in SDDL syntax). If you need to know the format of SDDL,
take a look at the following MSDN article:
(The url above may wrap, and may be changed when Microsoft reorganise their
website, so do a search for SDDL).
At the bottom are two controls: a checkbox and a button. If you uncheck the
read only check-box, the security descriptor will then become editable
(think of it as a safety latch). The button (labelled Read or Edit) will
display the security tab for the object.
If you didn't install the shell extension, you'll need to use the frontend
program. This frontend program is located in the program directory.
The frontend itself is rather simple, just select your file/folder/drive,
and the security tab for that file/folder/drive is shown.
That's the easy bit of the program. The hard bit of the program is using
the security tab itself. The XP Help & Support Center has some information
on how to use the security tab, but for advanced users.
By default, you can only read the security descriptor of the file. To
change the security descriptor, you'll have to uncheck the read-only box
If you end up in a situation where you are locked from a folder, reboot to
safe mode, enter the security tab (using the shell), and reset the
If you are an advanced user of Windows, you may have noticed that if you
select multiple objects, then you can edit the security for all those
objects in one go. It can even fix the security if they have different
Filepermsbox also supports multiple objects, but only if they are of the
same type (just like Windows).
The objects must reside in the same folder (Windows doesn't have this
and must be on NTFS partitions (just like Windows). Windows displays a
message if the ACLs on the objects are disordered (Filepermsbox doesn't
care about ordering).
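The SDDL text shown in the Filepermsbox tab, and the ACE ordering that
Windows complains about, can both be examined with a short script. The
Python sketch below is an added example, not part of Filepermsbox: the
sample descriptor is constructed, the function names parse_sddl and
order_problems are hypothetical, and only plain (non-conditional) ACEs are
handled.

```python
import re

# Constructed sample: owner Administrators (BA), group SYSTEM (SY),
# auto-inherited DACL (AI) with two explicit and two inherited (ID) ACEs.
SAMPLE = ("O:BAG:SYD:AI(D;;FW;;;BG)(A;;FA;;;BA)"
          "(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)")

ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group and DACL/SACL ACE lists."""
    sd = {"owner": None, "group": None}
    # Each component starts with O:, G:, D: or S: and runs to the next tag.
    for tag, body in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl):
        if tag == "O":
            sd["owner"] = body
        elif tag == "G":
            sd["group"] = body
        else:
            key = "dacl" if tag == "D" else "sacl"
            sd[key + "_flags"] = body.partition("(")[0]  # e.g. P, AI, AR
            sd[key] = [dict(zip(ACE_FIELDS, ace.split(";")))
                       for ace in re.findall(r"\(([^)]*)\)", body)]
    return sd

def order_problems(dacl):
    """Return indexes of explicit ACEs that are out of order.

    Checked: explicit ACEs come before inherited ones, and among explicit
    ACEs deny comes before allow. Inherited ACEs are not compared with each
    other, because SDDL does not record which ancestor each one came from.
    """
    bad, seen_inherited, seen_allow = [], False, False
    for i, ace in enumerate(dacl):
        deny = ace["type"] in ("D", "OD", "XD")
        if "ID" in re.findall("..", ace["flags"]):  # flags are 2-letter codes
            seen_inherited = True
            continue
        if seen_inherited or (deny and seen_allow):
            bad.append(i)
        if not deny:
            seen_allow = True
    return bad

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE)
    print(sd["owner"], sd["group"], sd["dacl_flags"], order_problems(sd["dacl"]))
```
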
If the objects selected do not have the same security descriptor, Windows
asks you if you want to reset the security descriptors for the objects.
Filepermsbox also asks you this question, but resets the security in a
different way: Windows sets the security to that of the first object
you've selected, whereas Filepermsbox resets all objects to a default
security.
When you update multiple objects, Windows displays its progress in a
window. Filepermsbox does not display its progress, therefore it may appear
to hang when you update the security descriptor for these objects.
If you are denied access to the object (thanks to the ACLs) then the
Filepermsbox tab may not appear. To resolve this, you'll need to take
ownership of the object using another program.
How Does It Work?
Windows XP has always had the security tab to edit the ACLs of your files
(try editing the registry security if you don't believe me). For a reason
only known by Microsoft, they simply disabled the tab in XP Home Edition
(Windows checks if you're on XP Home or on Pro, then disables the tab if
you are on Home).
The problem is not with the ACL Editor itself. You can use the ACL Editor
to edit the security of a registry key (Regedit), kernel object (Process
Explorer), Service (QueryServiceConfig), or even a fictitious object. It's
just that the file security program was deliberately disabled (rshx32.dll).
Filepermsbox works almost exactly like QueryServiceConfig. But instead of
editing the security descriptor of a service, you are editing the security
of a file. However, because Windows 2000 supports inheritance for files, it
is more complex than the Service objects (which do not support
- Command Line support is rather limited (this is a GUI program, it doesn't
support console I/O). You should use programs like subinacl, setacl or
xcacls if you require command line scripting. Use /? for available
- The security tab doesn't work on unmapped network drives. You must map
the drives first.
- The access rights with Filepermsbox are different to what Windows gives
you. For example, Windows gives you "Read and Execute", whereas
Filepermsbox gives you "Read" and "Execute".
- Filepermsbox includes a default button, which resets the entire security
descriptor to an auto-inherited descriptor. Do not use this button to
reset the security for system folders (like Windows or Program Files).
These folders have special permissions, and using the default button
will trash these permissions. This will open up a security hole that
will require a reinstall to close. (If this problem gets bad enough, I may
add code to handle the system folders specially).
v1.11: -Fixed emergency bug where I treated files as folders and folders
-64-bit shell extension DLLs are now available (untested).
-Uses new CRT dlls.
v1.10: -The privilege code has been rewritten. This fixes the leaked
privilege bug. The privilege is now only enabled for very short
periods, and is no longer process wide.
-The progress dialog code has been rewritten to be more responsive,
more accurate, and more stable.
-The sledgehammer algorithm has been rewritten. Win2k should be
much more stable.
-Updated the code to compile with VS2005.
-Started a developer API (you'll have to wait for .NET v2.0 to be
-The code no longer crashes if you have invalid filenames.
-Remote files now have their SIDs translated properly.
-Started to generalize the app (so it doesn't only work for files).
v1.09: -Upgraded the program from beta to production (not stable).
-Filepermsbox no longer walks down NTFS directory junctions.
-The shell extension no longer works for NTFS directory junctions.
You can still use the frontend to edit the security.
v1.08: -The About button now gets disabled whenever the ACL editor becomes
-Fixed the tab orders and keyboard shortcuts.
-A static url control for the homepage link is now used in the
-Added a progress dialog during long security write operations.
-Removed a dialog page.
-Fixed a subtle bug where the shell DLL would complain about
mismatched security descriptors even though you selected only one
-Fixed a buffer overflow in the "Inherited From" column.
v1.07: -Added a zapper utility program to remove ghost setup entries from
-Added an about button.
-An hourglass is now displayed during long operations.
-The replace button bug has been patched in XP.
-Fixed a potential case where the system security of the object
could not be updated.
-Added some multithreading safety code to the shell extension
(rather pointless, since the DLL only runs in one thread anyway).
-The shell extension now refuses to install or run under Win9x
(previously, it wouldn't install, but you could still run it
if you force installed it). Use the frontend instead (if it works).
v1.06: -Added a setup. /Silent and non-admin support is untested.
-Rewrote parts of the Shell DLL to facilitate setup.
-Added Regsvr32 /i support. Start the frontend with /? to see
what you can do with this.
-Updated the docs to reflect the new setup procedure.
v1.05: -Fixed a bug that prevented the Frontend from working.
-Added ** wildcard support.
-Fixed the root folder title bug.
-Documented source code and performed a minor code review.
-Increased the version number.
-If this version is bug free, I will start work on the setup
v1.04: -Added Multiple File support.
-You can use the * wildcard in the frontend to edit more than one
-The shell extension can now edit the security of more than one
-The shell extension now warns when you open 2 files with different
-Added some Memory Leak detection routines (C/C++ debug builds
v1.03: -Filepermsbox is now a shell extension DLL.
-Added DLL registration code (doesn't work silently).
-Moved the Frontend code into a separate program.
-Added skeleton framework code to handle multiple files/folders.
-The Effective Permissions tab is now working (Microsoft forgot to
document this one).
v1.02: -Added Inherit source ("Inherited From" no longer says Parent
Object, but tells you where the ACE came from).
-Added some untested "Effective Permissions" code.
-Fixed regression where inheritance could not be removed from a
-Separated core code from the frontend.
-Added some multithreaded safety features.
v1.01: -Corrected bug where changing the security meant replacing ACLs
instead of merging it.
v1.00: -Filepermsbox is a program that can view the ACLs of a file system
-QueryServiceConfig has been modified to be able to work with
If you want an old version, contact me via e-mail