Click here to Skip to main content
13,291,503 members (69,292 online)
Click here to Skip to main content


98 bookmarked
Posted 27 Jun 2005

The Windows Access Control Model Part 4

, 7 Sep 2005
The final article in the access control series presents a guide to the access control editor and its associated ISecurityInformation interface.
Filepermsbox v1.11

This is a progam that can display/edit the security descriptor of a
file/folder/drive. Although intended for users of Windows XP Home Edition,
it works in Windows 2000, XP Home, XP Professional, XP Media Center and
Server 2003. I'm using the software on a Windows XP Professional machine.

I will not support Windows NT 4.0, even if you installed SP6a and the SCE.
The program will probably never work in Win9x (since Win9x doesn't support
security or NTFS).


Once you have run the setup, the program should now be ready to use. If you
enabled the shell integration, Filepermsbox should now be appearing in the
file properties for the security tab.

Click on Filepermsbox tab, and then press the button at the bottom.
The coveted security tab is now shown. What you do now depends on how much
you know about the security tab.


If you integrated Filepermsbox into the shell, you should have a new
property sheet. Right click a file and click on Properties to bring up the
property sheet. Select the tab in properties, and Filepermsbox will now
become active. Filepermsbox will display the security descriptor for the
selected file (in SDDL syntax). If you need to know the format of SDDL,
take a look at the following MSDN article:
(The url above may wrap, and may be changed when Microsoft reorganise their
website, so do a search for SDDL).

At the bottom are two controls: a checkbox and a button. If you uncheck the
read only check-box, the security descriptor will then become editable
(think of it as a safety latch). The button (labelled Read or Edit) will
display the security tab for the object.

If you didn't install the shell extension, you'll need to use the frontend
program. This frontend program is located in the program directory.

The frontend itself is rather simple, just select your file/folder/drive,
and the security tab for that file/folder/drive is shown.

That's the easy bit of the program. The hard bit of the program is using
the security tab itself. The XP Help & Support Center has some information
on how to use the security tab, but for advanced users.


By default, you can only read the security descriptor of the file. To
change the security descriptor, you'll have to uncheck the read-only box
(not recommended).

If you end up in a situation where you are locked from a folder, reboot to
safe mode, enter the security tab (using the shell), and reset the
permissions there.

If you are an advanced user of Windows, you may have noticed that if you
select multiple objects, then you can edit the security for all those
objects in one go. It can even fix the security if they have different
security descriptors.

Filepermsbox also supports multiple objects, but only if they are of the
same type (just like windows).
The objects must reside in the same folder (windows doesn't have this
and must be on NTFS partitions (just like windows). Windows dislays a
message if the ACLs on the objects are disordered (Filepermsbox doesn't
care about ordering).
If the objects selected do not have the same security descriptor, Windows
asks you if you want to reset the security descriptors for the objects.
FilePermsbox also asks you this question, but resets the security in a
different way (Windows sets the security to the first object you've
selected), Filepermsbox resets all objects to a default security.

When you update multiple objects, Windows displays its progress in a
window. Filepermsbox does not display its progress, therefore it may appear
hanged when you update the security descriptor for these objects.

If you are denied access to the object (thanks to the ACLs) then the
Filepermsbox tab may not appear. To resolve this, you'll need to take
ownership of the object using another program.

How Does It Work?

Windows XP has always had the security tab to edit the ACLs of your files
(try editing the registry security if you don't believe me). For a reason
only known by Microsoft, they simply disabled the tab in XP Home Edition
(Windows checks if you're on XP Home or on Pro, then disables the tab if
you are on Home).

The problem is not with the ACL Editor itself. You can use the ACL Editor
to edit the security of a registry key (Regedit), kernel object (Process
Explorer), Service (QueryServiceConfig), or even a fictitious object. It's
just that the file security program was deliberately disabled (rshx32.dll).

Filepermsbox works almost exactly like QueryServiceConfig. But instead of
editing the security descriptor of a service, you are editing the security
of a file. However, because Windows 2000 supports inheritance for files, it
is more complex than the Service objects (which do not support


- Command Line support is rather limited (this is a GUI program, it doesn't
  support console I/O). You should use programs like subinacl, setacl or
  xcacls if you require command line scripting. Use /? for available
- The security tab doesn't work on unmapped network drives. You must map
  the drives first.
- The access rights with Filepermsbox are different to what Windows gives
  you. For example, Windows gives you "Read and Execute", Filepermsbox
  gives you "Read" and "Execute").
- Filepermsbox includes a default button, which resets the entire security
  descriptor to an auto-inherited descriptor. Do not use this button to
  reset the security for System folders (like Windows or program files).
  These folders have special permissions, and using the default button
  will trash these permissions. This will open up a security hole, that
  will require a reinstall to close. (If this problem gets bad enough, I may
  add code to handle the system folders specially).


v1.11:	-Fixed emergency bug where I treated files as folders and folders
         as files.
        -64-bit shell extension DLLs are now available (untested).
        -Uses new CRT dlls.

v1.10:  -The privilege code has been rewritten. This fixes the leaked
         privilege bug. The privilege is now only enabled for very short
         periods, and is no longer process wide.
        -The progress dialog code has been rewritten to be more responsive
         more accurate, and more stable.
        -The sledgehammer algorithm has been rewritten. Win2k should be
         much more stable.
        -Updated the code to compile with VS2005.
        -Started a developer API (you'll have to wait for .NET v2.0 to be
         released however).
        -The code no longer crashes if you have invalid filenames.
        -Remote files now have their SIDs translated properly.
        -Started to generalize the app (so it doesn't only work for files).

v1.09:  -Upgraded the program from beta to production (not stable).
        -Filepermsbox no longer walks down NTFS directory junctions.
        -The shell extension no longer works for NTFS directory junctions.
         You can still use the frontend to edit the security.
        -Code cleanup.

v1.08:  -The About button now gets disabled whenever the ACL editor becomes
        -Fixed the tab orders and keyboard shortcuts.
        -A static url control for the homepage link is now used in the
         About box.
        -Added a progress dialog during long security write operations.
        -Removed a dialog page.
        -Fixed a subtle bug where the shell DLL would complain about
         mismatched security descriptors even though you selected only one
        -Fixed a buffer overflow in the "Inherited From" column.

v1.07:  -Added a zapper utility program to remove ghost setup entries from
         the system.
        -Added an about button.
        -An hourglass is now displayed during long operations.
        -The replace button bug has been patched in XP.
        -Fixed a potential case where the system security of the object
         could not be updated.
        -Added some multithreading safety code to the shell extension
         (rather pointless, since the DLL only runs in one thread anyway).
        -The shell extension now refuses to install Or run under Win9x
         (previously, it wouldn't install, but you could still run it
         if you force installed it). Use the frontend instead (if it works).

v1.06:  -Added a setup. /Silent and non-admin support is untested.
        -Rewrote parts of the Shell DLL to facilitate setup.
        -Added Regsvr32 /i support. Start the frontend with /? to see
         what you can do with this.
        -Updated the docs to reflect the new setup procedure.

v1.05:  -Fixed a bug that prevented the Frontend from working.
        -Added ** wildcard support.
        -Fixed the root folder title bug.
        -Documented source code and performed a minor code review.
        -Increased the version number.
        -If this version is bug free, I will start work on the setup

v1.04:  -Added Multiple File support.
        -You can use the * wildcard in the frontend to edit more than one
        -The shell extension can now edit the security of more than one
        -The shell extension now warns when you open 2 files with different
         security descriptors.
        -Added some Memory Leak detection routines (C/C++ debug builds

v1.03:  -Filepermsbox is now a shell extension DLL.
        -Added DLL registration code (doesn't work silently).
        -Moved the Frontend code into a separate program.
        -Added skeleton framework code to handle multiple files/folders.
        -The Effective Permissions tab is now working (Microsoft forgot to
         document this one).

v1.02:  -Added Inherit source ("Inherited From" no longer says Parent
         Object, but tells you where the ACE came from).
        -Added some untested "Effective Permissions" code.
        -Fixed regression where inheritance could not be removed from a
        -Separated core code from the frontend.
        -Added some multithreaded safety features.

v1.01:  -Corrected bug where changing the security meant replacing ACLs
         instead of merging it.

v1.00:  -Filepermsbox is a program that can view the ACLs of a file system
        -QueryServiceConfig has been modified to be able to work with

If you want an old version, contact me via e-mail

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.


This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here


About the Author

Web Developer
United States United States
Mr. Shah is a reclusive C++/C# developer lurking somewhere in the depths of the city of London. He learnt physics at Kings' College London and obtained a Master in Science there. Having earned an MCAD, he teeters on the brink of transitioning from C++ to C#, unsure of which language to jump to. Fortunately, he also knows how to use .NET interop to merge code between the two languages (which means he won't have to make the choice anytime soon).

His interests (apart from programming) are walking, football (the real one!), philosophy, history, retro-gaming, strategy gaming, and any good game in general.

He maintains a website / blog / FAQ / junk at, where he places the best answers he's written to the questions you've asked. If you can find him, maybe you can hire Mr. Shah to help you with anything C++[/CLI]/C#/.NET related Smile | :) .

You may also be interested in...

Permalink | Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.171207.1 | Last Updated 7 Sep 2005
Article Copyright 2005 by oshah
Everything else Copyright © CodeProject, 1999-2017
Layout: fixed | fluid