Icacls - DOS/Command Prompt Reference
The Icacls program is utilized for displaying and modifying Access Control Lists (ACL) for files or directories. It is used for the purpose of managing access rights, audit settings, and other configurations from the command line.
* Executing commands to change permissions or ownership requires having the permissions for the modification operations on each target file/directory.
Syntax
icacls[.exe] <name> /save <acl-file> [/T] [/C] [/L] [/Q]
icacls[.exe] <directory> /restore <acl-file> [/substitute <old-sid> <new-sid> [...]] [/C] [/L] [/Q]
icacls[.exe] <name> /setowner <user> [/T] [/C] [/L] [/Q]
icacls[.exe] <name> /findsid <sid> [/T] [/C] [/L] [/Q]
icacls[.exe] <name> /verify [/T] [/C] [/L] [/Q]
icacls[.exe] <name> /reset [/T] [/C] [/L] [/Q]
icacls[.exe] <name> [/grant[:r] <sid>:<perm>[...]] [/deny <sid>:<perm>[...]] [/remove[:g|:d] <sid>[...]] [/setintegritylevel [(CI)][(IO)][(OI)][(NP)]<level>[...]] [/inheritance:<e|d|r>] [/T] [/C] [/L] [/Q]
Options
- Common options
<name> or <directory> Specifies the target file name or directory name for the operation (Wildcards can be used, but for /restore only the directory name can be used (see below)).
* Even when specifying an alternate data stream, operations are performed on the original file name.
/T Includes all files and subdirectories within the directory as part of the target if <name> is a directory. /C Continues without interruption even if an error occurs during the operation. /L If the target is a symbolic link, the operation applies to the link itself rather than the files/directories they point to.
* This option has no effect on junction points or hard links.
/Q Suppresses messages during the operation.
* The completion message will be displayed, but it appears that the file count within that message is shown as 0 (which may be differ from the actual number of processed items).
- /save <acl-file>
- Saves the information of the Access Control List (ACL) to the specified file.
<name> If specifying a directory, ending the path with ‘\’ will result in saving the file with a relative path based on that directory when storing information. <acl-file> Specifies the file name to save (output) the information of the ACL. A text file using SDDL (Security Descriptor Definition Language) will be generated.
※ The file is saved in UTF-16 (LE) format with a BOM.
- /restore <acl-file>
- Applies (restores) the Access Control List (ACL) information saved in the specified file to the files within the directory. The ACL information previously set on the files before restoration will be replaced.
<directory> For /restore only the directory name can be specified in place of <directory>. This directory is treated as the parent directory for each file described (expressed in relative paths) within the <acl-file> file.
* Individual files/directories cannot be specified here to restore information. In that case, you should modify the data within <acl-file> to include only the information for the individual file/directory. and specify the parent directory as <directory>.
* If you cannot specify the parent directory to <directory> when restoring information for an individual directory (such as when it is the root directory), set the file name part in <acl-file> to ‘.’, and specify the target directory itself to <directory>.<acl-file> Specifies the file name (input file) that holds the information to restore the ACL. Specifies the text file that uses the SDDL (Security Descriptor Definition Language).
* The file needs to be in UTF-16 (LE) format (it seems that BOM is not required).
/substitute <old-sid> <new-sid> [...] During restoration, if the information to be restored includes the user/identifier indicated by <old-sid> , it will be replaced with the user/identifier specified by <new-sid>. Both <old-sid> and <new-sid> must be specified in the format ‘domain-name\user-name’ (‘domain-name\’ can be omitted) or in the form ‘*S-1-...’ by combining the ‘*’ character and the SID string.
‘/substitute <old-sid> <new-sid>’ can be specified multiple times.
* The placeholder names are ‘old-sid’ and ‘new-sid’, but if you are directly specifying the SID, you must prefix it with the ‘*’ character.
* If the permissions of the user/identifier indicated by <old-sid> are inherited from a parent object, the inheritance remains intact, and the permissions are copied as they are assigned to the user/identifier indicated by <new-sid>. In that case, the permissions for <old-sid> will remain as they are, preserving the inheritance state.- /setowner <user>
- Changes the owner of the file/directory. (Unlike Takeown, it can be set for users other than the current user, but forced changes are not possible.)
<user> Specifies the username/identifier of the new owner. <user> will be the format ‘domain-name\user-name’ (‘domain-name\’ can be omitted), but you can also combine the ‘*’ character with the SID string like ‘*S-1-...’. - /findsid <sid>
- Searches for files where permissions are explicitly defined for the user/identifier specified by <sid>. If a wildcard is used in <name> or the /T option is used, the search will include multiple corresponding files/directories.
<sid> Specifies the user.<user> will be the format ‘domain-name\user-name’ (‘domain-name\’ can be omitted), or the form ‘*S-1-...’ by combining the ‘*’ character and the SID string.
* The placeholder name is ‘sid’, but if you are directly specifying the SID, you must prefix it with the ‘*’ character.
- /verify
- Verifies the ACL. It checks whether there are any issues with the state of the ACL, such as due to filesystem corruption.
- * While Chkdsk performs checks on security identifiers, it does not check the ACL itself. Therefore, Icacls is necessary for checking the state of ACLs.
- /reset
- Removes individually set ACLs and applies only the inherited ones.
- [/grant[:r]] [/deny] [/remove] [/setintegritylevel] [/inheritance]
- Sets permissions for the target file. If none of the options such as /grant, /deny, /remove, /setintegritylevel, or /inheritance is specified, Icacls will display (output to the screen) the permissions set on the target file.
- * In cases where permission settings for the same user/identifier overlap with options ‘/grant’ and ‘/deny’, the overlapping portion is prioritized based on the options specified later.
/grant[:r] <sid>:<perm>[...] Grants permissions (allow permissions, Allow ACE) to the specified user/identifier. When ‘/grant:r’ option is specified, existing permissions for the specified user/identifier are replaced. If ‘/grant’ option is used, permissions are added without replacing existing ones.
For ‘<sid>’, specifies the string representing the target user/identifier in the form ‘domain-name\user-name’ (‘domain-name\’ can be omitted) or in the form ‘*S-1-...’ (combining the ‘*’ character with the SID string).
For ‘<perm>’, specifies the desired permission as a string. For the format of this string, please see Strings for ‘perm’ below.
‘/grant’ can be specified multiple times. (If you want to grant permissions to multiple user/identifier pairs, include a corresponding number of ‘/grant’ options.)
Note that there must be no space between <sid> and <perm> and a colon (‘:’) serves as the delimiter (in the form ‘User:perm’).
/deny <sid>:<perm>[...] Grants ‘deny’ permissions (explicit deny ACE) to the specified user/identifier. The format ‘<sid>:<perm>’ is same for /grant, and it is also possible to specify multiple /deny entries.
When using /deny to grant ‘deny’ permissions, any existing ‘allow’ permissions for the same rights are removed.
/remove[:g|:d] <sid>[...] Removes all permission settings for the specified user/identifier. If specified with ‘/remove:g’, it removes all ‘allow’ permissions. If specified with ‘/remove:d’, it removes all ‘deny’ permissions. Simply using ‘/remove’ without specifying ‘g’ or ‘d’ removes both types of permissions.
The value specified for ‘<sid>’ is the same as in /grant or /deny.
/setintegritylevel [(CI)][(IO)][(OI)][(NP)]<level> Sets the ‘Integrity Level’ for the file. Specifies either ‘Low’, ‘Medium’, ‘High’, or their respective initials for <level>. Note that setting the integrity level with Icacls on the command line is limited to ‘NW’ (SYSTEM_MANDATORY_LABEL_NO_WRITE_UP), and it cannot be unset (it won't be removed with /reset or /restore).
If <name> is a directory, you can specify one or more of ‘(CI)’, ‘(IO)’, ‘(OI)’, ‘(NP)’ just before ‘<level>’ (The specifications like ‘(CI)’, ‘(IO)’, etc., can be specified similarly to the ‘Strings for "perm"’)。
* The Icacls help mentions ‘<level>:<policy>’, but currently, only <level> is used, and if it starts with ‘L’, ‘M’, or ‘H’, any characters after that, excluding spaces, are ignored.
* While ‘/setintegritylevel’ can be specified multiple times, only the last specification takes effect.
* To remove it, you need to recreate the file/directory or use a tool that handles integrity levels./inheritance:<e|d|r> Configures inheritance for permission data (ACE data). After ‘:’ specify either e, d, or r, and their meanings are as follows:
/inheritance:e Inherits permissions from the parent object. /inheritance:d Does not inherit permissions from the parent object. Instead, copies the permissions from the parent and assigns them to oneself. /inheritance:r Does not inherit permissions from the parent object and removes them. Permissions already individually assigned remain unchanged regardless of their similarity.
Details
In the security system of Windows, the abstract concept of ‘Objects’ is associated with a ‘security descriptor’, within which resides an ‘Access Control List’ (ACL) containing multiple ‘Access Control Entries’ (ACE). The ACL consists of two types within the security descriptor: the ‘Discretionary ACL (DACL)’ and the ‘System ACL (SACL)’. Typically, access control and similar operations are managed by appropriately configuring the DACL.
Files and directories correspond to the ‘objects’ in this system, each having a security descriptor, ACL, and ACE. By configuring ACLs for files and directories, permissions such as read, write, and execute are controlled. The Icacls program is provided as a command-line tool to manipulate ACLs (DACL) control for these files and directories.
* Additionally, the registry is also included as an ‘object’, and processes and threads are treated as ‘objects’ during creation and execution, distinct from files.
* Until Windows XP, the Cacls program was provided, but currently, the use of the Icacls program is recommended (although Cacls can still be used).
Strings for ‘perm’
In the ‘/grant’, ‘/deny’, and ‘/remove’ options, ‘<perm>’ can specify simple permissions or provide detailed permissions within ‘( )’ separated by commas. For directories, you can also combine permissions related to inheritance.
- Simple permissions
- Specifies the following characters either individually or concatenated (such as ‘RWRX’). However, ‘N’ must be specified individually.
N No access rights F Full control M Change R Read (only) RX Read and Execute W Write (only) D Delete - * Since there is no specific permission characters to allow access rights changes, except for Full control, when dealing with permission changes, you need to use the following detailed permission settings.
- Detailed permissions
- Specifies the following characters individually or separated by commas, and enclose the entire set in parentheses ‘( )’ for specification (e.g. ‘(RD,WD,AD)’).
RD Read data, or list the items (retrieve/enumerate) within a directory RA Read attributes REA Read extended attributes RC Read access rights GR General ‘Read’ permission (a combination of RD, RA, RC, and REA) WD Write data, or add a file to a directory AD Append data, or add a subdirectory to a directory WA Write (modify) attributes WEA Write (modify) extended attributes GW General ‘Write’ permission (a combination of WD, AD, WA, and WEA) X Execute a file, or scan (traverse) a directory GE General ‘Execute’ permission (a combination of RA, RC, and X) DE Delete DC Delete children WO Write (modify) an owner WDAC Write (modify) DAC(access control setting) GA General full access rights (Full control) AS Modify System ACL (SACL) (Access System Security) S Use for synchronization (e.g. waiting functions) MA Maximum allowed permissions (Maximum Allowed) - * The modification of attributes that can be changed with Attrib is controlled by ‘WA’, but however, even without ‘RA’, obtaining these attributes is still possible.
* Many applications require ‘GW’ (GENERIC_WRITE; WD + AD + WA + WEA) for file writing. In such cases, if any of WD, AD, WA, WEA is missing, writing will not be possible.
* The ‘Scan (traverse) a directory’ permission is set to be ignored by default user permissions.
* The specification of ‘MA’ (Maximum Allowed) is used when requesting access permissions and does not have any meaning when specified as access rights for files, directories, etc.(ref: [MS-DTYP]: ACCESS_MASK)
* ‘AS’ (Access System Security) does not have any effect on files or directories. - Permissions related to inheritance
- If the target is a directory, you can additionally specify whether the specified permissions can be inherited by children. Specifies one or more followings, enclosed in parentheses ‘( )’, before the simple or detailed permissions mentioned above. (e.g. ‘(OI)(CI)F’, ‘(OI)(IO)(GR,GE)’)
(OI) Inherit to child objects (files) (CI) Inherit to child containers (subdirectories or subfolders) (IO) Perform inheritance only, without granting permissions to itself (NP) Inherit to immediate objects (files) or containers (subdirectories/subfolders), but do not inherit to objects or containers further down (grandchildren) - * The specification of ‘(NP)’ corresponds to the setting in the Explorer's file security advanced settings (Access Control Entry): ‘Apply these permissions to objects and/or containers within this container only’.
* ‘(I)’ (Inherit from parent) is indicated when displaying the current state, but it cannot be included in the configuration parameters (use ‘/inheritance’ instead).
Security Descriptor Definition Language (SDDL)
The Security Descriptor Definition Language (SDDL) is a language that defines security descriptors, including information such as access rights, as strings. (The string format is referred to as the ‘Security Descriptor String Format’.) For the /save and /restore options in Icacls, the file specified must follow a pattern where odd-numbered lines contain the file (or directory) names, and even-numbered lines contain the corresponding security descriptors in SDDL format.
For an overview of SDDL, you can refer to Microsoft Learn's ‘Security Descriptor Definition Language’, and to understand the specific format of the strings, you can check Microsoft Learn's ‘Security Descriptor String Format’.
* Security Descriptor String Format is used in the input and output of Win32 API functions such as ConvertStringSecurityDescriptorToSecurityDescriptor function and ConvertSecurityDescriptorToStringSecurityDescriptor function.
Integrity level
Icacls allows limited setting of ‘Integrity Level’. Integrity Level is set using stages (Low, High, etc.) and combinations of permissions such as ‘NO_WRITE_UP’ or ‘NO_EXECUTE_UP’. When accessing permissions corresponding to the Integrity Level set to ‘High’, elevation of privileges through UAC may be required, and accessing permissions set to ‘Medium’ may be denied to users or processes in Protected Mode (equivalent to Low). This allows for a different form of permission management compared to regular permission settings. Also, programs set to ‘Low’ cannot write to files with integrity levels of ‘Medium’ or higher, or those that are not set. (This is used to prevent unintentional execution of programs, such as browsers, to enhance security).
* The ‘%USERPROFILE%\AppData\LocalLow’ directory has a Low integrity level, allowing write operations from programs with Low integrity levels. (This is useful in scenarios where programs with Low integrity levels need to write data, distinguishing it from the ‘%USERPROFILE%\AppData\Local’ directory.)
Samples
Sample 1
icacls MyFile.txt
Displays the access control information (entries stored in the ACL) for ‘MyFile.txt’ on the screen.
Sample 2
icacls . /reset /T /C /L /Q
Reset the ACLs of the current directory and its files/directories (including subdirectories) to inherit permissions from the parent directory. This command can be used to reset the permissions within a directory if unintended permissions are set. Additionally, /C option is added to continue the operation even if errors occur during the reset.
* If there are files or directories that do not have the permission to change access rights and are not owned by the current session user, resetting them will result in an error.
Sample 3
icacls PrivateSchedule /reset icacls PrivateSchedule /grant:r Luminas:F /grant:r BUILTIN\Administrators:F /inheritance:r
After resetting the ACL of ‘PrivateSchedule’, grant full control access to ‘Luminas’ and ‘BUILTIN\Administrators’ (System's built-in Administrators group) (No permissions are set for other users or groups). Also, configure not to inherit or apply permissions from the parent directory. In other words, users or groups other than those specified with ‘/grant’ will have no permissions.
* If you omit the first line of resetting, existing individual ACEs set for ‘PrivateSchedule’ will remain, and with the specification on the second line, unintended permissions may persist.
Sample 4
icacls ProtectedDir /setintegritylevel (OI)(CI)Low
start ProtectedDir\MyProgram.exe
Sets the integrity level of the ‘ProtectedDir’ directory to ‘Low’ (inheriting the configuration through ‘(OI)’ and ‘(CI)’). Programs in this directory and its subdirectories will run at the Low integrity level, so ‘ProtectedDir\MyProgram.exe’ will typically only have write access to files and directories with a Low integrity level.
* [Windows 8 or later] When Windows SmartScreen is enabled (enabled by default), a confirmation dialog will be displayed when running a program at the Low integrity level.
Sample 5
icacls MyDir\. /save MyDirAcls.dat
Saves the ACL data for the directory ‘MyDir’ to the file ‘MyDirAcls.dat’. To restore it, use the following command:
icacls MyDir /restore MyDirAcls.dat
* For ‘MyDir\.’ in the /save command, using ‘MyDir\’ instead will result in a blank space in the file ‘MyDirAcls.dat’ where the file or directory name is. This will cause a parsing error during /restore. Using ‘MyDir\.’ ensures that this part is not left blank but contains a period, allowing successful parsing with /restore.
The saving and restoring of ACL data can also be accomplished with the following command:
(save)
icacls MyDir /save MyDirAcls.dat
(restore)
icacls . /restore MyDirAcls.dat
* For ‘MyDir\.’ in the first sample of /save, using ‘MyDir’ instead will result that the entry in ‘MyDirAcls.dat’ will have ‘MyDir’ as the file or directory name. In this case, when using /restore, the directory to be specified is not ‘MyDir’ but its parent directory, denoted as ‘.’. This is because, during the file parsing process in /restore, the names of files and directories are treated relative to the directory specified in /restore.