Re: GetNamedSecurityInfo VS GetFileSecurity

From: Pavel Lebedinsky [MSFT]
Date: 06/30/05

Date: Wed, 29 Jun 2005 21:38:56 -0700

Get/SetFileSecurity (as well as RegSetKeySecurity) are older APIs
that are not aware of ACE inheritance (which was introduced in
Win2K). If you want to work with inherited ACEs you should use
SetSecurityInfo/SetNamedSecurityInfo or their Get counterparts.

This posting is provided "AS IS" with no warranties, and confers no

"Frederic P." wrote:
> I am trying to read the security on different files and folders but I am
> getting different results depending on the method I use to get the security
> descriptor:
> "GetFileSecurity", "GetKernelObjectSecurity", and "GetUserObjectSecurity"
> all return the same security descriptor which doesn't have any inherited aces
> in it (INHERITED_ACE is never set on any aces).
> On the other hand, if I use "GetNamedSecurityInfo", I get the expected
> results which is a security descriptor containing aces with the 
> flag set. Sometimes, even the number of aces are different.
> I can get the problem with newly created files/folders with default ACL or
> older files/folders (even c:\CONFIG.sys). Some files work, others don't???
> The freeware "SetAcl" also returns explicit aces when listing the security
> descriptor of the files so I don't think the problem is in my code (SetAcl
> uses "GetKernelObjectSecurity" to access the security descriptors).
> If I call "ConvertToAutoInheritPrivateObjectSecurity" on the files/folders
> with the problem, everything goes back to normal; all 4 methods return the
> same security descriptor.
> Questions:
> What is the difference behind "GetNamedSecurityInfo" and "GetFileSecurity"?
> Why am I getting only explicit aces on certain files/folders when using
> "GetFileSecurity"?
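
An added example, not part of the original thread: a small Python parser for a self-relative security descriptor that reports the INHERITED_ACE flag on each ACE and diffs two descriptors of the same object, which is the comparison described in the question. The two byte strings are constructed samples (not real API output), and `build_sd`, `parse_dacl` and `inheritance_diff` are hypothetical helper names.

```python
import struct

SE_DACL_PRESENT, SE_DACL_AUTO_INHERITED, SE_SELF_RELATIVE = 0x0004, 0x0400, 0x8000
INHERITED_ACE = 0x10  # ACE header flag: this ACE was inherited from a parent

def sid_to_str(b):
    # SID: revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities
    subs = struct.unpack_from("<%dI" % b[1], b, 8)
    return "S-%d-%d" % (b[0], int.from_bytes(b[2:8], "big")) + "".join("-%d" % s for s in subs)

def parse_dacl(sd):
    """Return (auto_inherited, [(ace_type, sid, mask, inherited), ...]) for a self-relative SD."""
    control, dacl_off = struct.unpack_from("<2xH12xI", sd, 0)  # Control at 2, OffsetDacl at 16
    if not control & SE_SELF_RELATIVE:
        raise ValueError("expected a self-relative security descriptor")
    auto = bool(control & SE_DACL_AUTO_INHERITED)
    if not control & SE_DACL_PRESENT or dacl_off == 0:
        return auto, []  # no DACL stored, or a NULL DACL
    acl_size, ace_count = struct.unpack_from("<2xHH", sd, dacl_off)
    pos, end, aces = dacl_off + 8, dacl_off + acl_size, []
    for _ in range(ace_count):
        ace_type, flags, size = struct.unpack_from("<BBH", sd, pos)
        if size < 4 or pos + size > min(end, len(sd)):
            raise ValueError("ACE at offset %d overruns the ACL" % pos)
        mask = sid = None
        if ace_type in (0, 1) and size >= 16:  # ACCESS_ALLOWED / ACCESS_DENIED: mask, then SID
            mask = struct.unpack_from("<I", sd, pos + 4)[0]
            sid = sid_to_str(sd[pos + 8:pos + size])
        aces.append((ace_type, sid, mask, bool(flags & INHERITED_ACE)))
        pos += size
    return auto, aces

def build_sd(control, aces):
    """Build a constructed sample: self-relative SD holding only a DACL of allow ACEs."""
    body = b"".join(struct.pack("<BBHI", 0, fl, 8 + len(s), m) + s for fl, m, s in aces)
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, control | SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

def inheritance_diff(sd_a, sd_b):
    """SIDs of ACEs present in both descriptors whose INHERITED_ACE bit differs."""
    a = {(t, s, m): inh for t, s, m, inh in parse_dacl(sd_a)[1]}
    b = {(t, s, m): inh for t, s, m, inh in parse_dacl(sd_b)[1]}
    return sorted(k[1] for k in a.keys() & b.keys() if a[k] != b[k] and k[1])

# Constructed samples: same two ACEs, without and with the inheritance markings.
SYSTEM, USERS = bytes.fromhex("010100000000000512000000"), bytes.fromhex("01020000000000052000000021020000")
RAW_VIEW = build_sd(0, [(0x00, 0x001F01FF, SYSTEM), (0x00, 0x001200A9, USERS)])
AWARE_VIEW = build_sd(SE_DACL_AUTO_INHERITED, [(0x10, 0x001F01FF, SYSTEM), (0x10, 0x001200A9, USERS)])
```

Setting SE_DACL_AUTO_INHERITED in `AWARE_VIEW` is an assumption made for the sample; the thread itself only mentions the INHERITED_ACE flag.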