Re: Utility to show ACL information?

From: OShah (
Date: 09/19/05

Date: Mon, 19 Sep 2005 04:16:16 -0700

Scott Bussinger <Scott> wrote in

> Can anyone suggest a tool (GUI or command line) that displays only the
> ACLs assigned specifically on an entire directory tree (i.e. not showing
> inherited items)?
> To explain, on my system "C:\Program Files" has (among other things) an
> ACL that allows administrators full control, power users modification
> control, and regular users read only access. What I'd like is a display
> showing that such and such an ACL is applied at this level and then
> changed here and amended there.
> We're writing some code that manipulates ACLs and would like an easier
> way to verify the results. Utilities like CACLS show you the effective
> details for any file/folder but I'd like to see a higher level report on
> the file access configuration. Surely someone must have written a
> utility (or there's a way to coerce some other tool) to show this?
> Thanks for any ideas!

The utility you are looking for could be AccessEnum from .

Though I suppose you can also pipe the output from cacls/subinacl/setacl
to findstr (or fc) to find discrepancies.

subinacl [watch wrap on this link]


Please note however, that some of the subfolders are supposed to have
differing ACLs from "Program Files" (Common Files springs to mind). If you
clobber the security descriptor for Common files (or any of the other
folders), then you will end up breaking some programs in unpredictable
manners. Even if the differing ACL belongs to a third party program, it
could have been altered by the program's setup, and not some hacker.

oshah [shexec32]
Control Panel -> System -> Advanced -> Error Reporting -> Choose Programs
-> Do not report errors for these programs:
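
A way to produce the report the question asks for, as an added example that is not part of the original post: PowerShell's `Get-Acl` marks each access entry with an `IsInherited` flag, so only the entries set explicitly on each folder can be selected. The function name `Get-ExplicitAce` and the output column names are made up for this example, and it assumes PowerShell 3.0 or later.

```powershell
# Added example: report only explicit (non-inherited) ACEs in a directory tree.
param(
    [string]$Root = 'C:\Program Files'   # starting folder, taken from the question
)

function Get-ExplicitAce {
    param([Parameter(Mandatory)][string]$Path)

    # The root itself first, then every subdirectory below it.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Report descriptors that cannot be read instead of skipping them silently.
            [pscustomobject]@{ Path = $item.FullName; Protected = $null
                               Identity = '<unreadable>'; Type = ''; Rights = $_.Exception.Message }
            continue
        }
        foreach ($ace in $acl.Access) {
            if (-not $ace.IsInherited) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    # True when the folder blocks inheritance from its parent.
                    Protected = $acl.AreAccessRulesProtected
                    Identity  = $ace.IdentityReference.Value
                    Type      = $ace.AccessControlType
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Folders that only inherit produce no rows, so the output shows where ACLs change.
Get-ExplicitAce -Path $Root | Sort-Object Path, Identity | Format-Table -AutoSize -Wrap
```

The script only reads security descriptors; folders such as Common Files are expected to appear in its output. Dropping `-Directory` includes files as well, at the cost of a much longer report.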