Re: Can't set a DACL on a folder that was NULLed.

Oops. I followed up in the wrong thread.

My mistake was assuming that removing entries using Explorer's security
properties dialog was the same as setting a NULL DACL. It is not. I suspect
it sets a non-NULL but empty DACL which would not give anyone access.
That said however, the linked MSDN article clearly implies the owner should
be able to open the folder with WRITE_DACL and READ_CONTROL - I don't know
how Explorer shows the rights with an empty DACL - it clearly succeeds where
my code fails. Nonetheless, that's not the problem I needed to fix.

My 'repair' code is correctly opening and setting a DACL back on the
previously NULL DACL folders so my real issue is resolved.

That said, I am still interested in why Explorer can read the rights of the
folder, and my code, running as the owner, can't open the folder for

"Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx> wrote
in message news:OZLTO5VfIHA.4260@xxxxxxxxxxxxxxxxxxxxxxx

My theory is the same as yours - some unnoticed silliness - so I don't
know where to go next and I am hoping you can find that silliness?


"Chris Becke" <chris.becke@xxxxxxxxx> wrote in message
"Paul Baker [MVP, Windows - SDK]" <paulrichardbaker@xxxxxxxxxxxxxxxx>
wrote in message news:uFVdyOxeIHA.4144@xxxxxxxxxxxxxxxxxxxxxxx

If it's a NULL DACL, the only access is READ_CONTROL|WRITE_DACL for the
owner. I assume you are running it under the owner's account.

There are several accounts on the debug machine, and I believe(d) that I
could reliably choose which user I was debugging some code under.
However when I run the debuggee under my standard user account - the same
account listed as the item's owner, I am unable to open a handle to the

Is it a privilege issue? I do not understand what the documentation is
saying about privileges when FILE_BACKUP_SEMANTICS is used:

All that I know is that all the MSKB and MSDN samples and help insist
that FILE_BACKUP_SEMANTICS is mandatory if one wishes to open a handle to a
directory using CreateFile.

I would check your parameters using a folder that is not affected to
make sure you're doing it the right way.

Ha. The code in question is the same code that previously, erroneously,
removed the DACL from the folder :P

Does pszDirectory have a trailing backslash? I think it should not.


You are not specifying a file sharing mode. If there is a chance
anything else has the directory open, you might consider

0 was working fine in the previous run before I removed the use rights
from the folder.

Are you missing an OPEN_EXISTING parameter there?

Oops. Typo copying the code. There is in fact an OPEN_EXISTING there.

Hopefully it will be pretty easy to solve if you can reproduce it and
debug it on your development machine.

At the moment I'm pretty confused. On my dev machine, I can debug the
failure - and see that CreateFile fails and GetLastError is 5 :(

According to MSDN, as the owner, I MUST be able to open the folder for
I suspect that there is some fundamental silliness I am overlooking.
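
The NULL-versus-empty DACL distinction this thread turns on, as an added example that is not part of the original posts: a simplified Python model of the access check, not Win32 code. The SID strings, `access_check` and `demo` are hypothetical names, and the model assumes a single-SID caller with no groups, no privileges and no OWNER RIGHTS ACE.

```python
# Added teaching model of the DACL access check; not Win32 code.
# Assumptions: SIDs are plain strings, a caller has one SID (no groups),
# no privileges, no OWNER RIGHTS ACE, no generic-rights mapping.
READ_CONTROL = 0x00020000
WRITE_DACL = 0x00040000
FILE_LIST_DIRECTORY = 0x00000001
ERROR_SUCCESS, ERROR_ACCESS_DENIED = 0, 5
ALLOW, DENY = "allow", "deny"


def access_check(owner, dacl, user, desired):
    """Return ERROR_SUCCESS or ERROR_ACCESS_DENIED for `user` asking for `desired`.

    dacl is None for a NULL DACL, [] for an empty DACL, otherwise an ordered
    list of (ace_type, sid, mask) tuples.
    """
    if dacl is None:
        return ERROR_SUCCESS  # NULL DACL: object is unprotected, all access granted
    remaining = desired
    if user == owner:
        # The owner implicitly holds READ_CONTROL and WRITE_DACL.
        remaining &= ~(READ_CONTROL | WRITE_DACL)
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break
        if sid != user:
            continue
        if ace_type == DENY and mask & remaining:
            return ERROR_ACCESS_DENIED  # a still-needed bit is explicitly denied
        if ace_type == ALLOW:
            remaining &= ~mask
    # If any requested bit was never granted, the whole request is refused.
    return ERROR_SUCCESS if remaining == 0 else ERROR_ACCESS_DENIED


def demo():
    """Constructed cases: owner 'alice', other user 'bob'."""
    repair = READ_CONTROL | WRITE_DACL
    return {
        "null_dacl_bob_list": access_check("alice", None, "bob", FILE_LIST_DIRECTORY),
        "empty_dacl_owner_repair": access_check("alice", [], "alice", repair),
        "empty_dacl_owner_repair_plus_list": access_check(
            "alice", [], "alice", repair | FILE_LIST_DIRECTORY),
        "empty_dacl_bob_read_control": access_check("alice", [], "bob", READ_CONTROL),
        "repaired_owner_list": access_check(
            "alice", [(ALLOW, "alice", FILE_LIST_DIRECTORY)], "alice",
            repair | FILE_LIST_DIRECTORY),
    }
```

In this model the owner's request for exactly `READ_CONTROL | WRITE_DACL` succeeds against an empty DACL, while the same request with any additional right returns 5.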