Set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc).
Syntax
      SetObjectSecurity.exe objType objName SDDL [-v] [-q]

Key
   objType   Values include: file, FILE, key, KEY, eventlog, printer, service, share,
             kobject, process, thread, or regbinary.
             (All-caps FILE or KEY uses pre-Windows 2000 APIs to avoid applying inheritance.)

   objName   The name of the object (quoted if it contains spaces);
             or a Process ID (PID) or Thread ID (TID) in decimal if objType is "process" or "thread";
             or a registry value name if objType is "regbinary".

   SDDL      The security descriptor to apply, in Security Descriptor Definition Language.

   -v        Report verbose diagnostic output to stderr (optional).

   -q        Do not display the startup banner and copyright message (optional).
SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.
Use cases include:
SetObjectSecurity.exe is a 32-bit standalone executable that needs no installer, has no dependencies on redistributable DLLs, and works on all supported x86 and x64 versions of Windows. x64 systems must support WOW64 (WinPE, for example, does not include WOW64).
objName forms for each objType:

   file/FILE   absolute or relative path to a local or remote file or folder, or a device name:
               C:\TestFolder\Sample.dat
               C:\TestFolder
               Sample.dat
               ..\Sample.dat
               \\ComputerName\Share\Sample.dat
               \\.\CdRom0

   key/KEY     accepts these forms for hive roots: HKLM, HKLM:, HKEY_LOCAL_MACHINE:
               HKLM\Software\MyApp
               HKCU:\Software\MyApp
               HKEY_CLASSES_ROOT\.abc

   eventlog    Application
               Microsoft-Windows-AppLocker/EXE and DLL

   printer     MyPrinter
               \\ComputerName\MyPrinter

   service     MyService
               \\ComputerName\MyService

   share       MyShare
               \\ComputerName\MyShare

   kobject     named instance of a semaphore, event, mutex, waitable timer, or file mapping;
               prepend "Global\" for global namespace objects:
               MyEvent
               Local\MyEvent   (same as "MyEvent")
               Global\MyEvent

   process     PID in decimal: 3022

   thread      TID in decimal: 2044

   regbinary   see the example below
SDDL examples (these usually must be quoted in PowerShell):
   Admins+System, File-All-Access, protected, inherited by all children:
      D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)

   The above with Users, File-Read:
      D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;BU)

   Interactive Users, Generic-All:
      D:(A;;GA;;;IU)

   Everyone full control but deny List permission:
      D:P(D;;CC;;;WD)(A;;FA;;;WD)

   Empty DACL (no access, no inherited ACEs):
      D:P

   Reset inherited DACL (empty DACL but unprotected):
      D:

   Inherited DACL, Low IL (Vista and newer):
      D:S:(ML;;NW;;;LW)

   Inherited DACL, remove IL (Vista and newer):
      D:S:

   NULL DACL (all access):
      ""

   Set owner to BUILTIN\Administrators, leave DACL intact:
      O:BA

   Set SACL to audit Success and Failure for everything for Everyone:
      S:(AU;SAFA;GA;;;WD)
Note that event log security descriptors must explicitly specify an owner SID and a group SID. If you set event log permissions with either missing, the owner will be set to BA and the group SID to SY.
regbinary example:

   SetObjectSecurity.exe regbinary SrvsvcSec O:SYG:SYD:(A;;CCSDRCWDWO;;;BA)(A;;CCSDRCWDWO;;;SY)

outputs this, which can be incorporated into a .reg file:

   "SrvsvcSec"=hex:01,00,04,80,48,00,00,00,54,00,00,00,00,00,00,00,14,00,00,00,02,00,34,00,..
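An SDDL string is easy to get subtly wrong (a missing P leaves inherited ACEs in place, a deny ACE placed after an allow never fires, an empty string is a NULL DACL that grants everyone everything), so it is worth decoding a descriptor before handing it to SetObjectSecurity.exe. The PowerShell below is an added example, not code from this page or from the tool's author: it parses an SDDL string with the .NET RawSecurityDescriptor class (no object is touched), lists every DACL and SACL ACE with its principal, mask and flags, and also renders the descriptor as a REG_BINARY line in .reg syntax, which is what the regbinary mode above produces. The function names, the script's assumption of Windows PowerShell 5.1 or PowerShell 7 on Windows, and the choice to show masks as FileSystemRights are mine.

```powershell
# Added example (not from the SetObjectSecurity.exe page or its author).
# Decodes an SDDL string for review and emits it as REG_BINARY hex.
# Assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

function Resolve-SidName {
    param([SecurityIdentifier]$Sid)
    if ($null -eq $Sid) { return '(none)' }
    try { '{0} ({1})' -f $Sid.Translate([NTAccount]).Value, $Sid } catch { "$Sid" }
}

function Format-Ace {
    param([GenericAce]$Ace)
    if ($Ace -is [CommonAce]) {
        $mask = $Ace.AccessMask
        [pscustomobject]@{
            Type      = $Ace.AceType                 # AccessAllowed / AccessDenied / SystemAudit
            Principal = Resolve-SidName $Ace.SecurityIdentifier
            Mask      = ('0x{0:x8}' -f $mask)
            Rights    = [FileSystemRights]$mask      # friendlier view of the same mask
            Flags     = $Ace.AceFlags                # OI/CI/IO/NP/ID and audit SA/FA
        }
    } else {
        # Mandatory-label (ML) ACEs and other non-standard types surface as CustomAce.
        [pscustomobject]@{ Type = $Ace.AceType; Principal = '(custom ACE)'; Mask = ''; Rights = ''; Flags = $Ace.AceFlags }
    }
}

function Show-SddlDescriptor {
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    [pscustomobject]@{
        Owner         = Resolve-SidName $sd.Owner
        Group         = Resolve-SidName $sd.Group
        DaclProtected = $sd.ControlFlags.HasFlag([ControlFlags]::DiscretionaryAclProtected)  # D:P
        NullDacl      = ($null -eq $sd.DiscretionaryAcl)   # NULL DACL = everyone has full access
        Dacl          = @($sd.DiscretionaryAcl | ForEach-Object { Format-Ace $_ })
        Sacl          = @($sd.SystemAcl | ForEach-Object { Format-Ace $_ })
    }
}

function ConvertTo-RegBinaryLine {
    param([Parameter(Mandatory)][string]$ValueName, [Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)                     # self-relative binary descriptor
    # .reg syntax for a REG_BINARY value: "name"=hex:xx,xx,...
    '"{0}"=hex:{1}' -f $ValueName, (($bytes | ForEach-Object { '{0:x2}' -f $_ }) -join ',')
}

# Review the page's "Everyone full control but deny List" example: the deny
# ACE must precede the allow ACE for the deny to take effect.
$d = Show-SddlDescriptor 'D:P(D;;CC;;;WD)(A;;FA;;;WD)'
$d | Format-List Owner, Group, DaclProtected, NullDacl
$d.Dacl | Format-Table -AutoSize

# The page's regbinary example, rendered without running the tool.
ConvertTo-RegBinaryLine -ValueName SrvsvcSec -Sddl 'O:SYG:SYD:(A;;CCSDRCWDWO;;;BA)(A;;CCSDRCWDWO;;;SY)'
```

Two caveats: Rights is shown through FileSystemRights, so for a registry or service descriptor read the hex Mask instead, and the byte string from ConvertTo-RegBinaryLine may order the owner, group and ACL parts differently from the tool's output above. Both are valid self-relative descriptors, so the .reg file imports correctly either way, but do not diff the two hex strings byte for byte.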
Restore Windows 10 default permissions on the C:\ root directory
Using the ALL-CAPS "FILE" option to avoid propagating inherited permissions:
C:\> SetObjectSecurity.exe FILE C:\ "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)"
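Resetting permissions on a root directory or a registry key is a change you want to be able to prove and to undo. The following PowerShell is an added example, not code from this page or from the tool's author: it wraps SetObjectSecurity.exe for file and registry objects by recording the current SDDL to a log before the change (so the old descriptor can be re-applied with the same tool), running the tool, and then reading the object back with Get-Acl to confirm that its explicit DACL ACEs are the ones requested. Inherited ACEs are ignored in the comparison because an unprotected DACL legitimately picks them up from the parent. The function names and the log file location are my assumptions; the script assumes SetObjectSecurity.exe is on PATH and that the shell is elevated where the target needs it.

```powershell
# Added example (not from the SetObjectSecurity.exe page or its author).
# Backup -> apply with SetObjectSecurity.exe -> verify explicit DACL ACEs.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and the tool on PATH.
using namespace System.Security.AccessControl

function Get-ExplicitDaclAces {
    # One comparable string per non-inherited DACL ACE in an SDDL string.
    param([Parameter(Mandatory)][string]$Sddl)
    $sd = [RawSecurityDescriptor]::new($Sddl)
    if ($null -eq $sd.DiscretionaryAcl) { return @('NULL-DACL') }
    @($sd.DiscretionaryAcl |
        Where-Object { -not $_.AceFlags.HasFlag([AceFlags]::Inherited) } |
        ForEach-Object {
            if ($_ -is [CommonAce]) {
                '{0}|{1:x8}|{2}|{3}' -f $_.AceType, $_.AccessMask, $_.AceFlags, $_.SecurityIdentifier
            } else {
                '{0}|custom' -f $_.AceType      # e.g. a mandatory-label ACE
            }
        })
}

function Set-ObjectSddlChecked {
    param(
        [Parameter(Mandatory)][ValidateSet('file', 'FILE', 'key', 'KEY')][string]$Type,
        [Parameter(Mandatory)][string]$Path,     # file path or registry provider path (HKLM:\...)
        [Parameter(Mandatory)][string]$Sddl,     # must carry a D: section for the check to be meaningful
        [string]$BackupLog = (Join-Path $env:TEMP 'sddl-backup.tsv')   # assumed location
    )
    # 1. Record the current descriptor. To revert later:
    #    SetObjectSecurity.exe <Type> <Path> "<Before value from the log>"
    $before = (Get-Acl -LiteralPath $Path).Sddl
    ("{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format o), $Type, $Path, $before) | Add-Content -LiteralPath $BackupLog

    # 2. Apply. ALL-CAPS FILE/KEY uses the pre-Windows 2000 API, so inheritable
    #    ACEs are written to the object but not propagated to existing children.
    & SetObjectSecurity.exe -q $Type $Path $Sddl
    if ($LASTEXITCODE -ne 0) { throw "SetObjectSecurity.exe exited with code $LASTEXITCODE" }

    # 3. Verify: the explicit ACEs now on the object must equal the ones requested.
    $after = (Get-Acl -LiteralPath $Path).Sddl
    $diff = Compare-Object (Get-ExplicitDaclAces $Sddl) (Get-ExplicitDaclAces $after)
    [pscustomobject]@{
        Path     = $Path
        Before   = $before
        After    = $after
        Verified = ($null -eq $diff)
        Diff     = $diff            # rows marked <= were requested but missing, => are unexpected
    }
}

# Usage (run elevated). The SDDL is the page's "Admins+System full, Users read" example;
# C:\TestFolder is the page's sample path.
Set-ObjectSddlChecked -Type FILE -Path 'C:\TestFolder' `
    -Sddl 'D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;BU)'
```

Compare-Object treats the ACE lists as sets, so the check confirms that the right ACEs are present but not their order; when a descriptor mixes deny and allow ACEs, look at the After SDDL as well to confirm the deny ACE comes first.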
CACLS - Change file and folder permissions (ACLs).
iCACLS - Change file and folder permissions (ACLs).
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders.
AccessChk -L - Get the SDDL representing an object’s current security descriptor (Sysinternals).
Equivalent bash command (Linux): cp - Copy one or more files to another location.