SetObjectSecurity.exe (Security Compliance Toolkit)

Set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc).

Syntax
      SetObjectSecurity.exe objType objName SDDL [...]
Key:
   objType   Values include: file, FILE, key, KEY, eventlog, printer, service, share, kobject, process, thread, or regbinary.
             (All-caps FILE or KEY uses pre-Windows 2000 APIs to avoid applying inheritance.)

   objName   The name of the object (quoted if it contains spaces); or a Process ID (PID) or Thread ID (TID)
             in decimal if objType is “process" or "thread"; or a registry value name if objType is "regbinary"

   SDDL      The security descriptor to apply, in Security Descriptor Definition Language

   -v         Report verbose diagnostic output to stderr (optional).

   -q         Do not display the startup banner and copyright message (optional).

SetObjectSecurity.exe enables you to set the security descriptor for just about any type of Windows securable object (files, directories, registry keys, event logs, services, SMB shares, etc). For file system and registry objects, you can choose whether to apply inheritance rules. You can also choose to output the security descriptor in a .reg-file-compatible representation of the security descriptor for a REG_BINARY registry value.

Use cases include:

• Restoring default security descriptor on the file system root directory (which sometimes gets misconfigured by some system setup tools).
• Restricting access to sensitive event logs that grant access too broadly (examples include AppLocker and PowerShell script block logs that grant read or read-write to NT AUTHORITY\INTERACTIVE).
• Locking down (or opening access to) file shares, directories, registry keys.

SetObjectSecurity.exe is a 32-bit standalone executable that needs no installer, has no dependencies on redistributable DLLs, and works on all supported x86 and x64 versions of Windows. (x64 systems must support WOW64) e.g. WinPE doesn't have WOW64.

Object examples:

  file/FILE - absolute or relative path to local or remote file or folder; or a device name:
        C:\TestFolder\Sample.dat
        C:\TestFolder
        Sample.dat
        ..\Sample.dat
        \\ComputerName\Share\Sample.dat
        \\.\CdRom0
  key/KEY - accepts these forms for hive roots: HKLM, HKLM:, HKEY_LOCAL_MACHINE:
        HKLM\Software\MyApp
        HKCU:\Software\MyApp
        HKEY_CLASSES_ROOT\.abc
  eventlog:
        Application
        Microsoft-Windows-AppLocker/EXE and DLL
  printer:
        MyPrinter
        \\ComputerName\MyPrinter
  service:
        MyService
        \\ComputerName\MyService
  share:
        MyShare
        \\ComputerName\MyShare
  kobject - named instance of a semaphore, event, mutex, waitable timer,
            or file mapping; prepend "Global\" for global namespace objects:
        MyEvent
        Local\MyEvent  (same as "MyEvent")
        Global\MyEvent
  process - PID in decimal:
        3022
  thread - TID in decimal:
        2044
  regbinary: see example below  

SDDL examples (these usually must be quoted in PowerShell):

  Admins+System, File-All-Access, protected, inherited by all children:
        D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)
  The above with Users, File-Read:
        D:P(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FR;;;BU)
  Interactive Users, Generic-All:
        D:(A;;GA;;;IU)
  Everyone full control but deny List permission:
        D:P(D;;CC;;;WD)(A;;FA;;;WD)
  Empty DACL (no access, no inherited ACEs):
        D:P
  Reset inherited DACL (empty DACL but unprotected):
        D:
  Inherited DACL, Low IL (Vista and newer):
        D:S:(ML;;NW;;;LW)
  Inherited DACL, remove IL (Vista and newer):
        D:S:
  NULL DACL (all access):
        ""
  Set owner to BUILTIN\Administrators, leave DACL intact:
        O:BA
  Set SACL to audit Success and Failure for everything for Everyone:
        S:(AU;SAFA;GA;;;WD)

Note that event log security descriptors must explicitly specify an owner SID and a group SID. If you set event log permissions with either missing, owner will be set to BA and group SID to SY.

regbinary example:

  SetObjectSecurity.exe regbinary SrvsvcSec O:SYG:SYD:(A;;CCSDRCWDWO;;;BA)(A;;CCSDRCWDWO;;;SY)
outputs this, which can be incorporated into a .reg file:
  "SrvsvcSec"=hex:01,00,04,80,48,00,00,00,54,00,00,00,00,00,00,00,14,00,00,00,02,00,34,00,..

Example:

Restore Windows 10 default permissions on the C:\ root directory
Using the ALL-CAPS "FILE" option to avoid propagating inherited permissions:

C:\> SetObjectSecurity.exe FILE C:\ "O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464D:PAI(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)"

Related commands

CACLS - Change file and folder permissions (ACLs).
iCACLS - Change file and folder permissions (ACLs).
XCACLS - Display or modify Access Control Lists (ACLs) for files and folders.
AccessChk -L - Get the SDDL representing an object’s current security descriptor (Sysinternals).
Equivalent bash command (Linux): cp - Copy one or more files to another location.