MarcinBa
I noticed different behaviour of icacls.exe on two machines with Windows 10:
Windows 10 Version 1809 (OS Build 17763.678)
> echo "test" > file
> icacls.exe file
file NT AUTHORITY\SYSTEM:(F)
BUILTIN\Administrators:(F)
W10A\dev:(F)
Successfully processed 1 files; Failed processing 0 files
> Get-Acl file | Format-List
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\dev\file
Owner : W10A\dev
Group : W10A\None
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
W10A\dev Allow FullControl
Audit :
Sddl : O:S-1-5-21-3626095386-1962481266-1351198716-1003G:S-1-5-21-3626095386-1962481266-1351198716-513D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)(A;ID;FA;;;S-1-5-21-3626095386-1962481266-1351198716-1003)
Windows 10 Version 1803 (OS Build 17134.950)
> echo "test" > file
> icacls.exe file
file NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
W10B\dev:(I)(F)
Successfully processed 1 files; Failed processing 0 files
> Get-Acl file | Format-List
Path : Microsoft.PowerShell.Core\FileSystem::C:\Users\dev\file
Owner : W10B\dev
Group : W10B\None
Access : NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
W10B\dev Allow FullControl
Audit :
The file is local in both cases. Get-Acl shows that entries are inherited (ID) as expected. Why does icacls hide the information on the former machine? Interestingly, in the former case if I add any entry to the ACL (e.g. deny access to user X), the next call to icacls.exe shows (I) flags.
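As an added example (not part of the original post), the following PowerShell checks inheritance per ACE from the security descriptor itself, using the rule's IsInherited property and the ID flag in the DACL SDDL that Get-Acl shows above, instead of relying on how icacls renders the (I) marker. The path is a placeholder.

```powershell
# Added example, not the poster's code. $Path is a placeholder; point it at any local file.
param([string]$Path = "$env:USERPROFILE\file")

$acl = Get-Acl -LiteralPath $Path

# DACL-only SDDL, e.g. D:(A;ID;FA;;;SY)(A;ID;FA;;;BA)...
# The second field of each ACE holds its flags; inherited ACEs carry ID there.
$sddl = $acl.GetSecurityDescriptorSddlForm('Access')
$aceStrings = [regex]::Matches($sddl, '\([^)]*\)') | ForEach-Object { $_.Value.Trim('(', ')') }
$sddlInherited = @($aceStrings | Where-Object { (($_ -split ';')[1]) -like '*ID*' }).Count

# Same DACL through the .NET object model: explicit and inherited rules, resolved to account names
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
$objInherited = @($rules | Where-Object { $_.IsInherited }).Count

# Per-ACE view: IsInherited is the property icacls renders as (I)
$rules | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Type      = $_.AccessControlType
        Rights    = $_.FileSystemRights
        Inherited = $_.IsInherited
    }
} | Format-Table -AutoSize

# Summary: inheritance can be blocked on the object (icacls /inheritance:d), which is a
# different condition from an ACE merely lacking the ID flag.
[pscustomobject]@{
    Path                 = $Path
    InheritanceBlocked   = $acl.AreAccessRulesProtected
    InheritedAcesSddl    = $sddlInherited
    InheritedAcesObject  = $objInherited
    TotalAces            = @($rules).Count
} | Format-List

if ($sddlInherited -ne $objInherited) {
    Write-Warning "SDDL ID count ($sddlInherited) and IsInherited count ($objInherited) disagree; inspect the DACL manually."
}
```

Both counts come from the same descriptor, so they should agree on either build; if the object reports no inherited ACEs but InheritanceBlocked is $false, the ACL itself differs, not just the icacls display.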