Icacls command usage ?


  1. Posts : 85
    Windows10
    Thread Starter
       #11

    icacls "C:\Program Files (x86)\...\...\..." /remove:g
    Correct; if so I'm getting an Invalid Parameter error!


  2. Posts : 5,478
    2004
       #12

    If that is what you entered it is not correct. You haven't specified who you are trying to remove the authority for. You need to enter it exactly as in post #2.

    For example, adding full control (commands in bold) using %USERDOMAIN%\%USERNAME% adds the current user (shown in red after granting the authority and displaying it).
    Code:
    Microsoft Windows [Version 10.0.11082]
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>mkdir "C:\Program Files\Test\Test\Test"
    
    C:\Windows\system32>icacls "C:\Program Files\Test\Test\Test" /grant "%USERDOMAIN%\%USERNAME%":(F) /t
    processed file: C:\Program Files\Test\Test\Test
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Windows\system32>icacls "C:\Program Files\Test\Test\Test"
    
    C:\Program Files\Test\Test\Test WINDOWS-VM2\Hali:(F)
                                    NT SERVICE\TrustedInstaller:(I)(F)
                                    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                    NT AUTHORITY\SYSTEM:(I)(F)
                                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Administrators:(I)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Users:(I)(RX)
                                    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
    
    Successfully processed 1 files; Failed processing 0 files
    Now remove again and specify the same user; the current user that was in red is then removed.
    Code:
    C:\Windows\system32>icacls "C:\Program Files\Test\Test\Test" /remove:g "%USERDOMAIN%\%USERNAME%" /t
    processed file: C:\Program Files\Test\Test\Test
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Windows\system32>icacls "C:\Program Files\Test\Test\Test"
    C:\Program Files\Test\Test\Test NT SERVICE\TrustedInstaller:(I)(F)
                                    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                    NT AUTHORITY\SYSTEM:(I)(F)
                                    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Administrators:(I)(F)
                                    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                    BUILTIN\Users:(I)(RX)
                                    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
                                    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
    
    Successfully processed 1 files; Failed processing 0 files
    Without saying whom you want to remove the rights for, you'll get an error.
    Code:
    C:\Windows\system32>icacls "C:\Program Files\Test\Test\Test" /remove:g
    Invalid parameter "/remove:g"
    
    C:\Windows\system32>
    Last edited by lx07; 27 Dec 2015 at 16:32.


  3. Posts : 85
    Windows10
    Thread Starter
       #13

    A week ago I couldn't write to Program Files or Program Files (x86) even after providing the admin password. Yet, I only applied icacls to Program Files (x86) but I can write to Program Files as well by simply providing the Admin password, as I run Windows 10 as a standard user; this doesn't make sense.

    Can you by default write to Program Files or Program Files (x86)?


  4. Posts : 5,478
    2004
       #14

    JerometheGiraff said:
    Can you by default write to Program Files or Program Files (x86) ?
    Only by running as administrator. I can make a new folder by clicking on the administrator shield to get administrator authority.

    But can't save anything as my normal (Admin) user.

    These are the correct authorities and it should look like this:
    Code:
    Microsoft Windows [Version 10.0.11082]
    (c) 2016 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32>icacls "C:\Program Files"
    C:\Program Files NT SERVICE\TrustedInstaller:(F)
                     NT SERVICE\TrustedInstaller:(CI)(IO)(F)
                     NT AUTHORITY\SYSTEM:(M)
                     NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
                     BUILTIN\Administrators:(M)
                     BUILTIN\Administrators:(OI)(CI)(IO)(F)
                     BUILTIN\Users:(RX)
                     BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
                     CREATOR OWNER:(OI)(CI)(IO)(F)
                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX)
                     APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE)
    
    Successfully processed 1 files; Failed processing 0 files
    
    C:\Windows\system32>


  5. Posts : 85
    Windows10
    Thread Starter
       #15

    Hrm. The five levels deep sub-folder to which I wanted to grant write access; this is the info from icacls.

    Everyone(F)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    I ran this command /remove:g %userdomain%\%username% on the 5 levels deep sub-folder as mentioned above. The result;
    Successfully processed 1 files; Failed processing 0 files

    When I ran strictly icacls on the 5 levels deep sub-folder after removing; there remains (F) full access ?

    The frown emoticons are really supposed to be right bracket (


  6. Posts : 5,478
    2004
       #16

    OK, you've added Everyone - you can remove it with

    icacls "C:\Program Files\Test\Test\Test" /remove:g Everyone /t

    (Don't forget the /t to process subdirectories also.)

    The rest of it looks OK except you don't have All Application Packages at the bottom (unless it is cut off). That may cause problems for your store apps...

    BTW if you use [code] instead of [quote] tags it doesn't turn things into smileys...
    Code:
    :(
    Last edited by lx07; 27 Dec 2015 at 16:35. Reason: /t


  7. Posts : 85
    Windows10
    Thread Starter
       #17

    The rest of it looks OK except you don't have All Application Packages at the bottom (unless it is cut off). That may cause problems for your store apps...
    I don't understand ?

    Icacls is a command to give full access to a folder and or any sub-folders, that is its main purpose?


  8. Posts : 5,478
    2004
       #18

    JerometheGiraff said:
    I don't understand ?

    Icacls is a command to give full access to a folder and or any sub-folders, that is its main purpose?
    icacls is a command to change or display access. You noticed this earlier:

    JerometheGiraff said:
    I found out you can simply type icacls {name of directory} and icacls will list permissions etc, which worked on a simple directory, new to me probably not news to you :)
    In post #15 you have indicated you have Everyone which you need to remove and you don't have ALL APPLICATION PACKAGES which you should (but perhaps you didn't copy/paste it all into the quote).

    The ALL APPLICATION PACKAGES SID is used by the modern Store Apps so if you are missing this SID in Program Files directory they will not work correctly.

    You need to compare what you have to the defaults which I posted in post #14.
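
The comparison described in post #18, as an added example that is not part of the original thread: a PowerShell function that parses an icacls listing, reports broad principals holding Full, Modify or Write, and lists principals from the post #14 defaults that are absent. The sample listing is constructed, and the function name `Test-IcaclsListing` and the `$broad` list are assumptions of this example.

```powershell
# Constructed sample, modelled on the listing in post #15 (Everyone added,
# ALL APPLICATION PACKAGES absent). Not captured from a real system.
$path = 'C:\Program Files\Test\Test\Test'
$sample = @"
$path Everyone:(F)
    NT SERVICE\TrustedInstaller:(I)(F)
    NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
    NT AUTHORITY\SYSTEM:(I)(F)
    NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
    BUILTIN\Administrators:(I)(F)
    BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
    BUILTIN\Users:(I)(RX)
    BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
    CREATOR OWNER:(I)(OI)(CI)(IO)(F)
Successfully processed 1 files; Failed processing 0 files
"@ -split "`r?`n"
function Test-IcaclsListing {
    param([string]$Path, [string[]]$Lines)
    # Principals present in the default Program Files ACL shown in post #14.
    $expected = 'NT SERVICE\TrustedInstaller', 'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators', 'BUILTIN\Users', 'CREATOR OWNER',
        'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
    # Principals that should not hold write-capable rights here (assumption).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $aces = foreach ($line in $Lines) {
        $text = $line.Trim()
        # The first line of icacls output is prefixed with the object path.
        if ($text.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
            $text = $text.Substring($Path.Length).Trim()
        }
        if ($text -match '^(?<who>[^:(]+):(?<flags>(\([^)]+\))+)$') {
            $flags = [regex]::Matches($Matches.flags, '\(([^)]+)\)') |
                ForEach-Object { $_.Groups[1].Value }
            [pscustomobject]@{
                Principal = $Matches.who
                Inherited = $flags -contains 'I'
                Rights    = @($flags | Where-Object { $_ -notin 'I', 'OI', 'CI', 'IO', 'NP' })
            }
        }
    }
    [pscustomobject]@{
        # Broad principals whose rights include Full, Modify or Write.
        WritableByBroad = @($aces | Where-Object {
            $_.Principal -in $broad -and ($_.Rights -match '^(F|M|W)$') })
        Missing = @($expected | Where-Object { $_ -notin $aces.Principal })
    }
}
$result = Test-IcaclsListing -Path $path -Lines $sample
$result.WritableByBroad | Format-Table Principal, Inherited, Rights
"Missing expected principals: $($result.Missing -join ', ')"
```

To check a real folder, pass the lines returned by `icacls "<folder>"` as `-Lines` and the same folder as `-Path`.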


  9. Posts : 85
    Windows10
    Thread Starter
       #19

    I don't have All Application Packages listed for the 5 level deep sub-folder?

    Before running this command I couldn't write to any folder in Program Files, then I realized before successfully running the command that I could write to the folder Program Files, when previously, even running explorer with admin privileges, I couldn't write to Program Files, which I find odd.

    Code:
    NT SERVICE\TrustedInstaller:(I)(F)
                                                             NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                                                             NT AUTHORITY\SYSTEM:(I)(F)
                                                             NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
                                                             BUILTIN\Administrators:(I)(F)
                                                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
                                                             BUILTIN\Users:(I)(RX)
                                                             BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
                                                             CREATOR OWNER:(I)(OI)(CI)(IO)(F)
    It could also be that I'm not re-creating the problem and that is where icacls comes into help ? :) Anyhow I suppose I'll continue to understand this command. :)
    Last edited by JerometheGiraff; 28 Dec 2015 at 19:41.


 

Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.
