NTFS Documents (12)

Author: eric | Category: Related Resource | Comments: 0 | Post Time: 2007-09-20 03:54:55 -0400

6.4. ACL
Table 2.10. Layout of an ACL

 Offset Size Description
 0x00 1 ACL Revision
 0x01 1 Padding (0x00)
 0x02 2 ACL size
 0x04 2 ACE count
 0x06 2 Padding (0x0000)

The Access Control List (ACL) contains one or many ACEs.

The ACL revision is currently 0x02, on my machine.

The Win32 APIs suggest that offsets 0x01 and 0x06 contain 0x00 padding for alignment purposes.

6.5. ACE
Table 2.11. Layout of an ACE

 Offset Size Description
 0x00 1 Type
 0x01 1 Flags
 0x02 2 Size
 0x04 4 Access mask
 0x08 V SID

6.5.1. Types
The currently implemented (in NT) Types are:
Table 2.12. ACE types

 Value Description
 0x00 Access Allowed
 0x01 Access Denied
 0x02 System Audit

6.5.2. Flags
Flags are a bit field. The possible values of Flags depend on the value of Type.

When applied to a directory, Access Allowed or Access Denied can have the following flags:

Table 2.13. ACE flags

 Value Description
 0x01 Object inherits ACE
 0x02 Container inherits ACE
 0x04 Don't propagate 'Inherit ACE'
 0x08 Inherit only ACE

If the Type is System Audit, then the flags can be
Table 2.14. ACE audit flags

 Value Description
 0x40 Audit on Success
 0x80 Audit on Failure

6.5.3. Access Mask / Access Rights
The Access Mask / Rights are a bit field enumerating all the allowed or disallowed actions.
Table 2.15. ACE access mask

 Bit (Range)  Meaning                             Description / Examples
 0 - 15       Object Specific Access Rights       Read data, Execute, Append data
 16 - 22      Standard Access Rights              Delete, Write ACL, Write Owner
 23           Can access security ACL
 24 - 27      Reserved
 28           Generic ALL (Read, Write, Execute)  Everything below
 29           Generic Execute                     All things necessary to execute a program
 30           Generic Write                       All things necessary to write to a file
 31           Generic Read                        All things necessary to read a file

6.6. SID (Security Identifier)
A typical SID looks like: S-1-5-21-646518322-1873620750-619646970-1110
It's composed of 'S-p-q-r-s-t-u-v'
Table 2.16. SID contents

 S Security
 p Revision number (currently 1)
 q NT Authority. This number is stored in 6 bytes (a 48-bit big-endian number).
 r-v NT Sub-authorities (there can be many of these)

On disk the SID is stored as follows:
In dec: S-1-5-21-646518322-1873620750-619646970-1110
In hex: S-1-5-15-26891632-6fad2f0e-24ef0ffa-456 (5 sub-authorities)
S means SID, 1 is the version number, 5 is the authorization identifier, 21 is the sub-authorization, 646518322 is SA (Security Association), 1873620750 is the domain ID, 619646970 is also SA, and 1110 is the User ID.

Table 2.17. SID example

 0x00 01 05 00 00 00 00 00 05
 0x08 15 00 00 00 32 16 89 26
 0x10 0e 2f ad 6f fa 0f ef 24
 0x18 56 04 00 00

This is a variable-length structure. There could have been more, or fewer, sub-authorities, making the structure larger or smaller.
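The layouts in Tables 2.10, 2.11 and 2.17 can be checked with a small parser. The following is an added example, not part of the original post: it walks an ACL, bounds-checks every size field against the buffer, and decodes the SID bytes from Table 2.17. The function names, the sample ACE and ACL wrapped around that SID, and the little-endian reading of the ACL/ACE fields (the usual NTFS on-disk convention) are assumptions.

```python
import struct

ACE_TYPES = {0x00: "Access Allowed", 0x01: "Access Denied", 0x02: "System Audit"}

def parse_sid(buf):
    """Decode an on-disk SID; returns (string form, bytes consumed)."""
    if len(buf) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = buf[0], buf[1]
    authority = int.from_bytes(buf[2:8], "big")        # 48-bit big-endian
    end = 8 + 4 * count
    if len(buf) < end:
        raise ValueError("SID truncated: sub-authority count exceeds buffer")
    subs = struct.unpack_from("<%dI" % count, buf, 8)  # 32-bit little-endian
    text = "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)
    return text, end

def parse_acl(buf):
    """Walk an ACL per Tables 2.10/2.11; returns (revision, list of ACE dicts)."""
    if len(buf) < 8:
        raise ValueError("ACL shorter than its 8-byte header")
    revision, _pad, acl_size, ace_count, _pad2 = struct.unpack_from("<BBHHH", buf, 0)
    if acl_size > len(buf):
        raise ValueError("ACL size field exceeds buffer")
    aces, off = [], 8
    for _ in range(ace_count):
        if off + 8 > acl_size:
            raise ValueError("ACE header runs past ACL size")
        ace_type, flags, size, mask = struct.unpack_from("<BBHI", buf, off)
        if size < 8 or off + size > acl_size:
            raise ValueError("ACE size field is inconsistent")
        sid, _ = parse_sid(buf[off + 8:off + size])
        aces.append({"type": ACE_TYPES.get(ace_type, hex(ace_type)),
                     "flags": flags, "mask": mask, "sid": sid})
        off += size
    return revision, aces

# Constructed sample: the SID bytes from Table 2.17 wrapped in one
# Access Allowed ACE (flags 0x03, Generic Read bit 31) and an ACL header.
SID = bytes.fromhex("0105000000000005" "15000000" "32168926"
                    "0e2fad6f" "fa0fef24" "56040000")
ACE = struct.pack("<BBHI", 0x00, 0x03, 8 + len(SID), 1 << 31) + SID
ACL = struct.pack("<BBHHH", 0x02, 0, 8 + len(ACE), 1, 0) + ACE

if __name__ == "__main__":
    print(parse_acl(ACL))
```

A truncated or tampered buffer raises `ValueError` instead of reading past the declared ACL size.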
