Use icacls to make a directory read-only on Windows 7


If your user has administrative rights, he can always regain any permissions you revoke from him. Admin accounts on Windows are pretty much the same as root on Linux in this respect.

What you can do, though, is create an ACL that will deny write access to Everyone. That makes a folder as read-only as it can be on Windows.

icacls DIRECTORY /deny Everyone:(CI)(OI)W

Beware that deny ACLs always override allow ACLs, so even if someone is granted explicit access, his access will effectively still be denied.
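The full cycle the question asks for (create a directory under %TMP%, make it read-only with an explicit deny ACE, prove that writes fail while listing still works, then restore the inherited ACL) as an added PowerShell example that is not part of the answer above. It follows the asker's per-user variant rather than the Everyone variant, and additionally denies AD (add subdirectory) alongside WD (add file) so that folder creation is blocked too; it assumes Windows PowerShell with icacls.exe on the path and a constructed directory name.

```powershell
# Added example: read-only directory for the current user via icacls,
# verified and then restored. Directory name is constructed for the demo.
$dir = Join-Path $env:TMP ("ro-test-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null

try {
    # WD = write data / add file, AD = append data / add subdirectory.
    # An explicit deny is ordered before the inherited allows (SYSTEM,
    # Administrators, the user), so it wins even for an admin user.
    & icacls.exe $dir /deny "$($env:USERNAME):(WD,AD)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /deny failed: exit code $LASTEXITCODE" }

    # Show the resulting ACL; the deny ACE should appear first.
    & icacls.exe $dir

    # Verify: creating a file must now fail with access denied.
    $writeBlocked = $false
    try {
        [System.IO.File]::WriteAllText((Join-Path $dir 'probe.txt'), 'x')
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }
        $writeBlocked = $ex -is [System.UnauthorizedAccessException]
    }

    # Verify: listing the directory must still succeed (read-only, not no-access).
    $listOk = $true
    try { Get-ChildItem -Path $dir -ErrorAction Stop | Out-Null } catch { $listOk = $false }

    "write blocked: $writeBlocked; listing allowed: $listOk"
    if (-not ($writeBlocked -and $listOk)) { throw "directory is not in the expected read-only state" }

    # ... run the application test against $dir here ...
}
finally {
    # Restore: /reset drops explicit ACEs and leaves only inherited ones
    # (/t recurses, /c continues past errors), so the directory can be removed.
    & icacls.exe $dir /reset /t /c | Out-Null
    Remove-Item -Path $dir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Because the deny ACE names the current user only, a process running as another account (or as SYSTEM) is not affected, which is exactly the scope the asker wanted for a per-user test.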

Author: Dave G

Updated on September 18, 2022

Comments

  • Dave G over 1 year

    I'm attempting to test some filesystem exceptions in a Java based application.

    I need to find a way to create a directory that is located under %TMP% that is set to read-only.

    Essentially on UNIX/POSIX platforms, I can do a chmod -w and get this effect. Under Windows 7/NTFS this is of course a different story.

    I'm running into multiple issues on this. My user has "administrative" rights (although this may not always be the case) and as such the directory is created with an ACL including:

    • NT AUTHORITY\SYSTEM
    • BUILTIN\Administrators
    • <my current user>

    Is there a way using icacls to essentially get this directory into a state where it is read-only PERIOD, do my test, then restore the ACL for removal?

    EDIT: With the information provided by @Ansgar Wiechers I was able to come up with a solution.

    I used the following:

    icacls dirname /deny %username%:(WD)

    In the page located here I found this in the remarks section:

    icacls preserves the canonical order of ACE entries as:
      * Explicit denials
      * Explicit grants
      * Inherited denials
      * Inherited grants

    By performing the above icacls command, I was able to set the current user's ability to write or append files (WD) to the directory to deny.

    Then it was a question of returning it to a state post test:

    icacls dirname /reset /t /c

    Done

  • Dave G over 11 years
    This is close enough to what I needed
  • Dave G over 11 years
    Thanks again for this. Basically I just needed this for a test with the current user, so setting for Everyone is a bit on the overkill side.
  • Pierre almost 3 years
    The given command prevents the user from going into the folder and from opening any files in it.