Microsoft KB Archive/161722

= Explanation of Winperms.txt and Perms.inf =

Article ID: 161722

Article Last Modified on 11/1/2006


APPLIES TO


 * Microsoft Windows NT Advanced Server 3.1
 * Microsoft Windows NT Workstation 3.1
 * Microsoft Windows NT Workstation 3.5
 * Microsoft Windows NT Workstation 3.51
 * Microsoft Windows NT Workstation 4.0 Developer Edition
 * Microsoft Windows NT Server 3.5
 * Microsoft Windows NT Server 3.51
 * Microsoft Windows NT Server 4.0 Standard Edition




This article was previously published under Q161722



SUMMARY
When you choose to install Windows NT to an NTFS partition during Setup, Windows NT installs to a FAT partition first, and then converts the partition to NTFS.

Windows NT needs a way of assigning default NTFS permissions to system files and folders. The Windows NT 3.5x Winperms.txt and Windows NT 4.0 Perms.inf files are used as templates to assign the correct permissions for built-in accounts (such as Server Operators, Backup Operators, Everyone, and so on) to the directory structure. These Access Control Entries (ACEs) are predefined and cannot be used to add permissions for user accounts that are not built in.

Windows NT 3.5x uses Setacl.exe to apply these default permissions. Setacl.exe is a table-driven program that reads the Winperms.txt file, which has the form:

  dir1\dir2\dir3  5,7
  dir1\dir2\file1 1,2,3
  file2 4,5

where the first column is the full path name of either a file or a directory, and each integer in the list identifies an Access Control Entry (ACE) to be applied.

In Windows NT 3.51, ACE values ACE-0 through ACE-17 have the following definitions:
 * ACE-0 NULL ACE, used as a placeholder.
 * ACE-1 Placed on a directory. This ACE causes RWX access to be inherited by all new objects created in the directory and all new directories. For example, "Anyone can write".
 * ACE-2 Placed on a directory. This ACE is inherit only, so it is not evaluated when the directory is accessed. It propagates all access to containers and objects and substitutes the creator's SID when it is propagated.
 * ACE-3 Used to implement RWXD to Administrators.
 * ACE-4 Used to grant RWXD to Server Operators.
 * ACE-5 Used for files being placed in a directory protected by an ACE of type 2 above (to make it look like the protection was inherited, even though it was not).
 * ACE-6 Placed on a directory to grant WORLD RX permission to the directory and all files and subdirectories.
 * ACE-7 Placed on a directory to grant Administrators All Access to the directory and all files and subdirectories.
 * ACE-8 Placed on a directory to grant Server Operators All Access to the directory and all files and subdirectories.
 * ACE-9 Used to grant WORLD RX access.
 * ACE-10 Used to grant WORLD RWX access.
 * ACE-11 Used to grant Account Operators RWXD permissions.
 * ACE-12 Used to grant Print Operators All Access to files and all subdirectories.
 * ACE-13 Used to grant Account Operators All Access to all subdirectories and objects created beneath it.
 * ACE-14 Used to grant Account Operators All Access.
 * ACE-15 Used to grant Print Operators All Access.
 * ACE-16 Used to grant Server Operators All Access.
 * ACE-17 Used to grant Administrators All Access.

The following are default ACE Assignments for specific rights:

  Anyone Can Write
     Directories get 1,2,3, optionally 4 if Lanman product
     Files get 5,10

  Administrators Control
     Directories get 6,2,7, optionally 8 if Lanman product
     Files get 5,9,16,17

  Administrators Exclusive
     Directories get 9,2,7
     Files get 5,17

  Creator Exclusive
     Directories get 10,2
     Files get 5

  Home Directory Parent
     Directories get 9,3,11
     No files

  Administrators, server operators & print operators
     Directories get 6,2,7, optionally 8,12
     Files get 9,5,15,16,17

  Administrators and Account Operators
     Directories get 6,2,7, optionally 13
     Files get 6,5,14,17

Windows NT 4.0 uses ACE-1 through ACE-18 and uses a different numbering scheme. The numbers in the Perms.inf file are simply used as indices to a table in code. There is no way to extend the table.

NOTE: Some of these are not applicable for Windows NT Workstation.

ACE codes:

  Index  Permission         Inherit
  -----  -----------------  -------------------
  1      AccountOpsRWXD     Containers
  2      AdminAll           Containers, Objects
  3      AdminRWXD          Containers
  4      CreatorOwnerAll    Containers, Objects
  5      NetUsersDenyAll    Containers, Objects
  6      PrintOperatorsAll  Containers, Objects
  7      ReplicatorRWXD     Containers, Objects
  8      ReplicatorRX       Containers, Objects
  9      SysOpsAll          Containers, Objects
  10     SysOpsRWXD         Containers, Objects
  11     WorldAll           Containers, Objects
  12     WorldRWX           Containers
  13     WorldRWXD          Containers, Objects
  14     WorldRX            Containers
  15     WorldRX            Containers, Objects
  16     WorldRWX           Containers, Objects
  17     SystemAll          Containers, Objects
  18     PowerUsersRWXD     Containers, Objects

Use the chart below for predefined combinations of ACEs:

  d1  = 2,13,4,17
  d2  = 2,4,14,17
  d3  = 15,4,2,17
  d4  = 15,4,2,13,17,18
  d5  = 15,4,2,17,18
  d6  = 2,4,15,17,18
  d7  = 15,2,7,4,17
  d8  = 14,3,17
  d9  = 12,4,17
  d10 = 2,13,4,17

  f1  = 2,15,17
  f2  = 2,13,17
  f3  = 2,15,17,18
  f4  = 11
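When reviewing what FIXACLS or Setup will apply, it helps to expand each predefined combination into named ACEs and see which ones leave World with write access. The following is an added example, not code from this article or from Microsoft: it transcribes the Windows NT 4.0 table and chart above, and assumes that each permission name splits into a principal and a rights suffix and that World corresponds to the Everyone group.

```python
import re

# ACE index table for Windows NT 4.0 Perms.inf, transcribed from the article.
ACE_CODES = """
1 AccountOpsRWXD Containers
2 AdminAll Containers, Objects
3 AdminRWXD Containers
4 CreatorOwnerAll Containers, Objects
5 NetUsersDenyAll Containers, Objects
6 PrintOperatorsAll Containers, Objects
7 ReplicatorRWXD Containers, Objects
8 ReplicatorRX Containers, Objects
9 SysOpsAll Containers, Objects
10 SysOpsRWXD Containers, Objects
11 WorldAll Containers, Objects
12 WorldRWX Containers
13 WorldRWXD Containers, Objects
14 WorldRX Containers
15 WorldRX Containers, Objects
16 WorldRWX Containers, Objects
17 SystemAll Containers, Objects
18 PowerUsersRWXD Containers, Objects
"""
# Predefined combinations, transcribed from the article's chart.
COMBOS = ("d1=2,13,4,17 d2=2,4,14,17 d3=15,4,2,17 d4=15,4,2,13,17,18 "
          "d5=15,4,2,17,18 d6=2,4,15,17,18 d7=15,2,7,4,17 d8=14,3,17 "
          "d9=12,4,17 d10=2,13,4,17 f1=2,15,17 f2=2,13,17 f3=2,15,17,18 f4=11")

# Assumption: a permission name is <principal><rights suffix>.
ROW = re.compile(r"(\d+) ([A-Za-z]+?)(DenyAll|RWXD|RWX|RX|All) (.+)")

def load_table(text=ACE_CODES):
    """Map index -> (principal, rights, inheritance) by splitting the name."""
    rows = (ROW.fullmatch(line) for line in text.strip().splitlines())
    return {int(m[1]): (m[2], m[3], m[4]) for m in rows}

def expand(combo, table):
    """Resolve an index list such as "2,13,4,17"; unknown indices raise KeyError."""
    return [table[int(i)] for i in combo.split(",")]

def world_writable(combos=COMBOS, table=None):
    """Names of combinations that give World (Everyone) write or full access."""
    table = table or load_table()
    return [name for name, combo in re.findall(r"(\w+)\s*=\s*([\d,]+)", combos)
            if any(p == "World" and ("W" in r or r == "All")
                   for p, r, _ in expand(combo, table))]

if __name__ == "__main__":
    print(world_writable())
```
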



MORE INFORMATION
For additional information, please see the following article(s) in the Microsoft Knowledge Base:

 * ARTICLE-ID: 153094, TITLE: Restoring Default Permissions to Windows NT System Files
 * ARTICLE-ID: 157963, TITLE: SETACL.EXE not available in Windows NT 4.0

Fixacls.exe can be found in the Windows NT 4.0 Resource Kit Supplement 2.

When system permissions have been lost, FIXACLS can restore default permissions to the system files. For example, the Windows NT convert command only converts your file system to NTFS. It does not set the default permissions after the conversion. FIXACLS fills this gap.

To use FIXACLS, your user account needs "Backup files and folders" privileges on the computer where the files and folders are stored, and you must be logged on as a member of the Administrators group for the domain or computer where your user account is defined. Otherwise, "Access denied" error messages may occur.

FIXACLS sets the permissions to the values defined in %SYSTEMROOT%\Inf\Perms.inf. Therefore, access to this file is also required to run FIXACLS.

The self-extracting archive file, Fixacl1.exe, distributed by Microsoft Press, contains the executable and documentation for Fixacls.exe.

Fixacl1.exe is available for download from the following Microsoft FTP site:

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/reskit/nt40/i386/


© Microsoft Corporation. All rights reserved.