RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Retrieving NTFS Permissions with C++

There are plenty of handy things you can do if you have programmatic access to the permissions set in the NT File System. Learn to employ C++ and Win32 APIs to query the Access Control Lists that hold security settings for files or folders and use that information however you like.


icrosoft originally designed NTFS (New Technology File System) for its NT series of operating systems. Over time, NTFS was improved and it is now being used on the newer server OSs: Windows 2000/XP/2003. Compared to FAT32, NTFS opened up a whole new world of file management.

One of the key features of NTFS is the ability to define access control information for each file system object—NTFS security. By applying different security policies, you may allow or deny access to files and folders for particular users or groups.

In this article, I will show how to use appropriate Win32 APIs to programmatically query NTFS security information, which you can then use in your applications however you like.

Storing and Managing Permissions
The file system driver is the nucleus of any file system. It manages all file system requests—creating new files, opening existing files, writing to files etc. The file system driver is a mediator between the operating system and the storage device drivers.

The NTFS driver controls access to the file system according to specified permissions. These permissions are expressed by Access Control Lists (ACLs). There are two types of ACLs: security and discretionary. The former (SACL) deals with permissions for auditing secured objects and is out of scope of this article. The latter (DACL) is designed to specify permissions on different objects such as files, folders etc. In this article, we will work with DACLs only. ACLs are composed of Access Control Entries (ACEs). Each ACE allows or denies specific permissions (for example, by user or group) to or from a secure entity. ACE uses Security Identifiers (SIDs) that uniquely identify any user or group in an NT-based system or network.

Windows provides an easy and intuitive GUI for setting permissions. You may view the specified permissions for any file or folder in the Security tab of the Properties dialog box in Windows Explorer (see Figure 1).

Thanks for your registration, follow us on our social networks to keep up-to-date