Windows File Security Utility
Link To Latest Binaries: Here
===============================================================================
= Repacls Version 2.1.0.1 by Bryan Berns
===============================================================================
repacls.exe /Path <Absolute Path> ... other options ....
Repacls was developed to address large scale migrations, transitions, health
checks, and access control optimizations. Repacls is multi-threaded and
employs account name caching to accelerate operation on large file servers
with millions of files. It was developed to address a variety of platform
limitations, resource consumption concerns, and bugs within xcacls, icacls,
setacl, and subinacl. Limited functionality is also provided for Active
Directory objects and registry.
Important: Unless otherwise specified, all repacls commands are recursive.
Repacls must be executed with administrator permissions and will attempt to
acquire the backup, restore, and take ownership privileges during its
execution.
Any command line parameter that accepts an account or domain name can also use
a SID string instead of the name. This may be necessary if working with an
account or domain that is no longer resolvable.
Global Options
==============
Global Options affect the entire command regardless of where they appear in the
passed command line. It is recommended to include them at the very beginning
or end of your command as to not confuse them with ordered parameters.
/Path <Path>
Specifies the file or directory to process. If a directory, the directory
is processed recursively; all operations specified affect the directory
and all files and folders under the directory (unless otherwise specified).
This parameter is mandatory. This command can be specified multiple times.
Enumerating registry paths and Active Directory containers is also supported
when /PathMode is set. Registry paths should be specified as HIVE\Key
(e.g., HKLM\Software). Active Directory scanning is supported but should
be limited to read-only operations since permissions targetted at specific
properties are not supported; Active Directory paths should be specified as
distinguished names (e.g., OU=Users,DC=Home,DC=Local)
/PathList <FileName>
Specifies a file that contains a list of paths to process. Each path
should be listed on a separate line and the file should be UTF-8 formatted.
Each path read from the file is processed the same as if it were passed
using /Path (see above).
/PathMode <File|Registry|ActiveDirectory>
Specifies the input format of any path specified by /Path and other ways
of providing paths. 'File' is the default if not specified.
/MaxDepth <NumberOfContainersDeep>
Specifies how deep the scan should go within the path. This default is
to be fully recursive (infinite). Specifying 0 will only enumerate the
root node. This does not limit the propogation of inheritable permissions
that could be set on children due to a change at a parent.
/SharePaths <ComputerName>[:AdminOnly|IncludeHidden|Match=<Str>|NoMatch=<Str>]
Specifies a server that has one or more shares to process. This command is
equivalent to specifying /Path for every share on a particular file server.
By default, only non-administrative, non-hidden shares are scanned.
To only scan administrative shares (e.g. C$), append :AdminOnly to the
computer name. To include hidden, non-administrative shares, append
:IncludeHidden to the computer name. By appending :Match= or :NoMatch=
with a literal string or regular expression, any share name that does not
match or mismatch the specified string, respectively, will be excluded.
/DomainPaths <DomainName>[:StopOnError|<See /SharePaths>]
Specifies a domain to scan for member servers that should be processed.
For each server that is found, a /SharePaths command is processed
for that particular server. This takes the same extra parameters as
/SharePaths including another option StopOnError to stop processing if
the shares of any particular computer cannot be read; if not specified
an error will be shown on the screen but processing will continue.
/DomainPathsWithSite <DomainName>[:StopOnError|<See /SharePaths>] [ADSite]
Same as /DomainPaths but will further filter to the specified Active
Directory site name of the device. ADSite can be a regular expression.
/Quiet
Hides all non-error output. This option will greatly enhance performance if
a large number of changes are being processed. Alternatively, it is
advisable to redirect console output to a file (using the > redirector) if
/Quiet cannot be specified.
/Threads <NumberOfThreads>
Specifies the number of threads to use while processing. The default value
of '5' is usually adequate, but can be increased if performing changes
over a higher-latency connection. Since changes to a parent directory
often affect the inherited security on children, the security of children
objects are always processed after the security on their parent objects
are fully processed.
/Log <FileName>
Specifies that messages written to the screen should also be written to the
designated file. The file is a comma separated value file.
/WhatIf
This option will analyze security and report on any potential changes
without actually committing the data. Use of /WhatIf is recommended for
those first using the tool.
/NoHiddenSystem
Use this option to avoid processing any file marked as both 'hidden' and
'system'. These are what Windows refers to 'operating system protected
files' in Windows Explorer.
Ordered Options
===============
Ordered Options are executed on each SID encountered in the security descriptor
in the order they are specified on the command line. Executing commands in
this way is preferable to multiple commands because the security descriptor is
only read and written once for the entire command which is especially helpful
for large volumes.
Commands That Do Not Alter Settings
-----------------------------------
/PrintDescriptor
Prints out the security descriptor to the screen. This is somewhat useful
for seeing the under-the-covers changes to the security descriptor before
and after a particular command.
/CheckCanonical
This command inspects the DACL and SACL for canonical order compliance
(i.e., the rules in the ACL are ordered as explicitly deny, explicitly
allow, inherited deny, inherited allow). If non-canonical entries are
detected, it is recommended to inspect the ACL with icacls.exe or Windows
Explorer to ensure the ACL is not corrupted in a more significant way.
/BackupSecurity <FileName>
Export the security descriptor to the file specified. The file is
outputted in the format of file|descriptor on each line. The security
descriptor is formatted as specified in the documentation for
ConvertDescriptorToStringSecurityDescriptor(). This command does
not print informational messages other than errors.
/FindAccount <Name|Sid>
Reports any instance of an account specified.
/FindDomain <Name|Sid>
Reports any instance of an account matching the specified domain.
/FindNullAcl
Reports any instance of a null ACL. A null ACL, unlike an empty ACL, allows
all access (i.e., similar to an ACE with 'Everyone' with 'Full Control')
/Locate <FileName> <FileRegularExpression>
This command will write a comma separated value file with the fields of
filename, creation time, file modified time, file size and file attributes.
The regular expression will perform a case insensitive regular expression
search against file name or directory name. For Active Directory scans, the
distinguished name is searched. For registry scans, the key name is searched
To report all data, pass .* as the regular expression.
/LocateHash <FileName> <FileRegularExpression>[:<SearchHash>[:<SearchSize>]]
Similar to /Locate, but the report file will also contain the SHA256 hash
of files that match the search criteria. The search criteria can optionally
include a SHA256 hash (in hex) and file size. Specifying file size can
dramatically increase search performance since only files with matching
sizes are read for hash comparison.
/Report <FileName> <AccountRegularExpression>
This command will write a comma separated value file with the fields of
filename, security descriptor part (e.g., DACL), account name, permissions,
and inheritance flags. The regular expression will perform a case
insensitive regular expression search against the account name in
DOMAIN\user format. To report all data, pass .* as the regular expression.
An optional qualifier after regular expression can be specified after the
regular expression to refine what part of the security descriptor to scan.
See Other Notes & Limitations section for more information.
Commands That Can Alter Settings (When /WhatIf Is Not Present)
--------------------------------
/GrantPerms <Name|Sid>:<Flags>
/DenyPerms <Name|Sid>:<Flags>
This command will ensure the account specified has the specified access to
the path and all containers/objects within the path either via explicit or
inherited permissions. The syntax of <Name|Sid>:<Flags> is the same of that
from ICACLS. For example, /GrantPerms SYSTEM:(F)(CI)(OI) will check if
SYSTEM has Full Control to all subdirectories and, if it does not, will add
full control with inheritance enabled. This command is often useful to
correct issues where a user or administrator has mistakenly removed an group
from subdirectories with broken inheritance.
/CanonicalizeAcls
This command will look for out-of-order ACEs within the DACL and reorder
them to be canonical. Canonical order is as follows: explicit deny, explicit
allow, inherited deny, inherited allow.
/Compact
This command will look for mergeable entries in the security descriptor and
merge them. For example, running icacls.exe <file> /grant Everyone:R
followed by icacls.exe <file> /grant Everyone:(CI)(OI)(R) will produce
two entries even though the second command supersedes the first one.
Windows Explorer automatically merges these entries when displaying security
information so you have to use other utilities to detect these
inefficiencies. While there's nothing inherently wrong with these
entries, it is possible for them to result in performance degradation.
/CopyDomain <SourceDomainName>:<TargetDomainName>
This command is identical to /MoveDomain except that the original
entry referring the SourceDomainName is retained instead of replaced.
This command only applies to the SACL and the DACL. If this command is
used multiple times, it is recommended to use /Compact to ensure there
are not any redundant access control entries.
/CopyMap <FileName>
This command will read in the specified file that contains a list of
account mappings in <SearchName>:<CopyName> format. This command only
affects the DACL and SACL. This common is similiar to the /ReplaceMap
command but it does not affect the owner and does not removed the original
account.
/MoveDomain <SourceDomainName>:<TargetDomainName>
This command will look to see whether any account in <SourceDomain>
has an identically-named account in <TargetDomain>. If so, any entries
are converted to use the new domain. For example,
'OldDomain\Domain Admins' would become 'NewDomain\Domain Admins'. Since
this operation relies on the names being resolvable, specifying a SID
instead of domain name for this command does not work.
/RemoveAccount <Name|Sid>
Will remove <Name> from the security descriptor. If the specified name
is found as the file owner, the owner is replaced by the built-in
Administrators group. If the specified name is found as the group owner
(a defunct attribute that has no function in terms of security), it is
also replaced with the built-in Administrators group.
/RemoveDomain <Domain|Sid>
Remove any account whose SID is derived from the <Domain> specified.
/RemoveOrphans <Domain|Sid>
Remove any account whose SID is derived from the <Domain> specified
and can no longer be resolved to a valid name.
/RemoveRedundant
This command will remove any explicit permission that is redundant of
the permissions it is already given through inheritance. This option
helps recover from the many individual explicit permissions that may
have been littered from the old cacls.exe command that didn't understand
how to set up inheritance.
/RemoveStreams
Removes any alternate data streams on targeted files.
/ReplaceAccount <SearchName|SearchSid>:<ReplaceName|ReplaceSid>
Search for an account and replace it with another account.
/ReplaceMap <FileName>
This command will read in the specified file that contains a list of
account mappings that are specified in the same format as /ReplaceAccount.
/RestoreSecurity <FileName>
The reverse operation of /BackupSecurity. Takes the file name and security
descriptors specified in the file specified and applies them to the file
system. This command does not print informational messages other than
errors.
/SetOwner <Name|Sid>
Will set the owner of the file to the name specified.
/UpdateHistoricalSids
Will update any SIDs that are present in the security descriptor and are
part of a SID history with the primary SID that is associated with an
account. This is especially useful after a domain migration and prior to
removing excess SID history on accounts.
Exclusive Options
=================
Exclusive options cannot be combined with any other security operations.
/Help or /? or /H
Shows this information.
/ResetChildren
This will reset all children of path to the to inherit from the parent. It
will not affect the security of the parent. This command does not affect
the security of the root directory as specified by the /Path argument.
/InheritChildren
This will cause any parent that is currently set to block inheritance to
start allowing inheritance. Any explicit entries on the children are
preserved. This command will not affect the security of the root directory
as specified by the /Path argument.
Other Notes & Limitations
=========================
- To only affect a particular part of a security descriptor, you can add on an
optional ':X' parameter after the end of the account name where X is a comma
separated list of DACL, SACL, OWNER, or GROUP. For example,
'/RemoveAccount "DOM\joe:DACL,OWNER"' will only cause the designated account
to be removed from the DACL and OWNER parts of the security descriptor.
- Since repacls is multi-threaded, any file output shown on the screen or
written to an output file may appear differently between executions. If this
is problematic for your needs, you can turn off multi-threading by setting
/Threads to '1' or, in the case of comparing files between runs, sort the
output before comparing with your favorite text editor.
- Antivirus applications can degrade performance tremendously if active while
running repacls. If performance is a concern and you are processing a large
volume, you may want to consider temporarily disabling real-time virus
scanning.
Examples
========
- Replace all instances of DOM\jack to DOM\jill in C:\test:
repacls.exe /Path C:\Test /ReplaceAccount "DOM\jack:DOM\jill"
- Migrate all permissions for all accounts with matching
names in DOMA with DOMB:
repacls.exe /Path C:\Test /MoveDomain DOMA:DOMB
- Update old SID references, remove any explicit permissions that are already
granted by inherited permissions, and compact all ACLs if not compacted:
repacls.exe /Path C:\Test /UpdateHistoricalSids /RemoveRedundant /Compact
Type 'repacls.exe /? | more' to scroll this documentation.