Using .NET you may think that determining which permissions are assigned to a directory/file should be quite easy, as there is a FileSystemRights Enum defined that seems to contain every possible permission that a file/directory can have and calling AccessRule.FileSystemRights returns a combination of these values. However, you will soon come across some permissions where the value in this property does not match any of the values in the FileSystemRights Enum.
The end result of this is that for some files/directories you cannot determine which permissions are assigned to them using this FileSystemRights enum alone. If you do AccessRule.FileSystemRights.ToString then for these values all you see is a number rather than a description (e.g Modify, Delete, FullControl etc). Common numbers you might see are:
-1610612736, –536805376, and 268435456
To work out what these permissions actually are, you need to look at which bits are set when you treat that number as 32 separate bits rather than as an Integer (as Integers are 32 bits long), and compare them to this diagram: http://msdn.microsoft.com/en-us/library/aa374896(v=vs.85).aspx
So for example, -1610612736 has the first bit and the third bit set, which means it is GENERIC_READ combined with GENERIC_EXECUTE. So now you can convert these generic permissions into the specific file system permissions that they correspond to.
You can see which permissions each generic permission maps to here: http://msdn.microsoft.com/en-us/library/aa364399.aspx. Just be aware that STANDARD_RIGHTS_READ, STANDARD_RIGHTS_EXECUTE and STANDARD_RIGHTS_WRITE are all the same thing (no idea why, seems strange to me) and actually all equal the FileSystemRights.ReadPermissions value.
So for example, GENERIC_READ (aka FILE_GENERIC_READ) maps to the following file system permissions: ReadAttributes + ReadData + ReadExtendedAttributes + ReadPermissions + Synchronize.
So I made the following two Enums to help keep track of this and help with converting these generic permissions to specific file permissions:
If you are not familiar with the bitwise operators in .NET then the second enum may seem a bit weird to you. As the FileSystemRights enum has the <Flags> attribute it means we can use the “OR” operator to combine multiple values together. So confusingly the OR operator here kind of means AND (or +) really, but bitwise operations are a whole other topic that there are plenty of articles on the web on. If you are not familiar with them though then I would recommend reading up on it as understanding this comes in handy quite often, like it has done here with this permissions problem.
So now if we wanted to see what our “unrecognised” permissions actually are, we can use a function like this:
This function takes the original FileSystemRights value (for example –1610612736) and checks to see if any of the generic bits are set. If they are then it sets the relevant bits for the specific permissions that this generic permission maps to and returns a new FileSystemRights value that just contains these specific permissions. So we can then use this function like so:
Now instead of seeing a value of –1610612736 we see the permissions it actually maps to, which in this example are: ReadAndExecute + Synchronize
Hope it helps others out, as it took me a while to figure out!🙂 I needed to get this working for my NTFS Permissions Reporter app, which you can find more information on here if you are interested.