SUMMARY

When you choose to install Windows NT to an NTFS partition during Setup,
Windows NT installs to a FAT partition first, and then converts the
partition to NTFS.

Windows NT needs a way of assigning default NTFS permissions to system
files and folders. The Windows NT 3.5x Winperms.txt and Windows NT 4.0
Perms.inf files are used as templates to assign the correct permissions for
built-in accounts (such as Server Operators, Backup Operators, Everyone,
and so on) to the directory structure. These Access Control Entries (ACEs)
are pre-defined and cannot be used to add non-built-in user account
permissions.

Windows NT 3.5x uses Setacl.exe to apply these default permissions.
SetAcl.exe is a table-driven program that reads the Winperms.txt file of
the form:

   dir1\dir2\dir3     5,7
   dir1\dir2\file1    1,2,3
   file2              4,5

where the first column is a full pathname to either a file or a
directory, and each integer in the list identifies an Access Control Entry
(ACE) to be applied.

In Windows NT 3.51, ACE values ACE-0 through ACE-17 have the following
definitions:

 - ACE-0   NULL ACE, used as a placeholder.
 - ACE-1   Placed on a directory. This ACE causes RWX access to be
           inherited by all new objects created in the directory and all
           new directories. For example, "Anyone can write".
 - ACE-2   Placed on a directory. This ACE is inherit only, so it is not
           evaluated when the directory is accessed. It propagates all
           access to containers and objects and substitutes the creator's
           SID when it is propagated.
 - ACE-3   Used to implement RWXD to Administrators.
 - ACE-4   Used to grant RWXD to Server Operators.
 - ACE-5   Used for files being placed in a directory protected by an ACE
           of type 2 above (to make it look like the protection was
           inherited, even though it was not).
 - ACE-6   Placed on a directory to grant WORLD RX permission to the
           directory and all files and subdirectories.
 - ACE-7   Placed on a directory to grant Administrators All Access to the
           directory and all files and subdirectories.
 - ACE-8   Placed on a directory to grant Server Operators All Access to
           the directory and all files and subdirectories.
 - ACE-9   Used to grant WORLD RX access.
 - ACE-10  Used to grant WORLD RWX access.
 - ACE-11  Used to grant Account Operators RWXD permissions.
 - ACE-12  Used to grant Print Operators All Access to files and all
           subdirectories.
 - ACE-13  Used to grant Account Operators All Access to all subdirectories
           and objects created beneath it.
 - ACE-14  Used to grant Account Operators All Access.
 - ACE-15  Used to grant Print Operators All Access.
 - ACE-16  Used to grant Server Operators All Access.
 - ACE-17  Used to grant Administrators All Access.

The following are default ACE Assignments for specific rights:

   Anyone Can Write
      Directories get 1,2,3, optionally 4 if Lanman product
      Files get 5,10

   Administrators Control
      Directories get 6,2,7, optionally 8 if Lanman product
      Files get 5,9,16,17

   Administrators Exclusive
      Directories get 9,2,7
      Files get 5,17

   Creator Exclusive
      Directories get 10,2
      Files get 5

   Home Directory Parent
      Directories get 9,3,11
      No files

   Administrators, server operators & print operators
      Directories get 6,2,7, optionally 8,12
      Files get 9,5,15,16,17

   Administrators and Account Operators
      Directories get 6,2,7, optionally 13
      Files get 6,5,14,17

Windows NT 4.0 uses ACE-1 through ACE-18 and uses a different numbering
scheme. The numbers in the Perms.inf file are simply used as indices to a
table in code. There is no way to extend the table.

NOTE: Some of these are not applicable for Windows NT Workstation.

ACE codes:

   Index  Permission          Inherit
   -----------------------------------------------
   1      AccountOpsRWXD      Containers
   2      AdminAll            Containers, Objects
   3      AdminRWXD           Containers
   4      CreatorOwnerAll     Containers, Objects
   5      NetUsersDenyAll     Containers, Objects
   6      PrintOperatorsAll   Containers, Objects
   7      ReplicatorRWXD      Containers, Objects
   8      ReplicatorRX        Containers, Objects
   9      SysOpsAll           Containers, Objects
   10     SysOpsRWXD          Containers, Objects
   11     WorldAll            Containers, Objects
   12     WorldRWX            Containers
   13     WorldRWXD           Containers, Objects
   14     WorldRX             Containers
   15     WorldRX             Containers, Objects
   16     WorldRWX            Containers, Objects
   17     SystemAll           Containers, Objects
   18     PowerUsersRWXD      Containers, Objects

Use the chart below for predefined combinations of ACEs:

   d1  = 2,13,4,17
   d2  = 2,4,14,17
   d3  = 15,4,2,17
   d4  = 15,4,2,13,17,18
   d5  = 15,4,2,17,18
   d6  = 2,4,15,17,18
   d7  = 15,2,7,4,17
   d8  = 14,3,17
   d9  = 12,4,17
   d10 = 2,13,4,17

   f1  = 2,15,17
   f2  = 2,13,17
   f3  = 2,15,17,18
   f4  = 11
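
The Windows NT 4.0 index table and predefined combinations above, resolved
in Python as an added example (not part of the original article and not a
Microsoft tool). It expands each combination into its named ACEs and reports
the ones that give World write or full access, which is the first thing to
review when auditing these defaults. The "C"/"CO" inherit codes and the
function names are this example's own.

```python
# ACE index table and predefined combinations transcribed from the article.
# Inherit codes (this example's shorthand): "C" = Containers,
# "CO" = Containers, Objects.
ACES = {
    1: ("AccountOpsRWXD", "C"), 2: ("AdminAll", "CO"), 3: ("AdminRWXD", "C"),
    4: ("CreatorOwnerAll", "CO"), 5: ("NetUsersDenyAll", "CO"),
    6: ("PrintOperatorsAll", "CO"), 7: ("ReplicatorRWXD", "CO"),
    8: ("ReplicatorRX", "CO"), 9: ("SysOpsAll", "CO"), 10: ("SysOpsRWXD", "CO"),
    11: ("WorldAll", "CO"), 12: ("WorldRWX", "C"), 13: ("WorldRWXD", "CO"),
    14: ("WorldRX", "C"), 15: ("WorldRX", "CO"), 16: ("WorldRWX", "CO"),
    17: ("SystemAll", "CO"), 18: ("PowerUsersRWXD", "CO"),
}
COMBOS = {
    "d1": [2, 13, 4, 17], "d2": [2, 4, 14, 17], "d3": [15, 4, 2, 17],
    "d4": [15, 4, 2, 13, 17, 18], "d5": [15, 4, 2, 17, 18],
    "d6": [2, 4, 15, 17, 18], "d7": [15, 2, 7, 4, 17], "d8": [14, 3, 17],
    "d9": [12, 4, 17], "d10": [2, 13, 4, 17],
    "f1": [2, 15, 17], "f2": [2, 13, 17], "f3": [2, 15, 17, 18], "f4": [11],
}


def expand(combo):
    """Resolve a combination name (e.g. 'd4') to (index, permission, inherit) ACEs."""
    return [(i, *ACES[i]) for i in COMBOS[combo]]


def world_write_aces(combo):
    """Return the ACEs in a combination that give World write or full access."""
    hits = []
    for index, perm, inherit in expand(combo):
        if perm.startswith("World"):
            rights = perm[len("World"):]
            if rights == "All" or "W" in rights:
                hits.append((index, perm, inherit))
    return hits


def audit():
    """Map each combination granting World write access to the ACEs responsible."""
    return {name: hits for name in COMBOS if (hits := world_write_aces(name))}


if __name__ == "__main__":
    for name, hits in audit().items():
        print(f"{name}: " + ", ".join(f"ACE {i} {p} ({inh})" for i, p, inh in hits))
```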