Access control

Every secured object carries a security descriptor evaluated by a single function — AccessCheck.

The structure of a security descriptor — owner, group, DACL, and SACL — and how objects receive one.

DACLs control who can access an object, SACLs control auditing and integrity policy.

The single function that evaluates every access decision — from file opens to signal delivery.

How the 32-bit access mask encodes specific, standard, and generic rights for every object type.

Why the order of ACEs in a DACL determines the outcome, and the canonical ordering rules.

A null DACL grants all access to everyone; an empty DACL denies all access — opposite meanings.

What the owner SID grants by default, how OWNER RIGHTS overrides it, and how ownership is transferred.

How ACEs propagate from parent directories to children using CI, OI, NP, and IO inheritance flags.

How to use sd show to inspect the owner, group, DACL, and SACL on files, registry keys, and processes.

How to use sd set to replace explicit ACEs on an object while preserving inherited ACEs.

How to add and remove individual allow and deny ACEs from an existing DACL using sd add and sd remove.

How to disconnect an object from its parent's DACL by breaking, clearing, or re-enabling inheritance.

How to view, transfer, or take ownership of an object, and the recovery path for locked-out objects.

How to use the OWNER RIGHTS ACE (S-1-3-4) to override the default rights granted to an object's owner.

How to use sd explain to trace each stage of an AccessCheck evaluation and diagnose access problems.

How file and directory security descriptors are stored as filesystem extended attributes.

Access is evaluated once at file open and the granted rights are cached on the handle for its lifetime.

Reference table of file and directory specific rights, standard rights, and generic-to-specific mappings.

The complete AccessCheck evaluation algorithm — every function, every step, no omissions.