We help IT Professionals succeed at work.

Restoring Windows 7 ACLs on C:\

Scurfy asked
Long story, I'll make it short(er). I inadvertently changed ACLs on C:\ (ie, the root directory of the C: drive) and want to get them set back to how they were when the OS was installed.  Tried lots of things. Lastest is to use icacls /save to save the ACLs from another machine I know is correct, and then icacls /restore to restore, on the target machine, those ACLs from the previously saved file.  (i.e., save to file icacls.ssp, copy icacls.ssp to target machine,
restore on target machine).

I:\>icacls C:\ /restore icacls.ssp
C:\D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:(ML;OINPIO;NW;;;HI): The filename, directory name, or volume label syntax is incorrect.
Successfully processed 0 files; Failed processing 1 files


Not sure if there's a problem with my command line, or the ACL file from the other system, so as a test I /saved and then tried to immediately /restore, BOTH SAVE AND RESTORE ON THE TARGET SYSTEM, just to see if it would work.  It didn't:

I:\>icacls C:\ /save icacls.jmb
processed file: C:\
Successfully processed 1 files; Failed processing 0 files

I:\>icacls C:\ /restore icacls.jmb
The filename, directory name, or volume label syntax is incorrect.
Successfully processed 0 files; Failed processing 1 files

All of the above was done from the Command Prompt running as Administrator.

I would like to understand what's up with icalcs; but even more I'd like to get my ACLs  reset the way I want.  I've tried to do this using the GUI, with different problems:

Start -> Computer -> right click OS (C:) -> Properties -> Security -> Advanced -> Change Permissions  -> Add/Edit/Remove etc., but when I try to set permissions for a particular
user or group, and I specify  "Apply to: " "This folder only", it STILL tries to propagate
the setting to sub-folders!

I just want a simple, clean, reliable way to get my ACLs reset.
Watch Question

Top Expert 2012

Have you tried to initiate a Windows 7 System Restore to a point prior to the change?

How to Do a System Restore in Windows 7
Nope, but I thought about it.  In the research I did, I couldn't find any indication that permissions are saved when creating restore points, or that they would be restored.  So I opted not to go there.  As an update, I've recently had some success with using icacls in a different way than in my initial question.  For example, this works to correctly set permissions for Authenticated users:

icacls C:\ /grant "Authenticated Users":(OI)(CI)(IO)(DE,GE,GW,GR)

I'd attempted this earlier but hadn't gotten the syntax quite right in specifying inheritance rights.

Looks like I'll be able use this application of icacls to accomplish what I want.  Sure would be nice to know why icacls /save & /restore wasn't doing what I expected, and why setting permissions from the GUI was causing propagation even when I explicitly specified "This folder only".
Top Expert 2012

"So I opted not to go there."

In the future, keep in mind that you don't lose or overwrite any user data files when you execute a System Restore.  It is a very low-risk procedure, and it may resolve the problem at hand.
Top Expert 2009

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.