{"id":18894110,"url":"https://github.com/trailofbits/windows-acl","last_synced_at":"2026-02-26T16:46:43.074Z","repository":{"id":37470586,"uuid":"129290685","full_name":"trailofbits/windows-acl","owner":"trailofbits","description":"Rust crate to simplify Windows ACL operations","archived":false,"fork":false,"pushed_at":"2023-06-09T18:42:36.000Z","size":672,"stargazers_count":19,"open_issues_count":4,"forks_count":7,"subscribers_count":32,"default_branch":"master","last_synced_at":"2025-04-06T07:18:41.333Z","etag":null,"topics":["access-control","acl","windows"],"latest_commit_sha":null,"homepage":"https://blog.trailofbits.com/2018/08/23/introducing-windows-acl-working-with-acls-in-rust/","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trailofbits.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-04-12T17:50:47.000Z","updated_at":"2024-11-17T02:12:49.000Z","dependencies_parsed_at":"2022-08-31T02:00:42.475Z","dependency_job_id":null,"html_url":"https://github.com/trailofbits/windows-acl","commit_stats":null,"previous_names":[],"tags_count":6,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwindows-acl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwindows-acl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwindows-acl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trailofbits%2Fwindows-acl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trailofbits","download_url":"http
s://codeload.github.com/trailofbits/windows-acl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248395562,"owners_count":21096790,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","acl","windows"],"created_at":"2024-11-08T08:18:06.694Z","updated_at":"2026-02-26T16:46:38.018Z","avatar_url":"https://github.com/trailofbits.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# windows-acl\n\n[![CI](https://github.com/trailofbits/windows-acl/actions/workflows/ci.yml/badge.svg)](https://github.com/trailofbits/windows-acl/actions/workflows/ci.yml)\n[![Crates.io](https://img.shields.io/crates/v/windows-acl)](https://crates.io/crates/windows-acl)\n\nRust library to simplify Windows ACL operations.\n\n## Using windows-acl\nFirst, add the following lines to the dependencies section of the project’s `Cargo.toml` file.\n\n```\nwinapi = \"0.3.5\"\nwindows-acl = \"0.3.0\"\n```\n\nIn the main Rust source code file, add the _windows-acl_ external crate and import the symbols as follows:\n\n```rust\nextern crate winapi;\nextern crate windows_acl;\n\nuse winapi::um::winnt::{\n    PSID, FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_GENERIC_WRITE,\n    FILE_ALL_ACCESS, SYSTEM_MANDATORY_LABEL_NO_WRITE_UP,\n    SYSTEM_MANDATORY_LABEL_NO_READ_UP, SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP\n};\nuse windows_acl::acl::{ACL, AceType};\nuse windows_acl::helper::string_to_sid;\n```\n\n**NOTE:** Altering system ACL entries requires either Administrator privileges or the ability to acquire the `SeSecurityPrivilege` privilege.\n\n### Adding a mandatory 
integrity label\n\n```rust\n    let high_integrity_level_sid = string_to_sid(\"S-1-16-12288\").unwrap();\n\n    let mut acl = ACL::from_file_path(\"C:\\\\Users\\\\andy\\\\work\\\\high_il\", true).unwrap();\n\n    // Set high_il to be a high integrity level directory\n    match acl.integrity_level(\n                high_integrity_level_sid.as_ptr() as PSID,\n                true,\n                SYSTEM_MANDATORY_LABEL_NO_WRITE_UP |\n                    SYSTEM_MANDATORY_LABEL_NO_READ_UP |\n                    SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP\n            ) {\n        Ok(status) =\u003e {\n            if !status {\n                println!(\"We had an internal issue trying to add high integrity level to high_il\");\n            }\n        },\n        Err(code) =\u003e {\n            println!(\"Failed to add high integrity level to high_il: error={}\", code);\n        }\n    }\n```\n\n### Adding an audit entry\n\n```rust\n    let world_sid = string_to_sid(\"S-1-1-0\").unwrap();\n\n    let mut acl = ACL::from_file_path(\"C:\\\\Users\\\\andy\\\\work\\\\sensitive_files\", true).unwrap();\n\n    // Audit every file operation in sensitive_files from anyone in the Everyone group\n    match acl.audit(\n                world_sid.as_ptr() as PSID,\n                true,\n                FILE_ALL_ACCESS,\n                true,\n                true\n            ) {\n        Ok(status) =\u003e {\n            if !status {\n                println!(\"We had an internal issue trying to add audit entry to sensitive_files\");\n            }\n        },\n        Err(code) =\u003e {\n            println!(\"Failed to add audit entry to sensitive_files: error={}\", code);\n        }\n    }\n```\n\n### Denying guest access to a directory\n\n```rust\n    let guests = string_to_sid(\"S-1-5-32-546\").unwrap();\n\n    let mut acl = ACL::from_file_path(\"C:\\\\Users\\\\andy\\\\work\\\\sensitive_files\", false).unwrap();\n\n    // Guests cannot read anything in this directory. 
However, they can still drop files there\n    match acl.deny(guests.as_ptr() as PSID, true, FILE_GENERIC_READ) {\n        Ok(status) =\u003e {\n            if !status {\n                println!(\"We had an internal issue trying to add a deny entry to sensitive_files\");\n            }\n        },\n        Err(code) =\u003e {\n            println!(\"Failed to add deny entry: error={}\", code);\n        }\n    }\n```\n\n### Removing entries\n\n```rust\n    let world_sid = string_to_sid(\"S-1-1-0\").unwrap();\n\n    let mut acl = ACL::from_file_path(\"C:\\\\Users\\\\andy\\\\work\\\\sensitive_files\", true).unwrap();\n\n    // Remove a SystemAudit entry; remove() can also remove DACL entries\n    match acl.remove(world_sid.as_ptr() as PSID, Some(AceType::SystemAudit), None) {\n        Ok(removed) =\u003e {\n            println!(\"Removed {} entries\", removed);\n        },\n        Err(code) =\u003e {\n            println!(\"Failed to remove entry: error={}\", code);\n        }\n    }\n```\n\n## Example Applications\nSee `query_acl.rs` in the `example/` directory.\n\n## Unit Tests\nThe current unit tests expect to be run in a single-threaded environment with elevated privileges. By default, Rust executes unit tests with multiple threads. To successfully run tests, the following must be done:\n\n 1. Open an elevated privilege/Administrator Command Prompt or PowerShell Terminal.\n 2. Set the `RUST_TEST_THREADS` environment variable to 1.\n 3. Run `cargo test`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fwindows-acl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrailofbits%2Fwindows-acl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrailofbits%2Fwindows-acl/lists"}