Windows – What Does ‘ICACLS C:\Windows\winsxs’ Do?

cmd.exeicaclswindowswinsxs

Originally posted by me on Stack Overflow, reposted here because this seems like a more relevant site for this question. Some wording has been slightly edited and more information has been added.

When typing "icacls /?" into Windows command prompt, the documentation doesn't seem to explain what "icacls <folder/file>" does. According to docs.windows.com, the parameter "<filename>" "Specifies the file for which to display DACLs" and "<directory>" "Specifies the directory for which to display DACLs". According to ss64.com, the command "icacls "C:\demo\example"" is used to "View the permissions currently set on a folder".

Now, what is confusing, is that in an article which instructs how to solve a SFC /scannow windows resource protection issue, the 3rd repair suggestion, "Modify Security Descriptors in WinSXS Folder", suggests to use the command "ICACLS C:\Windows\winsxs" as a possible fix for the issue. The site tells about the background of why it might fix the issue:

"A lot of your Windows system updates and system files are stored in the WinSXS folder, and if your SFC utility tool cannot access this folder, it will fail and that is what prompts the error message. To get around this, you can modify the security descriptors of the folder."

Another article suggests the same fix:

"It is possible that System File Checker is failing to scan the system because it cannot access the WinSxS folder due to issues with the WinSxS folder's security descriptors. To run the ICALCS command, open Command Prompt with administrative privileges and execute the "ICACLS C:\Windows\winsxs" command."

However, both articles only instruct to enter the "ICACLS C:\Windows\winsxs" command and restart the computer and the issue might be fixed. This makes it sound like the command "ICACLS C:\Windows\winsxs" actually does something.

So I am wondering, have I misunderstood the instructions of the articles or is there something that I'm missing? Does the command "ICACLS C:\Windows\winsxs" actually do something else than just view the permissions of the folder? Is the command safe to execute and how does it affect the system, for example can it be a security risk of some kind?

Best Answer

That article is pure nonsense. icacls works on object.

The command icacls "C:\demo\example" does nothing else than display the permissions currently set on the folder. For example:

This means that the command ICACLS C:\Windows\winsxs does nothing that needs a reboot.

On another note, the folder C:\Windows\winsxs is an essential Windows folder and should absolutely not be touched as regarding permissions. Changing the permissions on this folder can cause serious problems in the future.

Conclusion: Better ignore that article (or at least that part of it).

Related Solutions

Why the /winsxs Folder Grows Large and How to Reduce Its Size

There is a nice command that cleans up after a Windows 7 SP1 installation (it saved me around 3 GB):

DISM /online /cleanup-Image /spsuperseded

^{Must be executed from an elevated command prompt}

Windows – How to recover from a corrupted mfc90.dll under WinSxS folder

First I dont know what I am doing, and have never pulled off this particular thing. I am not going to do it anyways :-) you are, if you want. But here are some of the aproaches, In no particular order, and just Psyco , with no fact based solution on a platter.

1) Is it corrupt file/place on disk?

1A) Run CHKDSK on the drive with a /r option.

1B) Backup the whole system partition using a image backup, you have to have one anyways to do all the evil things I will dream up to destroy this file anyways :-) Make sure you validate the backup and are positive of it.
Now restore that backup, this will force the re-write of the whole system.

1) With the above were sure of one thing, corruption is not in the way of the removal. You probably know if disk corruption is part of the problem. But the backup itself will still need to be done for survival.

2) shared dlls

2A) A proper uninstall will not occur for a "sharedDlls" that has a Use number greater than 1 , meaning it would be 0 on the last uninstall. One of the locations for these is HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\SharedDLLs.

2B) find the file in any of the shared dll locations in the registry and toss them all, why bother with the number if the point is to remove/replace .

2C) find it anywhere else in the registry and remove it anyways , This is an older dll, and is not part of the system itself, so who cares.

2) Were trying to get a re-install going of the re-distibutable so we might have to get agressive. You have the above backup, so rip-and tear.
This only is needed when your trying to uninstall and the Use Number is holding it up, using Proper uninstall methods.
There may be other locations in the registry that Identify that the redistributable is already installed, that could still be a problem when re-installing the redistributable.

3) Figure out its Linkage

3A) Install this hard link viewer thing, "HardLinkShellExt_X64" that will show you how many links there are (or not) pointing to the data on the disk location.

3B) remove all the links except for the last one (which would be deletion of the data itself)

3) I dont really know, but if you do manage to delete data on a disk, without the removal of the hard links themselves (not easily accomplished) you could end up with a pointer to nowhere. At least this thing will show what is going on, and what the links are (or arent).

4) Get vicious with removal

4A) Install the utility called "take ownership" this can mess with permission on the file/folder, so you can destroy things with permissions that stop the administrator from removing them. Run it on the file that your trying to remove if permissions are in the way of removal.

4B) Install "unlocker" this can unlock things that are using it, and even delete on re-boot. Also File assasin in MBAM would be able to do about the same thing. This can delete files that are obstinate. If permissions are in the way, you have to take care of them first.

5) somewhere in here we reinstall the original redistributable

5A) find the program that installed the thing to begin with search for Vcred*.* on the install disks . Often found in a redistributables folder on the programs disks. The idea here it not to re-install the whole program needlessly , but to just re-install that broken redist of it.

6) Retract the image backup, because I was wrong, and have now made things worse :-)

7) When a sfc scan does not complete the job of repairing the system, often a "lapped Install" can fix things. but this item is not part of the original windows 7 install.

Best Answer

Related Solutions

Why the /winsxs Folder Grows Large and How to Reduce Its Size

Windows – How to recover from a corrupted mfc90.dll under WinSxS folder

Related Question