> For the complete documentation index, see [llms.txt](https://infra.newerasec.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://infra.newerasec.com/infrastructure-testing/privilege-esclation/windows/icacls.md).

# icacls

icacls is a command-line utility that can be used to modify NTFS file system permissions in Windows Server 2003 SP2, Windows Server 2008, Windows Vista and Windows 7. It builds on the functionality of similar previous utilities, including cacls, Xcacls.exe, Cacls.exe, and Xcacls.vbs.   

**example**: 

```
PS htb\amanda@SIZZLE documents> icacls clean.bat 
clean.bat NT AUTHORITY\SYSTEM:(I)(F) 
          BUILTIN\Administrators:(I)(F) 
          HTB\Administrator:(I)(F) 
          HTB\amanda:(I)(F) 
```

**Change permissions:** 

icacls C:\PS /grant  John:M 

**Remove permissions:** 

icacls C:\PS /remove John 

Opposed to each group and the user’s access level is specified. Access rights are indicated using abbreviations. Consider the permissions for the user CORP\someusername. The following permissions are assigned to this user: 

* (OI) — object inherit 
* (CI) — container inherit 
* (M) —  modify access 

This means that this user has the rights to write and modify data in this directory. These rights are inherited to all child objects in this directory. 

Below is a complete list of permissions that can be set using the icacls utility: 

iCACLS inheritance settings: 

* (OI)  —  object inherit 
* (CI)  —  container inherit 
* (IO)  —  inherit only 
* (NP)  —  don’t propagate inherit 
* (I)  — permission inherited from parent container 

List of basic access permissions: 

* D  —  delete access 
* F  —  full access 
* N  —  no access 
* M  —  modify access 
* RX  —  read and eXecute access 
* R  —  read-only access 
* W  —  write-only access 

Detailed permissions: 

* DE  —  delete 
* RC  —  read control 
* WDAC  —  write DAC 
* WO  — write owner 
* S  —  synchronize 
* AS  —  access system security 
* MA  —  maximum allowed permissions 
* GR  —  generic read 
* GW  —  generic write 
* GE  —  generic execute 
* GA  —  generic all 
* RD  —  read data/list directory 
* WD  —  write data/add file 
* AD  — append data/add subdirectory 
* REA  —  read extended attributes 
* WEA  —  write extended attributes 
* X  —  execute/traverse 
* DC  —  delete child 
* RA  —  read attributes 
* WA  —  write attributes 


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://infra.newerasec.com/infrastructure-testing/privilege-esclation/windows/icacls.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.