Restoring security descriptors from a backup with Icacls command

Intro

I totally fucked up. Recently, due to improper handling I reinit security descriptors of a file share…

Thanks to god we can quite easily restore security descriptors with the icacls command and complete backup.

I personnaly restored security descriptors from a windows snapshot (and with the dosdev utility) but we can do it from any backup.

If, as myself, you want to use windows snapshot, we first need to mount backup as a drive letter, backup security descriptors to a file with icacls then restore security descriptors.

Mount vss snapshot

We will see here how to mount a snapshot as H: drive.

• Open PowerShell console with administrator rights :

• List snapshots for D: drive :

PS C:\> vssadmin list shadows /for=D:

• Identify snaphost you want to mount :

• Download dosdev.zip, unzip the file then use the utility to mount snapshot to H: drive :

PS C:\> .\dosdev.exe H: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3

Restore security descriptors

• Go to H: and save ACLs for each folder with icacls command :

PS C:\> H:

PS H:\> cd .\Share\

PS H:\> icacls 01-Admin /save c:\BACKUPACL_01-Admin /T /C

PS H:\> icacls 02-Softwares /save c:\BACKUPACL_01-Softwares /T /C

PS H:\> icacls 03-Temp /save c:\BACKUPACL_03-Temp /T /C

• Restore ACLs for each folder with icacls command :

PS H:\> cd D:\Share

PS D:\> icacls .\ /restore c:\BACKUPACL_01-Admin /T /C

PS D:\> icacls .\ /restore c:\BACKUPACL_02-Admin /T /C

PS D:\> icacls .\ /restore c:\BACKUPACL_03-Admin /T /C

• Unmount H: drive :

PS D:\> .\dosdev.exe H: /D