Restoring security descriptors from a backup with Icacls command

Intro

I totally fucked up. Recently, due to improper handling, I reinitialised the security descriptors of a file share…

Thank god, we can quite easily restore security descriptors with the icacls command and a complete backup.

I personally restored security descriptors from a Windows snapshot (and with the dosdev utility), but we can do it from any backup.

If, like me, you want to use a Windows (VSS) snapshot, you first need to mount the snapshot as a drive letter, save its security descriptors to a file with icacls, then restore them onto the live share.

Mount a VSS snapshot

This section shows how to mount a snapshot as the H: drive.

  • Open a PowerShell console with administrator rights:
[Screenshot: PowerShell, open as administrator]
  • List the snapshots for the D: drive:
PS C:\> vssadmin list shadows /for=D:
  • Identify the snapshot you want to mount and note its "Shadow Copy Volume" path:
[Screenshot: PowerShell, vssadmin list shadows result]
  • Download dosdev.zip, unzip it, then use the utility to mount the snapshot as the H: drive:
PS C:\> .\dosdev.exe H: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
[Screenshot: PowerShell, mount VSS snapshot with the dosdev tool]

Restore security descriptors

  • Go to H: and save the ACLs of each folder with the icacls command (run it from the share root, so the paths stored in the ACL files are relative to it):
PS C:\> H:
PS H:\> cd .\Share\
PS H:\Share> icacls 01-Admin /save c:\BACKUPACL_01-Admin /T /C
PS H:\Share> icacls 02-Softwares /save c:\BACKUPACL_02-Softwares /T /C
PS H:\Share> icacls 03-Temp /save c:\BACKUPACL_03-Temp /T /C
[Screenshot: PowerShell, icacls save ACLs]
  • Restore the ACLs of each folder with the icacls command, from the live share root so the relative paths resolve to the right folders. Note that icacls /save records DACLs only; owners, SACLs and integrity labels are not saved and have to be restored another way if they were lost too:
PS H:\Share> cd D:\Share
PS D:\Share> icacls .\ /restore c:\BACKUPACL_01-Admin /T /C
PS D:\Share> icacls .\ /restore c:\BACKUPACL_02-Softwares /T /C
PS D:\Share> icacls .\ /restore c:\BACKUPACL_03-Temp /T /C
[Screenshot: PowerShell, icacls restore ACLs]
  • Unmount the H: drive (run dosdev.exe from the folder where you unzipped it):
PS D:\Share> .\dosdev.exe H: /D
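The same save/restore procedure as one PowerShell script, added here as an example and not part of the original post: the ACL file name is derived from the folder name so it cannot be mistyped, and a DACL comparison between snapshot and live share is run afterwards. It assumes the snapshot is already mounted as H:, the live share is at D:\Share and the ACL files go under C:\ACLBackup (all three are parameters).

```powershell
# Added example (not the original post's commands). Assumed layout: snapshot mounted
# as H:, live share at D:\Share, ACL files written to C:\ACLBackup.
param(
    [string]$SnapshotRoot = 'H:\Share',     # mounted VSS snapshot holding the good ACLs
    [string]$LiveRoot     = 'D:\Share',     # live share whose ACLs were reset
    [string]$AclDir       = 'C:\ACLBackup'  # where the icacls /save files go
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $AclDir -Force | Out-Null

# 1. Save one ACL file per top-level folder. icacls stores paths relative to the
#    current directory, so run it from the snapshot's share root.
Push-Location $SnapshotRoot
try {
    foreach ($dir in Get-ChildItem -Directory) {
        & icacls $dir.Name /save (Join-Path $AclDir "BACKUPACL_$($dir.Name)") /T /C
        if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /save had errors for $($dir.Name)" }
    }
} finally { Pop-Location }

# 2. Restore onto the live share. The relative paths inside each ACL file are resolved
#    against the directory given to /restore, so pass the live share root.
foreach ($aclFile in Get-ChildItem -Path $AclDir -File) {
    & icacls $LiveRoot /restore $aclFile.FullName /T /C
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls /restore had errors for $($aclFile.Name)" }
}

# 3. Verify by comparing the DACL part of the SDDL for every object. Only the DACL is
#    compared because icacls /save does not record owner, SACL or integrity label.
$dacl = [System.Security.AccessControl.AccessControlSections]::Access
$mismatch = 0
foreach ($item in Get-ChildItem -Path $SnapshotRoot -Recurse -Force) {
    $rel  = $item.FullName.Substring($SnapshotRoot.Length).TrimStart('\')
    $live = Join-Path $LiveRoot $rel
    if (-not (Test-Path -LiteralPath $live)) { Write-Warning "missing on live share: $rel"; continue }
    $src = (Get-Acl -LiteralPath $item.FullName).GetSecurityDescriptorSddlForm($dacl)
    $dst = (Get-Acl -LiteralPath $live).GetSecurityDescriptorSddlForm($dacl)
    if ($src -ne $dst) { $mismatch++; Write-Warning "DACL differs: $rel" }
}
"Verification finished: $mismatch object(s) still differ from the snapshot."
```

Run it from an elevated PowerShell; any object reported as differing is one where the live share's DACL still does not match the snapshot and needs a manual look.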
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.