How to check access rights to file/directory on NTFS volume in Windows NT/2000/XP

The simplest way to check a file access right is to try to use it: if the system refuses the attempt, the current user does not have that right. Sometimes, however, this approach is undesirable or impossible. For example, you may need to find out whether a file can be deleted without actually deleting it, or you may want to determine your rights to an open file.

Windows NT/2000/XP provides the API function AccessCheck, which checks access rights to any operating system object that supports them. The system calls this function implicitly every time a user accesses such an object. Calling AccessCheck explicitly requires a whole series of operations on the data structures responsible for OS security, as well as calls to several other functions.

To simplify working with access rights to NTFS file system objects (files and directories), I have written the CheckFileAccess function, which takes on all this hard work.

Here is a description of this function:

    CheckFileAccess(Filename As String, _
        ByVal DesiredAccess As Long) As Long


    Filename      - full path of the file or directory.
                    A directory path must not end with a "\" character.

    DesiredAccess - desired access rights bit mask.

The function returns a bit mask consisting of those bits of the desired mask that correspond to allowed access rights. If access rights are not supported for the given file or directory, the function returns -1.

For the desired access mask you may use any combination, joined with the Or operator, of the constants defined at the beginning of the CheckFileAccess function listing. The most commonly used are:

    FILE_GENERIC_READ    - read access,

    FILE_GENERIC_WRITE   - write access,

    FILE_GENERIC_EXECUTE - execute access,

    DELETE               - delete access,

    WRITE_DAC            - access to change access rights,

    WRITE_OWNER          - access to change the owner,

    FILE_ALL_ACCESS      - full access,

    MAXIMUM_ALLOWED      - maximum allowed access.

It is also possible to use the constants applicable to any securable OS object:

    GENERIC_READ         - read access,

    GENERIC_WRITE        - write access,

    GENERIC_EXECUTE      - execute access,

    GENERIC_ALL          - full access,

but in this case the function returns the values FILE_GENERIC_READ, FILE_GENERIC_WRITE, FILE_GENERIC_EXECUTE and FILE_ALL_ACCESS respectively (provided, of course, that the corresponding rights exist).

For example, there are two ways to find out whether read and write access to the file "d:\Test.tmp" exists:

Way 1:

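Dim AccessRead As Boolean, AccessWrite As Boolean
    ' A right is confirmed only if every requested bit comes back
    AccessRead = CheckFileAccess("d:\Test.tmp", _
        FILE_GENERIC_READ) = FILE_GENERIC_READ
    AccessWrite = CheckFileAccess("d:\Test.tmp", _
        FILE_GENERIC_WRITE) = FILE_GENERIC_WRITE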

Way 2:

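Dim AccessRead As Boolean, AccessWrite As Boolean
Dim AccessMask As Long
    ' Ask once for everything that is allowed, then test each right
    AccessMask = CheckFileAccess("d:\Test.tmp", MAXIMUM_ALLOWED)
    ' Note: a return value of -1 (rights not supported) has every bit
    ' set and therefore passes both tests below
    AccessRead = (AccessMask _
        And FILE_GENERIC_READ) = FILE_GENERIC_READ
    AccessWrite = (AccessMask _
        And FILE_GENERIC_WRITE) = FILE_GENERIC_WRITE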

In the first case CheckFileAccess is called twice; in the second case an intermediate variable is used.

To illustrate the use of the CheckFileAccess function I have written a sample program, FilePerm.exe, which shows the access rights to an operating system file or directory.

The file or directory may be specified on the command line, dragged from Explorer, or entered in the corresponding text field. It is also possible to open the file by selecting it in a browse window after clicking the "..." button.

The source code of this program for Visual Basic 5.0, with detailed comments, is attached.
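The returned mask is easy to misread when it is tested bit by bit, as with the intermediate variable of Way 2. The following Python sketch is an added example, not the author's code: `simulate_check` is a hypothetical stand-in that models the return value as this page describes it, and `has_access` is an assumed helper name. The constant values are those of the Windows SDK header winnt.h.

```python
# Added example. Constant values are those of the Windows SDK header winnt.h.
FILE_GENERIC_READ    = 0x00120089
FILE_GENERIC_WRITE   = 0x00120116
FILE_GENERIC_EXECUTE = 0x001200A0
FILE_ALL_ACCESS      = 0x001F01FF
GENERIC_READ, GENERIC_WRITE  = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
MAXIMUM_ALLOWED = 0x02000000
NOT_SUPPORTED = -1  # value the page gives for "access rights not supported"

# Generic-to-file mapping, as the page describes for the GENERIC_* constants.
FILE_MAPPING = {
    GENERIC_READ: FILE_GENERIC_READ,
    GENERIC_WRITE: FILE_GENERIC_WRITE,
    GENERIC_EXECUTE: FILE_GENERIC_EXECUTE,
    GENERIC_ALL: FILE_ALL_ACCESS,
}

def map_generic(mask):
    """Replace each GENERIC_* bit with its FILE_* equivalent."""
    for generic, specific in FILE_MAPPING.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask

def simulate_check(granted, desired):
    """Hypothetical stand-in for CheckFileAccess; granted=None models a
    volume without access rights. Not the author's implementation."""
    if granted is None:
        return NOT_SUPPORTED
    if desired & MAXIMUM_ALLOWED:
        return granted
    return map_generic(desired) & granted

def has_access(result, wanted):
    """True/False if the whole right is granted; None if the result was -1."""
    if result == NOT_SUPPORTED:
        return None  # nothing was checked: the caller must decide
    wanted = map_generic(wanted)
    return (result & wanted) == wanted

# Constructed sample: a file whose ACL grants read and execute only.
READ_ONLY = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE
mask = simulate_check(READ_ONLY, MAXIMUM_ALLOWED)
print(has_access(mask, FILE_GENERIC_WRITE))   # whole-mask test
print((mask & FILE_GENERIC_WRITE) != 0)       # any-bit test on the same mask
print((NOT_SUPPORTED & FILE_GENERIC_WRITE) == FILE_GENERIC_WRITE)  # naive test on -1
```

The first line printed is False and the other two are True: READ_CONTROL and SYNCHRONIZE belong to every FILE_GENERIC_* mask, so an any-bit test reports write access on a read-only file, and -1 has every bit set, so it passes a whole-mask test unless it is handled first.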

See also Microsoft Knowledge Base Q115945.

Download source code of the program FilePerm.exe (19 kB, English interface)

This page was last updated on 25-Feb-2002
2002 Sergey Merzlikin