A customer was trying to write to a file that was protected with an access control list that did not grant write access to anyone, not even administrators. They found that they couldn’t open the file with dwDesiredAccess equal to GENERIC_WRITE, not even if they ran the process elevated and enabled the SE_TAKE_OWNERSHIP_NAME privilege.
The SE_TAKE_OWNERSHIP_NAME privilege does not affect access control masks. The SE_TAKE_OWNERSHIP_NAME privilege controls whether you can call SetNamedSecurityInfo with the OWNER_SECURITY_INFORMATION flag to change the owner of an object.
Taking ownership of an object still doesn’t grant you write access, though. What you do get from ownership is automatic READ_CONTROL and WRITE_DAC access: the permission to read and write permissions.
Gaining write access to a file starting from “take ownership” privilege is therefore a multi-step procedure.
First, enable the “take ownership” privilege. This makes it possible to change a file’s owner.
Next, call SetNamedSecurityInfo with the OWNER_SECURITY_INFORMATION flag to set yourself as the file owner. This gives you permission to change permissions.
Next, call SetNamedSecurityInfo again, this time with the DACL_SECURITY_INFORMATION flag, passing an access control list that grants you write access.
Now you have write access to the file and can open it for GENERIC_WRITE.