String comparisons against program output is not usually the best solution

Raymond Chen


A customer wanted to know whether the ICACLS program will be deprecated in Windows 10.

The reason is that they have a program that modifies file and directory permission, and the way it works is that the program runs the ICACLS program, then parses the output to see whether it succeeded. They are working on a new release and wanted to know what APIs they should be using, and whether their existing technique was still going to work.

As a general rule, programs are designed for human consumption, not programmatic consumption. (There are exceptions, like sort, or reporting tools that are designed to have their output parsed.) But if you’re going to be tied to the exact number of spaces between the date and the file size, or the user’s date and number formatting settings, or the letters A-c-c-e-s-s and d-e-n-i-e-d. then you’re going to run into trouble.

If you’re going to be manipulating file security, then you should be using functions like Set­Named­Security­Info, which are part of the formal and documented API surface of Windows.

I found this question surprising because it came from a German customer, so they were presumably doing string comparisons against “Zugriff verweigert“, and all their customers were in German-speaking countries. Either that, or they told their customers to install the English version of Windows.

Bonus chatter: One of my colleagues recommends Programming Windows Security for those who want to understand more on the topic. Just passing along the recommendation; I haven’t read the book myself.

Raymond Chen
Raymond Chen

Follow Raymond   


Comments are closed.