
GiveAccess - Set access permissions on files, folders, and registry keys

GA.exe sets access permissions on one or more files or folders, or on registry keys. It is a small program (9 KB) that can be used to adjust permissions during installation by running it in a custom action (QuickInstall 2) or Run Program action (ExpertInstall 3, Installer 5, InstallMate 7, InstallMate 9).

Terms of use

This program is copyright © 1990-2016 Tarma Software Research Ltd.

You may freely use this program for personal or internal business uses only. You may not incorporate the program either wholly or in part into any product or publication, or otherwise distribute the program without express written permission from Tarma Software Research Ltd. However, you may provide links to this program's web page.

As a special exception, Tarma Software Research Ltd hereby allows you to incorporate and distribute GA.exe with installers that you create with InstallMate 9, InstallMate 7, Tarma Installer 5, Tarma ExpertInstall 3, or Tarma QuickInstall 2.

Tarma Software Research Ltd is not liable for errors or omissions in this program.

Download

The download archive contains the following versions of the GiveAccess tool:

| File name | Description |
|---|---|
| GA.exe | 32-bit version of GiveAccess; intended for distribution and use on 32-bit Windows systems. |
| GA-Debug.exe | 32-bit debug version of GiveAccess; intended for diagnostic and testing use (only) on 32-bit Windows systems. Not intended for redistribution. |
| GAx64.exe | 64-bit version of GiveAccess; intended for distribution and use on x64 Windows systems (not suitable for IA64 systems). |
| GAx64-Debug.exe | 64-bit debug version of GiveAccess; intended for diagnostic and testing use (only) on x64 Windows systems (not suitable for IA64 systems). Not intended for redistribution. |

System requirements: Runs on Windows NT4, 2000, XP, Vista, 7, 8, their Server editions, and later, both 32-bit and 64-bit versions. It does not run on Windows 9x systems, because those systems have no concept of access permissions.

Syntax

GA
GA access name_or_SID path

The first form displays a syntax summary and exits. The second form applies the access permissions to path for the account name or SID name_or_SID.

Parameter Description
GA Name of the program; .exe is implied. You may have to use a fully qualified file path if GA.exe is located in a folder that does not appear in your PATH environment variable.
(none) Display a message box with version info and syntax summary; exit when the user closes the message box.
access

Desired access rights. This can be a combination of the following:

  • A - All rights. Use this parameter on its own to allow name_or_SID full access to the file, folder, or registry key.
  • D - Delete rights. This allows name_or_SID to delete the file, folder, or registry key.
  • O - Change ownership. This allows name_or_SID to take ownership of the file, folder, or registry key.
  • P - Change permissions. This allows name_or_SID to change the access permissions of the file, folder, or registry key.
  • R - Read rights. This allows name_or_SID to read the file or list the folder's or registry key's contents.
  • W - Write rights. This allows name_or_SID to write to or replace the file, to add files or folders to the folder, or to add values and subkeys to the registry key.
  • X - Execute/Traverse rights. This allows name_or_SID to execute the file or traverse the folder or registry key. (Folder or registry key traversal allows an account to reach lower level folders, files, values, or subkeys, even if access to the folder or registry key itself is not allowed.)
name_or_SID

Name or SID (Security IDentifier) of the party to whom the rights are conveyed. This must be a name or SID of an existing built-in, local, or domain account.

  • A name can be something like Everyone, "Power Users" (the quotes are required if the name contains spaces), or B\Dave (i.e., the user Dave on the local machine or domain B). Note that built-in names such as Everyone, Administrator and "Power Users" are language-dependent: non-English versions of Windows may use different (translated) names instead. For that reason, we recommend that you use SIDs where possible.
  • A SID has the form S-1-xxx where xxx is a string of numbers separated by hyphens that designates the security authority, subauthority, and principal addressed by the SID. SIDs are particularly useful for built-in and other well-known entities, because they do not depend on the Windows language. The table below lists some commonly used SIDs.

If name_or_SID starts with the sequence S-, then GA interprets it as a security identifier; else it's assumed to be an account name. This implies that GA will fail if you are trying to use an account name that starts with S-.

path

Path to the file or folder, or to a registry key.

  • If you are specifying a file or folder path, the path may contain wildcards; in that case, GA will set the permissions on all matching files or folders.
  • If you are specifying a registry key path, the path must start with one of the following:
    CLASSES_ROOT\ or HKEY_CLASSES_ROOT\
    CURRENT_USER\ or HKEY_CURRENT_USER\
    MACHINE\ or HKEY_LOCAL_MACHINE\
    and may not contain wildcards.

Be sure to "quote" the path if it contains spaces.

Exit codes

When the GA.exe process terminates, it returns 0 (zero) if it was successful, or a nonzero Windows error code if the operation failed. For a list of Windows error codes, see System error codes on the MSDN web site.

Note: Exit codes are returned as 32-bit unsigned integers (DWORD or UINT) as per Windows convention in ExitProcess() and GetExitCodeProcess(). However, some tools erroneously interpret or display them as 32-bit signed integers instead. This means that any exit codes > 2,147,483,647 are displayed as negative numbers by those tools. If that happens, convert them to the equivalent 32-bit unsigned number using two's-complement arithmetic, or rewrite them as hexadecimal numbers, to get the correct value.

Well-known SIDs

The following table lists some well-known security identifiers that you can use for name_or_SID. Consult the MSDN documentation for more.

| English name | SID | Description |
|---|---|---|
| Everyone | S-1-1-0 | The Everyone group; allows access to all users and groups. |
| Creator Owner | S-1-3-0 | Pseudo-identifier that represents the account that created the file or folder. |
| Interactive | S-1-5-4 | Users who are logged in for an interactive session. |
| Authenticated | S-1-5-11 | All authenticated users. |
| Users | S-1-5-32-545 | Local Users group. Note that this is not the same as Everyone; the Users group only includes accounts that are explicitly added to it (usually designated restricted users). |
| Power Users | S-1-5-32-547 | Local Power Users group. |
| Administrators | S-1-5-32-544 | Local Administrators group. |
| Guests | S-1-5-32-546 | Local Guests group. |

Remarks

  • GA adds the permissions to any existing or inherited permissions. If the target is a folder or a registry key, then the additional permissions will be inherited by the files and subfolders in the folder (in the case of a folder) or by the subkeys (in the case of a registry key).
  • Registry values (as opposed to registry keys) do not have access controls themselves. Access to registry values is determined solely by the access rights that apply to their parent key.
  • File and folder permissions are only supported on Windows NT-based systems (i.e., NT4, 2000, XP, Vista, 7, 8, and later) that use NTFS as their file system. Registry key permissions are only supported on Windows NT-based systems.
  • On 64-bit Windows systems you must use the x64 version of GA.exe to access the 64-bit view of the registry. If you use the 32-bit version of GA.exe on a 64-bit Windows system, the tool will try to modify the 32-bit registry keys, not the 64-bit keys.
  • GA.exe will not run on Windows 9x systems (i.e., Windows 95, 98, Me) and if you use GA.exe in an installer action, then you should make sure that GA.exe is not run on these systems (for example, by clearing the action's Platforms boxes for Windows 95, 98, Me).

Examples

Here are some usage examples.

GA
    Displays a message box with the syntax summary and version info, and exits when the message box is closed.

GA A Everyone *.*
    Gives full access to all files and folders in the current folder.

GA A S-1-1-0 *.*
    Does the same, but in a language-independent way.

GA RW S-1-5-32-547 Data.mdb
    Gives users in the Power Users group read/write access to the file Data.mdb.

GA A S-1-1-0 "<CommonProductAppDataFolder>\Data.mdb"
    Gives everyone full access to the Data.mdb file in the product's application data folder. Note the use of quotes to catch any spaces that might result from the expansion of <CommonProductAppDataFolder>.

GA A S-1-1-0 MACHINE\Software\Microsoft\Windows\CurrentVersion
    Gives everyone full access to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion registry key and all of its subkeys (unless a subkey has permissions that block propagation of inherited access rights). Note that this is not recommended and only used here as an example of a registry key modification.

GA A S-1-1-0 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
    Equivalent to previous example.
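
The following is an added example, not part of GiveAccess or its original documentation: a pre-release check that parses GA command lines according to the syntax above and flags language-dependent account names, wildcards in registry paths, and change-capable rights granted to broad principals. The function name review_ga, the choice of which SIDs count as broad, the set of letters treated as change-capable, and the case-insensitive matching of access letters and registry prefixes are assumptions of this example.

```python
import shlex

RIGHTS = set("ADOPRWX")              # access letters from the Syntax section
CHANGE = set("ADOPW")                # letters that let the grantee alter the target
SIDS = {"S-1-1-0": "Everyone", "S-1-3-0": "Creator Owner", "S-1-5-4": "Interactive",
        "S-1-5-11": "Authenticated", "S-1-5-32-545": "Users",
        "S-1-5-32-547": "Power Users", "S-1-5-32-544": "Administrators",
        "S-1-5-32-546": "Guests"}    # the page's well-known SID table
NAMES = {name.lower(): sid for sid, name in SIDS.items()}
BROAD = {"S-1-1-0", "S-1-5-4", "S-1-5-11", "S-1-5-32-545", "S-1-5-32-546"}  # example's choice
REG_PREFIXES = ("classes_root\\", "hkey_classes_root\\", "current_user\\",
                "hkey_current_user\\", "machine\\", "hkey_local_machine\\")

def review_ga(cmdline):
    """Return review findings for one 'GA access name_or_SID path' line."""
    try:
        args = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    except ValueError:
        return ["unbalanced quotes"]
    if len(args) == 1:
        return []                    # bare GA only shows the syntax summary
    if len(args) != 4:
        return ["expected: GA access name_or_SID path (quote values with spaces)"]
    access, who, path = args[1].upper(), args[2], args[3]  # case folding: assumption
    findings = []
    unknown = set(access) - RIGHTS
    if unknown:
        findings.append("unknown access letter(s): " + "".join(sorted(unknown)))
    if "A" in access and len(access) > 1:
        findings.append("A already grants all rights; other letters are redundant")
    if who.startswith("S-"):         # the page's rule: S- prefix means SID
        sid = who
    else:
        sid = NAMES.get(who.lower())
        if sid:
            findings.append(f"'{who}' is language-dependent; use {sid}")
    is_reg = path.lower().startswith(REG_PREFIXES)
    wildcard = "*" in path or "?" in path
    if is_reg and wildcard:
        findings.append("registry key paths may not contain wildcards")
    if sid in BROAD and set(access) & CHANGE:
        scope = ("registry key and its subkeys" if is_reg else
                 "every matching file or folder" if wildcard else "file or folder")
        findings.append(f"{SIDS[sid]} gets {access} on {scope}: {path}")
    return findings

# Constructed sample lines, modelled on the page's Examples section.
SAMPLES = ("GA A Everyone *.*", r"GA A S-1-1-0 MACHINE\Software\Example\Key")
REPORT = {line: review_ga(line) for line in SAMPLES}
```

Because GA adds to existing permissions and folder or key grants are inherited, a finding on a folder or registry key also applies to everything below it.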