I recently redesigned the security on a file server of ours, marking most of what was Full Control to be Modify. Now my developers are telling me that whenever they use GENERIC_ALL to open a file (with CreateFile() for instance), they receive an access denied message.
After research, nothing seemed to indicate that GENERIC_ALL was any more than GENERIC_EXECUTE + GENERIC_WRITE + GENERIC_READ; however, this seems not to be the case, since a developer was able to add the three constant values, and use this to CreateFile().
So, I ask… what does GENERIC_ALL really do?
Thanks,
Matt
The GENERIC_ALL access rights include every possible access right, including such things as WRITE_DAC (to change permissions) and WRITE_OWNER (to change owner). The File Security and Access Rights page shows how the GENERIC_* access rights map to specific access rights for files. The File Access Rights Constants page shows all the possible access rights for files (which presumably would all be requested when GENERIC_ALL is used).
You should encourage your developers to request only the level of access that they actually need. Rarely, for example, is a file opened for both GENERIC_EXECUTE and GENERIC_WRITE at the same time.
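
An added example, not part of the original question or answer: portable C that expands the GENERIC_* bits into file-specific rights and compares the result with what a Modify grant allows, showing why the three combined constants open the file while GENERIC_ALL is denied. The constant values are those in winnt.h; `MODIFY_MASK`, `map_file_generic` and `missing_rights` are names made up for this example, and the check is simplified to a single allow ACE with no deny ACEs and a caller who is not the file's owner.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask values as defined in winnt.h, repeated so this builds anywhere. */
#define GENERIC_READ         0x80000000u
#define GENERIC_WRITE        0x40000000u
#define GENERIC_EXECUTE      0x20000000u
#define GENERIC_ALL          0x10000000u
#define WRITE_DAC            0x00040000u
#define WRITE_OWNER          0x00080000u
#define FILE_DELETE_CHILD    0x00000040u
#define FILE_GENERIC_READ    0x00120089u
#define FILE_GENERIC_WRITE   0x00120116u
#define FILE_GENERIC_EXECUTE 0x001200A0u
#define FILE_ALL_ACCESS      0x001F01FFu

/* Assumed name: the mask granted by the standard NTFS "Modify" permission. */
#define MODIFY_MASK          0x001301BFu

/* Expand GENERIC_* bits to file-specific rights, as the file object's
   generic mapping does before the access check. */
uint32_t map_file_generic(uint32_t desired)
{
    uint32_t mask = desired & ~(GENERIC_READ | GENERIC_WRITE |
                                GENERIC_EXECUTE | GENERIC_ALL);
    if (desired & GENERIC_READ)    mask |= FILE_GENERIC_READ;
    if (desired & GENERIC_WRITE)   mask |= FILE_GENERIC_WRITE;
    if (desired & GENERIC_EXECUTE) mask |= FILE_GENERIC_EXECUTE;
    if (desired & GENERIC_ALL)     mask |= FILE_ALL_ACCESS;
    return mask;
}

/* Rights requested but not granted; any nonzero result means the open
   fails with access denied. Simplification: one allow ACE, no deny ACEs,
   caller is not the file's owner. */
uint32_t missing_rights(uint32_t desired, uint32_t granted)
{
    return map_file_generic(desired) & ~granted;
}

int main(void)
{
    uint32_t rwx = GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE;
    printf("R|W|X       -> 0x%08X, missing 0x%08X\n",
           (unsigned)map_file_generic(rwx),
           (unsigned)missing_rights(rwx, MODIFY_MASK));
    printf("GENERIC_ALL -> 0x%08X, missing 0x%08X\n",
           (unsigned)map_file_generic(GENERIC_ALL),
           (unsigned)missing_rights(GENERIC_ALL, MODIFY_MASK));
    return 0;
}
```

The bits left over for GENERIC_ALL are WRITE_DAC, WRITE_OWNER and FILE_DELETE_CHILD, which are exactly what separates Full Control from Modify.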