Numeric values in the access control list

The FileSystemRights enumeration used in the previous examples does not quite cover all of the possible values one might see when inspecting an ACL. In some cases, the rights will be shown as numeric values rather than names.

The values -536805376 and 268435456 were both included in some earlier examples. The missing values are part of the generic portion of the access control entry, which is described in the Microsoft docs: https://docs.microsoft.com/en-us/windows/desktop/SecAuthZ/access-mask-format.

This generic portion is not accounted for by the FileSystemRights enumeration. These generic values, in turn, represent summarized rights, as shown on this page: https://docs.microsoft.com/en-us/windows/desktop/FileIO/file-security-and-access-rights.

Converting each of the values to binary goes a long way to showing their composition:

PS> foreach ($value in -536805376, 268435456) {
>>     '{0,-10}: {1}' -f $value, [Convert]::ToString($value, 2).PadLeft(32, '0')
>> }
-536805376: 11100000000000010000000000000000
268435456 : 00010000000000000000000000000000

This script uses a GenericAccessRights enumeration to show how these values may be deconstructed:

using namespace System.Security.AccessControl

# Define an enumeration which describes the generic access mask (only)
[Flags()]
enum GenericAccessRights {
    GenericRead    = 0x80000000
    GenericWrite   = 0x40000000
    GenericExecute = 0x20000000
    GenericAll     = 0x10000000
}

# For each value to convert
foreach ($value in -536805376, 268435456) {
    # For each enum that describes the values
    $accessRights = foreach ($enum in [GenericAccessRights], [FileSystemRights]) {
        # Find values from the enum where the value in question has that exact bit set.
        [Enum]::GetValues($enum) | Where-Object { ($value -band $_) -eq $_ }
    }
    # Output the original value and the values from the enum (as a string)
    '{0} : {1}' -f $value, ($accessRights -join ', ')
}

The two values discussed are therefore the following:

  • -536805376: GenericExecute, GenericWrite, GenericRead, and Delete
  • 268435456: GenericAll
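
When auditing ACLs it is often more useful to see what the generic bits grant on a file than to see their names. The following is an added example, not code from the original text: it replaces each generic bit with the file rights given for it on the file security and access rights page linked above. The function name Expand-GenericRight is hypothetical.

```powershell
using namespace System.Security.AccessControl

function Expand-GenericRight {
    # Hypothetical helper: replaces generic bits in an access mask with the
    # file-specific rights they stand for and returns FileSystemRights.
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [Int32]$AccessMask
    )

    begin {
        # Generic bit -> file rights (FILE_GENERIC_READ, FILE_GENERIC_WRITE,
        # FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS in the Windows SDK).
        $mapping = @{
            0x80000000 = [FileSystemRights]'Read, Synchronize'
            0x40000000 = [FileSystemRights]'Write, ReadPermissions, Synchronize'
            0x20000000 = [FileSystemRights]'ExecuteFile, ReadAttributes, ReadPermissions, Synchronize'
            0x10000000 = [FileSystemRights]'FullControl'
        }
    }

    process {
        # Bits 28-31 are the generic rights; keep everything below them as-is.
        $expanded = $AccessMask -band 0x0FFFFFFF
        foreach ($bit in $mapping.Keys) {
            if ($AccessMask -band $bit) {
                $expanded = $expanded -bor [Int32]$mapping[$bit]
            }
        }

        [PSCustomObject]@{
            AccessMask = $AccessMask
            Hex        = '0x{0:X8}' -f $AccessMask
            Rights     = [FileSystemRights]$expanded
        }
    }
}

# The two values discussed on this page
-536805376, 268435456 | Expand-GenericRight
```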