
How to Audit File Access Permissions in Batch Script

Maintaining a secure and compliant IT environment requires regular auditing of file system permissions. Whether you are preparing for a security audit, troubleshooting access issues, or simply ensuring that sensitive data is only accessible to authorized personnel, knowing how to programmatically extract and analyze Access Control Lists (ACLs) is an essential skill.

While Windows provides graphical tools for viewing permissions, they are inefficient for bulk auditing or generating consolidated reports. In this guide, we will explore how to use the versatile icacls command within Batch scripts to audit file access permissions across your system.

The Foundation of Auditing: ICACLS

The icacls command is the standard utility for managing and displaying NTFS permissions. For auditing purposes, we primarily use it to export or "dump" the permission entries of files and directories.

Basic Auditing for a Single Directory

To view the permissions on a specific folder (the folder object itself; recursing into its contents needs the /T switch covered below), use the following syntax:

icacls "C:\SensitiveData"

Each line of the output names a principal (a user, a group, or a raw SID for an orphaned entry) followed by its access control entry in parentheses: inheritance flags first, for example (I) for an entry inherited from the parent, (OI) object inherit and (CI) container inherit, then the rights, such as (F) full control, (M) modify, (RX) read and execute, (R) read, (W) write, or a comma-separated list of specific rights; (DENY) marks a deny entry. Without /T only the folder itself is listed. For a professional audit, you need to recurse through subdirectories and save the results for review.

Creating a Recursive Audit Script

A robust audit script should traverse a directory tree, capture permissions for every object, and output them to a text file for analysis.

The Audit Script

@echo off
setlocal

:: Define the root directory to audit and the output log file
set "targetRoot=D:\CompanyShares\Financials"
set "reportFile=C:\AuditReports\Financials_Permission_Audit.txt"

:: Ensure the report directory exists
if not exist "C:\AuditReports" mkdir "C:\AuditReports"

echo Starting permission audit for: %targetRoot%
echo Detailed report will be saved to: %reportFile%
echo Please wait...

:: Header for the report
echo FILE PERMISSION AUDIT REPORT > "%reportFile%"
echo TARGET: %targetRoot% >> "%reportFile%"
echo DATE: %DATE% %TIME% >> "%reportFile%"
echo -------------------------------------------------- >> "%reportFile%"

:: Use icacls to dump permissions recursively
:: /T: Traverse subfolders
:: /C: Continue past objects that cannot be read (for example, access denied) instead of stopping
:: 2>&1: capture anything icacls writes to stderr in the same report
icacls "%targetRoot%" /T /C >> "%reportFile%" 2>&1

:: icacls returns a non-zero exit code when at least one object could not be processed
if %ERRORLEVEL% EQU 0 (
echo.
echo Audit completed successfully.
) else (
echo.
echo Audit finished with errors: some objects could not be read, so the report is incomplete (check the failure lines in the report^).
)

echo.
pause

Script Breakdown:

  • icacls "%targetRoot%" /T /C: This is the engine of the audit. It walks every file and folder in the tree and prints each object's path followed by its ACEs. The output, including the processing summary at the end (Successfully processed N files; Failed processing M files), is appended (>>) to the report file.
  • Error Handling: The /C switch makes icacls continue past objects it cannot read (typically an access-denied error on a folder your account has no rights to) instead of stopping at the first failure. Each such object is reported in the output and counted in the summary line; a Failed processing count other than 0 means the report is incomplete, which is what the ERRORLEVEL check at the end of the script flags.

Extracting Specific Users or Rights

In a real-world audit, you are often looking for specific risks, such as the "Everyone" group having access to a private folder or finding where a specific user has "Full Control."

Auditing for the "Everyone" Group

You can pipe icacls output through findstr to filter your audit for suspicious permissions. Keep one property of the output in mind: icacls prints only the first ACE of each object on the same line as the path; the remaining ACEs go on indented continuation lines without the path. A findstr hit on a continuation line therefore tells you that the principal has access somewhere, but not where, so treat the filtered file as a triage list and look each hit up in the full report.

@echo off
setlocal

set "auditPath=D:\Data"
set "riskReport=Insecure_Permissions.txt"

echo Scanning for broad access permissions...

:: findstr treats each space-separated word as a separate search term, so this matches
:: lines containing 'Everyone' or 'Anonymous' (as in NT AUTHORITY\ANONYMOUS LOGON).
:: /Q suppresses the processing summary so it does not end up in the results.
:: Only the first ACE of each object shares a line with its path; later ACEs are printed
:: on indented continuation lines, so some hits will show the entry without its path.
icacls "%auditPath%" /T /C /Q | findstr /i "Everyone Anonymous" > "%riskReport%"

if %ERRORLEVEL% EQU 0 (
echo.
echo WARNING: Broad access permissions found. Check %riskReport%.
) else (
echo.
echo No 'Everyone' or 'Anonymous' permissions detected in the target tree.
)
pause

Advanced Auditing: Identifying "Full Control" Instances

Security professionals often prioritize identifying who has absolute power over critical data. In icacls output, Full Control appears as (F) at the end of the entry, so a literal search for (F) does not match partial rights such as (RX) or (M). Two caveats: the BUILTIN\Administrators and NT AUTHORITY\SYSTEM entries carry (F) on almost every object, so filtering them out leaves the grants that actually deserve review, and the continuation-line caveat from the previous section applies here as well.

@echo off
setlocal

set "target=C:\Projects"

echo Auditing for Full Control permissions...

:: Find lines containing (F), which indicates Full Control, then drop the entries for
:: BUILTIN\Administrators and SYSTEM, which are expected to hold Full Control almost everywhere.
:: /L makes findstr treat the search string literally, so the backslashes are not read as escapes.
icacls "%target%" /T /C /Q | findstr /C:"(F)" | findstr /V /I /L /C:"BUILTIN\Administrators" | findstr /V /I /L /C:"NT AUTHORITY\SYSTEM" > FullControl_Report.txt

echo.
echo Audit results saved to FullControl_Report.txt
pause

Best Practices for File Auditing

  1. Run as Administrator: You cannot audit what you cannot see. Always run your audit scripts from an elevated command prompt, and treat any "Access is denied" line in the report as an object the audit did not cover.
  2. Audit the Owner: Permissions are only half the story. Use dir /q to list the owner next to each file (wmic path win32_logicalfilesecuritysetting also works, but WMIC is deprecated in current Windows releases; Get-Acl in PowerShell reports the owner directly). The owner of an object can always change its permissions, so an unexpected owner is as significant as an unexpected ACE.
  3. Scheduled Audits: For critical infrastructure, use Task Scheduler to run your audit script monthly and compare the output to a baseline to detect "permission drift." Strip the DATE line from the header before comparing, or every run will differ from the baseline. For a more compact, machine-readable baseline, icacls "D:\CompanyShares" /save aclbaseline.txt /T /C writes each path together with its DACL in SDDL form, which can be diffed against a later /save file.
  4. Use CSV for Large Audits: If you are auditing millions of files, consider using a Batch script that calls a PowerShell helper to output the data in CSV format (one row per ACE, path included), making it easier to filter in Excel.
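The findstr filters above lose the path on continuation lines, and the baseline comparison in point 3 is far easier on structured records than on raw text. The following Python script is an added example, not code from the original page: it parses a saved icacls /T /C /Q dump into one record per ACE with its path (using the indentation of the continuation lines to find where a path containing spaces ends), reproduces the Everyone/Anonymous and Full Control checks on those records, and diffs two dumps to report drift. The share path, the account names and the two sample dumps are constructed for the demonstration; on a real system you would feed it the report file written by the audit script.

```python
"""Parse an icacls /T /C /Q dump so each ACE stays tied to its path, then flag
broad grants and unexpected Full Control, and diff two dumps for permission drift.
Added example, not code from the original page; all sample data is constructed."""
import re
from typing import NamedTuple

Ace = NamedTuple("Ace", [("path", str), ("identity", str), ("rights", str),
                         ("deny", bool), ("inherited", bool)])  # rights: F, M, RX, R, W, D, N or RD,REA,...

INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}
ACE_RE = re.compile(r"^(?P<identity>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")
# Fallback for objects with a single ACE (no continuation line to read the path length
# from). Heuristic: well-known authorities, Everyone, CREATOR OWNER, raw SIDs, DOMAIN\name.
FIRST_LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<identity>(?:NT AUTHORITY|NT SERVICE|BUILTIN|"
    r"APPLICATION PACKAGE AUTHORITY)\\[^:]+|Everyone|CREATOR OWNER|"
    r"S-1-[0-9-]+|\S+\\[^:\s]+):(?P<flags>(?:\([A-Z,]+\))+)$")

def _ace(path, identity, flags):
    tokens = re.findall(r"\(([A-Z,]+)\)", flags)
    rights = ",".join(t for t in tokens if t not in INHERIT_FLAGS and t != "DENY")
    return Ace(path, identity, rights, "DENY" in tokens, "I" in tokens)

def _objects(text):
    """A line starting in column 0 begins an object; indented lines are its further ACEs."""
    groups = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" ") or not groups:
            groups.append([line])
        else:
            groups[-1].append(line)
    return groups

def parse_icacls(text):
    """Return (aces, skipped_lines). icacls prints the first ACE on the path line and
    aligns later ACEs under it, so line 2's indentation is len(path) + 1: that is what
    separates a path containing spaces from the identity that follows it."""
    aces, skipped = [], []
    for lines in _objects(text):
        first, rest = lines[0], lines[1:]
        path = m = None
        if rest:
            indent = len(rest[0]) - len(rest[0].lstrip(" "))
            if indent > 1 and first[indent - 1:indent] == " ":
                m = ACE_RE.match(first[indent:])
                path = first[:indent - 1]
        if m is None:
            m = FIRST_LINE_RE.match(first)
            path = m["path"] if m else None
        if m is None:
            skipped.extend(lines)   # "Access is denied." lines, the summary line, ...
            continue
        aces.append(_ace(path, m["identity"], m["flags"]))
        for line in rest:
            m = ACE_RE.match(line.strip())
            if m:
                aces.append(_ace(path, m["identity"], m["flags"]))
            else:
                skipped.append(line)
    return aces, skipped

def broad_access(aces, principals=("Everyone", r"NT AUTHORITY\ANONYMOUS LOGON")):
    """The page's findstr check, but every hit carries the path it belongs to."""
    return [a for a in aces if a.identity in principals and not a.deny]

def unexpected_full_control(aces, expected=(r"BUILTIN\Administrators", r"NT AUTHORITY\SYSTEM")):
    """(F) held by anyone other than the accounts expected to hold it everywhere."""
    return [a for a in aces if a.rights == "F" and not a.deny and a.identity not in expected]

def drift(baseline_text, current_text):
    """Permission drift between two dumps: (added ACEs, removed ACEs)."""
    before = set(parse_icacls(baseline_text)[0])
    after = set(parse_icacls(current_text)[0])
    return sorted(after - before), sorted(before - after)

def icacls_block(path, *aces):
    """Lay one object out the way icacls does; used only to build the constructed sample."""
    pad = " " * (len(path) + 1)
    return "\n".join([f"{path} {aces[0]}", *(pad + a for a in aces[1:])]) + "\n"

ROOT = r"D:\CompanyShares\Financials"   # constructed path; nothing on disk is read
ROOT_ACL = (r"BUILTIN\Administrators:(OI)(CI)(F)", r"NT AUTHORITY\SYSTEM:(OI)(CI)(F)",
            r"CORP\Finance:(OI)(CI)(M)")
BASELINE = "\n".join([
    icacls_block(ROOT, *ROOT_ACL),
    icacls_block(ROOT + r"\Budget 2024.xlsx", r"CORP\Finance:(I)(M)"),
    icacls_block(ROOT + r"\payroll.csv", r"CORP\Finance:(I)(M)"),
    icacls_block(ROOT + r"\Archive", r"BUILTIN\Administrators:(I)(OI)(CI)(F)"),
]) + "Successfully processed 4 files; Failed processing 0 files\n"
LATEST = "\n".join([    # the same tree a month later: three new grants, one lost entry
    icacls_block(ROOT, *ROOT_ACL),
    icacls_block(ROOT + r"\Budget 2024.xlsx", r"CORP\Finance:(I)(M)", "Everyone:(R)"),
    icacls_block(ROOT + r"\payroll.csv", r"CORP\jdoe:(F)"),
    icacls_block(ROOT + r"\Archive", r"NT AUTHORITY\ANONYMOUS LOGON:(OI)(CI)(RX)",
                 r"BUILTIN\Administrators:(I)(OI)(CI)(F)"),
]) + ROOT + r"\locked.db: Access is denied." + "\n"
```

On a real report, call parse_icacls on the file's contents and review the skipped list it returns alongside the ACEs: every "Access is denied" line in it is an object the audit could not see. The indentation rule resolves paths with spaces whenever an object has two or more ACEs; for single-ACE objects the fallback regex is a heuristic that does not cover every group name containing spaces, so keep the full dump for anything that lands in the skipped list.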

Pro Tool: AccessChk

For extremely deep auditing (including checking effective permissions derived from group memberships), consider using AccessChk from the Microsoft Sysinternals suite. It is a command-line tool that integrates beautifully into Batch scripts for more advanced auditing needs.

Conclusion

Auditing file access permissions via Batch script is a powerful way to bring transparency and security to your Windows environment. By combining icacls with recursion and filtering tools like findstr, you can generate detailed reports that help identify vulnerabilities and ensure compliance with security policies. Regular auditing is the first line of defense in protecting sensitive company data.