GiveAccess - Set access permissions on files, folders, and registry keys
GA.exe sets access permissions of one or more files or folders, or on registry keys. It is a small program (9 KB) that can be used to adjust permissions during installation by running it in a custom action (QuickInstall 2) or Run Program action (ExpertInstall 3, Installer 5, InstallMate 7, InstallMate 9).
This program is copyright © 1990-2016 Tarma Software Research Ltd.
You may freely use this program for personal or internal business uses only. You may not incorporate the program either wholly or in part into any product or publication, or otherwise distribute the program without express written permission from Tarma Software Research Ltd. However, you may provide links to this program's web page.
As a special exception, Tarma Software Research Ltd hereby allows you to incorporate and distribute GA.exe with installers that you create with InstallMate 9, InstallMate 7, Tarma Installer 5, Tarma ExpertInstall 3, or Tarma QuickInstall 2.
Tarma Software Research Ltd is not liable for errors or omissions in this program.
- Download GiveAccess (version 188.8.131.5251, 16 April 2016)
The download archive contains the following versions of the GiveAccess tool:
|GA.exe||32-bit version of GiveAccess; intended for distribution and use on 32-bit Windows systems.|
|GA-Debug.exe||32-bit debug version of GiveAccess; intended for diagnostic and testing use (only) on 32-bit Windows systems. Not intended for redistribution.|
|GAx64.exe||64-bit version of GiveAccess; intended for distribution and use on x64 Windows systems (not suitable for IA64 systems).|
|GAx64-Debug.exe||64-bit debug version of GiveAccess; intended for diagnostic and testing use (only) on x64 Windows systems (not suitable for IA64 systems). Not intended for redistribution.|
System requirements: Runs on Windows NT4, 2000, XP, Vista, 7, 8, their Server editions, and later, both 32-bit and 64-bit versions. It does not run on Windows 9x systems, because those systems have no concept of access permissions.
GA GA access name_or_SID path
The first form displays a syntax summary and exits. The second form applies the access permissions to path for the account name or SID name_or_SID.
|GA||Name of the program; .exe is implied. You may have to use a fully qualified file path if GA.exe is located in a folder that does not appear in your PATH environment variable.|
|(none)||Display a message box with version info and syntax summary; exit when the user closes the message box.|
Desired access rights. This can be a combination of the following:
Name or SID (Security IDentifier) of the party to whom the rights are conveyed. This must be a name or SID of an existing built-in, local, or domain account.
If name_or_SID starts with the sequence S-, then GA interprets it as a security identifier; else it's assumed to be an account name. This implies that GA will fail if you are trying to use an account name that starts with S-.
Path to the file or folder, or to a registry key.
Be sure to "quote" the path if it contains spaces.
When the GA.exe process terminates, it returns 0 (zero) if it was successful, or a nonzero Windows error code if the operation failed. For a list of Windows error codes, see System error codes on the MSDN web site.
Note: Exit codes are returned as 32-bit unsigned integers (DWORD or UINT) as per Windows convention in ExitProcess() and GetExitCodeProcess(). However, some tools erroneously interpret or display them as 32-bit signed integers instead. This means that any exit codes > 2,147,483,647 are displayed as negative numbers by those tools. If that happens, you should convert them to the equivalent 32-bit unsigned number using 2-complement arithmetic, or by rewriting them as hexadecimal numbers, in order to get the correct value.
The following table lists some well-known security identifiers that you can use for name_or_SID. Consult the MSDN documentation for more.
|Everyone||S-1-1-0||The Everyone group; allows access to all users and groups.|
|Creator Owner||S-1-3-0||Pseudo-identifier that represents the account that created the file or folder.|
|Interactive||S-1-5-4||Users who are logged in for an interactive session.|
|Authenticated||S-1-5-11||All authenticated users.|
|Users||S-1-5-32-545||Local Users group. Note that this is not to the same as Everyone; the Users group only includes accounts that are explicitly added to it (usually designated restricted users).|
|Power Users||S-1-5-32-547||Local Power Users group.|
|Administrators||S-1-5-32-544||Local Administrators group.|
|Guests||S-1-5-32-546||Local Guests group.|
- GA adds the permissions to any existing or inherited permissions. If the target is a folder or a registry key, then the additional permissions will be inherited by files and subfolders in the folder (in the case of a folder) or the subkeys (in case of a registry key).
- Registry values (as opposed to registry keys) do not have access controls themselves. Access to registry values is determined solely by the access rights that apply to their parent key.
- File and folder permissions are only supported on Windows NT-based systems (i.e., NT4, 2000, XP, Vista, 7, 8, and later) that use NTFS as their file system. Registry key permissions are only supported on Windows NT-based systems.
- On 64-bit Windows systems you must use the x64 version of GA.exe to access the 64-bit view of the registry. If you use the 32-bit version of GA.exe on a 64-bit Windows system, the tool will try to modify the 32-bit registry keys, not the 64-bit keys.
- GA.exe will not run on Windows 9x systems (i.e., Windows 95, 98, Me) and if you use GA.exe in an installer action, then you should make sure that GA.exe is not run on these systems (for example, by clearing the action's Platforms boxes for Windows 95, 98, Me).
Here are some usage examples.
- Displays a message box with the syntax summary and version info, and exits when the message box is closed.
- GA A Everyone *.*
- Gives full access to all files and folders in the current folder.
- GA A S-1-1-0 *.*
- Does the same, but in a language-independent way.
- GA RW S-1-5-32-547 Data.mdb
- Gives users in the Power Users group read/write access to the file Data.mdb.
- GA A S-1-1-0 "<CommonProductAppDataFolder>\Data.mdb"
- Gives everyone full access to the Data.mdb file in the product's application data folder. Note the use of quotes to catch any spaces that might result from the expansion of <CommonProductAppDataFolder>.
- GA A S-1-1-0 MACHINE\Software\Microsoft\Windows\CurrentVersion
- Gives everyone full access to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion registry key and all of its subkeys (unless a subkey has permissions that block propagation of inherited access rights). Note that this is not recommended and only used here as an example of a registry key modification.
- GA A S-1-1-0 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
- Equivalent to previous example.