Subinacl.exe is a robust tool that will help you obtain and migrate security information for files, registry keys, services, and other Windows objects. I’m going to show you how to put it to work, and I’ll demonstrate with some usage examples. I’ve also created a downloadable reference sheet that offers more examples for how you can use the tool.

Introducing Subinacl
Subinacl is offered in the Windows Resource Kits for NT 4.0 and 2000. The appearance of Subinacl has changed across the releases. This article and the download will focus on the Windows 2000 Resource Kit release. I have also been using the Windows 2000 version on my Windows .NET Server RC1 without incident.

The tool is located in the \Program Files\Resource Kit folder after a default installation of the Win2K Resource Kit and is automatically appended to the path environment variable. Subinacl is a powerful tool, so it would be a matter of good practice to evaluate whether it is right for your situation before actually using it on a live system. It is also advisable to use the /testmode parameter to test changes before bringing them into the live operating system.

Subinacl parameters
Subinacl.exe offers four main parameters, which I discuss throughout the article and highlight in the downloadable worksheet. These are the parameters:

  • /view_mode specifies how much information is to be displayed upon execution. There are two levels of verbosity to choose from (verbose=1 and verbose=2), with level 2 (most information displayed) being the default.
  • /test_mode designates whether the commands are to be brought into the operating system upon execution or tested to see whether they fail. The default option is that all commands are directly interactive with the OS.
  • /object_type specifies what Windows objects are to be executed in the operation. Available objects are service, keyreg, subkeyreg, file, subdirectories, share, and printer, as well as a few others. There is no default option for this parameter, and it is required in order to execute.
  • /action specifies what Subinacl is to do. The default option is to display the appropriate information for the specified object. Options include display, replace, changedomain, migratetodomain, findsid, grant, deny, revoke, accesscheck, and ifchangecontinue, among others.

Deciding what object is to receive which action is the first step in determining how Subinacl can help in your scenario.

You can view a descriptive help file on Subinacl by running subinacl /help /full from the command prompt. This expanded help describes some of the special usage situations and some descriptions on the actions and objects of the tool.

Displaying security information
The best way to start working with Subinacl is to use it to display security information on various objects. Since display is the default parameter, you can invoke this process simply by executing subinacl with a specified object. To demonstrate, I used Subinacl to display security about the Windows HKEY_USERS registry subkey, running this command at verbosity level 1. Both the input and output appear in Figure A.

Figure A
Displaying basic security information on an object

I tend to like verbosity level 1 for obtaining information on objects. Verbosity level 2 (default option) brings a lot more to the display when running the same command, as illustrated in Figure B.

Figure B
Specify a higher verbosity to gather more information.

In this simple example, you can do some basic variations of the command to display more information about other areas of the Windows registry. For example, you could use subinacl /verbose=1 / keyreg * to run this command for all top-level registry keys, since wildcards are valid with Subinacl.

You can also export these results to a text file with the following command (this particular command allows you to see security information for all top-level keys):
subinacl /verbose=1 /keyreg * > c:\registryanalyze.txt

To run the security display on every subkey of the Windows registry on the local system, you could use:
subinacl /verbose=1 /subkey * > c:\registryanalyze.txt

Run this command offline because it is processor-intensive and takes a while to execute. Once it is complete, you can search through the file for accounts or rights that should not be there or other anomalous conditions for the entire Windows registry.

Security administration
Now that you know how to work with Subinacl, let’s take a look at how it can help you. Subinacl’s primary benefit is its ability to transfer security information from various Windows objects to new users, domains, or workgroups. Subinacl can also perform security administration that other Windows tools can do. However, Subinacl can be used in batch files since it is a command-line tool, and using it in a batched environment could save a lot of work during a migration.

Let’s look at a simple example that shows some of Subinacl’s power. Windows objects have owners, and Subinacl enables you to set ownership using the /setowner action. For our example, let’s display the properties of the VNC Server service, set a new owner, and then display the properties of the service after the change. The new owner is process-admin. Figure C shows the commands to perform this task and highlights the before and after.

Figure C
Subinacl can be used to change ownership of Windows objects.

Note that in the command, I have winvnc rather than VNC Server. This is because the service is actually named Winvnc.exe, and Subinacl interacts with all services by their executable names.

Let the fun begin
As our example shows, Subinacl can help complex computing environments that manage many Windows objects with more than just the administrator account. But this is just one example of Subinacl’s capabilities. If you delve into the help files and download this Subinacl reference sheet, you can start experimenting with some of its other uses. Subinacl lends itself to endless hours of experimentation on parameters that could help you in an auditing capacity or with your next migration. Of course, Subinacl’s display feature alone serves as a powerful audit tool, and you could justify using Subinacl to simply examine the security of important objects on your Windows servers.