Win32 API CreateFile to Open File with empty DACL (Security Descriptor)

I'm using CreateFile to get a handle to a file to add ACE to its DACL. The problem is, when the file has no permissions, I get access denied error when I call the function CreateFile, I'm the OWNER of the file and Admin. If I using explorer I can add permissions.

I'm not interested in other functions such as OpenFile or Set security descriptor directly, I'm interested in the right combination to open such files.

I've read in MSDN that I have to use specific access right, I've tr开发者_运维百科ied:

CreateFile(lpFileName, READ_CONTROL | WRITE_DAC, 0, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS);

CreateFile(lpFileName, READ_CONTROL | WRITE_DAC, 0, NULL, OPEN_EXISTING, ACCESS_SYSTEM_SEURITY);

Both I get the access denied. Any ideas?

Thanks, Gabi

This should work as the owner is always implicitly granted READ_CONTROL and WRITE_DAC, but I verified the same behavior on my machine. Out of curiosity I ran Process Monitor on it and found something a bit odd. When Explorer is opening the file to read the security information, it goes through NtOpenFile(READ_CONTROL). When my test program which calls CreateFile() is opening the file, it goes through NtCreateFile(READ_CONTROL | SYNCHRONIZE). Obviously this is going to fail as there are no ACEs granting me SYNCHRONIZE access. I have no idea where this extra access flag is coming from, though. The only thing I can think of is maybe it has something to do with WOW64 (this is a 32-bit test program running as administrator on a 64-bit machine), but I wasn't motivated enough to research it further.