> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/windows/trick-0050.md).

# Windows PE Via SeChangeNotifyPrivilege

***

Leverage the `SeChangeNotifyPrivilege` (Bypass traverse checking) on Windows to modify file permissions using the `CACLS` command. The `SeChangeNotifyPrivilege` allows a user to bypass traverse checking, meaning a user with this privilege can traverse any directory structure, even without permissions to list intermediate directories. While the privilege is intended for traversal, it can be abused in conjunction with tools like `cacls` to modify file permissions on objects that would otherwise be inaccessible due to directory restrictions. This can bypass typical access restrictions on files, even if they are located in inaccessible directories.

If a restricted file, such as `C:\backup\restore.txt`, is discovered but initially inaccessible ('Access is denied'), this privilege combined with `CACLS` can modify its Access Control List (ACL). `CACLS` is a command-line utility used to display or modify Access Control Lists (ACLs) for files and folders. Although this command has been deprecated in favor of `ICACLS`, it can still be found and used on many systems.

The basic syntax for `CACLS` is:`CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]]`

The permissions that can be assigned or changed using `CACLS` are typically represented by abbreviations:

* `R`: Read
* `W`: Write
* `C`: Change (write + delete)
* `F`: Full control
* `N`: None

To grant the current user (`SG`) 'Full control' (`f`) over the file, making it readable, the `/P` parameter is used to change permissions. By default, `/P` replaces existing permissions. The `/E` flag is used to edit the ACL instead of replacing it entirely, allowing you to add or modify specific permissions without removing others.

Use the following command to grant the current user (`SG`) 'Full control' (`f`) over the file, making it readable:

```batch
CACLS ./restore.txt /e /p SG:f
```

Alternatively, specifying the full path works similarly:

```bash
cacls C:\path\to\restricted\file /e /p user:f
```

The `/e` flag edits the ACL instead of replacing it, and `/p user:perm` changes the access permissions for the specified user. While `SeChangeNotifyPrivilege` primarily allows directory traversal, its abuse via deprecated tools like `CACLS` permits ACL modification, effectively granting access to previously restricted objects. Other useful parameters include `/G user:perm` to grant specified access rights, `/R user` to revoke specified access rights, and `/D user` to deny access to the specified user. The `/T` option can be used to change ACLs of specified files in the current directory and all subdirectories.
