Retrieving security descriptor and getting number for FileSystemRights

The value of the FileSystemRights property is an unsigned 32-bit integer, where each bit represents a particular access permission. Most of the permissions are listed in the Win32_ACE class documentation, except for the "generic" permissions (bits 28-31) and the right to access SACLs (bit 23). More details can be found here and here.

If you want to break down an ACE access mask into its specific access rights (vulgo "extended permissions") you could do something like this:

$accessMask = [ordered]@{  [uint32]'0x80000000' = 'GenericRead'  [uint32]'0x40000000' = 'GenericWrite'  [uint32]'0x20000000' = 'GenericExecute'  [uint32]'0x10000000' = 'GenericAll'  [uint32]'0x02000000' = 'MaximumAllowed'  [uint32]'0x01000000' = 'AccessSystemSecurity'  [uint32]'0x00100000' = 'Synchronize'  [uint32]'0x00080000' = 'WriteOwner'  [uint32]'0x00040000' = 'WriteDAC'  [uint32]'0x00020000' = 'ReadControl'  [uint32]'0x00010000' = 'Delete'  [uint32]'0x00000100' = 'WriteAttributes'  [uint32]'0x00000080' = 'ReadAttributes'  [uint32]'0x00000040' = 'DeleteChild'  [uint32]'0x00000020' = 'Execute/Traverse'  [uint32]'0x00000010' = 'WriteExtendedAttributes'  [uint32]'0x00000008' = 'ReadExtendedAttributes'  [uint32]'0x00000004' = 'AppendData/AddSubdirectory'  [uint32]'0x00000002' = 'WriteData/AddFile'  [uint32]'0x00000001' = 'ReadData/ListDirectory'}$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |                    Select-Object -Expand Access |                    Select-Object -Expand FileSystemRights -First 1$permissions = $accessMask.Keys |               Where-Object { $fileSystemRights.value__ -band $_ } |               ForEach-Object { $accessMask[$_] }

The simple permissions FullControl, Modify, ReadAndExecute etc. are just specific combinations of these extended permissions. ReadAndExecute for instance is a combination of the following extended permissions:

• ReadData/ListDirectory
• Execute/Traverse
• ReadAttributes
• ReadExtendedAttributes
• ReadControl

so the access mask for ReadAndExecute would have the value 131241.

If you want the result to be a combination of simple permission and the remaining extended permissions, you could do something like this:

$accessMask = [ordered]@{  ...}$simplePermissions = [ordered]@{  [uint32]'0x1f01ff' = 'FullControl'  [uint32]'0x0301bf' = 'Modify'  [uint32]'0x0200a9' = 'ReadAndExecute'  [uint32]'0x02019f' = 'ReadAndWrite'  [uint32]'0x020089' = 'Read'  [uint32]'0x000116' = 'Write'}$fileSystemRights = Get-Acl -LiteralPath 'C:\some\folder_or_file' |                    Select-Object -Expand Access |                    Select-Object -Expand FileSystemRights -First 1$fsr = $fileSystemRights.value__$permissions = @()# get simple permission$permissions += $simplePermissions.Keys | ForEach-Object {                  if (($fsr -band $_) -eq $_) {                    $simplePermissions[$_]                    $fsr = $fsr -band (-bnot $_)                  }                }# get remaining extended permissions$permissions += $accessMask.Keys |                Where-Object { $fsr -band $_ } |                ForEach-Object { $accessMask[$_] }

Quick and dirty tanslation:

268435456 - FullControl

-536805376 - Modify, Synchronize

-1610612736 - ReadAndExecute, Synchronize

If you want to learn about the translation process this was the best i could find at the moment: Link