Collin Dauphinee

Reputation: 14003

How can I correctly check for effective read/write access to a file using Windows API?

I've attempted to do this using GetEffectiveRightsFromAcl, but it's not returning the correct access mask for files that are denied to me due to a group I'm part of.

For example, I have a file, unreadable.txt. If I deny write access to unreadable.txt for my current user, the access mask correctly shows that I don't have write access. However, if I instead deny write access for the 'Authenticated Users' group, the access mask implies that I have full access (which I don't).

My alternative was to manually iterate the Ace list and compare my SID with each entry, but I'm unable to find a clean or easy way to check if the Ace is for a group, and if the current user is part of that group.

As an extension, the file may not exist (i.e. it's a new file, about to be written), in which case the access to the directory needs to be checked.

Is there any good solution to this? It seems like there should exist an easier way to do this, without actually trying to read/write to the file in question.

Upvotes: 5

Views: 4366

Answers (2)

Edward Brey

Reputation: 41728

Use AccessCheck instead, as recommended by the knowledge base article on the Limitations of the GetEffectiveRightsFromAcl API.

Upvotes: 4
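Added example, not part of either answer and not Win32 code: a simplified, portable C model of an ordered DACL walk evaluated against a token's full SID list, which is the kind of evaluation AccessCheck performs. It shows why the deny ACE on 'Authenticated Users' from the question only takes effect when group SIDs are considered. The struct, the mask bits and the user SID are constructed stand-ins; S-1-5-11 is the well-known Authenticated Users SID.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only: these names and bit values are not the Win32 ones. */
enum { ACE_ALLOW, ACE_DENY };
enum { FILE_READ = 0x1, FILE_WRITE = 0x2 };
typedef struct { int type; const char *sid; unsigned mask; } Ace;

/* Constructed user SID; S-1-5-11 is the well-known Authenticated Users SID. */
#define USER_SID   "S-1-5-21-1111-2222-3333-1001"
#define AUTH_USERS "S-1-5-11"

static int sid_in(const char *sid, const char **sids, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(sid, sids[i]) == 0) return 1;
    return 0;
}

/* Walk the ACEs in order. A matching deny ACE that covers a bit not yet
   granted fails the check; matching allow ACEs clear bits from `remaining`.
   Returns 1 only if every desired bit ends up granted. */
int access_check(const char **sids, size_t nsids,
                 const Ace *dacl, size_t naces, unsigned desired) {
    unsigned remaining = desired;
    for (size_t i = 0; i < naces && remaining; i++) {
        if (!sid_in(dacl[i].sid, sids, nsids)) continue;
        if (dacl[i].type == ACE_DENY && (dacl[i].mask & remaining)) return 0;
        if (dacl[i].type == ACE_ALLOW) remaining &= ~dacl[i].mask;
    }
    return remaining == 0;
}

/* DACL from the question: write denied to Authenticated Users, read/write
   allowed to the user, with the deny ACE first (canonical order). */
static const Ace DACL[] = {
    { ACE_DENY,  AUTH_USERS, FILE_WRITE },
    { ACE_ALLOW, USER_SID,   FILE_READ | FILE_WRITE },
};

/* with_groups = 0 evaluates with the user's SID alone; 1 uses the full token. */
int check(int with_groups, unsigned desired) {
    const char *token[] = { USER_SID, AUTH_USERS };
    return access_check(token, with_groups ? 2 : 1, DACL, 2, desired);
}

int main(void) {
    printf("write, user SID only: %d\n", check(0, FILE_WRITE));
    printf("write, full token:    %d\n", check(1, FILE_WRITE));
    return 0;
}
```

Evaluating with only the user's SID reproduces the symptom in the question (write appears granted), while the full token correctly yields a denial.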

Mark Ransom

Reputation: 308530

Just try to open the file with the desired mode using CreateFile - if it succeeds you know you have the access rights. You don't actually have to write anything to the file, just close it right away.

Upvotes: 1
