SUBINACL - CMD


Overview

SUBINACL is a command-line tool in Windows that enables administrators to obtain security information about files, registry keys, services, and other system objects. It can set permissions, audit information, and ownership. This tool is particularly useful for automating security management tasks in large systems and can be crucial during system migrations or backups.

Syntax

The general syntax for SUBINACL is as follows:

subinacl /object_type object_name /action[=parameters]
  • object_type specifies the type of object (e.g., file, service, or registry key).
  • object_name defines the name or path of the object.
  • action specifies the action to take, with optional parameters.

Detailed Syntax

subinacl /file filename [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]
subinacl /subdirectories directory [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]
subinacl /keyreg RegistryKey [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]
subinacl /service servicename [/grant[=access]][/deny[=access]][/setowner=owner][/replace][/revoke=user]

Options/Flags

  • /file: Specifies a file for which to set information.
  • /subdirectories: Targets subdirectories of the specified directory.
  • /keyreg: Targets a registry key.
  • /service: Specifies a service.
  • /grant[=access]: Grants access rights to a user. The value takes the form user[=rights], as in /grant=administrator=F.
  • /deny[=access]: Denies access rights to a user. The value takes the same user[=rights] form.
  • /setowner=owner: Sets the owner of an object.
  • /replace: Replaces the security information for the specified object.
  • /revoke=user: Revokes all access rights from a user.

Examples

1. Granting Full Access to a User on a File:

subinacl /file c:\example.txt /grant=administrator=F

2. Revoking All Permissions for a User on a Registry Key:

subinacl /keyreg HKEY_LOCAL_MACHINE\Software\Example /revoke=guest

3. Setting Ownership of a Directory and Subdirectories:

subinacl /subdirectories c:\example\*.* /setowner=administrator

Common Issues

  • Permission Errors: Ensure that SUBINACL is run with administrative privileges to avoid access denied errors.
  • Incorrect Syntax: Double-check the command syntax, especially spaces and equal signs in commands like /grant and /deny.
  • Unsupported Actions on Objects: Some actions may not be supported on certain types of objects, such as services or registry keys.

Integration

SUBINACL can be integrated with batch scripts to automate the deployment of permissions across multiple system objects. Here is a basic script example:

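@echo off
rem Take ownership of every file in c:\example, then grant administrator full access (F).
subinacl /file c:\example\*.* /setowner=administrator
subinacl /file c:\example\*.* /grant=administrator=F
rem This message is printed whether or not the commands above succeeded.
echo Permissions have been updated.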

Combine SUBINACL with other commands like icacls for comprehensive permission and security management. Related commands:

  • cacls: Older command similar to SUBINACL, but with less functionality.
  • icacls: Replacement for cacls, allows for more granular permission setting.
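
The following batch script is an added example, not part of the original page. It combines icacls with the SUBINACL commands from the basic script so that the existing permissions are recorded before they are changed. The directory c:\example comes from the page; the backup file names and the elevation check are assumptions.

```batch
@echo off
setlocal
rem Added example: snapshot permissions with icacls before SUBINACL changes them.
rem TARGET is the page's sample directory; the two backup paths are assumed names.
set "TARGET=c:\example"
set "ACLBACKUP=%TEMP%\example-acl-backup.txt"
set "OWNERLIST=%TEMP%\example-owners.txt"

rem SUBINACL needs administrative privileges. "net session" fails in a
rem non-elevated prompt, which makes it a common (heuristic) elevation check.
net session >nul 2>&1
if errorlevel 1 (
    echo Run this script from an elevated command prompt.
    exit /b 1
)

rem Save the current DACLs of everything under TARGET, recursively (/t).
icacls "%TARGET%\*" /save "%ACLBACKUP%" /t
if errorlevel 1 (
    echo ACL backup failed. No permissions were changed.
    exit /b 1
)

rem icacls /save stores DACLs only, not owners, so list the current
rem owners separately (dir /q prints the owner of each entry).
dir /q /s "%TARGET%" > "%OWNERLIST%"

rem Apply the same changes as the basic script on this page.
subinacl /file %TARGET%\*.* /setowner=administrator
subinacl /file %TARGET%\*.* /grant=administrator=F

rem Print the resulting ACLs so the change can be reviewed.
icacls "%TARGET%\*" /t

echo DACL backup: %ACLBACKUP%
echo Owner list:  %OWNERLIST%
echo To restore the saved DACLs: icacls "%TARGET%" /restore "%ACLBACKUP%"
endlocal
```

The restore command puts back the saved DACLs only; previous owners have to be reset by hand from the owner list.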

For further reading and more detailed information, refer to the official Microsoft documentation on SUBINACL.