6 days of recovery – day 6: Recovering security permissions after restoring data on a new hard drive

Okay, I’ve now got the Windows system drive (C:) back up and running and using my trusty backup I have restored all my data onto the new data drive (A Seagate 1TB 7200RPM 32MB cache – nice and fast).  However, I now had a security problem:  all my old file permissions were now incorrect, and in the directory and file properties windows on the security tab I was getting “Account Unknown”:

Windows Vista Security file properties: Account Unknown

The problem was that although my user name was the same in the new Windows install, the unique Security ID (SID) used by my old Windows install was different from the unique Security ID created by the new Windows install.  This makes sense because the ID is a unique identifier (and is probably created based on the current time in milliseconds and lots of other things).

BTW, it’s possible to copy-and-paste that long numeric SID rather than trying to type it out.  From the file security property dialog box above click on the “Advanced” button, and then double-click on the “Account Unknown” in the “Permission entries” pane.  Then, you can copy the long numeric SID from the “Name” text box.

How to copy the numeric SID for an Account Unknown

My first approach was just to remove all the “Account Unknown” entries completely with the icacls command but I got a VERY frustrating message:

D:\>icacls * /remove *S-1-5-21-671368754-1592612355-3076361259-1000 /T
Successfully processed 0 files; Failed processing 0 files

I tried about 50 different variations and got absolutely nowhere, which turned out to be very fortunate because I discovered that it’s possible to simply REPLACE the OLD broken SID with the working new one!  Phew.  A little Microsoft tool called subinacl.exe did the trick very nicely.  It requires installation (?!) and doesn’t put itself onto the path (which is good I guess) and after reading the help and trying a few different things I got it to work like this:

"c:\Program Files (x86)\Windows Resource Kits\Tools\subinacl.exe" /subdirectories d:\

So it took a little while to solve the problem but it worked!  It’s also the ONLY Microsoft Vista command line tool I’ve ever seen that actually had a “fancy” little GUI:

Subinacl at work

The red is a little scary (because I assumed something bad had happened), but it was fine and my new HDD with all my data had all the security backed up correctly, and I didn’t have to muck around trying to remember and manually reset folder permissions.  Very elegant, although it took me about an hour to figure this out!
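A read-only way to confirm that no “Account Unknown” entries are left on the restored drive, as an added example that is not part of the original post. It assumes Windows PowerShell 3.0 or later and an elevated prompt; `$Root` defaults to the D:\ drive used above, and `Test-SidResolves` is a helper name made up for this sketch.

```powershell
# Added example: audit only, nothing on disk is changed.
# Lists every owner or explicit ACE whose SID no longer maps to an account.
param([string]$Root = 'D:\')   # assumption: the restored data drive

$sidType  = [System.Security.Principal.SecurityIdentifier]
$resolved = @{}   # cache: SID string -> $true/$false, one lookup per SID

function Test-SidResolves {
    param([string]$Sid)
    if (-not $resolved.ContainsKey($Sid)) {
        try {
            $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
            [void]$obj.Translate([System.Security.Principal.NTAccount])
            $resolved[$Sid] = $true
        } catch {
            $resolved[$Sid] = $false   # no account on this install owns the SID
        }
    }
    $resolved[$Sid]
}

$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

$findings = @(foreach ($item in $items) {
    try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

    # Owner plus explicit ACEs; inherited ACEs are reported once, on the parent.
    $entries = @()
    $owner = $acl.GetOwner($sidType)
    if ($owner) { $entries += [pscustomobject]@{ Role = 'Owner'; Sid = $owner.Value } }
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $role = '{0} {1}' -f $ace.AccessControlType, $ace.FileSystemRights
        $entries += [pscustomobject]@{ Role = $role; Sid = $ace.IdentityReference.Value }
    }

    foreach ($e in $entries) {
        # S-1-5-21-* are local/domain account SIDs, the kind a reinstall orphans.
        if ($e.Sid -like 'S-1-5-21-*' -and -not (Test-SidResolves $e.Sid)) {
            [pscustomobject]@{ Path = $item.FullName; Role = $e.Role; Sid = $e.Sid }
        }
    }
})

"{0} orphaned entries under {1}" -f $findings.Count, $Root
$findings | Sort-Object Sid, Path | Format-Table -AutoSize
```

A count of 0 means every account SID on the drive resolves on the new install; any rows that remain show which paths still carry the old SID and in what role.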


