The Win32_LogicalFileSecuritySetting WMI class represents security settings for a logical file. You cannot enumerate instances of this class.
Methods
Win32_LogicalFileSecuritySetting has 2 methods:
Method | Description |
---|---|
GetSecurityDescriptor | Class method that retrieves a structural representation of the object security descriptor (SD). |
SetSecurityDescriptor | Class method that sets an SD to the specified structure. |
Learn more about Invoke-CimMethod and how to invoke commands. Click any of the methods listed above to learn more about their purpose, parameters, and return value.
Properties
Win32_LogicalFileSecuritySetting returns 6 properties:
'Caption','ControlFlags','Description','OwnerPermissions','Path','SettingID'
Unless explicitly marked as writeable, all properties are read-only. Read all properties for all instances:
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting -Property *
Most WMI classes return one or more instances. When Get-CimInstance returns no result, then apparently no instances of class Win32_LogicalFileSecuritySetting exist. This is normal behavior. Either the class is not implemented on your system (it may be deprecated, or drivers may be missing, e.g. CIM_VideoControllerResolution), or there are simply no physical representations of this class currently available (e.g. Win32_TapeDrive).
Caption
Short textual description of the CIM_Setting object.
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting | Select-Object -Property Path, Caption
ControlFlags
Control bits that qualify the meaning of an SD or its individual members. For more information about how to set the ControlFlags value, see the Remarks section. The following list describes the flags in ControlFlags. For more information, see SECURITY_DESCRIPTOR_CONTROL.
Indicates an SD with a default owner security identifier (SID). You can use this bit to find all of the objects that have default owner permissions set.
Indicates an SD with a default group SID. You can use this bit to find all of the objects that have default group permissions set.
Indicates an SD that has a discretionary access control list (DACL). If this flag is not set, or if this flag is set and the DACL is NULL, the SD allows full access to everyone.
Indicates an SD with a default DACL. For example, if an object creator does not specify a DACL, the object receives the default DACL from the access token of the creator. This flag can affect how the system treats the DACL, with respect to access control entry (ACE) inheritance. The system ignores this flag if the SE_DACL_PRESENT flag is not set.
Indicates an SD that has a system access control list (SACL).
Indicates an SD with a default SACL. For example, if an object creator does not specify an SACL, the object receives the default SACL from the access token of the creator. This flag can affect how the system treats the SACL, with respect to ACE inheritance. The system ignores this flag if the SE_SACL_PRESENT flag is not set.
Requests that the provider for the object protected by the SD automatically propagate the DACL to existing child objects. If the provider supports automatic inheritance, it propagates the DACL to any existing child objects, and sets the SE_DACL_AUTO_INHERITED bit in the security descriptors of the object and its child objects.
Requests that the provider for the object protected by the SD automatically propagate the SACL to existing child objects. If the provider supports automatic inheritance, it propagates the SACL to any existing child objects, and sets the SE_SACL_AUTO_INHERITED bit in the SDs of the object and its child objects.
Windows 2000 only. Indicates an SD in which the DACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.
Windows 2000: Indicates an SD in which the SACL is set up to support automatic propagation of inheritable ACEs to existing child objects. The system sets this bit when it performs the automatic inheritance algorithm for the object and its existing child objects. This bit is not set in SDs for Windows NT versions 4.0 and earlier, which do not support automatic propagation of inheritable ACEs.
Windows 2000: Prevents the DACL of the SD from being modified by inheritable ACEs.
Windows 2000: Prevents the SACL of the SD from being modified by inheritable ACEs.
Indicates an SD in self-relative format with all of the security information in a contiguous block of memory. If this flag is not set, the SD is in absolute format. For more information, see Absolute and Self-Relative Security Descriptors.
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting | Select-Object -Property Path, ControlFlags
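Decoding the bitmask into flag names, as an added example that is not code from the original page: the names and bit values come from the SECURITY_DESCRIPTOR_CONTROL definition in winnt.h and follow the order of the descriptions above. ConvertFrom-SdControlFlags is a hypothetical helper name and 0x8404 is a constructed sample value; because the class cannot be enumerated, the live query selects one object through its Path key.

```powershell
# Added example. Flag names and bit values are those of SECURITY_DESCRIPTOR_CONTROL
# (winnt.h); they are not printed on this page.
$SdControlBits = [ordered]@{
    SE_OWNER_DEFAULTED       = 0x0001
    SE_GROUP_DEFAULTED       = 0x0002
    SE_DACL_PRESENT          = 0x0004
    SE_DACL_DEFAULTED        = 0x0008
    SE_SACL_PRESENT          = 0x0010
    SE_SACL_DEFAULTED        = 0x0020
    SE_DACL_AUTO_INHERIT_REQ = 0x0100
    SE_SACL_AUTO_INHERIT_REQ = 0x0200
    SE_DACL_AUTO_INHERITED   = 0x0400
    SE_SACL_AUTO_INHERITED   = 0x0800
    SE_DACL_PROTECTED        = 0x1000
    SE_SACL_PROTECTED        = 0x2000
    SE_SELF_RELATIVE         = 0x8000
}

function ConvertFrom-SdControlFlags {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][uint32]$ControlFlags,
        [string]$Path = '(constructed sample)'
    )
    # Collect the name of every bit that is set in the mask.
    $names = foreach ($bit in $SdControlBits.GetEnumerator()) {
        if ($ControlFlags -band $bit.Value) { $bit.Key }
    }
    [pscustomobject]@{
        Path          = $Path
        ControlFlags  = '0x{0:X4}' -f $ControlFlags
        Flags         = $names -join ', '
        # No DACL present means the SD allows full access to everyone.
        DaclPresent   = [bool]($ControlFlags -band 0x0004)
        # A protected DACL is not modified by inheritable ACEs.
        DaclProtected = [bool]($ControlFlags -band 0x1000)
    }
}

# Constructed value: SE_DACL_PRESENT + SE_DACL_AUTO_INHERITED + SE_SELF_RELATIVE
ConvertFrom-SdControlFlags -ControlFlags 0x8404

# Live query for a single object. Backslashes are doubled because WQL
# treats \ as an escape character inside string literals.
$target = $env:windir.Replace('\', '\\')
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting -Filter "Path='$target'" |
    ForEach-Object { ConvertFrom-SdControlFlags -ControlFlags $_.ControlFlags -Path $_.Path }
```

When auditing, rows with DaclPresent set to False deserve the first look, followed by rows with DaclProtected set to True, since those objects no longer follow the permissions of their parent folder.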
Description
Textual description of the CIM_Setting object.
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting | Select-Object -Property Path, Description
OwnerPermissions
Owner permissions to the object.
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting | Select-Object -Property Path, OwnerPermissions
Path
Full path of the file or directory.
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting | Select-Object -Property Path
SettingID
Identifier by which the CIM_Setting object is known.
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting | Select-Object -Property Path, SettingID
Examples
List all instances of Win32_LogicalFileSecuritySetting
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting
Learn more about Get-CimInstance and the deprecated Get-WmiObject.
View all properties
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting -Property *
View key properties only
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting -KeyOnly
Selecting Properties
To select only some properties, pipe the results to Select-Object -Property a,b,c with a comma-separated list of the properties you require. Wildcards are permitted.
Get-CimInstance always returns all properties but only retrieves the ones that you specify. All other properties are empty but still present. That’s why you need to pipe the results into Select-Object if you want to limit the visible properties, e.g. for reporting.
Selecting Properties
The code below lists all available properties. Remove the ones you do not need:
$properties = 'Caption',
'ControlFlags',
'Description',
'OwnerPermissions',
'Path',
'SettingID'
Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting | Select-Object -Property $properties
Limiting Network Bandwidth
If you work remotely, it makes sense to limit network bandwidth by filtering the properties on the server side, too:
Get-CimInstance -Class Win32_LogicalFileSecuritySetting -Property $properties |
Select-Object -Property $properties
Selecting Instances
To select some instances, use Get-CimInstance and a WMI Query. The wildcard character in WMI Queries is % (and not “*”).
The parameter -Filter runs a simple query.
Listing all instances where the property Caption starts with “A”
Get-CimInstance -Class Win32_LogicalFileSecuritySetting -Filter 'Caption LIKE "a%"'
Using a WQL Query
The parameter -Query uses a query similar to SQL and combines the parameters -Filter and -Property. This returns all instances where the property Caption starts with “A”, and returns the properties specified:
Get-CimInstance -Query "SELECT Path, OwnerPermissions, Caption, Description FROM Win32_LogicalFileSecuritySetting WHERE Caption LIKE 'a%'"
Any property you did not specify is still present but empty. You might need to use Select-Object to remove all unwanted properties:
Get-CimInstance -Query "SELECT Path, OwnerPermissions, Caption, Description FROM Win32_LogicalFileSecuritySetting WHERE Caption LIKE 'a%'" | Select-Object -Property Path, OwnerPermissions, Caption, Description
Accessing Remote Computers
To access remote systems, you need to have proper permissions. Use the parameter -ComputerName to access one or more remote systems.
Authenticating as Current User
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with your current identity:
$result = Get-CimInstance -ClassName Win32_LogicalFileSecuritySetting -ComputerName $list
$result
Authenticating as Different User
Use a CIMSession object to authenticate with a new identity:
# one or more computer names or IP addresses:
$list = 'server1', 'server2'
# authenticate with a different identity:
$cred = Get-Credential -Message 'Authenticate to retrieve WMI information:'
$session = New-CimSession -ComputerName $list -Credential $cred
$result = Get-CimInstance Win32_LogicalFileSecuritySetting -CimSession $session
# remove the session after use (if you do not plan to re-use it later)
Remove-CimSession -CimSession $session
$result
Learn more about accessing remote computers.
Requirements
To use Win32_LogicalFileSecuritySetting, the following requirements apply:
PowerShell
Get-CimInstance was introduced with PowerShell Version 3.0, which in turn was introduced on clients with Windows 8 and on servers with Windows Server 2012.
If necessary, update Windows PowerShell to Windows PowerShell 5.1, or install PowerShell 7 side-by-side.
Operating System
Win32_LogicalFileSecuritySetting was introduced on clients with Windows Vista and on servers with Windows Server 2008.
Namespace
Win32_LogicalFileSecuritySetting lives in the Namespace Root/CIMV2. This is the default namespace. There is no need to use the -Namespace parameter in Get-CimInstance.
Implementation
Win32_LogicalFileSecuritySetting is implemented in CIMWin32.dll and defined in Secrcw32.mof. Both files are located in the folder C:\Windows\system32\wbem:
explorer $env:windir\system32\wbem
notepad $env:windir\system32\wbem\Secrcw32.mof