Why would the NTFS ACL utility `icacls` alter the system partition behind the scene?
I attached an hdd to my win7 machine and assigned the drive letter I: to the only partition on the hdd. The hdd was originally from another computer, and to avoid all those "you don't currently have permission..." dialogs, I decided to use icacls to clear all ACLs.
I ran icacls I:\ /reset /t /c /l. After a while, Chrome stopped working. Safari crashed. I traced the problem and find that the ACLs of my home folder (in C:\Users) are all messed up. Chrome and Safari couldn't write to their cache folder. I fixed the ACLs of my home folder and everything seems to be OK now.
Why would icacls mess with my home folder when I specifically told it to work on the I: drive? I have even put in the /L switch so that it won't resolve symbolic links. Did I misunderstood the switch?
For your reference, below is the relevant parts of the help screen.
ICACLS name /reset [/T] [/C] [/L] [/Q]
replaces ACLs with default inherited ACLs for all matching files.
/T indicates that this operation is performed on all matching
files/directories below the directories specified in the name.
/C indicates that this operation will continue on all file errors.
Error messages will still be displayed.
/L indicates that this operation is performed on a symbolic link
itself versus its target.
OK I found the answer...
The hidden Documents and Settings in I:\ is a junction pointing to C:\Users. The target of the junction is an absolute path (as opposed to a relative path). Since /L takes care of symbolic links only, icacls resolved I:\Documents and Settings into C:\Users and reset all the ACLs there.
Therefore, never use icacls unless you have examined all the junctions in the folder you want icacls to work on! This makes icacls practically useless as a recursive ACLs modification tool... If the folder contains a junction pointing to C:\ deep inside the folder structure, you could have killed your Windows without even knowing why!