acllock is a Windows CLI + optional TUI tool built in PowerShell to lock and unlock files or directories using NTFS ACLs (icacls).

mini-page/asllock

acllock

ACL-based file and folder locking utility for Windows

A professional CLI/TUI tool for locking and unlocking files and folders on Windows using NTFS ACL permissions. Perfect for developers, security researchers, and power users who need quick, permission-based access control.

Features

🔒 Lock/Unlock Files & Folders - Use Windows ACL permissions to deny/grant access
💾 Automatic Backups - Original permissions saved before locking
🎨 Dual Interface - Both CLI (scriptable) and TUI (interactive) modes
🔍 Status Checking - View lock status and backup information
⚡ Fast & Lightweight - Pure PowerShell, no external dependencies
🛡️ Safe by Design - Administrators always retain recovery access
📝 Audit Logging - Track all operations with timestamps and notes

Security Model

⚠️ Important: This tool uses NTFS ACL permissions, not cryptographic encryption.

  • ✅ Protects against normal user access
  • ✅ Prevents accidental file access/modification
  • ✅ Suitable for quick permission-based locking
  • ❌ Does NOT provide encryption
  • ❌ Administrators can always unlock
  • ❌ Not suitable for protecting against privileged users

Requirements

  • Windows 10/11 or Windows Server 2016+
  • PowerShell 7.0 or later
  • NTFS file system
  • Administrator privileges (for lock/unlock operations)

Installation

Quick Install (Recommended)

Run as Administrator:

iwr https://raw.githubusercontent.com/mini-page/acllock/main/install.ps1 | iex

Manual Install

  1. Download or clone this repository
  2. Run as Administrator:

cd path\to\acllock
.\install.ps1

This will:

  • Copy files to C:\Program Files\acllock
  • Add acllock to system PATH
  • Make acllock command available globally

Usage

CLI Mode (Command Line)

# Lock a file
acllock lock "C:\SecretFiles\document.txt"

# Lock a folder with a note
acllock lock "C:\Projects\Confidential" -Note "Project freeze"

# Unlock a file
acllock unlock "C:\SecretFiles\document.txt"

# Check lock status
acllock status "C:\SecretFiles"

# Dry run (preview changes)
acllock lock "C:\Test" -DryRun

# Force operation (skip confirmations)
acllock unlock "C:\Test" -Force

# JSON output (for scripting)
acllock status "C:\Test" -Json

# Backup ACL before manual changes
acllock backup "C:\Important"

# Restore ACL from backup
acllock restore "C:\Important"

TUI Mode (Interactive)

acllock tui

Navigate using the menu:

  • Lock/unlock files and folders
  • Check status
  • Create/restore backups
  • View help and emergency recovery info

How It Works

Locking Process

  1. Backup - Original ACL permissions are saved to .acllock folder
  2. Remove Inheritance - Inherited permissions are disabled
  3. Grant Administrators - Ensure admin access is preserved
  4. Deny Everyone - Block all other users from accessing

Unlocking Process

  1. Remove Deny Rule - Remove the "Everyone" deny rule
  2. Restore Inheritance - Re-enable permission inheritance
  3. Restore from Backup - Optionally restore original permissions
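
The locking and unlocking steps above, written out as icacls calls in an added example (not acllock's own code, which this page does not show). The function name, its parameters and the `.aclsketch` backup folder are assumptions made for the sketch.

```powershell
# Added sketch, not acllock's code: the function name, its parameters and the
# .aclsketch backup location are hypothetical. icacls switches are the stock ones.
function Invoke-AclLockSketch {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Lock', 'Unlock')][string]$Mode,
        [switch]$RestoreBackup,   # Unlock only: reapply the saved DACL afterwards
        [switch]$DryRun           # print the icacls calls without running them
    )
    $item   = Get-Item -LiteralPath $Path -Force
    $parent = Split-Path -Path $item.FullName -Parent
    $backup = Join-Path $parent ".aclsketch\$($item.Name).dacl"
    # ACEs on a directory must be inheritable to reach its children.
    $inh    = if ($item.PSIsContainer) { '(OI)(CI)' } else { '' }
    $admins = '*S-1-5-32-544'   # BUILTIN\Administrators (SID form is locale-independent)
    $every  = '*S-1-1-0'        # Everyone

    if ($Mode -eq 'Lock') {
        if (-not $DryRun) {
            New-Item -ItemType Directory -Path (Split-Path $backup -Parent) -Force | Out-Null
        }
        $steps = @(
            @('/save', $backup),              # 1. Backup the current DACL
            @('/inheritance:r'),              # 2. Drop inherited ACEs
            @('/grant', "${admins}:${inh}F"), # 3. Grant Administrators full control
            @('/deny', "${every}:${inh}F")    # 4. Deny Everyone
        )
        # icacls keeps explicit deny ACEs ahead of allow ACEs, and Everyone
        # includes Administrators, so after step 4 an admin regains access by
        # editing the DACL as owner (or after takeown), not via the step 3 grant.
    } else {
        $steps = @(
            @('/remove:d', $every),           # 1. Remove the Everyone deny ACE
            @('/inheritance:e')               # 2. Re-enable inheritance
        )
    }
    foreach ($s in $steps) {
        $cmd = @($item.FullName) + $s
        Write-Host "icacls $($cmd -join ' ')"
        if ($DryRun) { continue }
        & icacls.exe @cmd
        if ($LASTEXITCODE -ne 0) { throw "icacls $($s[0]) failed; stopping here." }
    }
    if ($Mode -eq 'Unlock' -and $RestoreBackup -and -not $DryRun) {
        # 3. /restore takes the parent directory; names in the file are relative to it.
        & icacls.exe $parent /restore $backup
    }
}
```

In this sketch the saved DACL file inherits the parent folder's permissions, so anyone who can write to that folder can change what a later restore applies.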

Examples

Lock a sensitive project folder

acllock lock "C:\Projects\ClientData" -Note "Client confidential - Q1 2024"

Check if something is locked

acllock status "C:\Projects\ClientData"

Output:

Status for: C:\Projects\ClientData

  🔒 Status: LOCKED
  Access: No

  💾 Backup exists
     Created: 2024-01-15 14:30:22
     By: umang@DESKTOP-PC
     Note: Client confidential - Q1 2024

Unlock with confirmation

acllock unlock "C:\Projects\ClientData"

Scripting example

# Batch lock multiple folders
$folders = @(
    "C:\Data\Project1",
    "C:\Data\Project2",
    "C:\Data\Project3"
)

foreach ($folder in $folders) {
    acllock lock $folder -Force -Note "End of quarter lockdown"
}

Emergency Recovery

If you get locked out or need to bypass acllock, run as Administrator:

takeown /f "C:\LockedPath" /r /d y
icacls "C:\LockedPath" /reset /t

This will:

  • Take ownership of the path
  • Reset all permissions to defaults
  • Restore full access

Command Reference

Command           Description
lock <path>       Lock file or folder
unlock <path>     Unlock file or folder
status <path>     Check lock status
backup <path>     Backup ACL permissions
restore <path>    Restore ACL from backup
tui               Launch interactive TUI
help              Show help
version           Show version

Options

Option            Description
-Recursive        Apply to subdirectories
-DryRun           Preview changes only
-Force            Skip confirmations
-Json             Output as JSON
-Verbose          Show detailed output
-Note <text>      Add note/reason

File Structure

acllock/
├── acllock.ps1          # Main entry point
├── acllock.cmd          # CMD wrapper
├── install.ps1          # Installer script
├── core/
│   ├── acl.ps1          # ACL operations
│   ├── validate.ps1     # Path validation
│   ├── state.ps1        # State management
│   ├── backup.ps1       # Backup/restore
│   └── logger.ps1       # Logging utilities
└── ui/
    ├── tui.ps1          # TUI main
    └── draw.ps1         # UI rendering

Backup System

acllock automatically creates backups before locking:

  • Location: .acllock folder next to locked path
  • Format: JSON with full ACL details
  • Metadata: Timestamp, user, computer, notes
  • Recovery: Use restore command or manual JSON inspection

Example backup structure:

C:\Projects\
├── ClientData\          (locked folder)
└── .acllock\
    └── ClientData.acl.backup

Logging

All operations are logged to:

%LOCALAPPDATA%\acllock\acllock.log

Log format:

[2024-01-15 14:30:22] [INFO] Locking: C:\Projects\ClientData
[2024-01-15 14:30:23] [SUCCESS] Path locked successfully

Best Practices

✅ DO:

  • Always run as Administrator for lock/unlock
  • Use -DryRun to preview changes on critical paths
  • Add descriptive notes to track why something is locked
  • Keep backups of the .acllock folders
  • Test recovery procedures before locking critical data

❌ DON'T:

  • Lock system directories without careful consideration
  • Lock files that are currently in use
  • Rely on this for cryptographic security
  • Delete .acllock backup folders
  • Lock the acllock installation directory

Troubleshooting

"Administrator privileges required"

Run PowerShell as Administrator

"Path must be on NTFS volume"

acllock only works on NTFS. FAT32, exFAT, and network shares are not supported.

"Failed to remove inheritance"

The path may be in use. Close programs using it and try again.

PowerShell slow to start

The wrapper uses -NoProfile to avoid this. If still slow, check your PowerShell configuration.

Roadmap

Future improvements:

  • Recursive locking with exclusion patterns
  • Time-based auto-unlock
  • Password-protected unlock
  • Per-user ACL targeting
  • WinGet package distribution
  • Rust rewrite (optional, for performance)

Contributing

Contributions welcome! Please:

  1. Fork the repository
  2. Create a feature branch
  3. Test thoroughly on Windows
  4. Submit a pull request

License

MIT License - see LICENSE file for details

Author

Created for ethical hackers, developers, and security researchers who need quick ACL-based file protection on Windows.

Disclaimer

This tool modifies NTFS permissions. While designed with safety in mind (automatic backups, administrator access preservation), always:

  • Test on non-critical data first
  • Maintain backups of important files
  • Understand emergency recovery procedures
  • Use responsibly and ethically

Remember: acllock is permission-based, not encryption. For true security, use proper encryption tools like BitLocker, VeraCrypt, or 7-Zip with passwords.
