Is it a Virus?
✔ NO - Safe
Located in C:\Windows\System32\icacls.exe and signed by Microsoft.
Warning
Permission changes can affect access
Used to grant, deny, or revoke permissions; misuse changes access for users or groups.
Can I Disable?
✔ YES
icacls.exe is a built-in Windows utility and cannot be uninstalled. You can restrict its use through administrative controls and avoid running it unnecessarily.
What is icacls.exe?
icacls.exe is the Windows command-line utility used to view and modify Access Control Lists for files and directories. It supports batch changes, permission propagation, and backups of security descriptors. Admins script permission management from CMD or PowerShell, affecting who can access data.
icacls.exe edits the security descriptor of an object, allowing grant, deny, and revoke actions and control over inheritance. It runs in CMD or PowerShell and does not delete data; it only changes who can access what.
Quick Fact: icacls.exe has been a core Windows tool for scripted ACL management across large file sets.
Types of icacls Usage
- ACL Display: View existing permissions on files or folders
- Modify Permissions: Grant, deny, or revoke access for users and groups
- Inherit and Propagate: Control inheritance and propagation of ACLs
- Backup and Restore: Save and restore ACLs with /save and /restore
- Batch Scripting: Use in scripts to apply permissions across many objects
- Audit Settings: Configure or view object audit descriptors
Is icacls.exe Safe?
Yes, icacls.exe is safe when it comes from official Microsoft sources and is used with administrator rights.
Is icacls.exe a Virus or Malware?
The genuine icacls.exe is not a virus. However, malware may mimic names or place files in suspicious folders.
How to Tell if icacls.exe is Legitimate or Malware
- File Location: Must be in C:\Windows\System32\icacls.exe or C:\Windows\SysWOW64\icacls.exe. Any icacls.exe elsewhere is suspicious.
- Digital Signature: Right-click icacls.exe -> Properties -> Digital Signatures. Should show Microsoft Corporation.
- Resource Usage: Normal usage is minimal when idle; unexpected high activity may indicate misuse.
- Behavior: Should be used by admins for permission changes; persistent unusual activity warrants a scan.
Red Flags: If icacls.exe is located outside the Windows System32/SysWOW64 folders, lacks a valid signature, or shows signs of automated unauthorized permission changes, scan the system and review admin activity.
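The location and signature checks above can be scripted. The following PowerShell is an added example, not part of the original page; the function name Test-IcaclsBinary and the output column names are hypothetical, and it assumes Windows is installed under %SystemRoot%.

```powershell
# Added example: check every icacls.exe on disk or in memory against the
# two criteria described above (expected folder, valid Microsoft signature).
# Run elevated so ExecutablePath is populated for other users' processes.

# Expected locations, built from %SystemRoot% (normally C:\Windows).
$expected = @(
    (Join-Path $env:SystemRoot 'System32\icacls.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\icacls.exe')
)

function Test-IcaclsBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Path            = $Path
        # -contains compares strings case-insensitively, which suits Windows paths
        ExpectedFolder  = $expected -contains $Path
        SignatureStatus = $sig.Status
        MicrosoftSigned = ($sig.Status -eq 'Valid') -and
                          ($subject -match 'O=Microsoft Corporation')
    }
}

# 1. The on-disk copies that should exist (SysWOW64 is absent on 32-bit Windows).
$onDisk = $expected | Where-Object { Test-Path -LiteralPath $_ }

# 2. Any running process named icacls.exe, wherever its image lives.
$running = Get-CimInstance Win32_Process -Filter "Name = 'icacls.exe'" |
    Where-Object ExecutablePath |
    Select-Object -ExpandProperty ExecutablePath

$results = (@($onDisk) + @($running)) |
    Sort-Object -Unique |
    ForEach-Object { Test-IcaclsBinary -Path $_ }

$results | Format-Table -AutoSize

# Anything outside the expected folders or without a valid Microsoft
# signature matches the red flags described above.
$suspicious = $results | Where-Object { -not ($_.ExpectedFolder -and $_.MicrosoftSigned) }
if ($suspicious) {
    Write-Warning "Unexpected icacls.exe found; scan the system and review admin activity:"
    $suspicious | Format-List
}
```

Because icacls.exe normally runs briefly and exits, the running-process check only catches instances alive at that moment; the on-disk check always runs.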
Why Is icacls.exe Running on My PC?
icacls.exe runs when administrators or scripts are inspecting or modifying file and folder ACLs, performing audits, or applying permission changes across multiple objects.
Reasons it's running:
- Active permission management: An admin or automation script is querying or updating ACLs on one or more files or folders.
- Policy or baseline enforcement: IT policies deploy ACL changes or enforce security baselines via scripted tasks.
- Backup and restore operations: ACL snapshots are being saved or restored as part of maintenance or disaster recovery.
- Security auditing: Auditors or security tools invoke icacls to verify or adjust access controls.
- Batch maintenance: Scheduled maintenance tasks adjust permissions across many objects as part of routines.
Can I Disable or Remove icacls.exe?
Disabling it is not recommended. icacls.exe is a built-in Windows tool used for permission management. You can restrict its use through administrative controls and avoid running it unnecessarily.
How to Stop icacls.exe Usage