Continuing the tradition of exploring lesser-known features of very well-known executables today we will look at icacls.exe program.

ICACLS
(Integrity Control Access Control List) is a command-line utility in Windows (Vista and later) used to view, modify, backup, or restore Access Control Lists (ACLs) for files and folders on NTFS systems. It serves as a modern, more capable replacement for the older cacls command, allowing administrators to manage permissions, user rights, and inheritance.

There is an undocumented /dbg command line argument we can add to icacls.exe program invocations that may help us to see additional, more granular information in the output.

For instance,

icacls notepad.exe 
vs.
icacls notepad.exe /dbg