Need help resetting folder permissions

[TheThemePark]

I have been messing around with folder permissions on a Windows partition, and now I'd like to revert them back to how they were when Windows got installed. I know about icacls, and that it comes with a reset option, but that option doesn't actually reset it to default, it just uses the permissions at the path you're calling icacls from, and then replacing all permissions from there with those permissions.

But when Windows gets installed, there's a myriad of different permission settings for different folders, and that's what I want to revert it back to. For example, the Windows folder doesn't inherit its permissions from the root, and each user has their own unique permissions.

It would be too much work to do it manually, so is there a way I can use icacls for this, and actually get it to reset to the real default?

 

[logicearth]

Reinstall Windows or restore an image. Since you didn't save the Security Descriptors there is no way to go back.

 

[arkhi]

Specifically:

http://www.sevenforums.com/tutorials/3413-repair-install.html

EDIT:
BTW, out of curiosity, what folders did you change? It could be possible to copy the security descriptor from a parent folder if only a child folder was affected.

 

[TheThemePark]

Well, reinstalling is certainly an option. But since installation and reinstallation can set the Security Descriptors on all the folders that are created, those descriptors must be hidden somewhere in Windows, presumably in a file somewhere. I was hoping to find that file.

arkhi, I changed the root folder and every subfolder and file. Even if I hadn't, I couldn't restore it 100 %, since like I said not all folders inherit permissions from the parent folder.

So let's say I get all the permissions restored completely to how they are when Windows is installed the first time. Can I then save them all for the entire drive, and then apply them to another drive, skipping the folders that do not exist on the new drive?

 

[logicearth]

Security Descriptors are stored with the files not in some central repository.
icacls has an example just for backing up and restoring:

icacls c:\windows\* /save AclFile /T
- Will save the ACLs for all files under c:\windows
  and its subdirectories to AclFile.

icacls c:\windows\ /restore AclFile
- Will restore the Acls for every file within
  AclFile that exists in c:\windows and its subdirectories.

 

[arkhi]

So let's say I get all the permissions restored completely to how they are when Windows is installed the first time. Can I then save them all for the entire drive, and then apply them to another drive, skipping the folders that do not exist on the new drive?

Not sure about saving, but you can definitely try logicearth's command line.

As for me, I did

XCOPY source [destination] [/X]

Where:

/O Copies file ownership and ACL information.
/X Copies file audit settings (implies /O).

You can also experiment with other switches to suit your needs, i.e.

/S Copies directories and subdirectories except empty ones.
/E Copies directories and subdirectories, including empty ones.
Same as /S /E. May be used to modify /T.
/H Copies hidden and system files also.
/R Overwrites read-only files.

...and for skipping folders that do not exist

/U Copies only files that already exist in destination.

 

[TheThemePark]

Okay, so neither xcopy nor icacls seem to actually set the permissions. I tried using robocopy to only copy the ACLs, but for some reason it skips all the directories, even though they're the same, and it copies none of them. I'm using robocopy "d:\Program Files" "c:\Program Files" *.* /r:0 /copy:sou /v /e