WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Bypass traverse checking

Bypass traverse checking

AKA: SeChangeNotifyPrivilege, Bypass traverse checking

Default assignment on workstations and member servers: Administrators, Backup Operators, Power Users, Users, Everyone

Default assignment on domain controllers: Administrators, Authenticated Users

Leave this one alone. Technically this right ensures you can access a file several levels down in the folder hierarchy even if you lack permissions to the parent folders – provided of course you have permissions to the object itself and know its fully qualified pathname. Without this right Windows would require you to have permissions to all parent folders in addition to the file being accessed. I say leave it alone because revoking this right can cause a number of problems such as with IIS and even blue screens of death (BSODs).

This right is also reportedly required for applications that register with Windows to be notified of changes to the file system – as in how Windows Explorer efficiently and immediately updates windows Whenever files are added/removed by some other program or user on the network.

By default this right is not audited even if you enable Audit privilege use. See Full Privilege Auditing.

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

User Rights In-Depth

•	Access from Network
•	Act as OS
•	Add Workstations
•	Adjust Memory Quotas
•	Allow log on locally
•	Allow Terminal Services logon
•	Backup Files & Directories
•	Bypass traverse checking
•	Change the system time
•	Create a pagefile
•	Create a token object
•	Create global objects
•	Permanent shared objects
•	Debug programs
•	Deny network access
•	Deny logon as a batch job
•	Deny logon as a service
•	Deny logon locally
•	Deny Terminal Services logon
•	Enable trusted for delegation
•	Force shutdown remotely
•	Generate security audits
•	Impersonate a client
•	Increase scheduling priority
•	Load and unload device drivers
•	Lock pages in memory
•	Log on as a batch job
•	Log on as a service
•	Manage auditing and security log
•	Modify firmware values
•	Volume maintenance
•	Profile single process
•	Profile system performance
•	Remove from docking station
•	Replace process level token
•	Restore files and directories
•	Shut down the system
•	Sync directory service data
•	Take ownership of files & objects

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.