WinSecWiki > Security Settings > Local Policies > User Rights > User Rights In-Depth > Bypass traverse checking

Bypass traverse checking

AKA: SeChangeNotifyPrivilege, Bypass traverse checking

Default assignment on workstations and member servers: Administrators, Backup Operators, Power Users, Users, Everyone

Default assignment on domain controllers: Administrators, Authenticated Users

Leave this one alone. Technically this right ensures you can access a file several levels down in the folder hierarchy even if you lack permissions to the parent folders – provided of course you have permissions to the object itself and know its fully qualified pathname. Without this right Windows would require you to have permissions to all parent folders in addition to the file being accessed. I say leave it alone because revoking this right can cause a number of problems such as with IIS and even blue screens of death (BSODs).

This right is also reportedly required for applications that register with Windows to be notified of changes to the file system – as in how Windows Explorer efficiently and immediately updates windows Whenever files are added/removed by some other program or user on the network.

By default this right is not audited even if you enable Audit privilege use. See Full Privilege Auditing.

Back to top


Additional Resources