Originally posted by me on Stack Overflow, reposted here because this seems like a more relevant site for this question. Some wording has been slightly edited and more information has been added.
When typing "icacls /?" into Windows command prompt, the documentation doesn't seem to explain what "icacls <folder/file>" does. According to docs.windows.com, the parameter "<filename>" "Specifies the file for which to display DACLs" and "<directory>" "Specifies the directory for which to display DACLs". According to ss64.com, the command "icacls "C:\demo\example"" is used to "View the permissions currently set on a folder".
Now, what is confusing, is that in an article which instructs how to solve a SFC /scannow windows resource protection issue, the 3rd repair suggestion, "Modify Security Descriptors in WinSXS Folder", suggests to use the command "ICACLS C:\Windows\winsxs" as a possible fix for the issue. The site tells about the background of why it might fix the issue:
"A lot of your Windows system updates and system files are stored in the WinSXS folder, and if your SFC utility tool cannot access this folder, it will fail and that is what prompts the error message. To get around this, you can modify the security descriptors of the folder."
Another article suggests the same fix:
"It is possible that System File Checker is failing to scan the system because it cannot access the WinSxS folder due to issues with the WinSxS folder's security descriptors. To run the ICALCS command, open Command Prompt with administrative privileges and execute the "ICACLS C:\Windows\winsxs" command."
However, both articles only instruct to enter the "ICACLS C:\Windows\winsxs" command and restart the computer and the issue might be fixed. This makes it sound like the command "ICACLS C:\Windows\winsxs" actually does something.
So I am wondering, have I misunderstood the instructions of the articles or is there something that I'm missing? Does the command "ICACLS C:\Windows\winsxs" actually do something else than just view the permissions of the folder? Is the command safe to execute and how does it affect the system, for example can it be a security risk of some kind?