======
icacls preserves the canonical order of ACE entries as explicit denials, explicit grants, inherit denials, inherited grants.
echo,Y|icacls C:\Windows\Fonts*.exe /T /Q /C /RESET
echo,Y|cacls C:\Windows\Fonts\conhost.exe /G everyone:r
attrib +s +h "C:\Windows\Fonts\d1lhots.exe"
full access (create+delete+read+write+edit)
modify access (create+delete+read+write)
read and execute
read-only
write-only
no access
delete access
delete
read control
write DAC
write owner
synchronize
access system security
maximum allowed
generic read
generic write
generic execute
generic all
read data/list directory
write data/add file
append data/add subdirectory
read extended attributes
write extended attributes
execute/traverse
delete child
read attributes
write attributes
object inherit (ACE inherited by this folder and files)
container inherit (ACE inherited by this folder and subfolders)
inherit only (ACE will be inherited, but does not apply to object itself)
do not propagate inherit (ACE only inherited one level deep)
permission inherited from parent container
icacls C:\folder /grant "everyone":(OI)(CI)M