type
  PACE_HEADER = ^ACE_HEADER;
  _ACE_HEADER = record
    AceType: Byte;
    AceFlags: Byte;
    AceSize: Word;
  end;

  ACE_HEADER = _ACE_HEADER;

  TAceHeader = ACE_HEADER;
  PAceHeader = PACE_HEADER;

  PACL_SIZE_INFORMATION = ^ACL_SIZE_INFORMATION;
  _ACL_SIZE_INFORMATION = record
    AceCount,
      AclBytesInUse,
      AclBytesFree: DWORD
  end;
  ACL_SIZE_INFORMATION = _ACL_SIZE_INFORMATION;
  TAclSizeInformation = ACL_SIZE_INFORMATION;
  PAclSizeInformation = PACL_SIZE_INFORMATION;

  PAccessAllowedAce = ^TAccessAllowedAce;
  _ACCESS_ALLOWED_ACE = record
    Header: ACE_HEADER;
    Mask: DWORD;
    SidStart: DWORD;
  end;
  TAccessAllowedAce = _ACCESS_ALLOWED_ACE;

function SIDToStr(sid: PSID): WideString;
var
  sidstr: PWideChar;
begin
  ConvertSidToStringSidW(sid, sidstr);
  result := WideString(sidstr);
end;

function DumpACL(dacl: PACL): DWORD;
var
  sizeInfo : TAclSizeInformation;
  i: Integer;
  pace: Pointer;
  s: String;
begin
  result := 0;
  if GetAclInformation(dacl^, @sizeInfo, SizeOF(TAclSizeInformation), AclSizeInformation) then
  begin
    for i := 0 to sizeInfo.AceCount - 1 do
    begin
      GetAce(dacl^, i, pace);
      case PAccessAllowedAce(pace)^.Header.AceType of
        ACCESS_ALLOWED_ACE_TYPE:
        begin
          s := 'granted';
        end;
        ACCESS_DENIED_ACE_TYPE:
        begin
          s := 'denied';
        end;
      end;
      Writeln(SIDToStr(PSID(PAccessAllowedAce(pace)^.SidStart)));
    end;
  end
  else
    result := GetLastError;
end;

function GetFileDACL(const Filename: WideString): PACL;
var
  sidOwner, sidGroup: PSID;
  dacl, sacl : PACL;
  psd : PSECURITY_DESCRIPTOR;
begin
  result := nil;
  if GetNamedSecurityInfoW(PWideChar(Filename), SE_FILE_OBJECT, OWNER_SECURITY_INFORMATION, sidOwner, sidGroup, dacl,
    sacl, psd) = 0 then
  begin
    result := dacl;
  end;
end;