+ /* On Windows we also use the timestamps pass to apply security
+ * descriptors. This is because it seems we really need the depth-first
+ * behavior: in particular, Windows contains files like
+ * \Windows\Registration\CRMLog that have funny permissions and don't
+ * even let the administrator with SE_RESTORE_NAME open (at least, with
+ * privileges other than FILE_WRITE_ATTRIBUTES as we do below) after the
+ * security descriptor has been applied. */
+ if (inode->i_security_id >= 0 &&
+ !(args->extract_flags & WIMLIB_EXTRACT_FLAG_NO_ACLS)
+ && (args->vol_flags & FILE_PERSISTENT_ACLS))
+ {
+ int ret = win32_set_security_data(inode, NULL, path, args);
+ if (ret)
+ return ret;
+ }
+
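Review bot: The comment above the `inode->i_security_id >= 0` check explains why descriptors are deferred to the timestamps pass but not what the deferral costs: until this pass reaches a file, the file presumably carries only the ACL it inherited from its parent directory, and an early `return ret` leaves every file not yet visited in that state. I would add that to the comment, for example `/* Until this pass runs, files carry only ACLs inherited from the target directory; an aborted extraction leaves them that way. */`. When `FILE_PERSISTENT_ACLS` is absent from `args->vol_flags`, the descriptor is skipped with no message in the visible lines; if no warning is issued elsewhere, one per extraction would let a user notice that the restored tree is not protected as the image was. The enclosing function and the open with FILE_WRITE_ATTRIBUTES that the comment calls "below" are outside this hunk, so both points assume nothing there already covers them.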