Windows ACL Evaluation

If the owner SID is in the process token, mask off the WRITE_DAC and READ_CONTROL access bits in the desired access (owner always has these rights)
Walk the ACL entry list in order :
- - If the SID in this entry is not in the process token, ignore it.
  - If the SID in this entry is in the process token, and the entry is a DENY, and any desired access bits are in the entry access bits, return failure.
  - If the SID in this entry is in the process token, and the entry is a ALLOW, mask off any bits in the desired access that exist in the entry access bits.
Return success if desired access is zero, else failure.

If the owner SID is in the process token, mask off the WRITE_DAC and READ_CONTROL access bits in the desired access (owner always has these rights)