9

After changing the ownership of executables in the Windows directory (explorer.exe, regedit.exe, etc.), I can't seem to change it back to TrustedInstaller using icacls.exe. Using the GUI method (Properties → Security → Advanced → Owner) works fine though.

Doing the same thing to any other file under Windows, that is not an executable, works fine. Tried the same under safe-mode, no luck.

These are the 2 basic commands I'm using:

takeown /F C:\Windows\explorer.exe /A
icacls C:\Windows\explorer.exe /setowner "NT SERVICE\TrustedInstaller"

Edit: Forgot to mention I'm receiving the error 'Access is denied'.

C:\Windows\System32>takeown /F c:\Windows\explorer.exe /A  
SUCCESS: The file (or folder): "c:\Windows\explorer.exe" now owned by the administrators group.

C:\Windows\System32>icacls c:\Windows\explorer.exe /setowner "NT SERVICE\TrustedInstaller"
c:\Windows\explorer.exe: Access is denied.
Successfully processed 0 files; Failed processing 1 files

Henke
  • 1,261
BarCo
  • 121

6 Answers

9

So the title says restoring TrustedInstaller.

Seems there is a missing part; removing the added Administrators group permissions.

takeown /F "C:\Windows\regedit.exe" /A
/F - file to become owner of
/A - means it will set the users group (i.e. Administrators, not userxyz)

icacls "C:\Windows\regedit.exe" /grant Administrators:F
/grant - will add permissions
:F - Full Control

icacls "C:\Windows\regedit.exe" /setowner "NT SERVICE\TrustedInstaller"
/setowner - new owner

icacls "C:\Windows\regedit.exe" /grant:r Administrators:RX
/grant:r - will set permissions (removing higher ones)
:RX - Read and Execute

Reference: https://ss64.com/nt/icacls.html

3

The command works only after granting full permissions to the Administrators group, i.e.:

icacls c:\Windows\explorer.exe /grant Administrators:f  

Even granting 'Modify' doesn't seem to be enough for some reason.

BarCo
  • 121
1

The problem, as you discovered in your answer, is that setting the owner of a file requires a special permission, specifically "take ownership." The reason the ACL editor GUI is able to set the owner anyway is that it enables the SeTakeOwnershipPrivilege privilege, which allows overriding that access check. Programs running as administrator have this privilege, but they have to explicitly enable it before using it, and apparently icacls doesn't.

Conveniently, processes inherit the privileges of their parent by default, so if you can enable that privilege for the command prompt from which you invoke icacls, the utility will have the privilege enabled too and will be able to set the owner. You can use my open-source utility SprintDLL to call the appropriate Win32 functions to enable the privilege in SprintDLL's parent process (the command prompt):

SprintDLL call kernel32.dll!OpenProcess /return native /into prochandle (int 0x400, int 0, slotdata parentpid); newslot native token; call advapi32.dll!OpenProcessToken /return int (slotdata prochandle, int 0x20, slotptr token); newslot block luid = int 0, int 0; call advapi32.dll!LookupPrivilegeValueW /return int (nullptr, lpwstr "SeTakeOwnershipPrivilege", slotptr luid); newslot block privs = int 1, slotdata luid, int 2; call advapi32.dll!AdjustTokenPrivileges /return int (slotdata token, int 0, slotptr privs, slotsize privs as int, nullptr, nullptr)

If it works, the output will say all three called functions returned 1. You will then be able to use icacls as you originally attempted.

Ben N
  • 42,308
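The same privilege adjustment done from PowerShell, as an added example that is not part of Ben N's answer and does not use SprintDLL: a small P/Invoke class calls OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges on the current process, and the owner is then written through .NET's Set-Acl instead of icacls. It enables SeRestorePrivilege alongside SeTakeOwnershipPrivilege, because SetNamedSecurityInfo only accepts an owner SID that is neither the caller's own user nor one of its groups (such as NT SERVICE\TrustedInstaller) when SeRestorePrivilege is enabled. The class name TokenPriv and the target path are this example's own choices; run it from an elevated PowerShell session.

```powershell
# Added example, not from the original answer: enable SeTakeOwnershipPrivilege and
# SeRestorePrivilege in this PowerShell process, then hand a file back to TrustedInstaller.
# Assumes an elevated session; the class name TokenPriv and $Path are this example's choices.
$src = @'
using System;
using System.Runtime.InteropServices;
public static class TokenPriv
{
    [StructLayout(LayoutKind.Sequential)] struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)]
    struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    const uint SE_PRIVILEGE_ENABLED = 0x2, TOKEN_ADJUST_PRIVILEGES = 0x20, TOKEN_QUERY = 0x8;
    const int ERROR_NOT_ALL_ASSIGNED = 1300;

    [DllImport("kernel32.dll")] static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LookupPrivilegeValue(string system, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll,
        ref TOKEN_PRIVILEGES newState, uint bufLen, IntPtr prevState, IntPtr retLen);

    // Returns true only if the privilege is now enabled. A token that does not hold the
    // privilege at all (non-elevated prompt) makes AdjustTokenPrivileges "succeed" with
    // ERROR_NOT_ALL_ASSIGNED, which is treated as a failure here.
    public static bool Enable(string name)
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            return false;
        try
        {
            TOKEN_PRIVILEGES tp;
            tp.PrivilegeCount = 1;
            tp.Attributes = SE_PRIVILEGE_ENABLED;
            if (!LookupPrivilegeValue(null, name, out tp.Luid)) return false;
            if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
            return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
        }
        finally { CloseHandle(token); }
    }
}
'@
Add-Type -TypeDefinition $src

foreach ($priv in 'SeTakeOwnershipPrivilege', 'SeRestorePrivilege') {
    if (-not [TokenPriv]::Enable($priv)) {
        throw "Could not enable $priv; is this an elevated PowerShell session?"
    }
}

$Path = 'C:\Windows\explorer.exe'
$acl  = Get-Acl -Path $Path
Write-Host "Owner before: $($acl.Owner)"
$acl.SetOwner([System.Security.Principal.NTAccount]::new('NT SERVICE', 'TrustedInstaller'))
Set-Acl -Path $Path -AclObject $acl      # only the owner section was modified; the DACL is left as it is
Write-Host "Owner after:  $((Get-Acl -Path $Path).Owner)"
```

Because the privileges are enabled in the PowerShell process itself, an icacls started from that same session afterwards inherits the enabled state as well, which is the effect Ben N obtains by targeting the parent command prompt.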
1

Experimenting with C:\Windows\System32\CompatTelRunner.exe

1. Change the ownership to Administrators

Hit WinKey+r, type cmd, hold down Ctrl+Shift and press Enter. [1]

Then run : [2]
dir /q CompatTelRunner.exe

Expect the response to contain a line like :
<Date> <Time> <bytes> NT SERVICE\TrustedInstaCompatTelRunner.exe
(Unfortunately, NT SERVICE\TrustedInstaller gets cut off.)

This response shows that the current owner is TrustedInstaller.

Next run : [3]
takeown /f CompatTelRunner.exe /a (1)

Now expect the response from dir /q CompatTelRunner.exe to be :
<Date> <Time> <bytes> BUILTIN\Administrators CompatTelRunner.exe
showing that the owner has been changed to Administrators.

2. Extend the access permissions of the Administrators

Run : [4]
icacls CompatTelRunner.exe

Expect the response to contain the following two lines :
NT SERVICE\TrustedInstaller:(F)
BUILTIN\Administrators:(RX)

This response shows that the TrustedInstaller still has Full control (even though it's no longer the owner), while the Administrators group still has only Read & eXecute permissions (even though it's now the owner).

Then run :
icacls CompatTelRunner.exe /grant Administrators:f (2)

Now expect the response of icacls CompatTelRunner.exe to contain the lines :
BUILTIN\Administrators:(F)
NT SERVICE\TrustedInstaller:(F)
showing that the Administrators group now also has Full control.

3. Set the ownership back to TrustedInstaller

Run :
icacls CompatTelRunner.exe /setowner "NT SERVICE\TrustedInstaller" (3)

Expect the response from dir /q CompatTelRunner.exe once again to be :
<Date> <Time> <bytes> NT SERVICE\TrustedInstaCompatTelRunner.exe
showing that the owner has now been restored to TrustedInstaller.

4. Reset the access permissions of the Administrators

The only thing that remains to be restored is to set the permissions of the Administrators group back to just Read & eXecute :
icacls CompatTelRunner.exe /grant:r Administrators:rx (4)

Expect the response of icacls CompatTelRunner.exe now to contain the lines :
BUILTIN\Administrators:(RX)
NT SERVICE\TrustedInstaller:(F)
showing that the access permissions of the Administrators group has been restored.

5. Why you got Access is denied

Is it clear by now why you got Access is denied?
– The reason is that when you took ownership of the file, you still did not have full access permissions on it. So when you tried to set the ownership back to TrustedInstaller, you didn't have the necessary permissions to do so, and hence got Access is denied. Taking ownership of the file is the correct first step, because otherwise you are not allowed to extend your permissions.

6. What's the point?

Running the above commands (1), (2), (3), (4) – in that order – will restore your operating system to how Microsoft sets it up. This is true regardless of whether the access permissions of this file were already restored or not.

So what's the point?
– Well, I never used to run the commands (3) and (4). And I don't intend to do so in the future either.

Why should I? – As long as I trust my administrators (including myself), I don't really see any reason to restore things to being the Microsoft way.

Answering this question has still been worthwhile as I have learned to take ownership and change access permissions of a file. And to understand the difference between the two.

References

[1] Holding down Ctrl+Shift makes the command prompt open as administrator.

[2] The command dir /q <SomeFileName> displays the owner of the file <SomeFileName>.

[3] The flag /f is needed to indicate that what follows next is the name of the file/folder.
The flag /a gives ownership to the Administrators.

[4] ICACLS stands for Integrity Change Access Control ListS.

Henke
  • 1,261
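The four-step sequence from the answer beginning "So the title says restoring TrustedInstaller" and from the CompatTelRunner.exe walkthrough above, as one added PowerShell example that is not code from either answer: it runs the same takeown and icacls commands, reads the owner and the Administrators ACE back with Get-Acl after each stage, and stops on the first non-zero exit code so an "Access is denied" cannot leave the file half-restored. The function names, the elevated-session requirement and the expected final ACE (Read & Execute, as on the stock Windows executables discussed here) are this example's assumptions; pass a different path to try it on another file.

```powershell
# Added example, not from the original answers: the four-step restore (takeown, grant F,
# setowner, grant:r RX) wrapped in a function that checks owner and ACE after every stage.
# Assumes an elevated PowerShell session and a file whose stock Administrators ACE is
# Read & Execute, as for the Windows executables discussed above.

function Get-OwnerState {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $adminRights = ($acl.Access |
        Where-Object { $_.IdentityReference.Value -eq 'BUILTIN\Administrators' } |
        ForEach-Object { $_.FileSystemRights.ToString() }) -join ' | '
    [pscustomobject]@{ Owner = $acl.Owner; AdminRights = $adminRights }
}

function Invoke-Native {
    # Runs a native tool and turns a non-zero exit code into an error, so a failing
    # step ("Access is denied") stops the sequence instead of leaving it half done.
    param([Parameter(Mandatory)][string]$Exe, [string[]]$Arguments)
    $output = & $Exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed ($LASTEXITCODE): $output" }
    $output
}

function Restore-TrustedInstallerOwner {
    param([Parameter(Mandatory)][string]$Path)
    $ti = 'NT SERVICE\TrustedInstaller'
    $state = Get-OwnerState $Path
    Write-Host "before       owner=$($state.Owner)  Administrators=$($state.AdminRights)"

    # (1) Only the owner may rewrite the DACL it does not yet have WRITE_DAC on, so ownership comes first.
    Invoke-Native takeown.exe @('/F', $Path, '/A') | Out-Null
    # (2) Full control adds WRITE_DAC and WRITE_OWNER; Modify (M) contains neither, which is why
    #     the answers above found Modify insufficient for /setowner.
    Invoke-Native icacls.exe @($Path, '/grant', 'Administrators:F') | Out-Null
    $state = Get-OwnerState $Path
    Write-Host "after (1)(2) owner=$($state.Owner)  Administrators=$($state.AdminRights)"

    # (3) Hand the file back; (4) shrink Administrators to the stock Read & Execute with /grant:r.
    Invoke-Native icacls.exe @($Path, '/setowner', $ti) | Out-Null
    Invoke-Native icacls.exe @($Path, '/grant:r', 'Administrators:RX') | Out-Null
    $state = Get-OwnerState $Path
    Write-Host "after (3)(4) owner=$($state.Owner)  Administrators=$($state.AdminRights)"

    if ($state.Owner -ne $ti) { throw "Owner is $($state.Owner), expected $ti" }
    if ($state.AdminRights -ne 'ReadAndExecute, Synchronize') {
        Write-Warning "Administrators ACE is '$($state.AdminRights)', expected 'ReadAndExecute, Synchronize'"
    }
    $state
}

Restore-TrustedInstallerOwner -Path 'C:\Windows\explorer.exe'
```

Run it once on a file you have already taken over: the "before" line then shows owner=BUILTIN\Administrators with the RX ACE, which is exactly the state in which a bare /setowner fails, and the "after (1)(2)" line shows the Full-control ACE that makes step (3) succeed.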
0

This worked for me on a 64-bit system (and my issue)...

icacls c:\Windows\SysWOW64\usercpl.dll /grant Administrators:f  
icacls "C:\Windows\SysWOW64\usercpl.dll" /setowner "NT SERVICE\TrustedInstaller"

/setowner - new owner

0

Works fine here (tested in Windows 7 64-bit).

Ensure you've started your command prompt in elevated mode (aka: "Run as administrator").