A Guide to Diagnosing, Fixing, and Reverting WindowsApps Folder Permissions via PowerShell in Windows
⚠ High-risk procedure: Changing permissions in C:\Program Files\WindowsApps can corrupt the system or render apps unusable. This response provides a comprehensive approach with diagnosis, repair, and reversion. Recommended only for advanced users.
Table of Contents
Preparing and Backing Up Critical Data
- Back up all your important personal data (documents, photos, etc.) to an external drive or cloud service. Backing up personal files is the most critical safeguard before system-level changes.
- Boot Windows into Safe Mode.
- Open PowerShell Terminal as Administrator.
# Define the target folder
$Folder = 'C:\Program Files\WindowsApps'
--- Start: Creation of a system restore point ---
Write-Host 'Creating a system restore point before any changes…' -ForegroundColor 'Cyan'
try {
Checkpoint-Computer -Description 'Before modifying WindowsApps' -ErrorAction 'Stop'
Write-Host 'Restore point created successfully!' -ForegroundColor 'Green'
} catch {
Write-Host "Error creating the restore point: $($_.Exception.Message)" -ForegroundColor 'Red'
$confirm = Read-Host 'Do you want to proceed with the procedure even with the restore point creation error? (Y/N)'
if ($confirm -ne 'Y') {
Write-Host 'Procedure canceled.' -ForegroundColor 'Red'
exit
}
}
--- End: Restore point ---
--- Start: Backup of original permissions and owner ---
Write-Host 'Backing up original permissions and owner…' -ForegroundColor 'Green'
$Owner = (Get-Acl $Folder).Owner
$Owner | Out-File 'C:\Backup-Owner.txt' -Encoding 'UTF8'
& icacls $Folder /Save C:\Backup-Permission.txt /T /C
Write-Host 'Backup completed at C:\Backup-Owner.txt and C:\Backup-Permission.txt' -ForegroundColor 'Green'
--- End: Backup ---
Ensure Administrators have control to allow icacls operations
Write-Host 'Temporarily taking ownership of the folder for Administrators…' -ForegroundColor 'Yellow'
& takeown /F $Folder /R /A /D Y
Grant full control to Administrators for all subsequent operations (including /Reset)
$SID = 'S-1-5-32-544' # SID for BUILTIN\Administrators
$Account = (New-Object System.Security.Principal.SecurityIdentifier($SID)).Translate([System.Security.Principal.NTAccount]).Value
Write-Host 'Granting full control to Administrators on the folder…' -ForegroundColor 'Yellow'
& icacls $Folder /Grant "$Account:(OI)(CI)(F)" /T /C
Force ACL reset, removing explicit permissions
This will disrupt UWP app permissions, forcing Windows to self-repair
Write-Host 'Resetting WindowsApps folder permissions to force system self-repair…' -ForegroundColor 'Yellow'
& icacls $Folder /Reset /T /C /Q
Temporarily grant full control to Administrators to assist in system self-repair
Windows should automatically revoke this permission when restoring default UWP app security
Write-Host 'Granting full control to Administrators on the folder…' -ForegroundColor 'Yellow'
& icacls $Folder /Grant "$Account:(OI)(CI)(F)" /T /C
Temporarily grant Everyone full control to trigger system reaction; this must be revoked later to avoid security risks
Windows should remove this permission when restoring the default security state. Evaluate in tests and revoke if the permission persists
Write-Host 'Granting full control to Everyone on the folder…' -ForegroundColor 'Yellow'
$SID = 'S-1-1-0' # SID for Everyone
$Account = (New-Object System.Security.Principal.SecurityIdentifier($SID)).Translate([System.Security.Principal.NTAccount]).Value
& icacls $Folder /Grant "$Account:(OI)(CI)(F)" /T /C
Display current permissions (they should now be inherited)
Write-Host 'Permissions after reset:' -ForegroundColor 'Cyan'
& icacls $Folder
Write-Host 'First phase completed. Backup files are at C:\Backup-Owner.txt and C:\Backup-Permission.txt.' -ForegroundColor 'Green'
Write-Host 'COPY THESE FILES TO A SAFE LOCATION NOW (e.g., USB drive)!' -ForegroundColor 'Red'
Testing and Validation
Reboot the computer (not in Safe Mode, but in normal Windows mode).
Log in as administrator.
Try opening UWP apps (such as Microsoft Edge, Store, Calculator, and others that were problematic).
Observe the behavior:
If the apps opened and worked, this suggests Windows detected and repaired the corrupted permissions (due to /Reset) and likely managed to self-repair them when attempting to launch them. This is a good sign.
If the apps still don’t work or fail differently, the issue may be deeper. Before resorting to more drastic measures (such as a system restore or Windows reinstallation), consider running system file checks like 'sfc /scannow' or examining Event Viewer logs for related errors. These steps can provide further diagnostic insights or resolve underlying corruption.
If the tests worked, repeat them with a standard user.
Reverting Changes (If Needed)
It’s important to note that, even after restoring ownership, Windows may, in future updates or system checks, reset the WindowsApps folder ownership back to NT SERVICE\TrustedInstaller (or NT AUTHORITY\SYSTEM for some subfolders). This is the default and expected behavior for UWP app security and integrity.
# Define the target folder
$Folder = 'C:\Program Files\WindowsApps'
Take ownership again for Administrators to ensure reverting
Write-Host 'Temporarily taking ownership for Administrators for reverting…' -ForegroundColor 'Yellow'
& takeown /F $Folder /R /A /D Y
Grant full control to Administrators (if takeown isn’t sufficient)
$SID = 'S-1-5-32-544' # SID for BUILTIN\Administrators
$Account = (New-Object System.Security.Principal.SecurityIdentifier($SID)).Translate([System.Security.Principal.NTAccount]).Value
Write-Host 'Granting full control to Administrators on the folder for reverting…' -ForegroundColor 'Yellow'
& icacls $Folder /Grant "$Account:(OI)(CI)(F)" /T /C
Restore permissions from backup
Write-Host 'Restoring folder permissions from backup…' -ForegroundColor 'Green'
& icacls $Folder /Restore C:\Backup-Permission.txt /C
Restore original owner
Write-Host 'Restoring the folder’s original owner…' -ForegroundColor 'Green'
$OriginalOwner = Get-Content 'C:\Backup-Owner.txt'
& icacls $Folder /SetOwner "$OriginalOwner" /T /C
Write-Host 'Reverting completed. Reboot the system to verify.' -ForegroundColor 'Green'
Post-Testing Evaluation
Now, if the tests were successful, two possible outcomes lie ahead:
Ideal (and expected): Windows’ self-repair worked. The system removed the broad permissions (Everyone:F and Administrators:F) that were temporarily granted, restoring default (secure and restricted) permissions for the WindowsApps folder. This is the most likely and desired scenario, ensuring system functionality and security.
Fallback scenario (less likely but crucial to check): Even after the procedure, the apps still don’t work correctly OR, although the apps work, the broad permissions (Everyone:F or Administrators:F) are still present in the WindowsApps folder. In this case, Windows’ self-repair was incomplete in terms of security (or didn’t occur). Maintaining overly broad permissions in this critical system folder can seriously compromise the environment’s security. I recommend performing Revoking Overly Permissive Permissions, which specifically addresses the removal of these persistent broad permissions.
I strongly suggest re-evaluating permissions in the C:\Program Files\WindowsApps folder after the procedure. If the fallback scenario occurred and broad permissions (especially Everyone:F and Administrators:F) persist, revocation is essential for long-term security and stability.
Revoking Overly Permissive Permissions (Optional)
# Define the target folder
$Folder = 'C:\Program Files\WindowsApps'
Revoke full control from Everyone
$SID = 'S-1-1-0' # SID for Everyone
$Account = (New-Object System.Security.Principal.SecurityIdentifier($SID)).Translate([System.Security.Principal.NTAccount]).Value
Write-Host 'Removing full control from the Everyone group…' -ForegroundColor 'Yellow'
& icacls $Folder /Remove "$Account" /T /C
Revoke full control from Administrators
$SID = 'S-1-5-32-544' # SID for BUILTIN\Administrators
$Account = (New-Object System.Security.Principal.SecurityIdentifier($SID)).Translate([System.Security.Principal.NTAccount]).Value
Write-Host 'Removing full control from the Administrators group…' -ForegroundColor 'Yellow'
& icacls $Folder /Remove "$Account" /T /C
