• if Administrators effective access rights excludes change permissions then:

    #2698174

    How can you change permissions?

    I am facing a strange issue when I install Windows 10, and I have tried it in all different ways; I end up with System and Administrators not having any rights on Windows and all its subfolders, including Windows\System32. This causes a lot of problems with services such as DNS Client and McpManagementService as well as others.

    You can’t change it through the Security tab on Properties either. If you try, there are no squares to tick, and even if they appear you can’t tick them. This appeared very strange to me, especially when you use the Advanced button: both System and Administrators have two entries: 1. Full control on the folder; 2. Full control on files and subfolders. The inheritance is set to None.

    I didn’t quite understand this. I tried icacls to reset permissions, but it failed. That was until I checked the effective access and noticed that while both accounts had quite a few rights, they fell short of full control, and one of the exclusions is the permission to change permissions.

    Now it made sense. I tried the third-party tool SetACL Studio, but it didn’t work and ended up corrupting the system. I guess I should have used Undo when there was an error, but then that would defeat the purpose.

    My guess is that this needs to change in the registry in a way that updates, and security updates especially, cannot change. Because as it stands the permissions are contradictory.

    BTW, Dell engineers have had a go, and someone on Microsoft tech support who suspected that I was misunderstanding things and that there were no problems asked me to send him the icacls output for the Windows\System32 folder and a sample file in that folder, which I did, but I didn’t hear anything back from him after 48 hours. The permissions were different from those on his Windows 11.

    • #2698176

      Have you tried a repair install?

       

      Susan Bradley Patch Lady/Prudent patcher

    • #2698177

      If repair worked, I wouldn’t reinstall it so many times. Repair is always the first thing one tries unless you find reinstalling of Windows enjoyable.

      There is a contradiction in the way the rights turn out.

      I suspect it is one of the updates and maybe a security update that causes this when it doesn’t get completed. Because when I run update troubleshooter there is always a problem detected but it cannot be corrected. Given the contradiction it causes it is no surprise that it cannot be corrected.

      You basically need an account that has more rights than the Administrator.

       

      I have heard that this is possible but I don’t know how to do it.

       

       

    • #2698184
      • #2698192

        If you mean the built-in Administrator then no, I am afraid that account has no more rights than the Administrators group in Windows (unlike Linux).

        I tried it and it didn’t work, which at the time I didn’t understand until I chose the built-in Administrator account in the Effective Access window. That account doesn’t have the right to change permissions on any of the system files. I haven’t checked every folder and file, but the important ones like Windows and Windows\System32.

        For example, McpManagementService outputs error 1500. It took me ages to find out why. In the end it turned out that neither the Administrator nor the System account has the right to access the MUI files.

        Some services should run under the local account, but if they can’t then they run under a user process ID, which are those numbers that are attached to the name of the service.

        In these cases they get started under the built-in Administrator account (which is a cheat anyway), but because in this case the Administrator doesn’t have enough rights, even that doesn’t work.

    • #2698190

      You basically need an account that has more rights than the Administrator.

      That would be the super admin acct:

      =============TOP Turn hidden admin acct on or off=============

      From an administrator’s CMD window, enter:

      =====================
      net user administrator /active:yes
      =====================

      To disable at any time, use the following command:
      ========================
      net user administrator /active:no
      ========================
      =============END Turn hidden admin acct on or off=============

      Enable the hidden super administrator account and restart your computer.  Enter the new super admin account.  Use File Explorer to navigate to your REGULAR user account.  I’ve done this many times without a permissions problem.  Your results may be different.

       

      Desktop mobo Asus TUF X299 Mark 1, CPU: Intel Core i7-7820X Skylake-X 8-Core 3.6 GHz, RAM: 32GB, GPU: Nvidia GTX 1050 Ti 4GB. Display: Four 27" 1080p screens 2 over 2 quad.
      • #2698195

        I am afraid that doesn’t work either. The built-in Administrator has no more rights than the Administrators group, as I explained in my previous response.

        Windows is not Linux. Not even the super administrator has complete control over everything. In fact, super administrator is a misnomer in the case of Windows. But I think you can make one. I just don’t know how. There must be a script that starts from a low level and bypasses all the controls.

        If anyone comes across it please let me know where I can download it from because that is the only way I see you can get out of this catch 22.

        • #2698200

          It is NORMAL for the Windows folder and the System32 folder to have security descriptors specifying the Owner as TrustedInstaller and not giving the Administrators group or SYSTEM the right to change permissions.

          For C:\Windows

          [screenshot: WindowsSec]

          Permissions for the Administrators group (this folder)

          [screenshot: WindowsAdmins]

          For C:\Windows\System32

          [screenshot: System32Sec]

          Permissions for the Administrators group (this folder)

          [screenshot: System32Admins]

          Regardless of the presence of inheritable permissions in a folder’s security descriptor in many cases there are sub-folders and files beneath the Windows folder that only contain explicit permissions and no inherited permissions from their parents.  Attempting to reset the security descriptors of Windows and its sub-folders manually is unlikely to produce results identical to those of a successful installation of windows.

          The 15100 error related to descriptive information for the McpManagementService is strictly related to a missing MUI dll from which those text strings should be obtained.

          [screenshot: Mcp1]

          This is a cosmetic problem.

          Furthermore, regardless of the inheritable permissions in the security descriptor for the language specific sub-folder of System32 that contains the MUI dlls those individual files only have security descriptors with explicit permissions that do not give Full Control to the Administrators group or SYSTEM.  Again, TrustedInstaller is the Owner and has Full Control.  This is another example of how inheritable permissions are NOT propagated by the system during installation.

           

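To see for yourself what the reply above describes (TrustedInstaller as owner, Administrators and SYSTEM without the right to change permissions, inheritance switched off, and files under the Windows tree that carry only explicit ACEs), here is an added read-only PowerShell script. It is not from the thread or from any of the posters; it assumes an elevated PowerShell 5.1 or later session on Windows 10, that $env:windir is the Windows folder, and it uses System32\en-US as an assumed example of a language-specific MUI sub-folder (it may not exist on a non-English install). It changes nothing.

```powershell
# Added example, not from the thread. Reads (never writes) security descriptors
# and shows, per ACE, whether the right to change permissions (WRITE_DAC) is
# present for "this folder" or only sits in an inherit-only ACE.
# Assumptions: elevated PowerShell 5.1+, $env:windir = Windows folder,
# 'System32\en-US' is an example MUI folder that may not exist on your install.

$accounts = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'NT SERVICE\TrustedInstaller')

function Test-ChangePermissions {
    # WRITE_DAC is 0x40000. An inherit-only ACE carrying GENERIC_ALL (0x10000000)
    # shows up in PowerShell as a bare number rather than 'FullControl', so it is
    # checked separately.
    param([System.Security.AccessControl.FileSystemRights]$Rights)
    $mask = [int]$Rights
    return ((($mask -band 0x40000) -ne 0) -or (($mask -band 0x10000000) -ne 0))
}

function Get-AceReport {
    # One row per ACE for the three accounts of interest on a single folder/file.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($accounts -notcontains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path          = $Path
            Owner         = $acl.Owner
            Protected     = $acl.AreAccessRulesProtected          # True = inheritance disabled
            Identity      = $rule.IdentityReference.Value
            Type          = $rule.AccessControlType
            Inherited     = $rule.IsInherited
            InheritOnly   = (([int]$rule.PropagationFlags -band 2) -ne 0)   # applies to children only
            AppliesTo     = $rule.InheritanceFlags
            Rights        = $rule.FileSystemRights
            CanChangeDacl = Test-ChangePermissions $rule.FileSystemRights
        }
    }
}

function Find-ExplicitOnlyFiles {
    # Files whose DACL contains no inherited ACE at all: the case the reply
    # describes, where the parent's inheritable ACEs were never propagated.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            if (@($acl.Access | Where-Object IsInherited).Count -eq 0) {
                [pscustomobject]@{
                    File  = $_.FullName
                    Owner = $acl.Owner
                    AdminsCanChangeDacl = [bool]($acl.Access | Where-Object {
                        $_.IdentityReference.Value -eq 'BUILTIN\Administrators' -and
                        (Test-ChangePermissions $_.FileSystemRights) })
                }
            }
        }
}

Get-AceReport -Path $env:windir | Format-Table -AutoSize
Get-AceReport -Path "$env:windir\System32" | Format-Table -AutoSize
Find-ExplicitOnlyFiles -Folder "$env:windir\System32\en-US" |
    Select-Object -First 20 | Format-Table -AutoSize
```

Read the CanChangeDacl column together with InheritOnly: on a default install the Administrators ACE that applies to the folder itself lacks WRITE_DAC, while the ACE that does carry it is inherit-only and so never applies to the folder, which is exactly the "Full control in Advanced, but not in Effective Access" picture the thread is puzzling over.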
    • #2698197

      Because when I run update troubleshooter there is always a problem detected but it cannot be corrected

      Can you run CMD – DISM commands (maybe in safe mode ?)

      What was the problem detected by the troubleshooter ?

    • #2698213

      In fact super administrator is misnomer in the case of Windows. But I think you can make one. I just don’t know how.

      Super Administrator is built-in and there is no need to create one.

    • #2698223

      In fact super administrator is misnomer in the case of Windows. But I think you can make one.

      The conventional wisdom is for an Administrator to take ownership of the target file/folders and then make the desired changes to security descriptors using the command line tools (i.e., takeown.exe, icacls.exe).

      I believe what you are looking for is a way to run a process with a token that contains the SIDs for the Administrators group and the TrustedInstaller group.  Assuming you already have access to an account that is a member of the Administrators group, it is possible to accomplish this with some low-level coding.

      However, even with the artificially created “super administrator” you would still face the issue of how to handle the multitude of folders/files whose security descriptors contain explicit permissions and where inheritable permissions are not propagated.  In my view this is a recipe for disaster and is not recommended.
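The "conventional wisdom" route the reply mentions (take ownership as an Administrator, change the descriptor, put things back) looks like this when wrapped so that the original DACL and the TrustedInstaller owner are restored afterwards. This is an added example, not code from the thread or from Microsoft; it assumes an elevated session, uses only documented takeown.exe and icacls.exe switches, and assumes (as icacls behaves on the author's systems) that icacls /save records names relative to the parent folder, so /restore is run against the parent. It does mutate ACLs: try it on a scratch copy first and keep the image backup the other replies insist on.

```powershell
# Added example, not from the thread: the takeown/icacls round trip with the
# DACL backed up first and ownership handed back afterwards.
# Assumptions: elevated PowerShell 5.1+; $Path and $Action are the caller's;
# icacls /save stores names relative to the parent folder (so /restore is run
# against the parent); /save does not record the owner, so it is read separately.

function Invoke-WithTemporaryOwnership {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][scriptblock]$Action   # runs while Administrators own $Path with Full Control
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Not found: $Path" }
    if (-not $PSCmdlet.ShouldProcess($Path, 'take ownership, run action, restore owner and DACL')) { return }

    $originalOwner = (Get-Acl -LiteralPath $Path).Owner      # normally NT SERVICE\TrustedInstaller
    $parent = Split-Path -LiteralPath $Path -Parent
    $backup = Join-Path $env:TEMP ('acl-backup-{0}.txt' -f [guid]::NewGuid())

    # 1. Save the current DACL so it can be put back exactly as it was.
    & icacls.exe $Path /save $backup /C | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed ($LASTEXITCODE)" }

    try {
        # 2. Take ownership for the Administrators group (/A relies on
        #    SeTakeOwnershipPrivilege, which an elevated admin token holds),
        #    then grant Full Control so the descriptor can be edited.
        & takeown.exe /F $Path /A | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed ($LASTEXITCODE)" }
        & icacls.exe $Path /grant 'BUILTIN\Administrators:F' /C | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed ($LASTEXITCODE)" }

        # 3. Do the actual work (replace a file, repair an ACE, ...).
        & $Action
    }
    finally {
        # 4. Restore the saved DACL (relative to the parent folder) and give the
        #    object back to its original owner.
        & icacls.exe $parent /restore $backup /C | Out-Null
        & icacls.exe $Path /setowner $originalOwner /C | Out-Null
        Remove-Item -LiteralPath $backup -ErrorAction SilentlyContinue
    }
}

# Usage (the path is an assumed example; verify on a scratch copy first):
# Invoke-WithTemporaryOwnership -Path "$env:windir\System32\en-US\example.dll.mui" `
#     -Action { Copy-Item -LiteralPath 'D:\repair\example.dll.mui' -Destination "$env:windir\System32\en-US" -Force }
```

The ConfirmImpact = 'High' setting means the function prompts before touching anything unless you pass -Confirm:$false, and the finally block runs even if the action throws, so a half-finished edit still ends with the original DACL and owner back in place.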

    • #2698300

      NirSoft’s AdvancedRun allows you to run programs with the Run As… option set for various different users, even including SYSTEM and TrustedInstaller, both of which have a “higher access level” than Administrators (even the super administrator).

      BTW, be absolutely sure you have a working image backup and an external means of restoring it (i.e. a rescue USB) before using it as either of those users because, with their level of access, you can “easily” mess things up to the point where your PC won’t boot up any more (BTDT!!)

      Also, because of how it works, a lot of anti-virus programs will generate a false alert when you download and use it.

      • #2698329

        The “higher access level” is simply a function of what permissions (inherited or explicit) are present in the DACL of a secured object.

        In my opinion  Microsoft’s use of TrustedInstaller as the owner of files/folders with Full Control while removing Full control from ACEs for SYSTEM and the Administrators group is simply Microsoft’s attempt to keep users from screwing things up. 🙂

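The point made in the reply above, that "higher access" is nothing more than what the DACL (and ownership) says, can be shown by walking a DACL the way NT does. The script below is an added example, not from the thread or from any poster. The SDDL string in it is a constructed approximation of the descriptor found on C:\Windows of a Windows 10 install (dump your own with (Get-Acl $env:windir).Sddl and substitute it); the token SID lists are simplified, and privileges such as SeTakeOwnershipPrivilege are deliberately left out. It runs offline anywhere PowerShell 5.1 or later is available and touches no files.

```powershell
# Added example, not from the thread: evaluates a DACL for several principals
# to show why Administrators and SYSTEM end up short of Full Control while
# TrustedInstaller (also the owner) has it. The SDDL is a constructed
# approximation of C:\Windows on Windows 10 (assumption); 0x1301bf is the
# "this folder" mask for SY/BA: read, write, execute, delete, but neither
# WRITE_DAC (0x40000) nor WRITE_OWNER (0x80000). The GA entries are inherit-only.

$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

$WindowsSddl = "O:${TrustedInstallerSid}G:${TrustedInstallerSid}D:PAI" +
    "(A;;FA;;;$TrustedInstallerSid)(A;CIIO;GA;;;$TrustedInstallerSid)" +
    '(A;;0x1301bf;;;SY)(A;OICIIO;GA;;;SY)' +
    '(A;;0x1301bf;;;BA)(A;OICIIO;GA;;;BA)' +
    '(A;;0x1200a9;;;BU)(A;OICIIO;GXGR;;;BU)'

$FILE_ALL_ACCESS = 0x1F01FF
$GenericMap = @{                                    # generic bit -> file-specific rights
    ([int64]0x10000000) = $FILE_ALL_ACCESS          # GENERIC_ALL
    ([int64]2147483648) = 0x120089                  # GENERIC_READ
    ([int64]0x40000000) = 0x120116                  # GENERIC_WRITE
    ([int64]0x20000000) = 0x1200A0                  # GENERIC_EXECUTE
}

function Convert-GenericMask {
    # Map GENERIC_* bits onto the concrete file rights, as the object manager does.
    param([int64]$Mask)
    $specific = $Mask -band 0x0FFFFFFF
    foreach ($bit in $GenericMap.Keys) {
        if (($Mask -band $bit) -ne 0) { $specific = $specific -bor $GenericMap[$bit] }
    }
    return $specific
}

function Get-EffectiveMask {
    # Simplified NT DACL walk: ACEs in order; an Allow grants the bits not already
    # denied, a Deny blocks the bits not already granted; inherit-only ACEs never
    # apply to the object itself. The owner implicitly gets READ_CONTROL|WRITE_DAC.
    # Privileges (e.g. SeTakeOwnershipPrivilege, which takeown.exe uses) are not modelled.
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][string[]]$TokenSids)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    [int64]$granted = 0
    [int64]$denied  = 0
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        if (([int]$ace.AceFlags -band 8) -ne 0) { continue }            # INHERIT_ONLY_ACE
        if ($TokenSids -notcontains $ace.SecurityIdentifier.Value) { continue }
        $mask = Convert-GenericMask ([int64]$ace.AccessMask -band [int64][uint32]::MaxValue)
        switch ($ace.AceQualifier.ToString()) {
            'AccessAllowed' { $granted = $granted -bor ($mask -band -bnot $denied) }
            'AccessDenied'  { $denied  = $denied  -bor ($mask -band -bnot $granted) }
        }
    }
    if ($sd.Owner -and ($TokenSids -contains $sd.Owner.Value)) { $granted = $granted -bor 0x60000 }
    return ($granted -band $FILE_ALL_ACCESS)
}

function Get-EffectiveAccessReport {
    param([Parameter(Mandatory)][string]$Sddl,
          [Parameter(Mandatory)][System.Collections.IDictionary]$Principals)
    foreach ($name in $Principals.Keys) {
        $mask = Get-EffectiveMask -Sddl $Sddl -TokenSids $Principals[$name]
        [pscustomobject]@{
            Principal         = $name
            EffectiveMask     = '0x{0:X}' -f $mask
            FullControl       = (($mask -band $FILE_ALL_ACCESS) -eq $FILE_ALL_ACCESS)
            Write             = (($mask -band 0x2) -ne 0)          # FILE_WRITE_DATA
            ChangePermissions = (($mask -band 0x40000) -ne 0)      # WRITE_DAC
            TakeOwnership     = (($mask -band 0x80000) -ne 0)      # WRITE_OWNER
        }
    }
}

# Simplified tokens (assumption): an admin's token also carries the Users SID.
$principals = [ordered]@{
    'Administrators'   = @('S-1-5-32-544', 'S-1-5-32-545')
    'SYSTEM'           = @('S-1-5-18')
    'Users'            = @('S-1-5-32-545')
    'TrustedInstaller' = @($TrustedInstallerSid)
}
Get-EffectiveAccessReport -Sddl $WindowsSddl -Principals $principals | Format-Table -AutoSize
```

Two things fall out of the walk. First, the inherit-only GA entries that the Advanced dialog summarises as "Full control" for "subfolders and files" contribute nothing to the folder's own effective access, which is why the Effective Access tab shows Administrators without "Change permissions". Second, swapping in a token that carries the TrustedInstaller SID (what the NirSoft tool or custom code does) changes the result only because that SID is in the DACL and is the owner, not because the account is special in any other way; adding an SeTakeOwnershipPrivilege check would explain why takeown.exe works for Administrators despite the missing WRITE_OWNER bit.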
      • #2698409

        Thanks,

        I think that is the ticket something that can run as TrustedInstaller.

        I had hoped that Dell would have something like it that they would use for repair but not release it to users in case Microsoft complains.

        There is nothing to back up. The last time I installed it, it was a minimal install and without Internet, hoping to stop updates causing the problem. But it still happens. It is as if there is a virus somewhere. Why didn’t it happen when I reinstalled Windows a few years ago on the same machine? The only difference is that it was an earlier version of Windows 10.

         

        • #2698481

          As an example, following shows result of turning a standard user into “Super Awesome Administrator” for a single process running cmd. The highly privileged token is displayed using Process Explorer.  Note that the account information for the user was not changed by this one process token transformation. This was done with my own code, not the Nirsoft utility.

          Console window –

          [screenshot: BozoReal]

          Process token –

          [screenshot: BozoAwesome]

          • #2698702

            Can you show me the AdvancedRun.cfg that you used?
            I did pretty much the same thing using PowerShell, and inside the PowerShell window ran it through AdvancedRun.cfg. Things look fine, but when I exit and go to check the changes in the Effective Access table, nothing has changed.
            I tried it with my own account and the built-in Administrator account.
            This is getting frustrating. Using CMD instead of PowerShell shouldn’t make a difference, should it?

            • #2698800

              As I said in my post, I created “Super Awesome Administrator” with my own code.  I did not use AdvancedRun by NirSoft.

            • #2698870

              Thanks for your response.

              I just want to return the file access to default by running icacls under an account that has enough access to do it.
              At the moment running it even on a subfolder of System32 returns access denied errors.
              My rationale tells me that if the files had their default access this shouldn’t happen, and then I have several services like McpManagementService returning errors, in this case 1500, associated with access to files not being adequate. This is the same with the DNS Client service.
              I had to trace individual files in this case and give them access one by one. I still keep having errors, and not knowing quite what access what account should have can lead to generating a new error. It is like going one step forward and two steps backward.

              I agree that such an account can be very dangerous. But why does Microsoft include a service like DNS Client that literally doesn’t do anything and is set to start automatically under Network Service? If they had provided a script that would at least automatically give its files the necessary permissions for it to work, then fine. But why include it as default when it cannot be used and it’s only taking processing power?

              Some of Microsoft’s decisions are frustrating. In the Home edition the built-in Administrator seems to have been deliberately hidden. I had to create two additional keys in the registry to get it to reappear as a login possibility.

              Then you can upgrade to the Pro version for free, but you can’t activate it unless you buy a license for it.

              There are times when drastic measures are required. Besides, I am not totally new to Windows. I am retired now, but at one time I was a certified SQL administrator and also used to manage and repair Exchange servers.

               

               

          • #2698873

            That is another thing: here is a screenshot of TrustedInstaller’s permissions. It only has listing access.

            Isn’t that strange? It is the same thing. In the Advanced table it has full access, but I can’t see what its effective access is because it is not one of the objects by that name.

            This is the same with System32. And yet on the file you can get Everyone to have full access on the file.

            This is what I mean. There is something odd going on.

            I am going to get rid of these user process services and hope something changes.
            By the way, why have these user-process-specific services, especially when there is a way to get rid of them?

            I am asking you since you seem to know Microsoft’s Windows inside out and Microsoft’s intentions more than most, and agree with them.

            And yet you created a super administrator account.

      • #2698699
        I don’t get it. I run PowerShell in AdvancedRun as TrustedInstaller. I check the identity with whoami, and inside the PowerShell I have full authority.
        Then I run icacls and grant the built-in Administrator full rights to Windows\System32\*.
        It runs fine and doesn’t return any errors.
        But when I check outside (from the Effective Access table), nothing has changed?
        What is going on?

        Best regards

         

        B. Kamali

    • #2698926

      That is another thing: here is a screen shot of TrustelInstallers permission. It only has listing access.

      There was no screenshot visible in your post.

      There are many individual permissions associated with file and folder access.  The Security tab user interface and the Advanced display present summaries.  For example, Read and Execute is not a single permission but represents a specific combination.  When the rights don’t meet the predetermined combinations for display, the “Special Permissions” category is checked.  If you had scrolled the display for the Windows and the System32 folders you probably would have seen this with respect to TrustedInstaller.  I don’t know why Windows does this instead of showing Full Control in the Security tab display.  It does the same thing for Administrators and SYSTEM.  I’ll speculate that this is related to the way that inheritance for these accounts is specified in the DACL.

      Windows folder

      [screenshot: TIWindows]

      System32 folder

      [screenshot: TISystem32]

      I have several services like McpManagerSrivce return errors in this case 1500 associated with access to files not being adequate.

      System error code 1500 means “The Event log file is corrupted”. If you really mean code 15100 as displayed by services.msc then this is a cosmetic error due to a missing file.  It is not an access denied problem.  I have seen it many times and it does not interfere with starting the McpManagementService.

      • #2699012

        Sorry. I forgot to attach it, but then I couldn’t edit it because it was waiting for the forum administrator to approve it.
        So, I made another post with only the screenshot attached.
        McpManagementService is not constant, though it was 1500 in the Event Log, and I don’t have it in another installation.

        I know about the Special permissions. I use Advanced and then the Effective Access tab, where you can interrogate individual access rights for any object that can have rights. This is the issue: just because something has rights in the Explorer properties, it doesn’t mean that it is not affected by the amalgamation of rights. Indeed, in the Advanced section Administrators have full access to the folder, and then repeated for the files and nested files of the child folders, but those are not the effective rights.

        You can’t inspect TrustedInstaller, though, because it is not part of the object categories in NT. So I couldn’t see the effective rights. I think this is why, when I used the NirSoft tool to run as TrustedInstaller, it didn’t work. So the tick on Special permissions was not saying anything to me at that stage.

        This time I ran as NT AUTHORITY and managed to change access. So, I managed to sort out all the problems, except for the 15100 in Services for McpManagementService; they are now gone from the Event Log.
        I still have user services running under svchost with their specific PIDs, but I am going to disable most of them.

        All of this started when I decided to use the DNS Client service as a reference point to set up a routing table to keep Wi-Fi devices routed back to the desktop when they return to Wi-Fi and are assigned a new IP from the DHCP server in the router.  For example, when you link WhatsApp to Windows, I noticed that it kept losing the link and I had to create new links while the old link was still there. Then I realized that the linking was relying on the IP, which had changed. This way, I can route the new device through its registration in the DNS, i.e. use a name rather than an address. I thought it would be straightforward.

        But Microsoft didn’t make it easy. I had to give network access to a lot of files and folders, including logs, to get it working.

        I am not quite sure what the DNS Client service does if you don’t configure it and give LMHOSTS and Hosts additional access. Why should it be installed by default and started by default? But then again, there are a lot of services that seem superfluous.

        Anyway,
        Thank you.
