Cannot write on WindowsApps directories and restore files

0

In two words: I cannot restore the file SQLite3Wrapper.dll to its location

c:\Program Files\WindowsApps\Microsoft.BingWeather_4.8.239.0_x86__8wekyb3d8bbwe

The story behind it and what I have tried.

It all started when Comodo antivirus gave me a virus alert about SQLite3Wrapper.dll and asked me to place it in quarantine. I said OK, let's place it in quarantine and check it out. So far so good. After I double-checked that this was a false alarm, I asked Comodo to restore the file, and here was my first failure, because Windows 10 did not let it write the file back to its place. After that, all my attempts failed…

First I took ownership of the directory and gave full access to Administrator and myself. I also disabled all antivirus protection from Comodo and Windows.

  1. So after giving permission I tried to copy, but that also failed.
  2. I started Windows in safe mode, but it did not let me copy the file back.
  3. I started Windows in command mode, but it did not let me copy the file back.
  4. I started Windows with the latest version of MsDart, but this also did not let me copy the file. This is the strangest part, because MsDart supposedly runs over Windows and never had this issue on older versions of Windows.
  5. Then I tried to restore the file using an Acronis backup that I made some days ago. Acronis also failed to write to that directory. It did not ask to restore it on boot, because I cannot ask that from Acronis; Acronis did not recognize that it cannot write to that directory, so it is stuck there forever…
  6. I have tried to copy it with Explorer, with Total Commander and with a simple command prompt.
  7. Also, using Hyper-X and Windows 10, I made more tests and tried to copy a file to any of those directories, but failed.
  8. Also, checking the effective access, Windows says that I can write there, but something does not let me.

Some notes about my research

I am a programmer, I have given myself administrator privileges, and I have turned the User Account Control settings down to the minimum. I have also read and tried the answers from "How to get access to C:\Program Files\WindowsApps?" and "Where to find Windows Modern UI apps' source code?", and many other similar answers and notes on the internet, without finding a way to copy that file back to its place.

About the program itself

The program that is not working any more is "MSN Weather", which exists in the Microsoft Store. I used the command Get-AppxPackage *bingweather* | Remove-AppxPackage to remove it, then reinstalled it, but it was never actually removed from the system, so the files were never updated. I did that once, a second time with a reboot, a third time to double-check, and so on. The file is still missing from the directory and the program is still not working.

Debugging the copy process

I also used Process Monitor from Sysinternals to find out what is stopping it from copying that file and here is the stack:

"Frame","Module","Location","Address","Path"
"0","FLTMGR.SYS","FltDecodeParameters + 0x18e1","0xfffff801e5066d21","C:\WINDOWS\System32\drivers\FLTMGR.SYS"
"1","FLTMGR.SYS","FltDecodeParameters + 0x148c","0xfffff801e50668cc","C:\WINDOWS\System32\drivers\FLTMGR.SYS"
"2","FLTMGR.SYS","FltQueryInformationFile + 0x723","0xfffff801e50962c3","C:\WINDOWS\System32\drivers\FLTMGR.SYS"
"3","ntoskrnl.exe","ProbeForWrite + 0xc08","0xfffff803b7aa6d68","C:\WINDOWS\system32\ntoskrnl.exe"
"4","ntoskrnl.exe","NtQueryInformationFile + 0x1026","0xfffff803b7a9d6d6","C:\WINDOWS\system32\ntoskrnl.exe"
"5","ntoskrnl.exe","ObOpenObjectByNameEx + 0x1ec","0xfffff803b7a9c0dc","C:\WINDOWS\system32\ntoskrnl.exe"
"6","ntoskrnl.exe","ObOpenObjectByName + 0x488","0xfffff803b7a89b78","C:\WINDOWS\system32\ntoskrnl.exe"
"7","ntoskrnl.exe","NtCreateFile + 0x79","0xfffff803b7a896d9","C:\WINDOWS\system32\ntoskrnl.exe"
"8","ntoskrnl.exe","setjmpex + 0x3943","0xfffff803b77ddca3","C:\WINDOWS\system32\ntoskrnl.exe"
"9","ntdll.dll","NtCreateFile + 0x14","0x7ffbc09f5b24","C:\WINDOWS\SYSTEM32\ntdll.dll"
"10","guard64.dll","Exported + 0xd341","0x7ffbbcda6161","C:\Windows\system32\guard64.dll"
"11","<unknown>","0x7ffbc0da0052","0x7ffbc0da0052",""

My apologies for the long question

but I am frustrated; this is a first for me, not being able to take control of my computer and restore a file.
Of course this is not the only file that is not permitted to be created in these directories; nothing is allowed inside them.

So how can I take control of my computer? What have I missed here, what permission must I give, or what program must I stop so that I am able to restore that file?

Running icacls

C:\Program Files>icacls WindowsApps
WindowsApps NT SERVICE\TrustedInstaller:(F)
            NT SERVICE\TrustedInstaller:(CI)(IO)(F)
            S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(RX)
            S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(OI)(CI)(IO)(RX)
            NT AUTHORITY\SYSTEM:(RX,W)
            NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
            BUILTIN\Administrators:(RX)
            BUILTIN\Administrators:(OI)(CI)(IO)(RX)
            NT AUTHORITY\LOCAL SERVICE:(Rc,S,X,RA)
            NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(IO)(RX)
            NT AUTHORITY\NETWORK SERVICE:(Rc,S,X,RA)
            NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(IO)(RX)
            Aristos\MyNameHere:(OI)(CI)(F)
            Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

Successfully processed 1 files; Failed processing 0 files

and

C:\Program Files\WindowsApps>icacls Microsoft.BingWeather_4.8.239.0_x86__8wekyb3d8bbwe
Microsoft.BingWeather_4.8.239.0_x86__8wekyb3d8bbwe NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Aristos\MyName:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(CI)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(OI)(CI)(RX)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(RX)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(RX)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(RX)
NT AUTHORITY\NETWORK SERVICE:(I)(OI)(CI)(RX)
Aristos\MyName:(I)(OI)(CI)(F)
Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)
S-1-19-512-4096:(OI)(CI)(RX,D,WDAC,WO,WA)

Aristos

Posted 2016-02-12T17:36:56.337

Reputation: 442

Why the -1? I do not understand... – Aristos – 2016-02-12T19:52:44.653

Windows has changed, moving from 8 to 8.1 to 10. This question is about 10; the permission problem is not the same as in older questions... This is not a duplicate and needs your attention and your research. – Aristos – 2016-02-13T15:30:05.527
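
An added example (not part of the original post or its answers): a short Python parser for the second icacls listing above, which reports who the DACL allows to create files in the package directory and which entries icacls left as raw SIDs. The function names parse and summarize are this example's own; the listing is copied from the question.

```python
import re
# icacls listing for the package directory, copied from the question above.
PATH = "Microsoft.BingWeather_4.8.239.0_x86__8wekyb3d8bbwe"
LISTING = PATH + r""" NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Aristos\MyName:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(CI)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(OI)(CI)(RX)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(RX)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(RX)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(RX)
NT AUTHORITY\NETWORK SERVICE:(I)(OI)(CI)(RX)
Aristos\MyName:(I)(OI)(CI)(F)
Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)
S-1-19-512-4096:(OI)(CI)(RX,D,WDAC,WO,WA)"""

INHERIT = {"OI", "CI", "IO", "NP", "I"}   # inheritance flags printed by icacls
CREATE = {"F", "M", "W", "WD"}            # rights that include adding a file to a folder
ACE = re.compile(r"^(?P<who>.+?):(?P<groups>(\([^)]*\))+)$")
LABEL = "Mandatory Label\\"               # integrity label entry, not a DACL grant

def parse(listing, path):
    """Return (principal, inheritance flags, rights) for every entry."""
    aces = []
    for line in listing.splitlines():
        m = ACE.match(line.replace(path, "", 1).strip())
        if m:
            groups = re.findall(r"\(([^)]*)\)", m["groups"])
            flags = {g for g in groups if g in INHERIT}
            rights = {r for g in groups if g not in INHERIT for r in g.split(",")}
            aces.append((m["who"], flags, rights))
    return aces

def summarize(aces):
    """Who may create files in the folder itself, and which entries stayed raw SIDs."""
    dacl = [a for a in aces if not a[0].startswith(LABEL)]
    return {
        "can_create": sorted({w for w, f, r in dacl if "IO" not in f and r & CREATE}),
        "raw_sids": sorted({w for w, f, r in dacl if re.fullmatch(r"S-1(-\d+)+", w)}),
        "label": sorted({(w, ",".join(sorted(r))) for w, f, r in aces if w.startswith(LABEL)}),
    }

print(summarize(parse(LISTING, PATH)))
```

On the listing from the question it reports the asker's account and SYSTEM among the principals allowed to create files, in line with the effective-access check described above, and leaves S-1-19-512-4096 among the unresolved entries.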

Answers

1

Download PsExec (previous link) from Sysinternals, a Microsoft subsidiary. Open an administrative command prompt in the directory containing psexec.exe and type the following:

psexec -s -i cmd.exe

Wait a moment, and you'll be presented with a command prompt running as SYSTEM, which has effectively full access to the WindowsApps directory. Use that prompt to move the file to the correct location. When finished, you can close the prompt and the parent console as you would any other.

Ben N

Posted 2016-02-12T17:36:56.337

Reputation: 32 973

Nice idea, I just tried it but it failed... ("access is denied" message). – Aristos – 2016-02-12T18:35:11.500

Process Explorer shows that cmd.exe is running under my account... I am still checking it a little more – Aristos – 2016-02-12T18:37:00.523

@Aristos Are you sure you launched psexec from an administrative command prompt? That matters. – Ben N – 2016-02-12T18:59:00.330

Yes, I just did it one more time: opened cmd as administrator, did exactly as you say here, and access is still denied. Tried the same with a virtual machine also... – Aristos – 2016-02-12T19:54:58.447

@Aristos Interesting - it works for me on Windows 8.1. Could you do icacls WindowsApps when your SYSTEM prompt is in the Program Files directory and put the output in your question? – Ben N – 2016-02-12T20:01:34.730

This is Windows 10. I added both directories, because the problem is the inner directory; in the outer one I can copy it! – Aristos – 2016-02-12T20:39:49.227

Look at this last comment!!! http://superuser.com/a/889664/34248 I just saw that S-1-19-512-4096 in the last command and, looking on Google, I just found that answer...

– Aristos – 2016-02-12T20:43:00.110

Link is broken by fewer characters than is permitted in an edit, but psexec can be found at https://technet.microsoft.com/en-us/sysinternals/pxexec.aspx . Yes that really says 'pxexec.'

– Steve Howard – 2016-09-01T17:55:12.347

@SteveHoward Weird, it worked before. I updated the answer with the current link. Thanks for the note! – Ben N – 2016-09-01T18:06:08.293