Reset default ACLs for C:\Program Files\WindowsApps

7

5

I had to take ownership of the special folder C:\Program Files\WindowsApps to fix a problem with icons. The issue is now resolved, so I'd like to reset the permissions to the way they were before I took ownership of the folder.

I reverted NT SERVICE\TrustedInstaller to the owner and removed my account's permission entries: https://i.stack.imgur.com/wUQli.png

But I still have full control of the folder and can browse the folder in Explorer without getting the usual warning that I would have to take ownership: https://i.stack.imgur.com/Sb2Na.png

Is it possible to restore the default permissions of this folder?

Louis

Posted 2018-01-23T01:14:24.243

Reputation: 18 859

NT SERVICE\TrustedInstaller not TrustedInstaller – Ramhound – 2018-01-23T01:51:15.460

You failed to remove the Administrator user group. – Ramhound – 2018-01-23T02:33:59.560

Good catch @Ramhound, but after making the change I can still traverse. This must be due to Users (HOSTNAME\Users) having Read & Execute, which it had before I changed anything. I am getting the feeling that I can't get the out-the-box experience... which may be okay...? – Louis – 2018-01-24T00:41:39.323

Answers

6

Reset the permissions on this folder like this:

icacls "C:\Program Files\*" /q /c /t /reset

The options are:

/reset - Replaces ACLs with default inherited ACLs for all matching files.
/t     - Performs the operation on all specified files in the current
         directory and its subdirectories.

Kattee Lee

Posted 2018-01-23T01:14:24.243

Reputation: 511

Thanks, I'll try to adapt this to my needs. I don't think it should be run as-is for the problem in question. WindowsApps has a different set of permissions from Program Files. – Louis – 2018-01-24T00:45:45.133

5

I found this answer when searching Google, and it led me to a solution.

ISSUE: Windows apps (such as Mail and Calendar) will not open. Start Menu will not open. Can't right-click taskbar icons.

  • Microsoft Store reported issues updating these applications.
  • Uninstall/reinstall failed.
  • In-place Windows Upgrade ("repair") did not fix the issues.
  • Inspecting permissions on the "WindowsApps" directory showed corrupted permissions.
  • Error codes 0x80246013, 0x80070005

FIX: Run the reset ACLs command Kattee posted from a Windows Install USB boot disk, using the built-in command prompt for troubleshooting.

  1. Follow the instructions on this page to create Windows Installation Media: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media.
  2. Boot from the USB/CD
  3. When you reach the "Install" button, click "Repair my computer" in the bottom left instead.
  4. Select "Troubleshoot"
  5. Select "Command Prompt"
  6. Locate your system drive
    • The command prompt won't start on your system drive. It will be on "X:\" which is where the USB/CD is mounted
    • You will need to navigate to each drive letter and type "dir" to find the right one, starting with C:
    • Note that this command prompt doesn't use "cd" to change drives (only directories). Simply type the drive letter to switch to that drive (e.g. "D:\")
  7. Once you've located the correct drive letter, and switched to it, enter a slightly modified version of Kattee's command, using the drive letter you just found (mine was D:):
    • icacls "D:\Program Files\WindowsApps" /q /c /t /reset
  8. Wait for the operation to complete, and check the final output line for any failures.
  9. Reboot!

That's what got me working again. Everything is fine after rebooting. No apps even needed to be reinstalled. Everything "just works."

Hope this helps someone else!

neatchee

Posted 2018-01-23T01:14:24.243

Reputation: 51

This is the only solution that works for me. – yuxhuang – 2019-12-28T05:31:03.197

Note that this command prompt doesn't use "cd" to change drives (only directories). Simply type the drive letter to switch to that drive (e.g. "D:\"): You should be able to use the /D switch to do this. Ex: cd /D D:\Program Files\WindowsApps should put you in the correct folder on the "D" drive. – Arvo Bowen – 2020-01-24T04:14:21.117

To skip a few steps, at #3, instead, use Shift+F10 to open a command prompt. Then skip to #6. – Arvo Bowen – 2020-01-24T04:33:33.277

3

I did not have to use the recovery disk option mentioned previously. I just had to run it from the command prompt in administrator mode:

icacls "C:\Program Files\WindowsApps" /reset /t /c /q

Parameter description:

  • /reset Replaces ACLs with default inherited ACLs for all matching files.
  • /t Performs the operation on all specified files in the current directory and its subdirectories.
  • /c Continues the operation despite any file errors. Error messages will still be displayed.
  • /q Suppresses success messages.

Reference: icacls command reference

Note: I think I may have also restarted the computer like suggested, but I don't think that is required.

Keplerian

Posted 2018-01-23T01:14:24.243

Reputation: 31

I tried this, but got "Access is denied" for a number of entries. Successfully processed 3693 files; Failed processing 20879 files – Matty Brown – 2018-09-12T12:53:30.063

@Matty Brown: Does your administrator group have permission to read/write/open the directory? – Keplerian – 2018-09-12T22:45:40.857

I also got "Access is denied", but I fixed it: Right click WindowsApps > Properties > Security > Advanced > click Change in the upper Owner field > enter your user name > OK. This will give you permission to reset permissions back with the "icacls" command. – Stian Høiland – 2019-05-30T02:54:08.973

As others have pointed out, this cannot work unless you have already explicitly given Administrators (group) permissions to read/write or full access; the Administrators group is not given these by default on the latest update of Win 10 (not sure about previous versions). – Ryan – 2019-08-14T12:45:55.040

2

Resetting permissions works in most cases, but you need SYSTEM permissions to run the command.

Easiest solution is to use psexec (from sysinternals).

Open an elevated command prompt or PowerShell and run psexec to get a SYSTEM shell.

psexec.exe -s -i cmd

In that command prompt run the reset permission command

icacls "C:\Program Files\WindowsApps" /reset /t /c /q

JTE

Posted 2018-01-23T01:14:24.243

Reputation: 21

0

The following command will work in terms of fixing issues with WindowsApps not launching if that is your issue:

icacls "C:\Program Files\WindowsApps" /reset /t /c /q

The question however is how to "Reset default ACLs for C:\Program Files\WindowsApps" and there are two ways that I know of that actually reset permission to their defaults.

Option 1

Manually add the principals according to this image:

The Defaults for WindowsApps folder

Option 2

If you happen to have a backup of Windows before the change, use that to restore the Program files/WindowsApps folder. DO NOT overwrite existing folders/files; restore it somewhere else, then use the icacls commands:

  1. Open Command Prompt as Admin
  2. icacls "X:\PathToRestored\Program Files\WindowsApps" /save "X:\WhereToSave\WindowsApps.acl"
  3. icacls "%ProgramFiles%" /restore "X:\PathToSaved\WindowsApps.acl"
  4. icacls "%ProgramFiles%\WindowsApps" /setowner "NT Service\TrustedInstaller"

Blackkatt

Posted 2018-01-23T01:14:24.243

Reputation: 1
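
Before running any of the reset commands in the answers above, it helps to save the current ACLs and record the owner and entries, so the result can be compared afterwards or undone with icacls /restore. This is an added PowerShell example, not code from any of the posts; the backup directory and variable names are assumptions, and it has to run in the installed OS from a prompt that is allowed to read the folder.

```powershell
# Added example: snapshot and inspect the WindowsApps ACL before/after a reset.
# $BackupDir is a hypothetical location; change it to suit your system.
param(
    [string]$Target    = "$env:ProgramFiles\WindowsApps",
    [string]$BackupDir = "$env:SystemDrive\AclBackup"
)

# Owner the question says the folder had before ownership was taken.
$expectedOwner = 'NT SERVICE\TrustedInstaller'

# 1. Save the current ACLs for the whole tree.
#    To undo later, restore against the PARENT directory:
#    icacls "<parent of WindowsApps>" /restore <file>
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$aclFile = Join-Path $BackupDir "WindowsApps-$stamp.acl"
icacls $Target /save $aclFile /t /c /q
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls exited with code $LASTEXITCODE; check its output, the backup may be partial."
}

# 2. Report the owner of the folder itself and whether it matches.
$acl = Get-Acl -LiteralPath $Target
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
[pscustomobject]@{
    Path            = $Target
    Owner           = $acl.Owner
    OwnerAsExpected = ($acl.Owner -eq $expectedOwner)
    Backup          = $aclFile
} | Format-List

# 3. List the access entries. CurrentUser marks entries for the account
#    running the script, the kind left behind after taking ownership.
$acl.Access | ForEach-Object {
    [pscustomobject]@{
        Identity    = $_.IdentityReference.Value
        Type        = $_.AccessControlType
        Rights      = $_.FileSystemRights
        Inherited   = $_.IsInherited
        CurrentUser = ($_.IdentityReference.Value -eq $me)
    }
} | Format-Table -AutoSize

# 4. Full security descriptor in SDDL form, for a before/after text diff.
$acl.Sddl
```

Run it once before the reset and once after, then compare the two SDDL strings and the owner line.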