What is the Safest way to Delete "Trusted Installer" files and folders? Win7

1

There are many tutorials on wasting the permissions, or taking over permissions, and even removing permission for the "trusted installer"; most of the tutorials can have serious ramifications.

If a person wants to remove a single file or folder item that is presently owned by the "trusted installer", and at the same time the person does not wish to make changes beyond removal of that item.

If a person would want to do that in 1 click instead of 10, that is, done within the GUI of the OS, not the command prompt, if the person was Admin. Booting into a Unix/Linux operating system is not 1 click :-) No Linux operating system exists in the scenario.

What have you found to be the quickest way to remove a "trusted installer" permissioned item, without making changes beyond that, that have ramifications beyond the removal of the item?

It is understood that the removal of the item itself is not deemed to be "safe" or that its removal does not have ramifications. That is not the question.

Example item for reference and testing: This folder C:\Windows\System32\zh-CN

Psycogeek

Posted 2011-09-28T23:03:58.160

Reputation: 8 067

No easy way, command line may be a solution as there are few clicks. – Moab – 2011-09-28T23:27:52.623

So a batch in the sendto? That would still be 1 (right) click? With a batch at least I KNOW what is occurring exactly. I have found unlocker and takeownership, would they be safe things? – Psycogeek – 2011-09-28T23:37:08.397

Don't forget that the vast majority of T.I.-owned files are hardlinked from multiple locations, and deleting one hardlink will not delete the file. Additionally, System Resource Protection mechanisms may restore the missing system file. – kreemoweet – 2013-12-14T00:40:42.777

Answers

3

I found a custom "Take Ownership" you can install. This is for XP but should work for W7 also. You might set a manual restore point before applying this change.

The Context Menu entry "Take Ownership" is actually three separate commands. It first opens a Command Prompt window using cmd.exe, then runs takeown.exe to take ownership of the item you click on, and if it's a folder, takes ownership of the files and subfolders as well. If that is successful (and only if it is successful), it then runs icacls.exe to grant the Administrators Group Full Control permission, also done recursively if it's a folder.

If takeown.exe fails you don't want to run icacls.exe as it will likely fail as well, but in some rare cases takeown.exe may return an error even if it succeeded, so icacls.exe never runs, and the permissions never get applied.

Plus, the way it is configured depends on the system PATH variable to be able to find cmd.exe, takeown.exe, and icacls.exe; if any of those can't be found, it will fail, but the user may have no indication that it didn't work. And the .exe extension is not specified on takeown or icacls, so malware could easily replace those commands with a batch script file located in another folder found earlier on the path, and could trick a user into clicking OK on a UAC prompt that will run malware instead of the Take Ownership option they think they are running.

I found a better version 2 that specifies the complete path to the file using the Systemroot variable, and uses the full file name including the extension.

Open an empty text file, copy the text below into it, save it, change the file extension to .reg, then right-click on it and select Merge.

Windows Registry Editor Version 5.00

; Label for the verb in the context menu. NoWorkingDirectory keeps Explorer from
; switching cmd.exe into the clicked item's folder before the command runs.
[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

; hex(2) is REG_EXPAND_SZ: UTF-16LE text, NUL-terminated, so %SystemRoot% is
; expanded when the verb runs. Decoded, the value is:
;   %SystemRoot%\System32\cmd.exe /c %SystemRoot%\System32\takeown.exe /f "%1" && %SystemRoot%\System32\icacls.exe "%1" /grant administrators:F
; Note the space after /c (20,00) and none after the last backslash of the
; takeown.exe path; a misplaced space there is enough for the verb to do nothing.
[HKEY_CLASSES_ROOT\*\shell\runas\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6d,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,63,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,61,00,6b,00,65,00,6f,00,77,00,6e,00,2e,00,65,00,78,00,65,00,20,00,\
  2f,00,66,00,20,00,22,00,25,00,31,00,22,00,20,00,26,00,26,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,63,00,61,00,63,00,6c,00,73,00,2e,00,65,00,78,00,65,00,20,00,\
  22,00,25,00,31,00,22,00,20,00,2f,00,67,00,72,00,61,00,6e,00,74,00,20,00,\
  61,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,73,00,\
  3a,00,46,00,00,00
"IsolatedCommand"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6d,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,63,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,61,00,6b,00,65,00,6f,00,77,00,6e,00,2e,00,65,00,78,00,65,00,20,00,\
  2f,00,66,00,20,00,22,00,25,00,31,00,22,00,20,00,26,00,26,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,63,00,61,00,63,00,6c,00,73,00,2e,00,65,00,78,00,65,00,20,00,\
  22,00,25,00,31,00,22,00,20,00,2f,00,67,00,72,00,61,00,6e,00,74,00,20,00,\
  61,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,73,00,\
  3a,00,46,00,00,00

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

; Folder version: takeown /r /d y and icacls /t make both steps recursive. Decoded:
;   %SystemRoot%\System32\cmd.exe /c %SystemRoot%\System32\takeown.exe /f "%1" /r /d y && %SystemRoot%\System32\icacls.exe "%1" /grant administrators:F /t
[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6d,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,63,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,61,00,6b,00,65,00,6f,00,77,00,6e,00,2e,00,65,00,78,00,65,00,20,00,\
  2f,00,66,00,20,00,22,00,25,00,31,00,22,00,20,00,2f,00,72,00,20,00,2f,00,64,00,20,00,79,00,20,00,26,00,26,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,63,00,61,00,63,00,6c,00,73,00,2e,00,65,00,78,00,65,00,20,00,\
  22,00,25,00,31,00,22,00,20,00,2f,00,67,00,72,00,61,00,6e,00,74,00,20,00,\
  61,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,73,00,\
  3a,00,46,00,20,00,2f,00,74,00,00,00
"IsolatedCommand"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  63,00,6d,00,64,00,2e,00,65,00,78,00,65,00,20,00,2f,00,63,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  74,00,61,00,6b,00,65,00,6f,00,77,00,6e,00,2e,00,65,00,78,00,65,00,20,00,\
  2f,00,66,00,20,00,22,00,25,00,31,00,22,00,20,00,2f,00,72,00,20,00,2f,00,64,00,20,00,79,00,20,00,26,00,26,00,20,00,\
  25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,00,\
  5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  69,00,63,00,61,00,63,00,6c,00,73,00,2e,00,65,00,78,00,65,00,20,00,\
  22,00,25,00,31,00,22,00,20,00,2f,00,67,00,72,00,61,00,6e,00,74,00,20,00,\
  61,00,64,00,6d,00,69,00,6e,00,69,00,73,00,74,00,72,00,61,00,74,00,6f,00,72,00,73,00,\
  3a,00,46,00,20,00,2f,00,74,00,00,00

Source of Information

Moab

Posted 2011-09-28T23:03:58.160

Reputation: 54 203

ok i will check it out, after my next full image backup of the system. – Psycogeek – 2011-09-29T01:26:25.300

I have contacted the Author to verify it works for W7, hopefully will hear from them this week. – Moab – 2011-09-29T01:34:25.677

I tested what you have posted there ^ it didn't work? I used it just to test if it could be used in its present form. Maybe I should have saved it as Unicode or something? I removed that, and entered what was at the SOURCE, and it is working. – Psycogeek – 2011-10-02T15:10:49.487

Hex to texted it, and it looks like the same thing, so I saved as Unicode, tried again, and it puts some stuff in, but still seems to be missing something ?? – Psycogeek – 2011-10-02T15:28:27.023
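The comments above come down to one question: what does a hex(2) blob in a .reg file actually say once decoded? The following is an added example, not code from the answer or from its source: PowerShell helpers that decode a hex(2) (REG_EXPAND_SZ) value back to text, encode a command string into the continuation-line form regedit expects, and lint the decoded command for the problems the answer describes (tools resolved through PATH, no .exe extension) and for the two spacing slips that stop the verb from working (no space after /c, a space after a backslash). Function names and the sample command strings are this example's own.

```powershell
# Added example, not part of the original answer. Function names are assumptions.

function ConvertFrom-RegHex2 {
    # "25,00,53,00,..." (with or without the hex(2): prefix and "\" continuations)
    # back to the text a REG_EXPAND_SZ value holds: UTF-16LE, NUL-terminated.
    param([Parameter(Mandatory=$true)][string]$HexText)
    $clean = ($HexText -replace '^\s*hex\(2\):', '') -replace '[\\\s]', ''
    $bytes = [byte[]]($clean -split ',' | Where-Object { $_ -ne '' } |
        ForEach-Object { [Convert]::ToByte($_, 16) })
    [System.Text.Encoding]::Unicode.GetString($bytes).TrimEnd([char]0)
}

function ConvertTo-RegHex2 {
    # Text to a .reg value body, "hex(2):xx,00,...", with the NUL terminator and
    # the trailing "\" plus two-space indent regedit uses for continuation lines.
    param([Parameter(Mandatory=$true)][string]$Text, [int]$PerLine = 24)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) + [byte[]](0, 0)
    $pairs = @($bytes | ForEach-Object { $_.ToString('x2') })
    $lines = @()
    for ($i = 0; $i -lt $pairs.Count; $i += $PerLine) {
        $end = [Math]::Min($i + $PerLine, $pairs.Count) - 1
        $lines += ($pairs[$i..$end] -join ',')
    }
    'hex(2):' + ($lines -join ",\`r`n  ")
}

function Test-VerbCommand {
    # Returns one line per problem found in a decoded verb command; nothing if clean.
    param([Parameter(Mandatory=$true)][string]$Command)
    $problems = @()
    if ($Command -match '/c\S')  { $problems += 'space missing after cmd.exe /c' }
    if ($Command -match '\\ ')   { $problems += 'a space after a backslash splits the path' }
    if ($Command -match '(^|\s)(takeown|icacls)(\.exe)?(\s|$)') {
        $problems += 'takeown/icacls resolved through PATH (no full path)'
    }
    if ($Command -match '(takeown|icacls)(\s|$)') {
        $problems += 'takeown/icacls without .exe (PATHEXT lookup, a .bat would do)'
    }
    $problems
}

# Constructed sample: the file verb the .reg file is meant to install.
$cmd = '%SystemRoot%\System32\cmd.exe /c %SystemRoot%\System32\takeown.exe /f "%1" && %SystemRoot%\System32\icacls.exe "%1" /grant administrators:F'
$hex = ConvertTo-RegHex2 $cmd
$hex                                   # paste after @= and "IsolatedCommand"= in the .reg file
(ConvertFrom-RegHex2 $hex) -eq $cmd    # True: the encoding round-trips
Test-VerbCommand $cmd                  # no output: full paths, .exe, spacing all fine

# The bare-name form the answer warns about: two findings (PATH, no .exe).
Test-VerbCommand 'cmd.exe /c takeown /f "%1" && icacls "%1" /grant administrators:F'

# A hand-edited blob with the space on the wrong side of /c and a space after the
# last backslash: three findings, and cmd.exe would look for "takeown.exe" on PATH.
Test-VerbCommand '%SystemRoot%\System32\cmd.exe /c%SystemRoot%\System32\ takeown.exe /f "%1"'
```

Decoding a value before merging it is the check that would have shortened the comment thread above: a .reg file that merges without complaint can still install a command cmd.exe cannot run, and the verb then fails silently when clicked.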

2

A few years too late, but here is a working example of the Take Ownership command; I have included the multi-lingual-safe Well Known SID (S-1-5-32-544) of the Administrators group to prevent failure of the icacls command on non-English locales.

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\*\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant *S-1-5-32-544:F"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" && icacls \"%1\" /grant *S-1-5-32-544:F"

[HKEY_CLASSES_ROOT\Directory\shell\runas]
@="Take Ownership"
"NoWorkingDirectory"=""

[HKEY_CLASSES_ROOT\Directory\shell\runas\command]
@="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant *S-1-5-32-544:F /t"
"IsolatedCommand"="cmd.exe /c takeown /f \"%1\" /r /d y && icacls \"%1\" /grant *S-1-5-32-544:F /t" 

Knuckle-Dragger

Posted 2011-09-28T23:03:58.160

Reputation: 1 817
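The two answers above agree on the sequence (takeown.exe, then icacls.exe only if takeown succeeded) and differ on details worth keeping from each: the first insists on full paths and .exe names so nothing is resolved through PATH, the second grants by well-known SID so the icacls step does not break on non-English locales. The following is an added example, not code from either answer, that performs that sequence for exactly one item from an elevated PowerShell and also acts on kreemoweet's comment by listing other hard links to a file before touching it. It assumes Windows 7 with takeown.exe, icacls.exe and fsutil.exe in %SystemRoot%\System32 and an elevated session; the function name and the -Delete switch are this example's own.

```powershell
# Added example, not code from either answer above. Assumes an elevated
# PowerShell on Windows 7; function name and parameters are this example's own.
function Remove-TrustedInstallerItem {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [switch]$Delete   # without -Delete only ownership and permissions change
    )

    # Full paths to the tools: nothing is resolved through PATH or PATHEXT,
    # which is the weakness of the bare "takeown" / "icacls" verb commands.
    $takeown = Join-Path $env:SystemRoot 'System32\takeown.exe'
    $icacls  = Join-Path $env:SystemRoot 'System32\icacls.exe'
    $fsutil  = Join-Path $env:SystemRoot 'System32\fsutil.exe'

    # Well-known SID of BUILTIN\Administrators; icacls accepts *SID in any
    # locale, unlike the English group name "administrators".
    $adminsSid = 'S-1-5-32-544'

    $item  = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
    $isDir = $item.PSIsContainer
    Write-Host ('Owner before: ' + (Get-Acl -LiteralPath $Path).Owner)

    # Hard links: deleting one name of a multiply-linked file removes only that
    # name and the data stays reachable under the others, so report them first.
    if (-not $isDir) {
        $links = & $fsutil hardlink list $Path 2>&1
        if ($LASTEXITCODE -eq 0 -and @($links).Count -gt 1) {
            Write-Warning ("Other hard links to this file:`n" + ($links -join "`n"))
        }
    }

    # 1. Take ownership, recursively for a folder. Stop on a non-zero exit code
    #    instead of running icacls against something we still do not own.
    $argList = @('/f', $Path)
    if ($isDir) { $argList += '/r', '/d', 'y' }
    & $takeown @argList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "takeown.exe failed (exit code $LASTEXITCODE)" }

    # 2. Grant Administrators full control, recursively for a folder.
    $argList = @($Path, '/grant', ('*' + $adminsSid + ':F'))
    if ($isDir) { $argList += '/t' }
    & $icacls @argList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls.exe failed (exit code $LASTEXITCODE)" }

    Write-Host ('Owner after:  ' + (Get-Acl -LiteralPath $Path).Owner)

    # 3. Only now remove the item itself; nothing outside $Path was touched.
    if ($Delete) { Remove-Item -LiteralPath $Path -Recurse -Force }
}

# Usage, from an elevated PowerShell, on the question's test folder:
# Remove-TrustedInstallerItem -Path 'C:\Windows\System32\zh-CN' -Delete
```

Run without -Delete first to see the before/after owner and any hard-link warning, then with it. What this does not change is the caveat from the comments: a file under Windows Resource Protection may be put back by the system afterwards, and the script makes no attempt to prevent that.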