Restoring 'TrustedInstaller' as owner for executable in Windows folder

5

2

After changing the ownership of executables in the Windows directory (explorer.exe, regedit.exe, etc.), I can't seem to change it back to TrustedInstaller using icacls.exe. Using the GUI method (Properties → Security → Advanced → Owner) works fine though.

Doing the same thing to any other file under Windows, that is not an executable, works fine. Tried the same under safe-mode, no luck.

These are the 2 basic commands I'm using:

takeown /F C:\Windows\explorer.exe /A
icacls C:\Windows\explorer.exe /setowner "NT SERVICE\TrustedInstaller"

Edit: Forgot to mention the error I'm receiving is 'Access denied'.

C:\Windows\System32>takeown /F c:\Windows\explorer.exe /A  
SUCCESS: The file (or folder): "c:\Windows\explorer.exe" now owned by the administrators group.

C:\Windows\System32>icacls c:\Windows\explorer.exe /setowner "NT SERVICE\TrustedInstaller"  
c:\Windows\explorer.exe: Access is denied.  
Successfully processed 0 files; Failed processing 1 files  

BarCo

Posted 2015-03-16T18:25:57.070

Reputation: 71

There are tools that claim they can solve problems like this. You say it doesn't work but don't elaborate.

– Ramhound – 2015-03-16T18:31:37.770

My bad, I'll try to be more clear. The action fails, claiming access denied. Sadly, installing external tools isn't an option. Portable tools like sysinternals or setAcl should be fine. – BarCo – 2015-03-16T21:37:24.450

Do you still regard this as an open question? If you consider it to be resolved, please post the solution (granting full permissions to the Administrators group) as an answer and remove it from the question. Then accept the answer. – G-Man Says 'Reinstate Monica' – 2017-07-10T16:03:46.037

@G-Man, done. Sorry for taking so long. – BarCo – 2017-09-11T15:36:28.547

Answers

2

The command works only after granting full permissions to the Administrators group, i.e.:

icacls c:\Windows\explorer.exe /grant Administrators:f  

Even granting 'Modify' doesn't seem to be enough for some reason.

BarCo

Posted 2015-03-16T18:25:57.070

Reputation: 71

All answers here do not work anymore if the original owner is TrustedInstaller. Tested on both takeown and icacls. Only direct editing through the context menu of the Windows Explorer has worked. Seems MS is step by step injecting its telemetry everywhere without an option to scriptingly disable it. – Andry – 2018-09-01T14:13:12.463

For example, such permissions cannot be easily retaken from C:\Windows\System32\CompatTelRunner.exe or something similar. – Andry – 2018-09-01T14:19:46.273

4

So the title says restoring TrustedInstaller.

Seems there is a missing part; removing the added Administrators group permissions.

takeown /F "C:\Windows\regedit.exe" /A
/F - file to become owner of
/A - means it will set the users group (i.e. Administrators, not userxyz)

icacls "C:\Windows\regedit.exe" /grant Administrators:F
/grant - will add permissions
:F - Full Control

icacls "C:\Windows\regedit.exe" /setowner "NT SERVICE\TrustedInstaller"
/setowner - new owner

icacls "C:\Windows\regedit.exe" /grant:r Administrators:RX
/grant:r - will set permissions (removing higher ones)
:RX - Read and Execute

Reference: https://ss64.com/nt/icacls.html

fritolays

Posted 2015-03-16T18:25:57.070

Reputation: 41

I’m not sure what you’re adding (what isn’t already in the question or the accepted answer). – Scott – 2018-05-09T22:22:43.700

He is restoring the rights for Administrators to the original ones. Remember that Administrators has been assigned full permissions before, which is clearly against Microsoft's intentions, so this should be reverted after the action has been done. Hence, I think his answer is valuable. – Binarus – 2019-09-13T08:57:07.823
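The four steps from the answer above, wrapped so that the temporary Full Control grant is always reverted and the resulting owner and ACL are checked afterwards. This is an added example, not code from any of the posters; the function names are hypothetical, and it assumes an elevated PowerShell prompt on an English-locale system where the account names below resolve.

```powershell
# Added example (not from the original thread). Run elevated.
# Assumption: English account names; function names are hypothetical.
$TI     = 'NT SERVICE\TrustedInstaller'
$Admins = 'BUILTIN\Administrators'

function Invoke-Step {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$Exe $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Report the owner and whether Administrators still hold Full Control.
function Test-SystemFileAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl  = Get-Acl -LiteralPath $Path
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $adminFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Admins -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    [pscustomobject]@{
        Path                    = $Path
        Owner                   = $acl.Owner
        OwnerIsTrustedInstaller = ($acl.Owner -eq $TI)
        AdminsHaveFullControl   = [bool]$adminFull
    }
}

function Restore-TrustedInstallerOwner {
    param([Parameter(Mandatory)][string]$Path)
    Invoke-Step takeown.exe @('/F', $Path, '/A')
    Invoke-Step icacls.exe  @($Path, '/grant', 'Administrators:F')
    try {
        Invoke-Step icacls.exe @($Path, '/setowner', $TI)
    }
    finally {
        # Drop the temporary Full Control even if /setowner failed.
        Invoke-Step icacls.exe @($Path, '/grant:r', 'Administrators:RX')
    }
    Test-SystemFileAcl -Path $Path
}

# Audit for leftovers from earlier ownership changes (third-party files may differ legitimately):
# Get-ChildItem C:\Windows -Filter *.exe | ForEach-Object { Test-SystemFileAcl $_.FullName } |
#     Where-Object { -not $_.OwnerIsTrustedInstaller -or $_.AdminsHaveFullControl }
```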

0

Works fine here (tested in Windows 7 64-bit).

Ensure you've started your command prompt in elevated mode (aka: "Run as administrator").

Ƭᴇcʜιᴇ007

Posted 2015-03-16T18:25:57.070

Reputation: 103 763

Only tried it on 32 bit, I'll test it on 64 shortly. Command prompt is indeed elevated, I even tried running it as 'NT Authority\System' using psexec. – BarCo – 2015-03-16T21:33:37.630

Did you modify the permissions for the Administrators after changing ownership? Also, what file did you try?

Side note, had the same behavior on win7-64bit. – BarCo – 2015-03-16T22:33:43.943