Microsoft Windows Vista Community Forums - Vistaheads
Recommended Download



Welcome to the Microsoft Windows Vista Community Forums - Vistaheads, YOUR Largest Resource for Windows Vista related information.

You are currently viewing our boards as a guest which gives you limited access to view most discussions and access our other features. By joining our free community you will have access to post topics, communicate privately with other members (PM), respond to polls, upload content and access many other special features. Registration is fast, simple and absolutely free so , join our community today!

If you have any problems with the registration process or your account login, please contact us.

Driver Scanner

Pseudo-Admin can't set System32 ACLs?

microsoft.public.windows.vista.security






Speedup My PC
Reply
  #1 (permalink)  
Old 12-16-2006
Gerry Hickman
 

Posts: n/a
Pseudo-Admin can't set System32 ACLs?
Hi,

I have stand-alone clean install of Vista Business 32bit, all on
defaults, UAC is enabled.

I need to rename a file in System32 (long story), but my Pseudo-Admin
account only has read access, and it seems impossible to adjust the
permissions even after accepting the UAC prompt.

--
Gerry Hickman (London UK)
Reply With Quote
Sponsored Links
  #2 (permalink)  
Old 12-18-2006
Jimmy Brush
 

Posts: n/a
Re: Pseudo-Admin can't set System32 ACLs?
Hello,

This is one way that Windows protects its core operating system components
from being modified (system file protection). Generally, the core Windows OS
files should only be updated during a service pack install, so by default
the permissions on the files are set such that this is the ONLY way they can
be updated.

However, as an administrator you can (of course) give yourself permission to
have read/write access to these files.

1) Take ownership of the file

- Right click file, click properties
- Click Security Tab
- Click Advanced
- Click Owner Tab
- Click Edit
- Click Administrators group
- Click OK
- Click OK to the message
- Click OK twice more to close out all properties dialogs

Now that you are the owner of the file, you can change the permissions on
the file even though you do not have explicit permission to do so. However,
you still can't modify that file - you have to give yourself that
permission.

2) Change the permissions

- Right click file, click properties
- Click Security Tab
- Click Edit tab
- Click Administrators group
- Click Full Control (or however much permission you need)
- Click OK to the message
- Click OK
- Click OK

Once you have modified the file to give yourself more permissions, it is
good practice to remove those permissions so that the administrative
programs that you run do not have access to those files (since they don't
need this access).


--
- JB

Windows Vista Support Faq
http://www.jimmah.com/vista/

Reply With Quote
  #3 (permalink)  
Old 12-19-2006
Gerry Hickman
 

Posts: n/a
Re: Pseudo-Admin can't set System32 ACLs?
Hi Jimmy,

Ok, the real question is therefore about ownership. It would appear
there's a similar issue with "Program Files" and probably some others.

It would seem huge numbers of files are not fully accessible to the
genuine Administrator of the computer. They are owned by "Trusted
Installer" and I'm guessing you can't log in as that.

On my SERVERS, every file has full access by the Administrators group,
but not the Adminitrator account (unless it's a member which is usually
is). During server migrations I've had to use CACLS against EVERY file
on a big server. In client disaster recovery scenarios I've had to
replace things like ntoskrnl when it was corrupt. In longhorn, the
ownership will probably be like Vista.

On CLIENTS I guess it's not so important, you just FDISK and start
again, but I don't like the look of this. I think it could be used
against the legal owner of the machine.

Jimmy Brush wrote:
> Hello,
>
> This is one way that Windows protects its core operating system
> components from being modified (system file protection). Generally, the
> core Windows OS files should only be updated during a service pack
> install, so by default the permissions on the files are set such that
> this is the ONLY way they can be updated.
>
> However, as an administrator you can (of course) give yourself
> permission to have read/write access to these files.
>
> 1) Take ownership of the file
>
> - Right click file, click properties
> - Click Security Tab
> - Click Advanced
> - Click Owner Tab
> - Click Edit
> - Click Administrators group
> - Click OK
> - Click OK to the message
> - Click OK twice more to close out all properties dialogs
>
> Now that you are the owner of the file, you can change the permissions
> on the file even though you do not have explicit permission to do so.
> However, you still can't modify that file - you have to give yourself
> that permission.
>
> 2) Change the permissions
>
> - Right click file, click properties
> - Click Security Tab
> - Click Edit tab
> - Click Administrators group
> - Click Full Control (or however much permission you need)
> - Click OK to the message
> - Click OK
> - Click OK
>
> Once you have modified the file to give yourself more permissions, it is
> good practice to remove those permissions so that the administrative
> programs that you run do not have access to those files (since they
> don't need this access).
>
>



--
Gerry Hickman (London UK)
Reply With Quote
  #4 (permalink)  
Old 12-21-2006
=?Utf-8?B?SmltbXkgQnJ1c2g=?=
 

Posts: n/a
Re: Pseudo-Admin can't set System32 ACLs?
> It would seem huge numbers of files are not fully accessible to the
> genuine Administrator of the computer. They are owned by "Trusted
> Installer" and I'm guessing you can't log in as that.


TrustedInstaller is a service. And you are correct, you can't log in as that.

> On my SERVERS, every file has full access by the Administrators group,
> but not the Adminitrator account (unless it's a member which is usually
> is). During server migrations I've had to use CACLS against EVERY file
> on a big server. In client disaster recovery scenarios I've had to
> replace things like ntoskrnl when it was corrupt. In longhorn, the
> ownership will probably be like Vista.


There is nothing stoping you for performing these tasks on Vista. It just
takes an extra step (you have to take ownership and then change permissions).

> On CLIENTS I guess it's not so important, you just FDISK and start
> again, but I don't like the look of this. I think it could be used
> against the legal owner of the machine.


I don't see how, since you can still access those files.

- JB
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Accessing Admin Shares =?Utf-8?B?U2Vhbg==?= microsoft.public.windows.vista.networking sharing 2 02-07-2007 21:26




All times are GMT +1. The time now is 06:19.




Driver Scanner - Free Scan Now

Vistaheads.com is part of the Heads Network. See also XPHeads.com , Win7Heads.com and Win8Heads.com.


Design by Vjacheslav Trushkin for phpBBStyles.com.
Powered by vBulletin® Version 3.6.7
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.6.0 RC 2

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120