SYSK 277: How-To Bring Back the TrustedInstaller


Are you getting ‘Unable to save permission changes on file_name.  Access is denied.’ error messages trying to modify a file or change permissions on a file that has TrustedInstaller as its owner? 


 


I’ve seen suggestions on the Internet recommending taking ownership of that file…  Often, these suggestions are followed by a comment like this one: “Once you change the owner of the file, you can’t change it back! This is because the TrustedInstaller group doesn’t exist as a normal group.”


 


Well, this is simply not correct!  I’ll explain in a moment how to restore ownership to TrustedInstaller, but first, a word about the TrustedInstaller itself…


 


There are a few so-called “essential” resources (system files, folders, and registry keys) that are installed as part of Windows Vista. To prevent application and operating system failure, these resources are protected using Windows File Protection (WFP) in such a way that applications and users can’t modify them. This protection is implemented by setting an ACL on these resources that allows only the TrustedInstaller user to modify them. Not only is an Administrator (elevated or not) unable to modify them, but so is System…


 


Beware that setup applications trying to modify a protected system resource will not get the error above: the OS will detect that it’s an installation program, the request will be accepted and a success code returned, but the resource will not actually be modified!


 


For the record: I strongly suggest you don’t mess with the protected system resources! 


 


Having said that, if you have moved the ownership to yourself so you could give yourself permissions to modify the resource, and now want to reset it back to TrustedInstaller as the owner, simply follow these steps:



  • Right-click the file and choose Properties

  • Click Security tab

  • Click Advanced button

  • Click Owner tab

  • Click Edit button

  • Click Other User or Group and type in NT SERVICE\TrustedInstaller

  • Click OK on all dialogs until all property dialogs are closed
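
The same ownership reset can be scripted. The PowerShell below is an added example, not part of the original post: it assumes an elevated session and the built-in `icacls.exe`, and the function name and the path in the usage comment are hypothetical. Because the scenario above involves granting yourself permissions after taking ownership, it also lists explicit ACEs that remain on the file once the owner is restored.

```powershell
# Added example: reset a file's owner to NT SERVICE\TrustedInstaller and verify it.
# Run from an elevated PowerShell prompt.
function Restore-TrustedInstallerOwner {
    param(
        [Parameter(Mandatory)][string]$Path   # file whose ownership you previously took
    )

    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Resolve the account name to a SID so the comparison does not depend on name casing.
    $account = New-Object System.Security.Principal.NTAccount('NT SERVICE\TrustedInstaller')
    $tiSid   = $account.Translate($sidType).Value

    $before = (Get-Acl -LiteralPath $Path).GetOwner($sidType).Value
    if ($before -ne $tiSid) {
        # Command-line equivalent of the Owner tab steps in the Properties dialog.
        & icacls.exe $Path /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "icacls failed with exit code $LASTEXITCODE for $Path"
        }
    }

    # Re-read the security descriptor instead of trusting the exit code.
    $acl   = Get-Acl -LiteralPath $Path
    $after = $acl.GetOwner($sidType).Value
    if ($after -ne $tiSid) {
        throw "Owner of $Path is $after, expected $tiSid"
    }

    # Changing the owner does not remove permissions added while you owned the file.
    # Report explicit (non-inherited) Allow ACEs for anyone other than TrustedInstaller.
    $leftover = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -ne 'NT SERVICE\TrustedInstaller'
    }

    [pscustomobject]@{
        Path         = $Path
        OwnerSid     = $after
        ExplicitAces = $leftover | Select-Object IdentityReference, FileSystemRights
    }
}

# Usage (placeholder path):
# Restore-TrustedInstallerOwner -Path 'C:\path\to\file.dll' | Format-List
```

Compare the reported `ExplicitAces` with an untouched copy of the same file to decide which entries to remove.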

 


 


Comments (17)

  1. Reki says:

    How to add "NT SERVICE\TrustedInstaller" for some folder by calling win api, e.g. AllocateAndInitializeSid and SetNamedSecurityInfo?

  2. irenake says:

    Using Windows Explorer, right mouse click on folder or file, choose Properties context menu item, then click on Security tab…

  3. SHawn says:

    What if the installer is a remote source? How do I enable it to modify, say, a .dll file?

  4. David Colonia says:

    Your procedure needs to add "Restart"

  5. Kevin Daly says:

    Is TrustedInstaller using TrustedInstaller.exe as a wrapper or shell? I’m debugging the following event from Windows Update Vista 64.

    Faulting application TrustedInstaller.exe, version 6.0.6000.16386, time stamp 0x4549b6e9, faulting module wcp.dll, version 6.0.6000.16386, time stamp 0x4549d331, exception code 0x80000003, fault offset 0x0000000000187d75, process id 0xb14, application start time 0x01c7e76866e06be8.

  6. William says:

    I had a problem with the command

    NT SERVICE\TrustedInstaller on my Vista so wrote it like this instead.

    NT Service\TrustedInstaller

    After that it found it.

  7. Good Point says:

    In your post you write "The way this protection is implemented is by setting an ACL on these resources only to allow the TrustedInstaller user to modify them."

    In my experience, an application with backup/restore privileges can modify files regardless of their ACL/DACL.  But these files can’t be modified unless the owner of the file is changed to something other than TrustedInstaller.  How is this protection accomplished by WFP?

  8. Ratael says:

    Thank you a lot. I modified some files and I wanted all back exactly as it was before, thank you!!!

  9. Vista User says:

    Hi, I’m managing to repair my rundll32.exe in the system32 folder in the Windows folder. I tried to add the TrustedInstaller permission, because it doesn’t have it, but when I add the permission and press OK or Apply, it says "Unable to save permission change on rundll32, access is denied", but I activate the DISABLE UAC feature and reboot my computer (restart). Please give me an idea; I want to install Microsoft C++ 2005 to play Warcraft 3: Frozen Throne version 1.22a and play on Battle.net, but I can’t install the C++ because of it.

  10. Zephan says:

    Anyone know how to get TrustedInstaller to delete (or change ownership) of files that only TrustedInstaller has full rights for?

    For some crazy reason in 2006 I copied 1GB of system files to an external hard drive as part of a manual backup. These files are completely useless so I want to delete them… but as you might guess, I don’t have access even as member of the Administrator’s group. Thanks to article http://technet.microsoft.com/en-us/magazine/2007.06.acl.aspx I’ve looked through their ACLs and determined these files all have owner=TrustedInstaller and only TrustedInstaller has full rights. All other ACL entries (including local system and Administrators) only have read/write, so I can’t delete these files.

    Perhaps someone knows of a utility or steps that can either ignore NTFS ACLs for delete OR perhaps generate a manifest and trigger uninstall of specified target files.

  11. Chris Bering says:

    Open an elevated command prompt:

    takeown /F "G:\path\goes\here\*" /A /R /D Y

    Then grant yourself full privileges and delete away.

  12. David says:

    I tried this (Vista Home Premo). CL response was success but ownership was NOT changed.

  13. English Teacher says:

    Useless Americans, Why can you not use Real English?

  14. John says:

    I can't believe these forum comments to the effect that "No, no, no, children. You really ought not touch those files." I have a disk that was on another machine. It is full of totally worthless system files. I want to delete them but I cannot afford to format the drive just yet. I OUGHT TO BE ABLE TO DO THIS WITHOUT SPENDING HOURS SURFING THE NET AND ENDURING PATRONIZING LECTURES ABOUT WHAT FILES I REALLY OUGHT TO DELETE. Windows is the most expert-unfriendly operating system I have ever worked with and I loathe it with a white hot passion. These insufferable comments telling me it is too dangerous to contemplate doing something that UNIX, Linux and Mac programmers do all day every day are too annoying for words.

  15. Christopher Burke says:

    So use Linux to delete the files.  Boot up with Linux on a DVD, use it to find the files, delete them (Windows cannot stop you as it's not activated) then reboot into Windows.  Or simply boot into DOS (via safe mode if necessary) and delete the files by hand. Just in case people don't know this, the relevant commands then would be 'CD' to change into another directory in DOS, 'RD' to remove an EMPTY directory (you have to go into it, delete all the files inside it, come back out of it, THEN delete the empty directory with RD which stands for Remove Directory), DEL to delete a file and the very useful asterisk (*) wildcard.  So if you wanted to delete all the files with extension .FRD (I made that extension up!) you'd say DEL *.FRD and if you wanted to delete everything on a disk/partition/in a directory you could say DEL *.* – anything with any extension!

    All this permission guff only is relevant if Windows is actually active.  If you boot with a different operating system then you can do what you like.  Heck, if you download Hiren's Boot Disc (free, check which version is most useful to you as they all seem to have different things on) you can even boot up with Mini Windows which is like Linux (as it boots from a DVD/CD) only better (because it's Windows and Linux, for all it has its advocates, is the biggest pain EVER to use – online repositories, everything CLI, umpteen different desktops and versions…. AAGH!!)  If you've booted with Mini WINDOWS, you can then delete whatever you like as main Windows is still deactivated.  

    I know I'm gonna get a ton of naysayers to this but I've actually done all of the above when rescuing virused hard drives (mine!) in the past.  The above works – I used it to delete the actual viruses.  If Windows isn't active (main, not mini which doesn't count) then the viruses aren't active either. You can run a virus checker via mini-Windows (that makes it better than Linux as you can use Windows-based virus checkers of which there are many and good, Linux virus checkers are few and God-awful) and the viruses get found without even waking up.  

    Yours respectfully, Chris!

  16. Jose says:

    On Windows 7, after a power failure, I had to change trustedinstaller ownership from C: since it seemed to be blocking all installs, even Windows update installs. I have the feeling that "trustedinstaller" group has disappeared, indeed (since I have a HOME edition, I can't use msc.exe to play with user and group permissions). trustedinstaller had the ownership of the full harddrive.

    After fixing harddisk, I want to restore both the ownership and the group. How can I re-create the "trustedinstaller" group and add windows services to such group?

  17. KHal says:

    Now how to add/restore trustedinstaller user to the security list of a particular file?