Поделиться через


SYSK 277: How-To Bring Back the TrustedInstaller

Are you getting ‘Unable to save permission changes on file_name. Access is denied.’ error messages trying to modify a file or change permissions on a file that has TrustedInstaller as its owner?

 

I’ve seen suggestions on the Internet recommending taking ownership on that file… Often, these types of suggestions are followed by a comment like this one: “Once you change the owner of the file, you can’t change it back! This is because the TrustedIstaller group doesn’t exist as a normal group.”

 

Well, this is simply not correct! I’ll explain in a moment how to restore ownership to TrustedInstaller, but first, a word about the TrustedInstaller itself…

 

There are a few so called “essential” resources (system files, folders, and registry keys) that are installed as part of Windows Vista. To prevent application and operating system failure, these resources are protected using Windows File Protection (WFP) in such way that applications or users don’t modify these resources. The way this protection is implemented is by setting an ACL on these resources only to allow the TrustedInstaller user to modify them. Not only Administrator (elevated or not) cannot modify them, but neither can the System…

 

Beware, that setup applications trying to modify a protected system resource will not get an error above -- the OS will detect that it’s an installation program, the request will be accepted and success code returned, but the resource will actually not be modified!

 

For the record: I strongly suggest you don’t mess with the protected system resources!

 

Having said that, if you have moved the ownership to yourself so you could give yourself permissions to modify the resource, and now want to reset it back to TrustedInstaller as the owner, simply follow these steps:

  • Right mouse button click on the file and choose Properties
  • Click Security tab
  • Click Advanced button
  • Click Owner tab
  • Click Edit button
  • Click Other User or Group and type in NT SERVICE\TrustedInstaller
  • Press Ok on all dialogs until all property dialogs are closed

Comments

  • Anonymous
    April 11, 2007
    How to add "NT SERVICETrustedInstaller" for some folder by calling win api, e.g AllocateAndInitializeSid and SetNamedSecurityInfo?

  • Anonymous
    April 12, 2007
    Using Windows Explorer, right mouse click on folder or file, choose Properties context menu item, then click on Security tab...

  • Anonymous
    May 14, 2007
    WHat if the installer is a remote source? How do I enable it to modify, say, a .dll file?

  • Anonymous
    July 20, 2007
    In your procedure needs to add "Restart"

  • Anonymous
    August 28, 2007
    Is TrustedInstaller using TrustedInstaller.exe as a wrapper or shell? I'm debugging the following event from Windows Update Vista 64. Faulting application TrustedInstaller.exe, version 6.0.6000.16386, time stamp 0x4549b6e9, faulting module wcp.dll, version 6.0.6000.16386, time stamp 0x4549d331, exception code 0x80000003, fault offset 0x0000000000187d75, process id 0xb14, application start time 0x01c7e76866e06be8.

  • Anonymous
    December 03, 2007
    I had problem with the command NT SERVICETrustedInstaller on my Vista so wrote it like this instead. NT ServiceTrustedInstaller After that it found it.

  • Anonymous
    January 11, 2008
    In your post you write "The way this protection is implemented is by setting an ACL on these resources only to allow the TrustedInstaller user to modify them." In my experience, an application with backup/restore privileges can modify files regardless of their ACL/DACL.  But these files can't be modified unless the owner of the file is changed to something other than TrustedInstaller.  How is this protection accomplished by WFP?

  • Anonymous
    October 06, 2008
    thank you a lot I modified some files and I wanted all back exactly as it was before, thank you!!!

  • Anonymous
    December 23, 2008
    hi, i'm managing to repair my rundll32.exe at the system32 folder in the windows folder, i tried to add the TrustedInstaller permission, because it haven't but, when i add the permission and press ok or apply, it says "Unable to save permission change on rundll32, access is denied" but, i activate the DISABLE UAC feature and reboot my computer (restart). please give me an idea, i want to install microsoft C++ 2005, to play warcraft 3:frozen throne version 1.22a and play at the battle.net, but i can't install the C++ because of it.

  • Anonymous
    April 02, 2009
    The comment has been removed

  • Anonymous
    April 19, 2009
    Open an elevated command prompt: takeown /F "G:pathgoeshere*" /A /R /D Y Then grant yourself full priviledges and delete away.

  • Anonymous
    July 06, 2009
    I tried this (Vista Home Premo). CL response was success but ownership was NOT changed.

  • Anonymous
    October 09, 2011
    Useless Americans, Why can you not use Real English?

  • Anonymous
    August 25, 2012
    The comment has been removed

  • Anonymous
    December 26, 2013
    The comment has been removed

  • Anonymous
    March 29, 2014
    On Windows 7, After a power failure, I had to change trustedinstaller ownership from C: since it seemed to be blocking all installs, even Windows update installs. I have the feeling that "trustedinstaller" group has disappeared, indeed (since I have a HOME edition, I can't use msc.exe to play with user and group permissions). trustedinstaller had the ownership of the full harddrive. After fixing harddisk, I want to restore both the ownership and the group. How can I re-create the "trustedinstaller" group and add windows services to such group?

  • Anonymous
    November 26, 2014
    Now how to add/restore trustedinstaller user to the security list of a particular file?