In two words, I cannot restore the file SQLite3Wrapper.dll to its location c:\Program Files\WindowsApps\Microsoft.BingWeather_4.8.239.0_x86__8wekyb3d8bbwe
The story behind it and what I have tried
It all started when Comodo antivirus gave me a virus alert about SQLite3Wrapper.dll and asked me to place it in quarantine. I said OK, let's place it in quarantine and check it out. So far so good. After I double-checked that this was a false alarm, I asked Comodo to restore the file, and here was my first failure, because Windows 10 did not let it write the file back to its place. And after that all my tries failed…
First I took ownership of the directory and gave the administrator and myself full access. I also disabled all antivirus protection from Comodo and Windows.
- So after giving permission I tried to copy, but that also failed.
- I started Windows in safe mode, but it did not let me copy the file back.
- I started Windows in command mode, but it did not let me copy the file back.
- I started Windows with the latest version of MsDart, but this also doesn't let me copy the file. This is the strangest, because MsDart supposedly runs over Windows and never had this issue on older versions of Windows.
- Then I tried to restore the file using an Acronis backup that I made some days ago. Acronis also failed to write to that directory – it did not ask to restore it on boot, because I cannot ask that from Acronis; Acronis did not recognize that it cannot write to that directory, so it is stuck there forever…
- I have tried to copy it with Explorer, with Total Commander and with a simple command prompt.
- Also, using Hyper-X and Windows 10, I made more tests and tries to copy a file to any of those directories, but they failed.
Also, checking the effective access, Windows says that I can write there,
but something does not let me:
Some notes about my research
I am a programmer, I have given myself administrator privileges, and I have turned all the User Account Control settings to the minimum. I have also read and tried the answers from "How to get access to C:\Program Files\WindowsApps?" and "Where to find Windows Modern UI apps' source code?", and many other similar answers and notes on the internet, without finding a way to copy that file back to its place.
About the program itself
The program that is not working any more is "MSN Weather", which exists in the Microsoft Store. I used this command:
Get-AppxPackage *bingweather* | Remove-AppxPackage
and removed it, then reinstalled it, but it was actually never removed from the system, so the files were never updated. I did that one time, a second time with a reboot, a third time to double-check it... etc. The file is still missing from the directory and the program is still not working.
Debugging the copy process
I also used Process Monitor from Sysinternals to find out what is stopping it from copying that file and here is the stack:
"Frame","Module","Location","Address","Path"
"0","FLTMGR.SYS","FltDecodeParameters + 0x18e1","0xfffff801e5066d21","C:\WINDOWS\System32\drivers\FLTMGR.SYS"
"1","FLTMGR.SYS","FltDecodeParameters + 0x148c","0xfffff801e50668cc","C:\WINDOWS\System32\drivers\FLTMGR.SYS"
"2","FLTMGR.SYS","FltQueryInformationFile + 0x723","0xfffff801e50962c3","C:\WINDOWS\System32\drivers\FLTMGR.SYS"
"3","ntoskrnl.exe","ProbeForWrite + 0xc08","0xfffff803b7aa6d68","C:\WINDOWS\system32\ntoskrnl.exe"
"4","ntoskrnl.exe","NtQueryInformationFile + 0x1026","0xfffff803b7a9d6d6","C:\WINDOWS\system32\ntoskrnl.exe"
"5","ntoskrnl.exe","ObOpenObjectByNameEx + 0x1ec","0xfffff803b7a9c0dc","C:\WINDOWS\system32\ntoskrnl.exe"
"6","ntoskrnl.exe","ObOpenObjectByName + 0x488","0xfffff803b7a89b78","C:\WINDOWS\system32\ntoskrnl.exe"
"7","ntoskrnl.exe","NtCreateFile + 0x79","0xfffff803b7a896d9","C:\WINDOWS\system32\ntoskrnl.exe"
"8","ntoskrnl.exe","setjmpex + 0x3943","0xfffff803b77ddca3","C:\WINDOWS\system32\ntoskrnl.exe"
"9","ntdll.dll","NtCreateFile + 0x14","0x7ffbc09f5b24","C:\WINDOWS\SYSTEM32\ntdll.dll"
"10","guard64.dll","Exported + 0xd341","0x7ffbbcda6161","C:\Windows\system32\guard64.dll"
"11","<unknown>","0x7ffbc0da0052","0x7ffbc0da0052",""
My apologies for the long question,
but I am frustrated; this is a first for me, not being able to take control of my computer and restore a file.
Of course this is not the only file that is not permitted to be created in these directories... inside those directories nothing is allowed...
So how can I take control of my computer? What have I missed here, what permission must I give, or what program must I stop so that I am able to restore that file?
Running icacls
C:\Program Files>icacls WindowsApps
WindowsApps NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(RX)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(OI)(CI)(IO)(RX)
NT AUTHORITY\SYSTEM:(RX,W)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(RX)
BUILTIN\Administrators:(OI)(CI)(IO)(RX)
NT AUTHORITY\LOCAL SERVICE:(Rc,S,X,RA)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(IO)(RX)
NT AUTHORITY\NETWORK SERVICE:(Rc,S,X,RA)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(IO)(RX)
Aristos\MyNameHere:(OI)(CI)(F)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
Successfully processed 1 files; Failed processing 0 files
and
C:\Program Files\WindowsApps>icacls Microsoft.BingWeather_4.8.239.0_x86__8wekyb3d8bbwe
Microsoft.BingWeather_4.8.239.0_x86__8wekyb3d8bbwe NT AUTHORITY\SYSTEM:(OI)(CI)(F)
Aristos\MyName:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
NT AUTHORITY\Authenticated Users:(OI)(CI)(F)
BUILTIN\Users:(OI)(CI)(F)
NT SERVICE\TrustedInstaller:(CI)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(OI)(CI)(RX)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(RX)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(I)(OI)(CI)(RX)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(RX)
NT AUTHORITY\LOCAL SERVICE:(I)(OI)(CI)(RX)
NT AUTHORITY\NETWORK SERVICE:(I)(OI)(CI)(RX)
Aristos\MyName:(I)(OI)(CI)(F)
Mandatory Label\Low Mandatory Level:(I)(OI)(CI)(NW)
S-1-19-512-4096:(OI)(CI)(RX,D,WDAC,WO,WA)
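
An added example, not part of the original question: a small Python parser for the icacls listings above that separates the rights each principal holds on the directory itself from inherit-only (IO) entries, which are passed to children but do not apply to the directory they are listed on. The sample is a subset of the first listing; deny entries, which that listing does not contain, are not handled.

```python
import re

# Subset of the first icacls listing in the question (WindowsApps directory).
SAMPLE = r"""WindowsApps NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(RX,W)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(RX)
BUILTIN\Administrators:(OI)(CI)(IO)(RX)
Aristos\MyNameHere:(OI)(CI)(F)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)
Successfully processed 1 files; Failed processing 0 files
"""

# icacls inheritance markers; every other parenthesised group is a rights list.
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}

def parse_icacls(text, path):
    """Return one dict per ACE in the icacls listing for `path`."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path + " "):   # first ACE shares a line with the path
            line = line[len(path):].strip()
        principal, sep, rest = line.partition(":(")
        if not sep:                        # blank line or the summary line
            continue
        groups = re.findall(r"\(([^)]*)\)", "(" + rest)
        flags = {g for g in groups if g in INHERIT_FLAGS}
        rights = {r for g in groups if g not in INHERIT_FLAGS for r in g.split(",")}
        aces.append({"principal": principal, "flags": flags, "rights": rights,
                     "label": principal.startswith("Mandatory Label\\")})
    return aces

def rights_on_object(aces):
    """Rights that apply to the directory itself: ACEs without (IO), labels excluded."""
    result = {}
    for ace in aces:
        if ace["label"] or "IO" in ace["flags"]:
            continue
        result.setdefault(ace["principal"], set()).update(ace["rights"])
    return result

if __name__ == "__main__":
    for who, rights in rights_on_object(parse_icacls(SAMPLE, "WindowsApps")).items():
        print(f"{who}: {sorted(rights)}")
```

The result lists only explicit grants per principal; it does not resolve group membership or integrity levels.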