1

I somehow botched up my C:\ (root folder) security settings on Windows 10. They remained botched even after an in-place reinstall and somewhat botched after a full (no-save) reinstall. Right now if I add a folder to C:\ from a (user) command prompt I get "access denied", but from Windows explorer I get four copies. This is weird but true. Here's a screenshot:

ScreenShot

I don't know how to reset these security settings properly, although I have examples from another virtual machine as to what they should be. Experimenting using the Windows explorer security properties information on a virtual machine, anything I add or subtract seems to be applied recursively.

I haven't tried using the icacls command as the sparse documentation on it doesn't really explain what the options really do. It's not clear from its documentation how or even whether this command relates to security properties.

So, what procedure do I use to update the C:\ (root) folder permissions but only that folder's permissions?

Improve this question
6
  • 1
    It’s not clear what your problem really is or if changing permissions is going to fix it or make things worse. Trying to create a folder on C:\ from a non-administrative command prompt will fail and that is how it is supposed to be. Creating a folder from explorer will not create “four folders” so it’s not a permission issue. Permissions are inherited and that too is how it is supposed to be. Trying to change permissions at root level is a recipe for disaster.
    – Appleoddity
    Commented Dec 14, 2018 at 2:13
  • Trying to create a folder on C:\ from a non-administrative command prompt will fail... that's not true. The default permissions on the root of volumes grants authenticated users permission to create directories but not files.
    – I say Reinstate Monica
    Commented Dec 14, 2018 at 2:43
  • I agree that it's not clear what my problem really is. I added a screen shot to show the current permissions. I also included the console command showing access denied and the result of ONE add new folder. I want to repair this root folder before attempting to clean up the subfolders, since the junk seems to propagate. I don't know why these confused security attributes didn't get repaired by a full reinstall.
    – FNE
    Commented Dec 14, 2018 at 3:55
  • @TwistyImpersonator right you are my friend. My mistake.
    – Appleoddity
    Commented Dec 14, 2018 at 4:20
  • Start by deleting any of the Deny permissions. They don't belong there.
    – I say Reinstate Monica
    Commented Dec 14, 2018 at 11:00

2 Answers 2

Reset to default
1

Your screen shot shows a number of Deny entries. Remove these. They're not part of the default permissions for the root of a volume and are certainly causing you trouble.

For your reference, here are the default permissions for the root of a boot volume on Windows 10:

Default NTFS permissions on the root of C:

Try to get your permissions to match these.

Edit: More detail on how to effect these changes.

Caution: For the root folder, NEVER click on propagate changes to all subfolders. Many subfolders have been given different security attributes that you don't want to change.

Warning: Make sure you have a backup plan in case this procedure fails. You may need to reinstall if something goes wrong.

1) In order to change the permissions, you need to take ownership. Click on the Blue change for the owner, and change the owner to Administrators. This is also for protection: Even administrators are not allowed to modify some subfolders.

2) Remove the Deny entries.

3) For the entries you are going to keep, make sure their permissions are set properly, using the advanced menu. For windows 10, you need to update BOTH the basic and advanced settings. The proper settings are detailed below.

4) Delete the other entries.

5) Apply the changes, and cross your fingers. You should get warnings that your changes did not propagate to some Windows owned subfolders and swapfile.sys.

6) Change the owner back to TrustedInstaller, whose actual name is "NT Service\TrustedInstaller".

Permissions detail:

Administrators, Full control, This folder, subfolders and files

Full control: All boxes in basic and advanced permissions should be checked.

SYSTEM, Full control, This folder, subfolders and files

Full control: All boxes in basic and advanced permissions should be checked.

Users, Read & excute, Subfolders and files only

Basic: Only Read&execute, List folder contents, Read
Advanced: Only
    Traverse folder / execute file
    List folder / read data
    Read attributes
    Read extended attributes
    Read permissions

Authenticated Users, Modify, Subfolders and files only

Basic: Only Modify, Read&execute, List folder contents, Read, Write
Advanced: Only
    Traverse folder / execute file
    List folder / read data
    Read attributes
    Read extended attributes
    Create files / write data
    Create folders / append data
    Write attributes
    Write extended attributes
    Delete
    Read permissions

Authenticated Users, Create folders / append data, This folder only

Basic: NONE
Advanced: Only Create folders / append data
Improve this answer
3
  • Thank you, this is almost what I did. There are some missing details, cautions, and how-to information that I'll add. This is my accepted answer, I don't have enough reputation points for it to count.
    – FNE
    Commented Dec 15, 2018 at 17:11
  • Feel free to edit my answer, which is encouraged on this site. You can also use the green check mark to indicate this is the accepted answer. You don't need reputation to do that.
    – I say Reinstate Monica
    Commented Dec 15, 2018 at 17:37
  • As an abundance of caution, I left in the TrustedInstaller entry that gives full control to this (the root) file only. All other extra entries were deleted. My backup plan was to reformat the disk and reinstall.
    – FNE
    Commented Dec 15, 2018 at 20:04
0

I have only access to a Windows 7 Pro machine at the moment, but I have seen that it's the same in later Windows versions (but please note that the UI might slightly differ):

The advanced dialog for changing permissions offers a drop-down box in its upper area, offering to apply the permissions to this folder, subfolders and files, files only and so on.

Furthermore, in the lower area of that dialog, there is a checkbox titled Apply these permissions to objects and/or containers within this container only.

You can see what I mean on the following screenshot:

Advanced Windows 7 Pro permission dialog

Unfortunately, you need to look at the problem from the perspective of the child folders as well. For example, if you have a folder c:\parent\child, and the child folder already inherits permissions from the parent folder, and you want different permissions in the parent and child folders, you first must disable the permission inheritance for the child folder.

You can do so at the following place (please note the checkbox labeled Include inheritable permissions from this object's parent):

enter image description here

I hope this answers your question.

Improve this answer
1
  • While this looks promising, it doesn't work as expected. As an experiment on a Win10 virtual machine, I gave Users full permissions checking that box. While the permissions did not change on subfolders the Administrator wasn't allowed to change, it did change on other subfolders. I got the same effect adding CREATOR OWNER to the root permissions.
    – FNE
    Commented Dec 15, 2018 at 19:51

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .