3

I read some threads about people who were able to modify metro apps files (WindowsApps dir) on Windows 8. However, I cannot do this on Windows 8.1. I am an administrator and even when I take the ownership over WindowsApps and all its subitems, I get "You require permissions from YOURSELF to make changes to this file" while trying to rename a file. I cannot modify the files either.

However, deleting and moving files out of WindowsApps is possible. I can move the whole dir for an app to the desktop and then there still exists the same read-only restriction. I managed to remove these "permissions" by adding the folder to a ZIP folder. BTW, bringing the folder back works, but Windows doesn't want to start the app anymore.

I am curious: How and where are these permissions set and can they be turned off? Is this only for the apps folder structure, or it is a general Windows feature?

Improve this question

1 Answer 1

Reset to default
1

Taking ownership doesn't let you do anything new except reading/writing the discretionary access control list (DACL). The WindowsApps folder doesn't have any special protection besides standard NTFS ACLs, it's just that those settings don't allow normal users to look in there. For the curious, this is the icacls listing for the folder's DACL:

NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(RX,W)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(RX)
BUILTIN\Administrators:(OI)(CI)(IO)(RX)
NT AUTHORITY\LOCAL SERVICE:(Rc,S,X,RA)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(IO)(RX)
NT AUTHORITY\NETWORK SERVICE:(Rc,S,X,RA)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(IO)(RX)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

The folder's owner is TrustedInstaller. Notice how only TrustedInstaller has full control or the write-DACL privilege on the folder itself.

Once you've taken ownership, however, you can open the permissions editor and grant yourself whatever control you want on the folder and its contents. If you want Windows apps to not break, however, you'll need to set these permissions as well:

  • Full control for TrustedInstaller on the folder itself
  • Full control for TrustedInstaller on subfolders
  • Read-and-execute and write for SYSTEM on the folder itself
  • Full control for SYSTEM on subfolders and files
  • Read-and-execute for Administrators on the folder itself
  • Read-and-execute for Administrators on subfolders and files
  • Read, synchronize, execute/traverse, and read-attributes for LOCAL SERVICE on the folder itself
  • Read-and-execute for LOCAL SERVICE on subfolders and files
  • (The above two, but for NETWORK SERVICE)
Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .