Wednesday, March 23, 2011

TrustedInstaller

On Windows 7, a lot of files under C:\Windows\system32 are owned by "TrustedInstaller", and members of the Administrators group cannot change their permissions. According to Windows Internals 5th Edition, Windows Resource Protection (WRP) protects many critical system files involved in the boot path by setting their owner to TrustedInstaller. This account is also used to install updates.

WRP also keeps a backup cache of the original files that are required to boot Windows. To transfer ownership of a file from TrustedInstaller to the Administrators group, use the following command:

takeown /F FILENAME /A
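As an added example (not from the original post), here is a PowerShell script that lists files under system32 whose owner is no longer NT SERVICE\TrustedInstaller, i.e. files where ownership was taken as above, and can hand them back with icacls. The function name, the default root path and the -Restore switch are my own assumptions; it needs an elevated PowerShell 3 or later.

```powershell
# Added example: audit ownership drift away from the WRP owner and optionally
# restore it. Not every file under system32 is legitimately owned by
# TrustedInstaller (third-party drivers, some config files), so treat the
# output as candidates to review, not as proof of tampering.
function Find-WrpOwnerDrift {
    param(
        [string]$Root = "$env:SystemRoot\System32",   # assumed default
        [switch]$Restore                              # hand ownership back
    )

    $wrpOwner = 'NT SERVICE\TrustedInstaller'

    $drift = Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            try {
                $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction Stop
            } catch {
                return   # in-use file or reparse point we cannot read; skip it
            }
            if ($acl.Owner -ne $wrpOwner) {
                [pscustomobject]@{ Path = $_.FullName; Owner = $acl.Owner }
            }
        }

    if (-not $drift) {
        Write-Host "All readable files under $Root are owned by $wrpOwner."
        return
    }

    $drift | Format-Table -AutoSize

    if ($Restore) {
        foreach ($f in $drift) {
            # takeown can only assign ownership to the current user or the
            # Administrators group; icacls /setowner is the documented way to
            # give a file back to the TrustedInstaller service account.
            icacls $f.Path /setowner $wrpOwner /C | Out-Null
        }
    }
}

# Report only; add -Restore to put the WRP owner back on the listed files.
Find-WrpOwnerDrift
```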

In the days of Windows XP, the "sfc /scannow" command actually pulled files from this backup cache and restored them if it detected any corruption.
