How can I reset permissions in system folders to the correct settings?

Background: Somehow the security permissions on many folders in ProgramData got changed to allow access only to my user account. This caused a variety of problems such as services not starting because the SYSTEM user couldn't access files. Using icacls and lots of googling I restored full access to SYSTEM and Administrators and read/execute access to Users, but there were still problems. Metro Apps (or whatever we are supposed to call them in Windows 10) were crashing immediately after opening. More googling revealed that I needed to add permissions for the "ALL APPLICATION PACKAGES" user. Now everything seems to be running okay, but I am left wondering what other permissions are still missing, waiting to cause problems in the future.

Question: Is there a way to restore the full set of necessary default permissions to system folders like ProgramData and Windows?


You're in the same boat I am.

This guide is hard to decipher but the info is there to set them ourselves:

https://helgeklein.com/blog/2012/08/windows-7-default-file-system-permissions-listing/

The ONLY difference between Windows 7 & Windows 10 permissions on ProgramData is there is a new security descriptor I haven't figured out fully myself: ALL APPLICATION PACKAGES

I would add this "user" or "group" whichever way you want to look at it, with "read & execute" and turn on system auditing for file system; then, set FAIL auditing entries for ALL APPLICATION PACKAGES to know where it needs write permissions.

Don't be quick to set write permissions just because it logs a failed write entry for 'ALL APP'; wait until you're using a program and see an error and then check the logs to see if it's relevant to you. This will keep you from putting security holes in your system. I'm unsure atm if "ALL APP" refers to desktop apps & metro apps or just one or just the other and I'm an MCSE :)

I accidentally clicked "make permissions inherit to subfolders & files" (paraphrasing) myself before hitting Apply, because Microsoft won't have a brain and fix it so that you HAVE to click the checkbox, instead of being able to enable it accidentally by clicking on the right side of the window above Apply. At least I didn't tell it to take ownership of the files & folders, so it failed to apply it beyond the "Microsoft" folder on IMPORTANT system files in the "Windows" folder.

I did make a backup ACL of Windows 7 default permissions and will upload it so you can use it if I can't figure out a more "Windows 10" native way to reset them, without doing a repair.
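
The procedure suggested in the answer above (read & execute for ALL APPLICATION PACKAGES, then failure auditing to see where writes are denied), written out as an added PowerShell example that is not from either poster. It assumes an elevated prompt; the backup file name is made up for illustration.

```powershell
# Added example: run from an elevated PowerShell prompt.
$path = 'C:\ProgramData'
$aap  = 'S-1-15-2-1'   # well-known SID of ALL APPLICATION PACKAGES

# 1. Save the folder's current ACL so the change can be undone later with
#    "icacls C:\ /restore <file>". The backup file name is an assumption.
icacls $path /save "$env:USERPROFILE\ProgramData-acl-backup.txt" /c

# 2. Grant read & execute only, inherited by subfolders (CI) and files (OI).
#    icacls accepts a SID when it is prefixed with '*'.
icacls $path /grant "*${aap}:(OI)(CI)(RX)"

# 3. Enable failure auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /failure:enable

# 4. Add an audit (SACL) entry that logs failed writes by that principal.
$sid  = New-Object System.Security.Principal.SecurityIdentifier $aap
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $sid, 'Write', 'ContainerInherit,ObjectInherit', 'None', 'Failure')
$acl  = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 5. Later, after reproducing an app error, list the denied accesses.
#    Event 4656 with the Audit Failure keyword is a refused handle request.
$auditFailure = 0x10000000000000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; Keywords = $auditFailure } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
  ForEach-Object {
      $e = $_
      $d = @{}
      foreach ($item in ([xml]$e.ToXml()).Event.EventData.Data) {
          $d[$item.Name] = $item.'#text'
      }
      [pscustomobject]@{
          Time    = $e.TimeCreated
          Process = $d['ProcessName']
          Object  = $d['ObjectName']
          Access  = $d['AccessList']
      }
  } |
  Where-Object { $_.Object -like "$path*" } |
  Format-Table -AutoSize
```

Once the logs have served their purpose, the audit entry can be removed with `$acl.RemoveAuditRule($rule)` followed by `Set-Acl`, and failure auditing switched off with `auditpol /set /subcategory:"File System" /failure:disable`.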