How can I reset permissions in system folders to the correct settings?

windows-10 permissions

Background: Somehow the security permissions on many folders in ProgramData got changed to allow access only to my user account. This caused a variety of problems such as services not starting because the SYSTEM user couldn't access files. Using icacls and lots of googling I restored full access to SYSTEM and Administrators and read/execute access to Users, but there will still problems. Metro Apps (or whatever we are supposed to call them in Windows 10) were crashing immediately after opening. More googling revealed that I needed to add permissions for the "ALL APPLICATION PACKAGES" user. Now everything seems to be running okay, but I am left wondering what other permissions are still missing, waiting to cause problems in the future.

Question: Is there a way to restore the full set of necessary default permissions to system folders like ProgramData and Windows?


You're in the same boat I am.

This guide is hard to decipher but the info is there to set them ourselves:

https://helgeklein.com/blog/2012/08/windows-7-default-file-system-permissions-listing/

The ONLY difference between Window 7 & windows 10 permissions on programdata is there is a new security descriptor I haven't figured out fully myself: ALL APPLICATION PACKAGES

I would add this "user" or "group" whichever way you want to look at it, with "read & execute" and turn on system auditing for file system; then, set FAIL auditing entries for ALL APPLICATION PACKAGES to know where it needs write permissions.

Don't be quick to set write permissions just because it logs a failed write entry for 'ALL APP'; wait until you're using a program and see an error and then check the logs to see if it's relevant to you. This will keep you from putting security holes in your system. I'm unsure atm if "ALL APP" refers to desktop apps & metro apps or just one or just the other and I'm an MCSE :)

I accidentally clicked "make permissions inherit to subfolders & files" (Paraphrasing) myself before hitting apply because microsoft won't have a brain and fix it where you HAVE to click the checkbox instead of ability for accidentally enabling it, clicking on the right side of the window above apply. At least I didn't tell it to take ownership of the files & folders so it failed to apply it beyond the "microsoft" folder on IMPORTANT system files in the "windows" folder.

I did make a backup ACL of windows 7 default permissions and will upload it so you can use it if I can't figure out a more "windows 10" native way to reset them, without doing a repair.

Related

Rename User Account on Windows 10
Saving to CSV file always adds quotation marks in OpenOffice
Remove Properties and Personal Information - Batch mode or app
Why doesn't a using-declaration work to solve the diamond problem?
Github user email is null, despite user:email scope
Flutter: Get passed arguments from Navigator in Widget's state's initState
jQuery clone duplicate IDs
Best terminal environment for Cygwin/Windows?
How do I perform arithmetic in a makefile?
C++ class template of specific baseclass
Is there an R equivalent of the pythonic "if __name__ == "__main__": main()"?
AWS RDS instance upgrade down time [closed]