Keith Hill
For some reason, my Vista Enterprise system has reset permissions on a
number of EXEs in the windows system32 dir and now I have to elevate to
execute attrib.exe and subst.exe. This isn't the case on my home Vista
Ultimate PC. What's even weirder is that when the perms get screwed up the
properties dialog for that file looks like you are editing a .PIF file. It
has a whole bunch of extra tabs related to console stuff.
The following EXEs are affected:
C:\Windows\System32\at.exe
C:\Windows\System32\attrib.exe
C:\Windows\System32\cacls.exe
C:\Windows\System32\debug.exe
C:\Windows\System32\DRWATSON.EXE
C:\Windows\System32\edlin.exe
C:\Windows\System32\eventcreate.exe
C:\Windows\System32\ftp.exe
C:\Windows\System32\net.exe
C:\Windows\System32\net1.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\reg.exe
C:\Windows\System32\regedt32.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\runas.exe
C:\Windows\System32\sc.exe
C:\Windows\System32\subst.exe
C:\Windows\System32\telnet.exe
Their ACLs are:
AccessToString : NT AUTHORITY\INTERACTIVE Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl
And they should be:
AccessToString : NT AUTHORITY\SYSTEM Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl
What's annoying the hell out of me is that:
1) I can't add TrustedInstallers back to the ACLs list - it says it doesn't
exist
2) I add back Users with ReadAndExecute and a few days later that entry has
been stripped out (again)
Anybody have any idea what is going on? I suspect either Group Policy or
System File Protection but I'm not sure how to find out if that is what is
causing this.
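
A read-only audit of the situation described in the post above, as an added example that is not part of the original post: it checks whether the account name resolves and compares each listed file's ACL with the entries the post says it should have. It assumes PowerShell 2.0 or later and an English-language system; the variable names are illustrative.

```powershell
# Added example (not from the original post): read-only audit, changes nothing.
# File names and expected ACL entries are copied from the post above.
$names = 'at.exe','attrib.exe','cacls.exe','debug.exe','DRWATSON.EXE','edlin.exe',
         'eventcreate.exe','ftp.exe','net.exe','net1.exe','netsh.exe','reg.exe',
         'regedt32.exe','regsvr32.exe','runas.exe','sc.exe','subst.exe','telnet.exe'

$expected = @(
    'NT AUTHORITY\SYSTEM Allow ReadAndExecute, Synchronize'
    'BUILTIN\Administrators Allow ReadAndExecute, Synchronize'
    'BUILTIN\Users Allow ReadAndExecute, Synchronize'
    'NT SERVICE\TrustedInstaller Allow FullControl'
)

# Check whether the account name, spelled as in the ACL output, maps to a SID here.
try {
    $acct = New-Object System.Security.Principal.NTAccount('NT SERVICE\TrustedInstaller')
    $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
    "NT SERVICE\TrustedInstaller resolves to $sid"
} catch {
    "NT SERVICE\TrustedInstaller does not resolve: $($_.Exception.Message)"
}

foreach ($name in $names) {
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $path)) { "{0}: not present" -f $name; continue }

    $acl = Get-Acl -Path $path
    # Render each ACE as "identity type rights", the same form AccessToString uses.
    $actual = @($acl.Access | ForEach-Object {
        '{0} {1} {2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights
    })
    if ($actual.Count -eq 0) { "{0}: DIFFERS, ACL has no entries" -f $name; continue }

    $diff = @(Compare-Object -ReferenceObject $expected -DifferenceObject $actual)
    if ($diff.Count -eq 0) { "{0}: matches expected ACL" -f $name; continue }

    "{0}: DIFFERS (owner: {1})" -f $name, $acl.Owner
    foreach ($d in $diff) {
        if ($d.SideIndicator -eq '<=') { "    missing:    $($d.InputObject)" }
        else                           { "    unexpected: $($d.InputObject)" }
    }
}
```

Saving the output with a timestamp on a schedule and comparing runs narrows down when an entry is stripped, which can then be matched against Group Policy refresh times.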