Restore original ACL rights of ...\system32\* - how ?


Tobias Alte

Hi,

I know I shouldn't have been messing around with the cacls.exe tool in this
folder, but unfortunately it happened.

I am working in a one person/multi-user environment with a special user
account for internet access. This account has only non-privileged user
rights ( using win xp home sp2 ). The thought of changing some ACL for
this non-privileged user came up because I am using the CA ezArmor Suite
( Firewall / Anti-Virus ) to add some protection to my PC. Using the
non-privileged internet account I was not able to use the Autodownload
feature to update the virus definitions because of missing privileges. So
it occurred to me to change the ACLs in the software's folder ( ..\CA\* )
which worked out quite nicely.

But now to the problem: During the operation I was using the
non-privileged account and so had to use the runas command to have the
needed privileges to run cacls.exe .

At the directory above the one I was going to change I was using this
command:

d:\programs\security\ca\>runas /profile /user:<COMPNAME>\admin "cacls * /T /E /G VORDEFINIERT\Benutzer:F"

( note: I am using a German Windows so I guess the VORDEFINIERT\Benutzer
would be something like PREDEFINED\User in an English version )

As expected, after password input a command-line window popped up that
performed the requested operations, but to my surprise it was working on
the c:\windows\system32 directory and not on the expected one
( d:\programs\security\ca\ ). So I did CTRL-C as fast as I could to stop
the process, but of course was not fast enough.

So now I have a windows\system32 directory with Full access for
non-privileged users which is quite annoying from the security
perspective I wanted to improve by using the non-privileged account for
internet access.

So my question is:

Is there a way to restore the original ACL settings for the
c:\windows\ directory without a fresh install of the system ?

Or another way ? I know cacls.exe may do the job but how do you grant
special rights only ( like GENERIC_READ, GENERIC_EXECUTE or
FILE_GENERIC_READ ) which had been the original rights of some folders
( catroot ) for the non-privileged user ?


Thx for advice
Tobias Alte
 

How To Reset Security Settings Back to the Defaults (Windows XP)
http://support.microsoft.com/default.aspx?scid=kb;en-us;313222
 
Hi Tobias,

The replies so far are not going to help you out, as you
said this is XP Home, and the tools mentioned in the XP
specific KB in one reply will refuse to run in Home if one
does load them from some other (Pro) system. The KB
for W2k/NT is not appropriate for XP/W2k3.

Your real problem is that you used cacls to grant to the
built-in Users group (? I think). If you had made the grant
to a custom group, like MyUsers, then you could now
reverse this with a cacls * /e /t /r MyUsers.

With Home, about the only way you are going to work out
from your current situation is to look at the secsetup.inf
and apply equivalents using a correctly ordered cacls command
sequence. If you try this, what you will rapidly discover is that
the permissions are encoded as SDDL in secsetup.inf and
you would need a Pro or Server version to view this info in
a user-convenient form.
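
The last reply points out that secsetup.inf stores permissions as SDDL, which is hard to read by hand. As an added example (not part of the thread, and not taken from any poster's system), this Python sketch decodes the DACL part of an SDDL string and flags write-class grants to low-privileged groups. The token tables are a subset of the SDDL string format, and the two SDDL strings are constructed samples, not lines from a real secsetup.inf.

```python
import re

# Subset of the two-letter tokens defined by the SDDL string format.
FLAGS = {"CI": "subfolders inherit", "OI": "files inherit",
         "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "GX": "generic execute", "FA": "file all", "FR": "file read",
          "FW": "file write", "FX": "file execute", "SD": "delete",
          "RC": "read control", "WD": "write DAC", "WO": "write owner"}
SIDS = {"BA": "Administrators", "BU": "Users", "PU": "Power Users",
        "SY": "SYSTEM", "CO": "CREATOR OWNER", "WD": "Everyone",
        "AU": "Authenticated Users"}
WRITE_TOKENS = {"GA", "GW", "FA", "FW", "SD", "WD", "WO"}
WRITE_BITS = 0x500D0046  # write/append/delete-child, DELETE, WRITE_DAC/OWNER, GENERIC_WRITE/ALL

def split2(s):
    """Split a run of two-letter SDDL tokens, e.g. 'GRGX' -> ['GR', 'GX']."""
    if len(s) % 2:
        raise ValueError("odd-length token run: %r" % s)
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def decode_dacl(sddl):
    """Return one dict per ACE in the D: (DACL) part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        kind, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        if rights.lower().startswith("0x"):      # rights given as a hex access mask
            names, writes = [rights], bool(int(rights, 16) & WRITE_BITS)
        else:
            toks = split2(rights)
            names = [RIGHTS.get(t, t) for t in toks]
            writes = bool(WRITE_TOKENS & set(toks))
        aces.append({"type": {"A": "allow", "D": "deny"}.get(kind, kind),
                     "who": SIDS.get(sid, sid), "sid": sid, "rights": names,
                     "flags": [FLAGS.get(f, f) for f in split2(flags)],
                     "writes": writes})
    return aces

def write_grants(sddl, low_priv=("BU", "WD", "AU")):
    """Allow-ACEs that give a low-privileged group any write-class right."""
    return [a for a in decode_dacl(sddl)
            if a["type"] == "allow" and a["writes"] and a["sid"] in low_priv]

# Constructed samples: a read/execute-only grant to Users, then the same DACL with Users:F added.
BASELINE = "D:P(A;CIOI;GRGX;;;BU)(A;CIOI;GA;;;BA)(A;CIOI;GA;;;SY)"
AFTER = BASELINE + "(A;;0x1f01ff;;;BU)"
```

Calling `write_grants(AFTER)` returns the single full-control ACE for Users, while `write_grants(BASELINE)` returns an empty list.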
 