Administrator account lost write permission in C:\Program Files ?   Windows 7

Posted on 2014-01-02
Last Modified: 2014-01-11
I noticed that on my Windows 7 64 PC I've lost write/modify permissions, but only under C:\Program Files and C:\Program Files (x86).

I know this because suddenly
1) I can't "Save" any documents under those folders or any sub folders.  I can create "New Folders", just can do much in else.  It's not simply UAC warnings, it's access denied where any "Save" reverts to a "Save As" and not in those folders.    And
2)  I also noticed that in Windows Explorer, right click in one of those folders, menu Item "New" only shows one item "New folder" with an interesting little shield icon...   In all other folders I get a full list of "New" items I usually see such as New Word Document, etc.
My Windows 7 User ID is the same I've always used, and is "Administrator".  The PC is clean, up-to-date with WUS, and virus-free.

Solution I found, which I think is unacceptable:   Under Control Panel , Users, if I change UAC (user account control) to the Minimum everything works AOK.    Any setting higher then the bottom setting then I'm back to losing the access to C:\Program Files and C:\Program Files (x86).

Since I haven't changed anything that I'm aware of on my PC I suspect either  a) a recent Windows Update or b) something impacted the access rights of these folders where my windows user ID got demoted somehow.

500 points.    I can reply with more info or print screens if that would be helpful.
Question by:JReam
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +3
LVL 15

Accepted Solution

jerseysam earned 200 total points
ID: 39751240
It seems the program files folders permissions are tied into the UAC settings.

The 2 "Program Files" folders have super-duper protections on them. Unfortunately in Windows8 I don't think there is a way to remove it because it is tied in to UAC and you can't turn off UAC any more.

The workaround is that while you cannot directly save to the "Program Files" folders (for example, from notepad) you can copy files into it. So to change a ini file or something like that you have to:

    load the file
    edit it
    save it to desktop or "My Documents"
    move it from its location to the Program Files area
    Answer the UAC prompt that yes, you really do know what you are doing and yes, you really do actually want to do it

This is why I created a "c:\MyPrograms" folder and install everything into it

Taken from post:
LVL 19

Expert Comment

by:Raheman M. Abdul
ID: 39751245
Try to run the dos command:

TAKEOWN /F "c:\program files" /R /A
LVL 78

Assisted Solution

arnold earned 150 total points
ID: 39751372
From which application are you trying to save files into those locations?
UAC likely prevents the application from running as Administrator (lowers/lowered privileges)

if you navigate to the location, and use notepad/wordpad or simply right-click in the folder and select create a new file, does it give you the same error?
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

LVL 44

Assisted Solution

Darr247 earned 100 total points
ID: 39751551
The default owner in the Program Files, Program Files (x86) and Windows trees is the special user "TrustedInstaller."

Typically you're not supposed to be saving files to those locations with programs that don't understand User Account Control access restrictions. e.g. Notepad.
Try starting the program you're using by right-clicking its shortcut and choosing Run as administrator and I bet you'll be able to save the files where you want. But if it's Notepad you're using, forget it... Notepad is not ownership aware (I'm not sure why microsoft still includes it if they're not going to fix it). You'll have to take ownership of the folders to make Notepad work there.

You should not be running the Administrator account as an everyday user, by the way. Microsoft disables it by default for good reason... using it is like running as root all the time in linux distros.
LVL 54

Assisted Solution

McKnife earned 50 total points
ID: 39751566

You say you are using the built-in Administrator account. By default, for this account, the UAC is off, while being on for other accounts. Please note I wrote "by default". So the defaults have been changed. Please verify this:
LVL 54

Expert Comment

ID: 39751580
"Notepad is not ownership aware" - what are you talking about, starting notepad elevated will lead to successful saving just as with any other program.

Author Comment

ID: 39753848
I'm still researching and trying things.    I really think something changed, probably via WUS, for UAC and Windows accounts and access to many folders, including C:\ root.

I created a brand new TempAdmin account, an Administrator account, to check for newly created accounts to see if also restricted to C:\.  Yes, also restricted.

So my not-so-good solution remains:  Under Control Panel , Users, change UAC (user account control) to the Minimum everything works AOK.  

Two print screens:  

1) The working FULL list of  Windows Explorer, right click, menu Item "New" shows everything I would normally expect to see.

2)  And only when I have UAC at the minimum setting as shown.

Windows Explorer "New" shows everything as expected
UAC at the minimum setting
LVL 78

Expert Comment

ID: 39754038
If you need to install an application and run as administrator the setup. Do you get a deny error?

Do you have any Enterprise class anti-virus.

If you navigate to any location, right click in the folder and select new file, is the file created or do you get an error?

cacls c:\
xcacls c:
what is being returned?
LVL 54

Expert Comment

ID: 39756121
Why no feedback on my comment? You would not need to turn off UAC if you indeed use the built-in administrator and the policy is reset to defaults.

Author Comment

ID: 39759182
Wow, McKnife, sorry for the delay?    We all do multiple things in our lives.  Thanks for your patience.

Assisted Solution

JReam earned 0 total points
ID: 39759246
OP.   Final post.    I guess I was mistaken from the start.  

I've thoroughly re-tested Administrator Account vs User in Administrators group.  

For the User in Administrators group it does appear that the User UAC settings do control and limit the access rights to the system & Program Files folders.    To me this seems illogical since if the User is in the Administrators group he really should have Administrators Access regardless of UAC.  

So the UAC levels determine the access for the User in Administrators group.   But the UAC level screen doesn't offer any hint or imply this big step up or denial of access from the bottom setting to the next one up.  

Adding to my confusion, Windows Explorer does NOT honor "Run As Administrator", while Notepad does.  So Explorer's menu item 'New' is basically empty.

Bottom line:   The User, despite the fact that he's in Admin group, can't go into Program File application sub folders via Windows Explorer Right Click and create an innocent Notes.Txt file.....  big boo.
LVL 54

Expert Comment

ID: 39759287
That's how UAC works, and I would call it everything else but "big boo". Treat admins as users until they actively elevate. Exception: Accounts "System" and "Administrator" - those run elevated by default.

As Explorer is the whole shell and not only file explorer (or a single process like notepad), logically it should not be made possible to run it elevated.
The only nasty thing we see here is that some applications are UAC aware (explorer), while others are not (notepad for example). Notepad does not trigger elevation.

Author Closing Comment

ID: 39773113
My final original poster comment summerizes the solution.

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
You need to know the location of the Office templates folder, so that when you create new templates, they are saved to that location, and thus are available for selection when creating new documents.  The steps to find the Templates folder path are …
The viewer will learn how to create two correlated normally distributed random variables in Excel, use a normal distribution to simulate the return on different levels of investment in each of the two funds over a period of ten years, and, create a …
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question