Administrator account lost write permission in C:\Program Files ?   Windows 7

Posted on 2014-01-02
Last Modified: 2014-01-11
I noticed that on my Windows 7 64 PC I've lost write/modify permissions, but only under C:\Program Files and C:\Program Files (x86).

I know this because suddenly
1) I can't "Save" any documents under those folders or any sub folders.  I can create "New Folders", just can do much in else.  It's not simply UAC warnings, it's access denied where any "Save" reverts to a "Save As" and not in those folders.    And
2)  I also noticed that in Windows Explorer, right click in one of those folders, menu Item "New" only shows one item "New folder" with an interesting little shield icon...   In all other folders I get a full list of "New" items I usually see such as New Word Document, etc.
My Windows 7 User ID is the same I've always used, and is "Administrator".  The PC is clean, up-to-date with WUS, and virus-free.

Solution I found, which I think is unacceptable:   Under Control Panel , Users, if I change UAC (user account control) to the Minimum everything works AOK.    Any setting higher then the bottom setting then I'm back to losing the access to C:\Program Files and C:\Program Files (x86).

Since I haven't changed anything that I'm aware of on my PC I suspect either  a) a recent Windows Update or b) something impacted the access rights of these folders where my windows user ID got demoted somehow.

500 points.    I can reply with more info or print screens if that would be helpful.
Question by:JReam
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +3
LVL 15

Accepted Solution

jerseysam earned 200 total points
ID: 39751240
It seems the program files folders permissions are tied into the UAC settings.

The 2 "Program Files" folders have super-duper protections on them. Unfortunately in Windows8 I don't think there is a way to remove it because it is tied in to UAC and you can't turn off UAC any more.

The workaround is that while you cannot directly save to the "Program Files" folders (for example, from notepad) you can copy files into it. So to change a ini file or something like that you have to:

    load the file
    edit it
    save it to desktop or "My Documents"
    move it from its location to the Program Files area
    Answer the UAC prompt that yes, you really do know what you are doing and yes, you really do actually want to do it

This is why I created a "c:\MyPrograms" folder and install everything into it

Taken from post:
LVL 19

Expert Comment

by:Raheman M. Abdul
ID: 39751245
Try to run the dos command:

TAKEOWN /F "c:\program files" /R /A
LVL 79

Assisted Solution

arnold earned 150 total points
ID: 39751372
From which application are you trying to save files into those locations?
UAC likely prevents the application from running as Administrator (lowers/lowered privileges)

if you navigate to the location, and use notepad/wordpad or simply right-click in the folder and select create a new file, does it give you the same error?
IoT Devices - Fast, Cheap or Secure…Pick Two

The IoT market is growing at a rapid pace and manufacturers are under pressure to quickly provide new products. Can you be sure that your devices do what they're supposed to do, while still being secure?

LVL 44

Assisted Solution

Darr247 earned 100 total points
ID: 39751551
The default owner in the Program Files, Program Files (x86) and Windows trees is the special user "TrustedInstaller."

Typically you're not supposed to be saving files to those locations with programs that don't understand User Account Control access restrictions. e.g. Notepad.
Try starting the program you're using by right-clicking its shortcut and choosing Run as administrator and I bet you'll be able to save the files where you want. But if it's Notepad you're using, forget it... Notepad is not ownership aware (I'm not sure why microsoft still includes it if they're not going to fix it). You'll have to take ownership of the folders to make Notepad work there.

You should not be running the Administrator account as an everyday user, by the way. Microsoft disables it by default for good reason... using it is like running as root all the time in linux distros.
LVL 55

Assisted Solution

McKnife earned 50 total points
ID: 39751566

You say you are using the built-in Administrator account. By default, for this account, the UAC is off, while being on for other accounts. Please note I wrote "by default". So the defaults have been changed. Please verify this:
LVL 55

Expert Comment

ID: 39751580
"Notepad is not ownership aware" - what are you talking about, starting notepad elevated will lead to successful saving just as with any other program.

Author Comment

ID: 39753848
I'm still researching and trying things.    I really think something changed, probably via WUS, for UAC and Windows accounts and access to many folders, including C:\ root.

I created a brand new TempAdmin account, an Administrator account, to check for newly created accounts to see if also restricted to C:\.  Yes, also restricted.

So my not-so-good solution remains:  Under Control Panel , Users, change UAC (user account control) to the Minimum everything works AOK.  

Two print screens:  

1) The working FULL list of  Windows Explorer, right click, menu Item "New" shows everything I would normally expect to see.

2)  And only when I have UAC at the minimum setting as shown.

Windows Explorer "New" shows everything as expected
UAC at the minimum setting
LVL 79

Expert Comment

ID: 39754038
If you need to install an application and run as administrator the setup. Do you get a deny error?

Do you have any Enterprise class anti-virus.

If you navigate to any location, right click in the folder and select new file, is the file created or do you get an error?

cacls c:\
xcacls c:
what is being returned?
LVL 55

Expert Comment

ID: 39756121
Why no feedback on my comment? You would not need to turn off UAC if you indeed use the built-in administrator and the policy is reset to defaults.

Author Comment

ID: 39759182
Wow, McKnife, sorry for the delay?    We all do multiple things in our lives.  Thanks for your patience.

Assisted Solution

JReam earned 0 total points
ID: 39759246
OP.   Final post.    I guess I was mistaken from the start.  

I've thoroughly re-tested Administrator Account vs User in Administrators group.  

For the User in Administrators group it does appear that the User UAC settings do control and limit the access rights to the system & Program Files folders.    To me this seems illogical since if the User is in the Administrators group he really should have Administrators Access regardless of UAC.  

So the UAC levels determine the access for the User in Administrators group.   But the UAC level screen doesn't offer any hint or imply this big step up or denial of access from the bottom setting to the next one up.  

Adding to my confusion, Windows Explorer does NOT honor "Run As Administrator", while Notepad does.  So Explorer's menu item 'New' is basically empty.

Bottom line:   The User, despite the fact that he's in Admin group, can't go into Program File application sub folders via Windows Explorer Right Click and create an innocent Notes.Txt file.....  big boo.
LVL 55

Expert Comment

ID: 39759287
That's how UAC works, and I would call it everything else but "big boo". Treat admins as users until they actively elevate. Exception: Accounts "System" and "Administrator" - those run elevated by default.

As Explorer is the whole shell and not only file explorer (or a single process like notepad), logically it should not be made possible to run it elevated.
The only nasty thing we see here is that some applications are UAC aware (explorer), while others are not (notepad for example). Notepad does not trigger elevation.

Author Closing Comment

ID: 39773113
My final original poster comment summerizes the solution.

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You need to know the location of the Office templates folder, so that when you create new templates, they are saved to that location, and thus are available for selection when creating new documents.  The steps to find the Templates folder path are …
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Learn how to make your own table of contents in Microsoft Word using paragraph styles and the automatic table of contents tool. We'll be using the paragraph styles in Word’s Home toolbar to help you create a table of contents. Type out your initial …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question