Solved

Administrator account lost write permission in C:\Program Files ?   Windows 7

Posted on 2014-01-02
13
9,037 Views
Last Modified: 2014-01-11
I noticed that on my Windows 7 64 PC I've lost write/modify permissions, but only under C:\Program Files and C:\Program Files (x86).

I know this because suddenly
1) I can't "Save" any documents under those folders or any sub folders.  I can create "New Folders", just can do much in else.  It's not simply UAC warnings, it's access denied where any "Save" reverts to a "Save As" and not in those folders.    And
2)  I also noticed that in Windows Explorer, right click in one of those folders, menu Item "New" only shows one item "New folder" with an interesting little shield icon...   In all other folders I get a full list of "New" items I usually see such as New Word Document, etc.
My Windows 7 User ID is the same I've always used, and is "Administrator".  The PC is clean, up-to-date with WUS, and virus-free.

Solution I found, which I think is unacceptable:   Under Control Panel , Users, if I change UAC (user account control) to the Minimum everything works AOK.    Any setting higher then the bottom setting then I'm back to losing the access to C:\Program Files and C:\Program Files (x86).

Since I haven't changed anything that I'm aware of on my PC I suspect either  a) a recent Windows Update or b) something impacted the access rights of these folders where my windows user ID got demoted somehow.

500 points.    I can reply with more info or print screens if that would be helpful.
0
Comment
Question by:JReam
  • 4
  • 4
  • 2
  • +3
13 Comments
 
LVL 15

Accepted Solution

by:
jerseysam earned 200 total points
ID: 39751240
It seems the program files folders permissions are tied into the UAC settings.

The 2 "Program Files" folders have super-duper protections on them. Unfortunately in Windows8 I don't think there is a way to remove it because it is tied in to UAC and you can't turn off UAC any more.

The workaround is that while you cannot directly save to the "Program Files" folders (for example, from notepad) you can copy files into it. So to change a ini file or something like that you have to:

    load the file
    edit it
    save it to desktop or "My Documents"
    move it from its location to the Program Files area
    Answer the UAC prompt that yes, you really do know what you are doing and yes, you really do actually want to do it

This is why I created a "c:\MyPrograms" folder and install everything into it


Taken from post:

http://social.technet.microsoft.com/Forums/windows/en-US/7b3ada32-181d-4c55-9259-ee44f5f83b82/cant-write-to-program-files-folder?forum=w8itprogeneral
0
 
LVL 19

Expert Comment

by:Raheman M. Abdul
ID: 39751245
Try to run the dos command:

TAKEOWN /F "c:\program files" /R /A
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 150 total points
ID: 39751372
From which application are you trying to save files into those locations?
UAC likely prevents the application from running as Administrator (lowers/lowered privileges)

if you navigate to the location, and use notepad/wordpad or simply right-click in the folder and select create a new file, does it give you the same error?
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 100 total points
ID: 39751551
The default owner in the Program Files, Program Files (x86) and Windows trees is the special user "TrustedInstaller."

Typically you're not supposed to be saving files to those locations with programs that don't understand User Account Control access restrictions. e.g. Notepad.
Try starting the program you're using by right-clicking its shortcut and choosing Run as administrator and I bet you'll be able to save the files where you want. But if it's Notepad you're using, forget it... Notepad is not ownership aware (I'm not sure why microsoft still includes it if they're not going to fix it). You'll have to take ownership of the folders to make Notepad work there.

You should not be running the Administrator account as an everyday user, by the way. Microsoft disables it by default for good reason... using it is like running as root all the time in linux distros.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 50 total points
ID: 39751566
Hi.

You say you are using the built-in Administrator account. By default, for this account, the UAC is off, while being on for other accounts. Please note I wrote "by default". So the defaults have been changed. Please verify this: http://technet.microsoft.com/en-us/library/dd834795.aspx
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39751580
@Darr247
"Notepad is not ownership aware" - what are you talking about, starting notepad elevated will lead to successful saving just as with any other program.
0
 
LVL 1

Author Comment

by:JReam
ID: 39753848
I'm still researching and trying things.    I really think something changed, probably via WUS, for UAC and Windows accounts and access to many folders, including C:\ root.

I created a brand new TempAdmin account, an Administrator account, to check for newly created accounts to see if also restricted to C:\.  Yes, also restricted.

So my not-so-good solution remains:  Under Control Panel , Users, change UAC (user account control) to the Minimum everything works AOK.  

Two print screens:  

1) The working FULL list of  Windows Explorer, right click, menu Item "New" shows everything I would normally expect to see.

2)  And only when I have UAC at the minimum setting as shown.

Windows Explorer "New" shows everything as expected
UAC at the minimum setting
0
 
LVL 77

Expert Comment

by:arnold
ID: 39754038
If you need to install an application and run as administrator the setup. Do you get a deny error?

Do you have any Enterprise class anti-virus.

If you navigate to any location, right click in the folder and select new file, is the file created or do you get an error?

cacls c:\
xcacls c:
what is being returned?
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39756121
Why no feedback on my comment? You would not need to turn off UAC if you indeed use the built-in administrator and the policy is reset to defaults.
0
 
LVL 1

Author Comment

by:JReam
ID: 39759182
Wow, McKnife, sorry for the delay?    We all do multiple things in our lives.  Thanks for your patience.
0
 
LVL 1

Assisted Solution

by:JReam
JReam earned 0 total points
ID: 39759246
OP.   Final post.    I guess I was mistaken from the start.  

I've thoroughly re-tested Administrator Account vs User in Administrators group.  

For the User in Administrators group it does appear that the User UAC settings do control and limit the access rights to the system & Program Files folders.    To me this seems illogical since if the User is in the Administrators group he really should have Administrators Access regardless of UAC.  

So the UAC levels determine the access for the User in Administrators group.   But the UAC level screen doesn't offer any hint or imply this big step up or denial of access from the bottom setting to the next one up.  

Adding to my confusion, Windows Explorer does NOT honor "Run As Administrator", while Notepad does.  So Explorer's menu item 'New' is basically empty.

Bottom line:   The User, despite the fact that he's in Admin group, can't go into Program File application sub folders via Windows Explorer Right Click and create an innocent Notes.Txt file.....  big boo.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39759287
That's how UAC works, and I would call it everything else but "big boo". Treat admins as users until they actively elevate. Exception: Accounts "System" and "Administrator" - those run elevated by default.

As Explorer is the whole shell and not only file explorer (or a single process like notepad), logically it should not be made possible to run it elevated.
The only nasty thing we see here is that some applications are UAC aware (explorer), while others are not (notepad for example). Notepad does not trigger elevation.
0
 
LVL 1

Author Closing Comment

by:JReam
ID: 39773113
My final original poster comment summerizes the solution.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office Picture Manager is not included in Office 2013. This comes as a shock to users upgrading from earlier versions of Office, such as 2007 and 2010, where Picture Manager was included as a standard application. This article explains how…
Citrix XenApp, Internet Explorer 11 set to Enterprise Mode and using central hosted sites.xml file.
The viewer will learn how to use the =DISCRINV command to create a discrete random variable, use this command to model a set of probabilities and outcomes in a Monte Carlo simulation, and learn how to find the standard deviation of a set of probabil…
The viewer will learn how to create two correlated normally distributed random variables in Excel, use a normal distribution to simulate the return on different levels of investment in each of the two funds over a period of ten years, and, create a …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question