Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Administrator account lost write permission in C:\Program Files ?   Windows 7

Posted on 2014-01-02
13
Medium Priority
?
9,664 Views
Last Modified: 2014-01-11
I noticed that on my Windows 7 64 PC I've lost write/modify permissions, but only under C:\Program Files and C:\Program Files (x86).

I know this because suddenly
1) I can't "Save" any documents under those folders or any sub folders.  I can create "New Folders", just can do much in else.  It's not simply UAC warnings, it's access denied where any "Save" reverts to a "Save As" and not in those folders.    And
2)  I also noticed that in Windows Explorer, right click in one of those folders, menu Item "New" only shows one item "New folder" with an interesting little shield icon...   In all other folders I get a full list of "New" items I usually see such as New Word Document, etc.
My Windows 7 User ID is the same I've always used, and is "Administrator".  The PC is clean, up-to-date with WUS, and virus-free.

Solution I found, which I think is unacceptable:   Under Control Panel , Users, if I change UAC (user account control) to the Minimum everything works AOK.    Any setting higher then the bottom setting then I'm back to losing the access to C:\Program Files and C:\Program Files (x86).

Since I haven't changed anything that I'm aware of on my PC I suspect either  a) a recent Windows Update or b) something impacted the access rights of these folders where my windows user ID got demoted somehow.

500 points.    I can reply with more info or print screens if that would be helpful.
0
Comment
Question by:JReam
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +3
13 Comments
 
LVL 15

Accepted Solution

by:
jerseysam earned 800 total points
ID: 39751240
It seems the program files folders permissions are tied into the UAC settings.

The 2 "Program Files" folders have super-duper protections on them. Unfortunately in Windows8 I don't think there is a way to remove it because it is tied in to UAC and you can't turn off UAC any more.

The workaround is that while you cannot directly save to the "Program Files" folders (for example, from notepad) you can copy files into it. So to change a ini file or something like that you have to:

    load the file
    edit it
    save it to desktop or "My Documents"
    move it from its location to the Program Files area
    Answer the UAC prompt that yes, you really do know what you are doing and yes, you really do actually want to do it

This is why I created a "c:\MyPrograms" folder and install everything into it


Taken from post:

http://social.technet.microsoft.com/Forums/windows/en-US/7b3ada32-181d-4c55-9259-ee44f5f83b82/cant-write-to-program-files-folder?forum=w8itprogeneral
0
 
LVL 19

Expert Comment

by:Raheman M. Abdul
ID: 39751245
Try to run the dos command:

TAKEOWN /F "c:\program files" /R /A
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 600 total points
ID: 39751372
From which application are you trying to save files into those locations?
UAC likely prevents the application from running as Administrator (lowers/lowered privileges)

if you navigate to the location, and use notepad/wordpad or simply right-click in the folder and select create a new file, does it give you the same error?
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 
LVL 44

Assisted Solution

by:Darr247
Darr247 earned 400 total points
ID: 39751551
The default owner in the Program Files, Program Files (x86) and Windows trees is the special user "TrustedInstaller."

Typically you're not supposed to be saving files to those locations with programs that don't understand User Account Control access restrictions. e.g. Notepad.
Try starting the program you're using by right-clicking its shortcut and choosing Run as administrator and I bet you'll be able to save the files where you want. But if it's Notepad you're using, forget it... Notepad is not ownership aware (I'm not sure why microsoft still includes it if they're not going to fix it). You'll have to take ownership of the folders to make Notepad work there.

You should not be running the Administrator account as an everyday user, by the way. Microsoft disables it by default for good reason... using it is like running as root all the time in linux distros.
0
 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 200 total points
ID: 39751566
Hi.

You say you are using the built-in Administrator account. By default, for this account, the UAC is off, while being on for other accounts. Please note I wrote "by default". So the defaults have been changed. Please verify this: http://technet.microsoft.com/en-us/library/dd834795.aspx
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39751580
@Darr247
"Notepad is not ownership aware" - what are you talking about, starting notepad elevated will lead to successful saving just as with any other program.
0
 
LVL 1

Author Comment

by:JReam
ID: 39753848
I'm still researching and trying things.    I really think something changed, probably via WUS, for UAC and Windows accounts and access to many folders, including C:\ root.

I created a brand new TempAdmin account, an Administrator account, to check for newly created accounts to see if also restricted to C:\.  Yes, also restricted.

So my not-so-good solution remains:  Under Control Panel , Users, change UAC (user account control) to the Minimum everything works AOK.  

Two print screens:  

1) The working FULL list of  Windows Explorer, right click, menu Item "New" shows everything I would normally expect to see.

2)  And only when I have UAC at the minimum setting as shown.

Windows Explorer "New" shows everything as expected
UAC at the minimum setting
0
 
LVL 79

Expert Comment

by:arnold
ID: 39754038
If you need to install an application and run as administrator the setup. Do you get a deny error?

Do you have any Enterprise class anti-virus.

If you navigate to any location, right click in the folder and select new file, is the file created or do you get an error?

cacls c:\
xcacls c:
what is being returned?
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39756121
Why no feedback on my comment? You would not need to turn off UAC if you indeed use the built-in administrator and the policy is reset to defaults.
0
 
LVL 1

Author Comment

by:JReam
ID: 39759182
Wow, McKnife, sorry for the delay?    We all do multiple things in our lives.  Thanks for your patience.
0
 
LVL 1

Assisted Solution

by:JReam
JReam earned 0 total points
ID: 39759246
OP.   Final post.    I guess I was mistaken from the start.  

I've thoroughly re-tested Administrator Account vs User in Administrators group.  

For the User in Administrators group it does appear that the User UAC settings do control and limit the access rights to the system & Program Files folders.    To me this seems illogical since if the User is in the Administrators group he really should have Administrators Access regardless of UAC.  

So the UAC levels determine the access for the User in Administrators group.   But the UAC level screen doesn't offer any hint or imply this big step up or denial of access from the bottom setting to the next one up.  

Adding to my confusion, Windows Explorer does NOT honor "Run As Administrator", while Notepad does.  So Explorer's menu item 'New' is basically empty.

Bottom line:   The User, despite the fact that he's in Admin group, can't go into Program File application sub folders via Windows Explorer Right Click and create an innocent Notes.Txt file.....  big boo.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39759287
That's how UAC works, and I would call it everything else but "big boo". Treat admins as users until they actively elevate. Exception: Accounts "System" and "Administrator" - those run elevated by default.

As Explorer is the whole shell and not only file explorer (or a single process like notepad), logically it should not be made possible to run it elevated.
The only nasty thing we see here is that some applications are UAC aware (explorer), while others are not (notepad for example). Notepad does not trigger elevation.
0
 
LVL 1

Author Closing Comment

by:JReam
ID: 39773113
My final original poster comment summerizes the solution.
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

My attempt to use PowerShell and other great resources found online to simplify the deployment of Office 365 ProPlus client components to any workstation that needs it, regardless of existing Office components that may be needing attention.
We live in a world of interfaces like the one in the title picture. VBA also allows to use interfaces which offers a lot of possibilities. This article describes how to use interfaces in VBA and how to work around their bugs.
Learn how to make your own table of contents in Microsoft Word using paragraph styles and the automatic table of contents tool. We'll be using the paragraph styles in Word’s Home toolbar to help you create a table of contents. Type out your initial …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question