WIndows Server 2012 & IIS 8.5 System32 and SysWow64 Folder Ownership Problem

Out of the box Windows Server 2012 creates system folders System32 & SysWow64 and makes them owned by TrustedInstaller.

So you want to run the server as a Webserver and register your application DLLs on the server.  In order to do this you need to create a website with an Application Pool that has an identity. So you can use inbuilt user ISUR or create a new user and make it part of the user group IIS_IUSRS group.

So you have a problem as you need to give ISUR or the IIS_IUSRS group Read and Read & Execute permissions on the System32 & SysWow64 but the machine Administrator is unable to do this.

First you must take ownership of these folders and replace the TrustedInstaller with the real machine Administrator. You can then grant access to the ISUR etc.

I am presuming that this is the only way you can setup a webserver or am I missing something? There is a lot of advice suggesting that taking ownership of System32 is not a good idea.  But I cannot see any other way of doing it?
LVL 17
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dan McFaddenSystems EngineerCommented:
Not sure I understand exactly what are getting at... but, never have I had to play with modifying any part of the core OS directory structure, when deploying an IIS server.  And I have been working with IIS since version 3.

So, what do you mean when you need to register your apps DLLs?

Typically your DLLs exist in 1 or 2 places:

1. the Global assembly Cache.  aka: the GAC
--- link:
2. web app local bin directory... i.e.:  c:\inetpub\wwwroot\YourWebAppRoot\bin

reference link for when and where to store DLLs:

To deploy a .NET based web application (my preferred method):
1. create a root directory on the web server (i.e.:  c:\webroot\
2. copy the contents of you project (site) to the location in step #1
3. in IIS Manager, create a new Application Pool (i.e:
3a. select the appropriate .NET Framework
4. in IIS Manager, create a new web site
5. point the content root to the directory created in step #1
6. point the web site to the AppPool created in step #3
7. make sure both the AppPool and the website are started
8. if it makes you comfortable, recycle the AppPool

These are the minimal actions you need to take to deploy a website to an IIS Server.  The steps above will start up a web app on 80/tcp on all available IP addresses on the server.  (the site binding is defaulted to *).  Unless the Windows Firewall is blocking access to port 80/tcp, you should be able to see the site with the following URLs:

- http://<YourServerIpAddress>/
- http://servername.yourdomain.ext/

That's it on setting up a basic .NET web site in IIS on Windows Server.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
David Johnson, CD, MVPOwnerCommented:
All users have read/execute permissions on these folders already
inthedarkAuthor Commented:
Thanks for the information Dan. The snag is that some of the dlls are legacy 32bit apps that live in the SysWow64 folder.

It can be made to work by making the Application Poole Identity the machine Administrator but I do not like doing this.

And David thanks for that I see that the Machine\Users group is given read access to these system folder.  So I have added the specific user accounts that I want to grant access to these folders to the Machine\Users group.

Lets see if it works.
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

Dan McFaddenSystems EngineerCommented:
Those 32bit DLLs do not need to be in the SysWoW64 folder.  You need to enable 32bit for the AppPool to run as a 32bit process.

Reference link:

Then the DLL can be moved to the application's bin directory.

I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Dan McFaddenSystems EngineerCommented:
I disagree.

The question was able how to setup a website on IIS.  For whatever reason, various system directories were assumed to be involved.  An explanation was posted on how to properly setup a website on the specific version of the server OS and IIS.

An outlined setup was given along with several reference links to help move the issue along.


inthedarkAuthor Commented:
I did find Dan's comments very useful although not the complete answer. Thanks Dan.

I wanted to use legacy products I was able to get them all working. MS of course said it cannot be done. With a bit of research, I created a script which would take ownership of all of the system folders which then allowed me to deploy the legacy components I wanted to.  I was also able to grant permissions where I needed to and thus I was able to do the same in Windows 10 pro.
I created a script so that I could make it work on any machine anywhere whenever I needed.
takeown /f "C:\Windows\System32" /R /D Y
takeown /f "C:\Windows\SysWow64" /R /D Y
takeown /f "C:\Program Files" /R /D Y
takeown /f "C:\Program Files (x86)" /R /D Y
takeown /f "C:\Windows\System32\drivers\etc" /R /D Y
takeown /f "C:\Windows\Resources" /R /D Y
takeown /f "C:\Windows\System32\inetsrv" /R /D Y

Then I used ICALS to grant relevant permissions to Administrators, Users and the legacy users that I needed like Interactive      etc. Adding multiple users/groups per line made it much faster example:
icacls "C:\Windows\Resources" /grant Administrator:(OI)(CI)F /grant Administrators:(OI)(CI)F /T /C /Q
I was then able to install Office 97, Office 2000 & VB6 – unfortunately need to provide support for these old products. I can now interactively debug 32bit VB6 IIS DLLs on a 64bit machine. Which is where I needed to get to.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.