We help IT Professionals succeed at work.

SYSTEM security group keeps getting removed from %tmp% folder

A Windows 10 64-bit domain joined computer has an issue where the SYSTEM security group keeps getting removed from the %tmp% folder. This temp folder is located within the default location of C:\Users\username\AppData\Local\Temp.

This creates issues such as programs not being able to upgrade and the user not being able to print.

This computer currently has all latest Windows 10 updates installed and according to Malwarebytes it is completely clean and doesn't have any malware or harmful software installed. the SFC and DISM commands have also been run and the event viewer logs don't display any serious issues or warnings.

While this issue can be fixed by adding the SYSTEM security group back within the  Security tab (with the full control permissions) it is a hassle to keep doing this.

What can be done to prevent this issue from occurring?
Watch Question

This sound slike the domain has a registry change each time you sign into the network.

Does this happen when you log in locally
IT GuyNetwork Engineer


Yes this has been happening intermittently for all logon accounts on this computer both local and domain accounts.

What can be done to prevent this from happening?
Senior Systems Admin
Top Expert 2010
Make sure Inheritance is enabled on the folder above the temp folder (AppData or Local). More than likely Inheritance was disabled on the folder's security settings. Go into the Advanced security window and check it out there. If Inheritance isn't enabled, the manual permission settings could get reset as part of a system or application process on reboot.
Distinguished Expert 2019

Why do you want/need system to have access to user tmp space?
Anti-virus tools run a component under user credentials and have access to all user's space.

Local/temp is an equivalent to the %userprofiel%\local settings in a roaming profike setup this gets discarded when the roaming profile is copied out to the server on logoff and recreated on logon.