Friday, September 21, 2007

Windows Vista TrustedInstaller account.

In Windows Vista, the "TrustedInstaller" account is more trusted than all administrator accounts, so administrators can only _read_ files owned by the TrustedInstaller account. You cannot delete or change permissions of these files.

The problem is that system files in Vista are owned by this account, hence they cannot be touched. I recently had some problems installing the latest and greatest VPN client for Vista from Cisco, and I had to roll back to a previous restore point. So I couldn't delete the leftover files (or mess with permissions, not even in safe mode). I tried everything from procmon and file monitors, and nothing worked until I found some command line tools that allowed me to take over permissions for these files.

The commands that allow you to delete these files are "takeown", which recovers access to a file that was denied by re-assigning file ownership, and "cacls" (deprecated in favor of "icacls"), which modifies file ACLs (access control lists).

An example of how these work (just run them from PowerShell or cmd):

takeown /f "C:\Program Files\Cisco"
cacls "C:\Program Files\Cisco" /G cmihai:F

If that doesn't work:

cd "C:\Program Files\Cisco"
takeown /f *
cacls * /G Administrator:F

Now you should be able to delete those files. If you still have issues, take it one file at a time, or try to reboot to safe mode.
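The same procedure using "icacls", which the post names as the replacement for "cacls", with the ACLs saved first so the change can be reverted. This is an added example, not code from the original post; the target path default, the backup file name and the Invoke-Native helper are assumptions.

```powershell
# Added example, not from the original post. $Target and $AclBackup are assumed values.
param(
    [string]$Target    = 'C:\Program Files\Cisco',
    [string]$AclBackup = (Join-Path $env:TEMP 'acl-backup.txt')
)

# Hypothetical helper: run a native tool and stop on a non-zero exit code.
function Invoke-Native {
    param([string]$Exe, [string[]]$Arguments)
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

# takeown and icacls need an elevated session to change ownership here.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated prompt.' }
if (-not (Test-Path -LiteralPath $Target)) { throw "Not found: $Target" }

# 1. Record the current owner and save the DACL of every item under the folder.
Write-Host "Owner before: $((Get-Acl -LiteralPath $Target).Owner)"
Invoke-Native icacls @($Target, '/save', $AclBackup, '/t')

# 2. Take ownership recursively. /d y answers the prompt shown for
#    subfolders the current user is not allowed to list.
Invoke-Native takeown @('/f', $Target, '/r', '/d', 'y')

# 3. Grant the current user full control, inherited by files (OI) and
#    subfolders (CI). Unlike "cacls /G" without /E, /grant adds an entry
#    to the existing ACL instead of replacing the whole ACL.
Invoke-Native icacls @($Target, '/grant', "$($identity.Name):(OI)(CI)F", '/t')

Write-Host "Owner after:  $((Get-Acl -LiteralPath $Target).Owner)"

# To revert instead of deleting:
#   - DACLs: icacls <parent folder of $Target> /restore $AclBackup
#   - Owner: icacls $Target /setowner "<owner printed in step 1>" /t
#     (for system files that is "NT SERVICE\TrustedInstaller")
```

The saved file holds DACLs only, so the owner has to be set back separately with /setowner.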