I want to change permissions on a protected file.
Using WMIC.EXE as an example, I want to change Administrators to F from R.
CACLS c:\windows\system32\wbem\wmic.exe
Returns:
NT SERVICE\TrustedInstaller:F
BUILTIN\Administrators:R
NT AUTHORITY\SYSTEM:R
BUILTIN\Users:R
CACLS c:\windows\system32\wbem\wmic.exe /P BUILTIN\Administrators:F
Returns: Access Denied
This also fails in a batch file called by a RunOnce registry key.
TL;DR -
Details -
The hurdles here may not be obvious. The first is the lack of permissions granted to the "administrators" group. On this file, "administrators" only has read and execute permissions. So that needs to change. But....how to change when you don't have rights to change?
In Windows, an administrator may always take ownership of a securable object - like a file or directory. Also, an object owner may always modify the object's security descriptor - even when the security descriptor shows they have no access. These principals are key here.
So, we're an admin, so we can take ownership of the file, then change the permissions to give ourselves (or anyone else) access. The
cacls.exe
can't help us with the first part, so instead we'll turn totakeown.exe
. The/f
arg targets a file, and/a
targets the "administrators" group rather than the single individual running the command.Now as owner, we are free to add/modify an ACE to the DACL in the security descriptor (aka grant permissions). We can use either
cacls.exe
oricacls.exe
, but I always recommend the latter, since the former is decpreciated. But I'll leave that to you.Later, after you do whatever you need to... If you want to replace the original permissions, we have to return ownership to "TrustedInstaller", and change "full control" back to "read+execute" for the administrators group.
icacls.exe
can do both jobs: