Helpforsure

Microsoft Windows Experts

QuickTip: File on a Windows 2008 or Vista system is owned by trusted installer and can’t be replaced or modified October 7, 2011

Filed under: Misc — helpforsure @ 12:06 am
Tags: , , , , , ,

In Windows 2008 Server or Windows Vista, Various Files are by default owned by the ‘Trusted Installer’ account. The administrator may have read only access to these files.At various times, you may be instructed by Microsoft Support to replace versions of these protected files.
In addition, various configuration files are owned by the Trusted installer and you may need to make modification to these files to enable tracing or make other configuration changes. If you manually take ownership of the files, you will not be able to restore the default configuration since the GUI doesn’t display the account ‘trusted installer’ in the owner dialog. It is highly recommended that after making the needed changes, you restore the ACLs to their previous default configuration. The proper procedure for this is to first backup the ACLs using icacls and then later restore the ACLs back on the file(s) once the operation is complete.
These ACL’s can be backed up by typing the following command at the command prompt (use an elevated command prompt if UAC is enabled by right clicking a cmd.exe shortcut and choosing ‘run as administrator’)

icacls %windir%\system32\CustomApp.exe /save C:\BackedUpACLs.txt

After this you should take ownership of the file and modify the permissions. This will allow you to replace the file (after making a copy of it first) or make the needed modifications.

When you are finished making your changes and are ready to return the permissions to the default, you can use the following command to restore the ACLs that you previously backed up. This will allow Trusted Installer to become the owner of the file again.

icacls c:\windows\system32\ /restore c:\BackedUpACLs.txt

This file is text based and can be viewed with the following command:
notepad c:\MyBackedUpACLs.txt

Note: You may use wildcards, but keep in mind that it’ll fail if you haven’t taken ownership of all of the files that match your wildcard mask and changed the permissions to grant yourself control. In other words, if you back all of the executables in System32 with the following command:

icacls %windir%\system32\*.exe /save c:\BackedUpACLs.txt

Then, you would have to take ownership of ALL of the .exe files which ‘trusted installer’ owned and change thier permissions to grant your logged in account rights to the file. This is because the restore operation will attempt to restore ALL of the .exe’s that matched your wildcard mask. If it finds a file that it cannot access, the entire opreation will stop and the files that normally would have worked will never be reached.

Advertisements
 

Howto: Backup Application/System Event logs via WMI Queries January 25, 2011

Filed under: Scripts — helpforsure @ 5:38 am
Tags: , , , , , , , , ,

The following Visual Basic scripts(WMI) will allow you to take a backup of your Event Viewer .evtx log files by running WMI Queries:

=================================

Backup Application Event Log

=================================

strComputer = “.”
Set objWMIService = GetObject(“winmgmts:\\” & strComputer & “\root\CIMV2”)
‘ Obtain an instance of the the class
‘ using a key property value.
Set objShare = objWMIService.Get(“Win32_NTEventlogFile.Name=’C:\Windows\System32\Winevt\Logs\Application.evtx'”) (more…)