Starting Point: New Win7 SP1 installation, NOT on a domain. Now I want to lock down a few files to only admins. We'll try to lock down c:\windows\system32\at.exe.
First image is my starting/default permissions. I'm logged in as local admin. I now delete Users so only Admins can run the executable. Once I delete Users, I get the error message of the 2nd image. If I try to Run
as Administrator, I get the same error message. The current ownership of the file is TrustedInstallers - if I take ownership it still gives me the error message. If I look at Effective Permissions for the account, I see that the local admin
account DOES have the correct read/execute rights.
I'm now officially stumped. What am I missing here? Does the same thing happen on your systems?
Thanks in advance for any help you can provide. <Frank>

Need to support users over the internet? click here try our remote control online beta

I was just about to post this, too. I have the exact same problem. Trying to only allow SYSTEM and Administrators to access "cmd.exe". I get the dialog that Frank posted when I try to run it. The problem goes away if I add "Users" or "INTERACTIVE", but
then that means that any user can access cmd.exe, which defeats the purpose. :/

There is an amazing pack of free network admin tools. click here to download it

Hi Frank,


First, I would like to assure that the security option about c:\windows\system32\at.exe is the same as my test machine. It is not suggested to change the default permission.


Meanwhile, please understand that TrustedInstaller.exe is Windows Module Installer service which is part of Windows Resource Protection.


Windows Resource Protection (WRP) is a technology that restricts access to certain core system files, folders, and registry keys that are part of the Windows installation. WRP prevents files with .dll, .exe, .ocx, and .sys file extensions from being modified
or replaced.


Protecting these key resources is important to overall system stability, and, as such, they can only be modified by the Windows Module Installer service (TrustedInstaller.exe). If someone with administrative rights attempts to modify or replace a file that
is protected by WRP, he will be presented with the message "Access Denied".


If you change TrustedInstaller settings, you put your system at risk and your system may not function properly. Its not suggested to remove it.





Regarding the current issue, please try to set the security setting to default to test the issue. In addition, you can also temporarily disable UAC to test the issue.


Hope this helps

Vincent Wang
TechNet Community Support

There is an amazing pack of free network admin tools. click here to download it

Hi Frank,


First, I would like to assure that the security option about c:\windows\system32\at.exe is the same as my test machine. It is not suggested to change the default permission.


Meanwhile, please understand that TrustedInstaller.exe is Windows Module Installer service which is part of Windows Resource Protection.


Windows Resource Protection (WRP) is a technology that restricts access to certain core system files, folders, and registry keys that are part of the Windows installation. WRP prevents files with .dll, .exe, .ocx, and .sys file extensions from being modified
or replaced.


Protecting these key resources is important to overall system stability, and, as such, they can only be modified by the Windows Module Installer service (TrustedInstaller.exe). If someone with administrative rights attempts to modify or replace a file that
is protected by WRP, he will be presented with the message "Access Denied".


If you change TrustedInstaller settings, you put your system at risk and your system may not function properly. Its not suggested to remove it.





Regarding the current issue, please try to set the security setting to default to test the issue. In addition, you can also temporarily disable UAC to test the issue.


Hope this helps

Vincent Wang
TechNet Community Support

There is an amazing pack of free network admin tools. click here to download it

So, by default, an executable (such as Frank's "at.exe" and my "cmd.exe") *has* to be able to be executed by everyone? How would you go about locking something down so only Administrators can access it? The moment I try doing that, I get the same message
as in Frank's 2nd image.

Thanks,
Pedro

Need to support users over the internet? click here try our remote control online beta