1
votes

I've got a specific folder (C:\Windows\winsxs\amd64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.1.7601.17514_none_a926cbb502a97a6e) that I need to be able to change the permissions of via a PowerShell script.

I need to be able to give System the ability to create files in this folder.

When I checked with the Get-Acl command, it shows that NT Authority\System is the owner of the folder already? What would be the best command to run via Set-Acl to give that system account the ability to create files?

Thanks in advance.

(I've tried this code so far... But I'm getting an access denied)

$folder = "C:\Windows\winsxs\amd64_microsoft-windows-wpd-portabledeviceapi_31bf3856ad364e35_6.1.7601.17514_none_a926cbb502a97a6e"
$myUser = "NT AUTHORITY\SYSTEM"
$acl = Get-Acl $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$myUser", "ReadData", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$myUser", "CreateFiles", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule("$myUser", "AppendData", "ContainerInherit, ObjectInherit", "None", "Allow")
$acl.AddAccessRule($rule)
Set-Acl $folder $acl

Set-Acl : Attempted to perform an unauthorized operation.
At line:10 char:1
+ Set-Acl $folder $acl
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : PermissionDenied: (C:\Windows\wins...926cbb502a97a6e:String) [Set-Acl], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.PowerShell.Commands.SetAclCommand
1
Are you running this from an elevated prompt? - Matt
I am running it from an elevated prompt. If I just wanted to allow access to the specific folder inside of Winsxs to allow System to create files (no deletion etc.), what would I need to script? Would I be best just using takeown on the folder and then running my script above? - MatCornish

1 Answer

3
votes

C:\Windows\winsxs is the Windows component store. Be very, very careful when tampering with anything in there.

The reason why you're getting "access denied" is most likely because the component store is owned by the NT Authority\TrustedInstaller security principal. Administrators and even SYSTEM have only read/execute access there. If you want to be able to modify permissions on one of the subfolders you need to take ownership of the winsxs folder first and grant administrators full access.

Take particular care to return ownership back to NT Authority\TrustedInstaller (and restore permissions that may have been removed when taking ownership) after you have finished whatever changes you made.

Something like this should work (not tested, though, so handle with due care):

$fldr = 'C:\Windows\winsxs'

# get backup copy of folder ACL
$aclBackup = Get-Acl $fldr

try {
  # take ownership 
  $acl = Get-Acl $fldr
  $admins = New-Object Security.Principal.NTAccount('Builtin', 'Administrators')
  $acl.SetOwner($admins)
  Set-Acl -AclObject $acl -Path $fldr

  # not certain if taking ownership and adding permissions in one step works,
  # thus using two steps
  $acl = Get-Acl $fldr
  $ace = New-Object Security.AccessControl.FileSystemAccessRule('Builtin\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')
  $acl.AddAccessRule($ace)
  Set-Acl -AclObject $acl -Path $fldr

  # change permissions of subfolder
  $sf = "$fldr\amd64_microsoft-windows-..."
  $acl = Get-Acl $sf
  # propagation 'None' (not 'InheritOnly') so the ACE also applies to the subfolder itself
  $ace = New-Object Security.AccessControl.FileSystemAccessRule('NT Authority\SYSTEM', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
  $acl.AddAccessRule($ace)
  Set-Acl -AclObject $acl -Path $sf

  # ...
  # more stuff
  # ...
} finally {
  # always restore original ACL on winsxs folder (error or not)
  Set-Acl -AclObject $aclBackup -Path $fldr
}
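
The answer stresses returning ownership and permissions to their original state. The following is an added example, not part of the answer, showing one way to verify that a restore actually took effect by comparing owner and DACL before and after. The function names Get-AclSnapshot and Test-AclRestored are hypothetical, and it runs against a constructed temp folder rather than the component store.

```powershell
# Added example: snapshot owner + DACL, make a narrow change, restore, then verify.
# Get-AclSnapshot / Test-AclRestored are hypothetical helper names.

function Get-AclSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    [pscustomobject]@{
        Path  = $Path
        Owner = $acl.Owner
        # DACL only, in SDDL form, so it can be compared as a plain string
        Dacl  = $acl.GetSecurityDescriptorSddlForm('Access')
    }
}

function Test-AclRestored {
    param([Parameter(Mandatory)]$Snapshot)
    $now = Get-AclSnapshot -Path $Snapshot.Path
    [pscustomobject]@{
        OwnerRestored = ($now.Owner -eq $Snapshot.Owner)
        DaclRestored  = ($now.Dacl  -eq $Snapshot.Dacl)
        CurrentOwner  = $now.Owner
    }
}

# Constructed test folder so the check can be rehearsed safely
$demo = Join-Path $env:TEMP "acl-demo-$(Get-Random)"
New-Item -ItemType Directory -Path $demo | Out-Null

$before = Get-AclSnapshot -Path $demo      # comparison baseline
$backup = Get-Acl -LiteralPath $demo       # object used for the restore

try {
    $acl  = Get-Acl -LiteralPath $demo
    # Only the right that was asked for; propagation 'None' applies it to the folder itself
    $rule = New-Object Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'CreateFiles', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $demo -AclObject $acl

    # State while the change is in place
    Test-AclRestored -Snapshot $before | Format-List
} finally {
    Set-Acl -LiteralPath $demo -AclObject $backup
}

# State after the restore; a False here means the folder was left modified
Test-AclRestored -Snapshot $before | Format-List
Remove-Item -LiteralPath $demo
```

Running the same two functions around a real change gives a record of whether ownership and the DACL ended up back where they started, instead of assuming the finally block succeeded.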