Permissions on SUBST.EXE, ATTRIB.EXE, et al getting reset

Discussion in 'Windows Vista Security' started by Keith Hill, Sep 27, 2007.

  1. Keith Hill

    Keith Hill Guest

    For some reason, my Vista Enterprise system has reset permissions on a
    number of EXEs in the windows system32 dir and now I have to elevate to
    execute attrib.exe and subst.exe. This isn't the case on my home Vista
    Ultimate PC. What's even weirder is that when the perms get screwed up the
    properties dialog for that file looks like you are editing a .PIF file. It
    has a whole bunch of extra tabs related to console stuff.

    The following EXEs are affected:

    C:\Windows\System32\at.exe
    C:\Windows\System32\attrib.exe
    C:\Windows\System32\cacls.exe
    C:\Windows\System32\debug.exe
    C:\Windows\System32\DRWATSON.EXE
    C:\Windows\System32\edlin.exe
    C:\Windows\System32\eventcreate.exe
    C:\Windows\System32\ftp.exe
    C:\Windows\System32\net.exe
    C:\Windows\System32\net1.exe
    C:\Windows\System32\netsh.exe
    C:\Windows\System32\reg.exe
    C:\Windows\System32\regedt32.exe
    C:\Windows\System32\regsvr32.exe
    C:\Windows\System32\runas.exe
    C:\Windows\System32\sc.exe
    C:\Windows\System32\subst.exe
    C:\Windows\System32\telnet.exe

    Their ACLs are:

    AccessToString : NT AUTHORITY\INTERACTIVE Allow ReadAndExecute, Synchronize
    NT AUTHORITY\SYSTEM Allow FullControl
    BUILTIN\Administrators Allow FullControl

    And they should be:

    AccessToString : NT AUTHORITY\SYSTEM Allow ReadAndExecute, Synchronize
    BUILTIN\Administrators Allow ReadAndExecute, Synchronize
    BUILTIN\Users Allow ReadAndExecute, Synchronize
    NT SERVICE\TrustedInstaller Allow FullControl

    What's annoying the hell out of me is that:

    1) I can't add TrustedInstallers back to the ACLs list - it says it doesn't
    exist
    2) I add back Users with ReadAndExecute and a few days later that entry has
    been stripped out (again)

    Anybody have any idea what is going on? I suspect either Group Policy or
    System File Protection but I'm not sure how to find out if that is what is
    causing this.
     
    Keith Hill, Sep 27, 2007
    #1

  2. Keith Hill

    Jesper Guest

    Could there be a group policy that is setting these permissions? Do you have
    some third-party security guide installed?

    TrustedInstaller doesn't exist. It is a service, not a user. You would need
    to use icacls to add it to an ACL.
     
    Jesper, Sep 28, 2007
    #2
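
An added example, not part of the original posts: a PowerShell check that compares the ACLs on the binaries listed in post #1 against the "should be" baseline quoted there and reports any drift, so it can be re-run after each policy refresh to see when the entries change. The function name `Get-AclDrift` and the report layout are assumptions made for this example.

```powershell
# Added example (not from the thread). Baseline copied from the "should be" ACL in post #1.
$Expected = @(
    'NT AUTHORITY\SYSTEM|ReadAndExecute, Synchronize',
    'BUILTIN\Administrators|ReadAndExecute, Synchronize',
    'BUILTIN\Users|ReadAndExecute, Synchronize',
    'NT SERVICE\TrustedInstaller|FullControl'
)

# File names copied from the list in post #1.
$Names = 'at','attrib','cacls','debug','DRWATSON','edlin','eventcreate','ftp','net',
         'net1','netsh','reg','regedt32','regsvr32','runas','sc','subst','telnet'
$Files = $Names | ForEach-Object { Join-Path $env:windir "System32\$_.exe" }

function Get-AclDrift {   # hypothetical helper name
    param([string[]]$Path, [string[]]$Baseline)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { continue }   # e.g. debug.exe is absent on x64
        $acl = Get-Acl -Path $p
        # Flatten each Allow ACE to "identity|rights", the same fields AccessToString shows.
        $actual = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { '{0}|{1}' -f $_.IdentityReference, $_.FileSystemRights })
        New-Object PSObject -Property @{
            Path       = $p
            Owner      = $acl.Owner
            Missing    = @($Baseline | Where-Object { $actual -notcontains $_ })
            Unexpected = @($actual   | Where-Object { $Baseline -notcontains $_ })
        }
    }
}

# Report only the files whose ACL differs from the baseline.
Get-AclDrift -Path $Files -Baseline $Expected |
    Where-Object { $_.Missing -or $_.Unexpected } |
    Format-List Path, Owner, Missing, Unexpected

# The service account is addressed by its full "NT SERVICE\" name when using icacls
# from an elevated prompt, for example:
#   icacls C:\Windows\System32\attrib.exe /grant "NT SERVICE\TrustedInstaller:(F)"
```

Running `gpresult` on the affected machine shows which Group Policy objects apply to it, which helps confirm or rule out a policy that rewrites these file permissions.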