Users group can't run attrib.exe or subst.exe

For some reason, my Vista Enterprise system has reset permissions on a
number of EXEs in the windows system32 dir and now I have to elevate to
execute
attrib.exe and subst.exe. The following EXEs are affected:

C:\Windows\System32\at.exe
C:\Windows\System32\attrib.exe
C:\Windows\System32\cacls.exe
C:\Windows\System32\debug.exe
C:\Windows\System32\DRWATSON.EXE
C:\Windows\System32\edlin.exe
C:\Windows\System32\eventcreate.exe
C:\Windows\System32\ftp.exe
C:\Windows\System32\net.exe
C:\Windows\System32\net1.exe
C:\Windows\System32\netsh.exe
C:\Windows\System32\reg.exe
C:\Windows\System32\regedt32.exe
C:\Windows\System32\regsvr32.exe
C:\Windows\System32\runas.exe
C:\Windows\System32\sc.exe
C:\Windows\System32\subst.exe
C:\Windows\System32\telnet.exe

Their ACLs are:

AccessToString : NT AUTHORITY\INTERACTIVE Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow FullControl
BUILTIN\Administrators Allow FullControl

And they should be:

AccessToString : NT AUTHORITY\SYSTEM Allow ReadAndExecute, Synchronize
BUILTIN\Administrators Allow ReadAndExecute, Synchronize
BUILTIN\Users Allow ReadAndExecute, Synchronize
NT SERVICE\TrustedInstaller Allow FullControl

What's annoying the hell out of me is that:

1) I can't add TrustedInstallers back to the ACLs list - it says it doesn't
exist
2) I add back Users with ReadAndExecute and a few days later that entry has
been stripped out (again)

Anybody have any idea what is going on? I suspect either Group Policy or
System File Protection but I'm not sure how to find out if that is what is
causing this.

 

Hello Keith,
|> 1) I can't add TrustedInstallers back to the ACLs list - it says it
doesn't
|> exist
There isn't an easy way if any way to add the TrustedInstaller ACL back to
files

|> 2) I add back Users with ReadAndExecute and a few days later that entry
has
|> been stripped out (again)
|>
|> Anybody have any idea what is going on? I suspect either Group Policy or
|> System File Protection but I'm not sure how to find out if that is what
is
|> causing this.

System file protection would not strip the ACL from the file. It could be
Group Policy, it could be a security template that is being pushed out by
an administrator
You can check the SFC entries by examining this log file:
At the command prompt, type the following command, and then press ENTER:
findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >sfcdetails.txt


Thanks,
Darrell Gorter[MSFT]

This posting is provided "AS IS" with no warranties, and confers no rights
--------------------
|> From: "Keith Hill [MVP]" <_no_spam_I>
|> Subject: Users group can't run attrib.exe or subst.exe
|> Date: Wed, 26 Sep 2007 18:53:51 -0600
|> Lines: 1
|> Message-ID: <>
|> MIME-Version: 1.0
|> Content-Type: text/plain;
|> format=flowed;
|> charset="iso-8859-1";
|> reply-type=original
|> Content-Transfer-Encoding: 7bit
|> X-Priority: 3
|> X-MSMail-Priority: Normal
|> Importance: Normal
|> X-Newsreader: Microsoft Windows Live Mail 12.0.1184
|> X-MimeOLE: Produced By Microsoft MimeOLE V12.0.1184
|> X-MS-CommunityGroup-MessageCategory:
{E4FCE0A9-75B4-4168-BFF9-16C22D8747EC}
|> X-MS-CommunityGroup-PostID: {7CF30A86-854B-4F06-965D-7CF28F87FBFE}
|> Newsgroups:
microsoft.public.windows.vista.administration_accounts_passwords
|> NNTP-Posting-Host: cosiapat1.net.americas.agilent.com 192.25.240.225
|> Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
|> Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.vista.administration_accounts_passwords:5701
|> X-Tomcat-NG:
microsoft.public.windows.vista.administration_accounts_passwords
|>
|> For some reason, my Vista Enterprise system has reset permissions on a
|> number of EXEs in the windows system32 dir and now I have to elevate to
|> execute
|> attrib.exe and subst.exe. The following EXEs are affected:
|>
|> C:\Windows\System32\at.exe
|> C:\Windows\System32\attrib.exe
|> C:\Windows\System32\cacls.exe
|> C:\Windows\System32\debug.exe
|> C:\Windows\System32\DRWATSON.EXE
|> C:\Windows\System32\edlin.exe
|> C:\Windows\System32\eventcreate.exe
|> C:\Windows\System32\ftp.exe
|> C:\Windows\System32\net.exe
|> C:\Windows\System32\net1.exe
|> C:\Windows\System32\netsh.exe
|> C:\Windows\System32\reg.exe
|> C:\Windows\System32\regedt32.exe
|> C:\Windows\System32\regsvr32.exe
|> C:\Windows\System32\runas.exe
|> C:\Windows\System32\sc.exe
|> C:\Windows\System32\subst.exe
|> C:\Windows\System32\telnet.exe
|>
|> Their ACLs are:
|>
|> AccessToString : NT AUTHORITY\INTERACTIVE Allow ReadAndExecute,
Synchronize
|> NT AUTHORITY\SYSTEM Allow FullControl
|> BUILTIN\Administrators Allow FullControl
|>
|> And they should be:
|>
|> AccessToString : NT AUTHORITY\SYSTEM Allow ReadAndExecute, Synchronize
|> BUILTIN\Administrators Allow ReadAndExecute,
Synchronize
|> BUILTIN\Users Allow ReadAndExecute, Synchronize
|> NT SERVICE\TrustedInstaller Allow FullControl
|>
|> What's annoying the hell out of me is that:
|>
|> 1) I can't add TrustedInstallers back to the ACLs list - it says it
doesn't
|> exist
|> 2) I add back Users with ReadAndExecute and a few days later that entry
has
|> been stripped out (again)
|>
|> Anybody have any idea what is going on? I suspect either Group Policy or
|> System File Protection but I'm not sure how to find out if that is what
is
|> causing this.
|>
|> --
|> Keith
|>
|>
|>
|>
|>
|>
|>

 

It finds nothing. Further info is that since posting my original post, the
perms have been reset again but the last modified dates on both the CBS log
files haven't been updated since before I reset the perms.