Users group can't run attrib.exe or subst.exe

Discussion in 'Windows Vista Administration' started by Keith Hill [MVP], Sep 27, 2007.

  1. For some reason, my Vista Enterprise system has reset permissions on a
    number of EXEs in the windows system32 dir and now I have to elevate to
    execute attrib.exe and subst.exe. The following EXEs are affected:

    C:\Windows\System32\at.exe
    C:\Windows\System32\attrib.exe
    C:\Windows\System32\cacls.exe
    C:\Windows\System32\debug.exe
    C:\Windows\System32\DRWATSON.EXE
    C:\Windows\System32\edlin.exe
    C:\Windows\System32\eventcreate.exe
    C:\Windows\System32\ftp.exe
    C:\Windows\System32\net.exe
    C:\Windows\System32\net1.exe
    C:\Windows\System32\netsh.exe
    C:\Windows\System32\reg.exe
    C:\Windows\System32\regedt32.exe
    C:\Windows\System32\regsvr32.exe
    C:\Windows\System32\runas.exe
    C:\Windows\System32\sc.exe
    C:\Windows\System32\subst.exe
    C:\Windows\System32\telnet.exe

    Their ACLs are:

    AccessToString : NT AUTHORITY\INTERACTIVE Allow ReadAndExecute, Synchronize
    NT AUTHORITY\SYSTEM Allow FullControl
    BUILTIN\Administrators Allow FullControl

    And they should be:

    AccessToString : NT AUTHORITY\SYSTEM Allow ReadAndExecute, Synchronize
    BUILTIN\Administrators Allow ReadAndExecute, Synchronize
    BUILTIN\Users Allow ReadAndExecute, Synchronize
    NT SERVICE\TrustedInstaller Allow FullControl

    What's annoying the hell out of me is that:

    1) I can't add TrustedInstallers back to the ACLs list - it says it doesn't
    exist.
    2) I add back Users with ReadAndExecute and a few days later that entry has
    been stripped out (again).

    Anybody have any idea what is going on? I suspect either Group Policy or
    System File Protection but I'm not sure how to find out if that is what is
    causing this.
     
    Keith Hill [MVP], Sep 27, 2007
    #1

  2. Hello Keith,
    |> 1) I can't add TrustedInstallers back to the ACLs list - it says it
    |> doesn't exist
    There isn't an easy way, if any way, to add the TrustedInstaller ACL back to
    files.

    |> 2) I add back Users with ReadAndExecute and a few days later that entry
    |> has been stripped out (again)
    |>
    |> Anybody have any idea what is going on? I suspect either Group Policy or
    |> System File Protection but I'm not sure how to find out if that is what
    |> is causing this.

    System file protection would not strip the ACL from the file. It could be
    Group Policy, it could be a security template that is being pushed out by
    an administrator.
    You can check the SFC entries by examining this log file:
    At the command prompt, type the following command, and then press ENTER:
    findstr /c:"[SR]" %windir%\logs\cbs\cbs.log >sfcdetails.txt


    Thanks,
    Darrell Gorter[MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights
    Darrell Gorter[MSFT], Sep 28, 2007
    #2
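A way to check this on the affected machine, added here as an example and not part of Darrell's or Keith's posts: the script below audits the ACL of each executable Keith listed against the "should be" entries he quoted, flags any file whose owner is not TrustedInstaller, and then pulls the recent [SR] lines from the CBS log that Darrell points at. It assumes an elevated PowerShell prompt on Vista or later; the expected-ACE table is taken from the thread, not from any Microsoft reference.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell prompt.
$exes = @('at.exe','attrib.exe','cacls.exe','debug.exe','DRWATSON.EXE','edlin.exe',
          'eventcreate.exe','ftp.exe','net.exe','net1.exe','netsh.exe','reg.exe',
          'regedt32.exe','regsvr32.exe','runas.exe','sc.exe','subst.exe','telnet.exe')

# Expected Allow ACEs, copied from the "should be" listing in post #1.
$expected = @{
    'NT AUTHORITY\SYSTEM'         = 'ReadAndExecute, Synchronize'
    'BUILTIN\Administrators'      = 'ReadAndExecute, Synchronize'
    'BUILTIN\Users'               = 'ReadAndExecute, Synchronize'
    'NT SERVICE\TrustedInstaller' = 'FullControl'
}

foreach ($name in $exes) {
    $path = Join-Path $env:windir "System32\$name"
    if (-not (Test-Path $path)) { continue }   # e.g. telnet.exe is an optional feature

    $acl = Get-Acl -Path $path
    $actual = @{}
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow') {
            $actual[$ace.IdentityReference.Value] = $ace.FileSystemRights.ToString()
        }
    }

    $problems = @()
    foreach ($id in $expected.Keys) {
        if (-not $actual.ContainsKey($id)) { $problems += "missing $id" }
        elseif ($actual[$id] -ne $expected[$id]) { $problems += "$id has $($actual[$id])" }
    }
    foreach ($id in $actual.Keys) {
        if (-not $expected.ContainsKey($id)) { $problems += "unexpected $id ($($actual[$id]))" }
    }
    # Protected OS files are normally owned by TrustedInstaller; a different owner
    # means something (a template, a tool, an admin) has rewritten the security descriptor.
    if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') { $problems += "owner is $($acl.Owner)" }

    if ($problems.Count -gt 0) { "{0}: {1}" -f $name, ($problems -join '; ') }
    else { "$name: OK" }
}

# Same check as Darrell's findstr line, showing only the most recent [SR] entries.
Select-String -Path "$env:windir\Logs\CBS\CBS.log" -Pattern '\[SR\]' |
    Select-Object -Last 20 | ForEach-Object { $_.Line }
```

If every file reports OK except for the owner, the descriptor was rewritten by something other than servicing, which matches Darrell's suggestion to look at Group Policy or a pushed security template (secedit /analyze against the applied template shows which file entries it enforces).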

  3. It finds nothing. Further info is that since posting my original post, the
    perms have been reset again but the last modified dates on both the CBS log
    files haven't been updated since before I reset the perms.
     
    Keith Hill [MVP], Sep 28, 2007
    #3
