Vista : Reset TrustedInstaller Permissions

Are you getting ‘Unable to save permission changes on file_name. Access is denied.’ error messages trying to modify a file or change permissions on a file that has TrustedInstaller as its owner?
You can take ownership on that file… Often, these types of suggestions are followed by a comment like this one: “Once you change the owner of the file, you can’t change it back! This is because the TrustedIstaller group doesn’t exist as a normal group.”
Well, this is simply not correct! I’ll explain in a moment how to restore ownership to TrustedInstaller, but first, a word about the TrustedInstaller itself…
There are a few so called “essential” resources (system files, folders, and registry keys) that are installed as part of Windows Vista. To prevent application and operating system failure, these resources are protected using Windows File Protection (WFP) in such way that applications or users don’t modify these resources. The way this protection is implemented is by setting an ACL on these resources only to allow the TrustedInstaller user to modify them. Not only Administrator (elevated or not) cannot modify them, but neither can the System…
Beware, that setup applications trying to modify a protected system resource will not get an error above -- the OS will detect that it’s an installation program, the request will be accepted and success code returned, but the resource will actually not be modified!
If you have moved the ownership to yourself so you could give yourself permissions to modify the resource, and now want to reset it back to TrustedInstaller as the owner, simply follow these steps:

  • Right mouse button click on the file and choose Properties

  • Click Security tab

  • Click Advanced button

  • Click Owner tab

  • Click Edit button

  • Click Other User or Group and type in NT SERVICETrustedInstaller

  • Press Ok on all dialogs until all property dialogs are closed