Permissions broken in system32

[Bill Grimm]

It is all my fault, but I need some help to fix it. I was trying to track down a problem with my audio driver so took ownership of the system32 directory to remove the audio driver and related files from it to start with a clean slate, but now I can't get the ownership to revert (like a fool, I did not set a restore point). That is, I was able to get the ownership back to TrustedInstaller, but now things are broken.

Basically, I need to reset permissions in the system32 directory (and yes, subdirectories, because I am a complete idiot) to what they should be by default (if such a thing exists). Now, the computer still works, but it has been compromised in various ways. Troubleshooters no longer run (in the details is listed "Context: Elevated"). Also, many things now have User Account Control dialogs (such as Resource Monitor) that didn't used to be there (my user account is an administrator account). Also, there is an even longer pause now than there used to be before such a dialog would appear.

I've tried to run the MGADiag tool that I've seen mentioned on other threads on this forum, but it becomes unresponsive (according to the Task Manager). I am able to run ICACLS, and I have included the output from a set of commands suggested on another thread having to do with mangled permissions:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\NetworkService\AppData
C:\Windows\ServiceProfiles\NetworkService\AppData NT AUTHORITY\SYSTEMI)(OI)(CI
)(F)
BUILTIN\AdministratorsI)(OI)
(CI)(F)
NT AUTHORITY\NETWORK SERVICE
I)(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles\Networkservice
C:\Windows\ServiceProfiles\Networkservice NT AUTHORITY\SYSTEMOI)(CI)(F)
BUILTIN\AdministratorsOI)(CI)(F)
NT AUTHORITY\NETWORK SERVICEOI)(CI)(
F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\ServiceProfiles
C:\Windows\ServiceProfiles NT SERVICE\TrustedInstallerI)(F)
NT SERVICE\TrustedInstallerI)(CI)(IO)(F)
NT AUTHORITY\SYSTEMI)(F)
NT AUTHORITY\SYSTEMI)(OI)(CI)(IO)(F)
BUILTIN\AdministratorsI)(F)
BUILTIN\AdministratorsI)(OI)(CI)(IO)(F)
BUILTIN\UsersI)(RX)
BUILTIN\UsersI)(OI)(CI)(IO)(GR,GE)
CREATOR OWNERI)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows
C:\Windows NT SERVICE\TrustedInstallerF)
NT SERVICE\TrustedInstallerCI)(IO)(F)
NT AUTHORITY\SYSTEMM)
NT AUTHORITY\SYSTEMOI)(CI)(IO)(F)
BUILTIN\AdministratorsM)
BUILTIN\AdministratorsOI)(CI)(IO)(F)
BUILTIN\UsersRX)
BUILTIN\UsersOI)(CI)(IO)(GR,GE)
CREATOR OWNEROI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files

C:\Windows\system32>ICACLS C:\Windows\System32
C:\Windows\System32 CREATOR OWNEROI)(CI)(IO)(F)
NT AUTHORITY\SYSTEMOI)(CI)(IO)(F)
NT AUTHORITY\SYSTEMM)
BUILTIN\AdministratorsOI)(CI)(F)
BUILTIN\UsersOI)(CI)(RX)
NT SERVICE\TrustedInstallerCI)(F)

Successfully processed 1 files; Failed processing 0 files


I need someone to tell me if these are wrong and what I can do to fix them. Also, the audio driver files that I replaced in system32 (which I did when I was the owner of system32 -- and all subdirectories) now show up in the sfc /scannow log as "Access denied" (which I am only able to look at with the builtin administrator account). The most notable thing about the permissions list for those files is the absence of CREATOR OWNER permissions. Part of the problem, I fear, is that I checked (or unchecked) the inheritance box, and that has led to much of the problem I now have. Sorry! Any help would be greatly appreciated (though not deserved by a long shot...sorry again)!

I've seen the trustedinstaller.exe file sometimes doing things in the background when I have a lot of idle time on the computer, and I was wondering if that executable is able to restore the permissions? I don't know, and I haven't looked into it yet since it seems like a long shot. Anyway, that aside, I am looking for some help!

 

[samuria]

Welcome to the forum. Did you just add you as owner or did you change other permission like system. System should be owner if you haven't messed with others you may be able to set I back if you changed others that's a problem

 

[file3456]

At this point I'd try a repair install, but you may want to let others chime in here and see what they say. Repair Install

Was this driver without the .exe and just a bunch of files including the .inf? This is how that's done. Using an INF File to Install a File System Filter Driver - Windows drivers | Microsoft Docs

Sometimes that won't work due to how the driver is made. So you have to try this method: How to Update Drivers (Windows 10, 8, 7, Vista, XP)

 

[Bill Grimm]

I'm trying to avoid a repair install if possible. If that's my only option, then it is probably time to get a new machine.

The original owner of system32 was TrustedInstaller. I changed it to my user (a user with admin privileges), though as I say, I did check the inheritance box when I did so ("change owner on subcontainers and objects"). I then got rid of the main offending file, usbaudio.sys, to see if that would fix the problem. I let the computer do a plug and play to install the driver from Windows Update, and all seemed to be working. I then changed the system32 owner back to TrustedInstaller (checking the inheritance box), but now I have various issues like those listed in my original post.

Edit: I didn't change any specific permissions beyond ownership, except: On the audio driver files

system32\drivers\dmk.sys
system32\drivers\ksthunk.sys
system32\drivers\portcls.sys
system32\drivers\USBAUDIO.sys
system32\SysFxUI.dll
system32\WMALFXGFXDSP.dll

I was specifically listed by user name as having special permissions which included everything in the list. I removed my special permissions to those files by removing my user name from the permissions list. But as I say, those files no longer have the CREATOR OWNER permissions, or administrator permissions now that I look back at them. There are only permissions set for SYSTEM, Users, and TrustedInstaller.

 

[samuria]

Have you tred selecting security on system32 and giving trusted installer ownership?

 

[Bill Grimm]

Samuria, yes, I had done that previously as I mentioned and TrustedInstaller is the current owner of system32 and all subdirectories and files. I don't know if that is how it was before, but that's how it is now.

 

[Bill Grimm]

Maybe I've not been clear about what sort of help I need with this problem. What I need is someone with Windows 7 to tell me what the permissions should be on system32 and a few key subfolders along with what the correct inheritance settings should be so I can try to figure out why resources in that folder are no longer working as expected. If there is a program I can run that would give that person the output they need with regard the current permissions situation I have on system32, I would be happy to do that. But I need some guidance, please.

 

[samuria]

Full list of correct permissions Windows 7 Default File System Permissions Listing • Helge Klein

 

[Bill Grimm]

Ah, very nice -- thank you, Samuria. I think I happened upon that site before, but didn't realize what was there.

As I mentioned in my initial post, one of the things that broke when all this was done was the windows troubleshooters no longer run. They had been operational before (I had used the Playing Audio troubleshooter to try to find out what was wrong with my audio driver), but now all of the troubleshooters return the same error that suggests the troubleshooters can only be run by the system. When I try to run them using psexec, it tells me I need to enter a passkey...any idea where this might be found?

Thanks for the help!

 

[Bill Grimm]

The complete error response in the troubleshooter is:

Package ID: AudioPlaybackDiagnostic
Path: Unknown
Error code: 0x800705B4
Source: Engine
User: MyUserName
Context: Elevated

 

[samuria]

I assume its asking for password on the pc your connecting to PSexec Tutorial - YouTube

 

[Bill Grimm]

No. I'm not attempting to connect to any other computer as shown in the video. I am using psexec on my local machine to attempt to run the troubleshooter under the system account: psexec -s -i msdt.exe -id AudioPlaybackDiagnostic

It runs inasmuch as any of the troubleshooters are running on this machine, producing the error shown in my last post. (I was able to get rid of the passkey request -- I think I must have typed the command incorrectly to generate that since I cannot now replicate that behavior.)

Anyway, I was trying to run the troubleshooter under the system account to see if that might address the "context: elevated" portion of the error. It didn't make any difference. The error is apparently trying to tell me something else. I did get some of the troubleshooters to give me a "context: restricted" code. All of the troubleshooters with a shield return "context: elevated"; those without the shield return "context: restricted".



Any ideas?