In this article I’ll explain how to get permissions to modify/replace a protected system file. We will use authui.dll as an example. You can do this either via the GUI or via the Command Line. If you have problems with permissions, check the Troubleshooting section or ask your question at the forum. Remember: always make a backup before modifying/replacing system files!
GUI
The first 3 steps give you ownership of the file; the last 2 give you permission to edit or replace it.
Taking Ownership
1. Start Windows Explorer, go to the folder or file you want to get ownership for, right click the file and choose Properties. Now go to the Security tab.
2. In the Security tab click the Advanced button. In the window that opens now go to the Owner tab and click Edit.
3. From the list select the user or group you want to give ownership to, click OK, and click OK again when a notification window appears. Now close all windows by clicking OK.
Setting Permissions
4. Reopen the properties of the file by right clicking the file and choosing Properties. Now go to the Permissions tab again.
5. Click the Edit button and, in the Permissions window, choose the user whose permissions you want to edit. Check the Full control checkbox if you want to give the selected user all permissions and click OK when you are done. Click Yes when a warning appears about setting the permissions of System folders.
6. Now you have permissions to replace/edit/delete the files or folder you just took ownership of.
Command Line
Start the Command Prompt by clicking Run in the Start menu, entering cmd.exe and clicking OK. Browse to the file or folder you want to set permissions for and use the following commands.
Give ownership of a file to current user
- C:\Windows\System32>takeown /F authui.dll
- SUCCESS: The file (or folder): “C:\Windows\System32\authui.dll” now owned by user “WIN2008WS\Administrator”.
Give ownership of a file to Administrators group
- C:\Windows\System32>takeown /A /F authui.dll
- SUCCESS: The file (or folder): “C:\Windows\System32\authui.dll” now owned by the administrators group.
Give ownership of a folder to current user
- C:\Windows\System32>takeown /R /F Boot
- SUCCESS: The file (or folder): “C:\Windows\System32\Boot” now owned by user “WIN2008WS\Administrator”.
- SUCCESS: The file (or folder): “C:\Windows\System32\Boot\en-US” now owned by user “WIN2008WS\Administrator”.
- SUCCESS: The file (or folder): “C:\Windows\System32\Boot\winload.exe” now owned by user “WIN2008WS\Administrator”.
- <cut for brevity>
Give ownership of a folder to Administrators group
- C:\Windows\System32>takeown /R /A /F Boot
- SUCCESS: The file (or folder): “C:\Windows\System32\Boot” now owned by the administrators group.
- SUCCESS: The file (or folder): “C:\Windows\System32\Boot\en-US” now owned by the administrators group.
- SUCCESS: The file (or folder): “C:\Windows\System32\Boot\winload.exe” now owned by the administrators group.
- <cut for brevity>
Edit the permissions of the file authui.dll to give full permissions to the Administrator user. Administrator can be replaced by any user or group.
- C:\Windows\System32>icacls authui.dll /grant Administrator:F
- processed file: authui.dll
- Successfully processed 1 files; Failed processing 0 files
Edit the permissions of the Boot folder in C:\Windows\System32 to give full permissions to the Administrator user. Administrator can be replaced by any user or group.
- C:\Windows\System32>icacls Boot /T /grant Administrator:F
- processed file: Boot
- processed file: Boot\en-US
- processed file: Boot\winload.exe
- processed file: Boot\winresume.exe
- processed file: Boot\en-US\winload.exe.mui
- processed file: Boot\en-US\winresume.exe.mui
- Successfully processed 6 files; Failed processing 0 files
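As an added example (not code from the original article), the same takeown/icacls steps wrapped in PowerShell so that the file, its owner and its ACL are recorded before anything changes and can be put back with icacls /restore and /setowner afterwards. It assumes an elevated PowerShell 4.0 or later session (for Get-FileHash) and a backup directory C:\Backup\authui, which is a placeholder you can change.

```powershell
# Added example, not part of the original article: record the original
# owner, hash and DACL of authui.dll, take ownership as the article does,
# verify the change, and restore everything afterwards.
# Assumptions: elevated PowerShell 4.0+; C:\Backup\authui is a placeholder.
$target    = 'C:\Windows\System32\authui.dll'
$dir       = Split-Path $target
$leaf      = Split-Path $target -Leaf
$backupDir = 'C:\Backup\authui'
$aclFile   = Join-Path $backupDir 'authui.acl'

New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# 1. Record owner (normally NT SERVICE\TrustedInstaller) and hash, and copy
#    the file itself, so the change can be verified and fully undone.
$originalOwner = (Get-Acl -Path $target).Owner
$originalHash  = (Get-FileHash -Path $target -Algorithm SHA256).Hash
Copy-Item -Path $target -Destination $backupDir -Force

# 2. Save the DACL with icacls /save. The name is given relative to
#    System32 so that /restore can later be pointed at that directory.
Push-Location $dir
try {
    icacls $leaf /save $aclFile /Q
    if ($LASTEXITCODE -ne 0) { throw "icacls /save failed for $target" }

    # 3. Same commands as the article: owner to Administrators, then Full control.
    takeown /A /F $leaf
    icacls $leaf /grant 'Administrators:F'
}
finally { Pop-Location }

# ... edit or replace authui.dll here ...

# 4. Verify: the owner should now be BUILTIN\Administrators; a changed hash
#    confirms the file on disk is no longer the original.
$nowOwner = (Get-Acl -Path $target).Owner
$nowHash  = (Get-FileHash -Path $target -Algorithm SHA256).Hash
"Owner: $originalOwner -> $nowOwner"
"File modified: $($originalHash -ne $nowHash)"

# 5. Undo: apply the saved DACL back into System32 and hand ownership to the
#    recorded owner (copy the file back from $backupDir if it was replaced).
icacls $dir /restore $aclFile /Q
icacls $target /setowner $originalOwner /Q
```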
References:
* Microsoft TechNet: icacls parameters
* Microsoft TechNet: takeown parameters
Troubleshooting
Q: After setting ownership and permissions I still get a "You need permission to continue" message when modifying files or folders.
A: Try disabling User Account Control (UAC): Start -> Control Panel -> User Accounts -> Turn User Account Control on or off -> uncheck -> OK -> Restart.
Q: How can I restore a file I backed up previously?
A: There are multiple possibilities to do this:
Possibility 1: Safe Mode
1. Go to the boot menu by repeatedly pressing F8 before Windows is loading and select Safe Mode.
2. Remove the edited file and replace it with your backed-up copy.
Possibility 2: Windows Boot DVD
If your PC cannot even boot into Safe Mode, you have to use an external medium to restore the backed-up file(s).
1. Insert the Windows Server 2008 installation DVD into the DVD drive and boot from it.
2. Click Next at the Language Settings screen.
3. In the next screen choose the Repair your computer link, select the Windows Server 2008 operating system you want to recover from the list and click Next again.
4. At the System Recovery Options screen choose the Command Prompt option.
5. Copy the backed-up files back to their original location, overwriting the edited ones. Reboot your computer when done!
icacls usage (output of icacls /? on a Chinese-localized Windows)
- C:\Users\Administrator>icacls /?
- ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
- 将所有匹配名称的 ACL 存储到 aclfile 中以便将来用于 /restore。
- ICACLS directory [/substitute SidOld SidNew […]] /restore aclfile
- [/C] [/L] [/Q]
- 将存储的 ACL 应用于目录中的文件。
- ICACLS name /setowner user [/T] [/C] [/L] [/Q]
- 更改所有匹配名称的所有者。
- ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
- 查找包含显式提及 SID 的 ACL 的所有匹配名称。
- ICACLS name /verify [/T] [/C] [/L] [/Q]
- 查找其 ACL 不规范或长度与 ACE 计数不一致的所有文件。
- ICACLS name /reset [/T] [/C] [/L] [/Q]
- 为所有匹配文件使用默认继承的 ACL 替换 ACL
- ICACLS name [/grant[:r] Sid:perm[…]]
- [/deny Sid:perm […]]
- [/remove[:g|:d]] Sid[…]] [/T] [/C] [/L]
- [/setintegritylevel Level:policy[…]]
- /grant[:r] Sid:perm 授予指定的用户访问权限。如果使用 :r,
- 这些权限将替换以前授予的所有显式权限。
- 如果不使用 :r,这些权限将添加到以前授予的所有显式权限。
- /deny Sid:perm 显式拒绝指定的用户访问权限。
- 将为列出的权限添加显式拒绝 ACE,
- 并删除所有显式授予的权限中的相同权限。
- /remove[:[g|d]] Sid 删除 ACL 中所有出现的 SID。使用
- :g,将删除授予该 SID 的所有权限。使用
- :d,将删除拒绝该 SID 的所有权限。
- /setintegritylevel [(CI)(OI)] 级别将完整性 ACE 显式添加到所有
- 匹配文件。要指定的级别为以下级别之一:
- L[ow]
- M[edium]
- H[igh]
- 完整性 ACE 的继承选项可以优先于级别,但只应用于
- 目录。
- /inheritance:e|d|r
- e – 启用继承
- d – 禁用继承并复制 ACE
- r – 删除所有继承的 ACE
- 注意:
- Sid 可以采用数字格式或友好的名称格式。如果给定数字格式,
- 那么请在 SID 的开头添加一个 *。
- /T 指示在以该名称指定的目录下的所有匹配文件/目录上
- 执行此操作。
- /C 指示此操作将在所有文件错误上继续进行。仍将显示错误消息。
- /L 指示此操作在符号链接本身而不是其目标上执行。
- /Q 指示 icacls 应该禁止显示成功消息。
- ICACLS 保留 ACE 项的规范顺序:
- 显式拒绝
- 显式授予
- 继承的拒绝
- 继承的授予
- perm 是权限掩码,可以两种格式之一指定:
- 简单权限序列:
- F – 完全访问权限
- M – 修改权限
- RX – 读取和执行权限
- R – 只读权限
- W – 只写权限
- 在括号中以逗号分隔的特定权限列表:
- D – 删除
- RC – 读取控制
- WDAC – 写入 DAC
- WO – 写入所有者
- S – 同步
- AS – 访问系统安全性
- MA – 允许的最大值
- GR – 一般性读取
- GW – 一般性写入
- GE – 一般性执行
- GA – 全为一般性
- RD – 读取数据/列出目录
- WD – 写入数据/添加文件
- AD – 附加数据/添加子目录
- REA – 读取扩展属性
- WEA – 写入扩展属性
- X – 执行/遍历
- DC – 删除子项
- RA – 读取属性
- WA – 写入属性
- 继承权限可以优先于每种格式,但只应用于
- 目录:
- (OI) – 对象继承
- (CI) – 容器继承
- (IO) – 仅继承
- (NP) – 不传播继承
- 示例:
- icacls c:\windows\* /save AclFile /T
- – 将 c:\windows 及其子目录下所有文件的
- ACL 保存到 AclFile。
- icacls c:\windows\ /restore AclFile
- – 将还原 c:\windows 及其子目录下存在的 AclFile 内
- 所有文件的 ACL
- icacls file /grant Administrator:(D,WDAC)
- – 将授予用户对文件删除和写入 DAC 的管
- 理员权限
- icacls file /grant *S-1-1-0:(D,WDAC)
- – 将授予由 sid S-1-1-0 定义的用户对文件删
- 除和写入 DAC 的权限