0

I recently suffered from some kind of MFT corruption that caused all permissions on my entire installation to be wiped. This made the disk "unaccessable" from another Windows installation which made me believe the disk was damaged in some kind of way. My goal is not to do an "in place upgrade", I know it's possible to repair Windows, even if it's severely broken and to most users completely unusable, especially since I know what the problem is but not how to properly fix it.

Symptoms of the problem:

  • The computer booted but got stuck on the spinning dots with a black screen. After left on for a couple hours it would go to sleep and upon being turned back on display a black screen with a cursor. This is a typical indication of a problem accessing the disk, more specifically it indicates that the system is unable to write to the disk during boot (or that's what I assume since I have seen identical symptoms from having a 100% full disk. And I don't mean a disk that's full when inside Windows, I mean a disk that's filled to 100% while the system on it is offline.).
  • The disk was not showing the amount of used storage when loaded in a different Windows installation. It also refused to load the contents of the disk if the user tries to open it. Oddly enough Windows 7 does show the contents of the disk (perhaps fully blocking disk access is a new feature on W8), but not a single folder or file on it can be opened.
  • A warning that the recycle bin on the disk is corrupt.
  • After resetting the permissions with icacls, all UWP apps fail to open, often the text is completely missing causing everything to be blank like dialogs without text and desktop icons with no name.

After a bit of messing around I found out it was just the permissions on the disk, I started by checking the permissions on the disk itself and it gave a message that the owner couldn't be displayed. After changing the owner to Administrators I could use icacls to "reset" all permissions on the disk to "default" and the system on the disk was bootable again. The problem is that the permissions by icacls are just some generic default permissions and NOT the actual permissions a stock installation would have. For example, the UWPs do not work anymore, since these run in special app containers that have special permissions for each container separately. There are also many problems with .NET and other apps like Visual Studio that don't work due to insufficient permissions.

I checked all the logs I could find and every time any app crashes again it's an error code 5 "Access is denied." or a "File not found." or "Permission denied" which I expect to be part of the same simple problem.

Clearly the guides online suggesting to use icacls * /t /c /q /reset are for generic circumstances but don't actually completely reset the permissions to the actual default.

From my understanding of icacls it's actually possible to back up the permissions and restore them. You can dot that with a command like this:

icacls C:\Windows\* /save C:\WindowsAcs.txt /T

This file contains the user permissions stored as paths relative to the path provided when running icacls with /save. If we for example provide "C:\Windows*" it will put all the folders with their full path but "C:\Windows" stripped from the full path. It also contains what I assume are the SID (Security Identifier) of each user that has permission and the attributes in the following format:

D:AI(A;OICIID;FA;;;BA)(A;OICIID;0x1200a9;;;BU)(A;OICIID;FA;;;AU)

This is what the default permissions look like in a backup where the permissions are defined by running icacls /reset.

A second way to restore the permissions I found out is to actually "delete" a system folder by renaming it or moving it to the trash or some other temporary directory for testing and then running sfc /scannow immediately afterwards. This puts back the deleted system files from the default module in WinSXS. If the module in WinSXS is damaged you can repair it using dism with /cleanup-image /restorehealth, which to my understanding repairs the component store with copies of the same version of the module from Microsoft's servers.

I tested this by renaming C:\Windows\SystemApps and running sfc. This resulted in the SystemApps folder being recreated and after checking the permissions on them they sure enough are all completely restored to normal judging by the UWP specific "all application packages" and also a specific application package for each app separately. I chose this folder since I know the container apps are very sensitive to file permissions but despite them being fully restored now, I still can't run apps like the shell experience host which keeps the start menu from working, suggesting to me that there must be some other libraries in a different directory that also require special permissions.

What I want to try now is to get a backup like this made from a working computer and restore it onto the damaged system. Is this the right way to do it or are there better ways to restore all permissions? Is there somewhere I can get official permissions from a stock installation or can I perhaps fetch them from the installation disk by mounting or extracting the wim/esd? If there are no tools for automating this process, I might have to make one myself.

I know there are permissions for the system files in the component store (C:\Windows\WinSXS) so is it possible to use the command line or anything else to restore all permissions from there?

Foxyz
  • 429
  • 1
    Your operating system looks too far gone to be a file permission issue. You likely need to back up and install windows fresh. Restore backup and then sort out file permissions. – John Jan 20 '24 at 14:08
  • 2
    “perhaps fully blocking disk access is a new feature on W8” - It’s not – Ramhound Jan 20 '24 at 14:10
  • @Ramhound That makes me very curious to see why Windows 7 lets me read a disk without any permissions set. – Foxyz Jan 20 '24 at 14:44
  • @John I have repaired many installations deemed "too far gone" but in my book as long as you got a registry backup Windows should always be repairable, even if it means manually copying the files from installation disk and doing everything manually, I know for a fact that it's possible to repair my installation. I am typing this from the broken installation and it's slowly starting to work again. I have just finished creating an export of the ACLs from the installation disk used for my Windows install. I expect it to work after restoring them. – Foxyz Jan 20 '24 at 14:46
  • 2
    I would recommend installing a VM, install a fresh copy of Windows 10 on it, then export its icals, and import it back to your main drive. That should fix the permissions. – LPChip Jan 20 '24 at 16:42
  • @LPChip I was able to first mount the installation ISO, then use powershell with mount-windowsimage to mount the right index of install.wim to an NTFS folder. I used Icacls to backup and restore the permissions and at first sight it seemed great, but I quickly saw it came out even worse, which is not what I expected. I did notice some SIDs in the export that might not be right for my system since the SIDs are unique for each installation. Either way, I need my Windows to work, I have gotten it to boot so I'll admit defeat this time. At least I can now do in-place upgrade and keep my settings! – Foxyz Jan 21 '24 at 03:29
  • 1
    If you install a VM, you can at least look at which user or group has permissions on the folders you need, and then manually set them yourself. I bet they are stuff like TRUSTEDINSTALLER etc – LPChip Jan 21 '24 at 11:41
  • 1
    Doing a Repair Install of Windows might help. – harrymc Jan 21 '24 at 18:54
  • 1
    I'm unable to find it, but we've answered this question in the past here. If the issue truly is file permissions, there is not a single correct way to restore default file permissions, and there are too many possible factors involved to provide any sort of authoritative guide to restore these due to the nature of file permissions and the way(s) they could be set incorrectly and broken. Backing up your data and reinstalling Windows is the correct way to do this. – music2myear Jan 22 '24 at 16:43
  • @harrymc I managed to use icacls to get it in a state stable enough to run the setup from within windows without having the setup throw some error and managed to do a successful repair install. The funny thing is that now everything works again in the desktop environment, like Visual Studio and all other Win32 apps. UWP apps still don't work unfortunately, it simply moved the WindowsApps folder and AppRepository from the old installation. Now store apps either throw a COM: App Activation or Activate Extension, which are both permission related (one is of app itself, other is extra app data). – Foxyz Jan 23 '24 at 04:40
  • See Reset default ACLs for C:\Program Files\WindowsApps. – harrymc Jan 23 '24 at 08:59

0 Answers0