share
Super UserReset default ACLs for C:\Program Files\WindowsApps
[+30] [11] Louis Waweru
[2018-01-23 01:14:24]
[ windows windows-10 permissions acl ]
[ https://superuser.com/questions/1288014/reset-default-acls-for-c-program-files-windowsapps ]

I had to take ownership of the special folder C:\Program Files\WindowsApps to fix a problem with icons [1]. The issue is now resolved, so I'd like to reset the permissions to the way they were before I took ownership of the folder.

I reverted NT SERVICE\TrustedInstaller to the owner and removed my account's permission entries:

enter image description here

But I still have full control of the folder and can browse the folder in Explorer without getting the usual warning that I would have to take ownership:

enter image description here

Is it possible to restore the default permissions of this folder?

How to Restore the Default Permissions for WindowsApps folder - w32sh
[+22] [2020-01-21 09:36:07] JTE

UPDATE: based on the comments, don't use this command anymore. Use the voted answer or the tool provided by: Agentrev -> https://github.com/AgentRev/WindowsAppsUnfukker

(Btw, never hat a Problem with the /reset on my windows 10 PC, but there were a ton of changed in UWP)

Resetting permissions works in most cases, but you need SYSTEM permissions to run the command.

The easiest solution is to use PsExec [1] (from Sysinternals).

Open an elevated Command Prompt or PowerShell and run psexec to get a SYSTEM shell.

psexec.exe -s -i cmd

In that Command Prompt, run the reset permission command:

icacls "C:\Program Files\WindowsApps" /reset /t /c /q
[1] https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

(6) Or psexec.exe -s icacls "C:\Program Files\WindowsApps" /reset /t /c /q for even shorter - antak
(7) Warning! The /reset /t command will break most UWP apps by deleting special permissions that are unique to every folder inside WindowsApps. In many cases, Windows will explicitly validate the presence of these special permissions before allowing a UWP app to start, and will abort with an error if they are missing. Attempting to restore these special permissions is exceptionally difficult without a backup. Make sure to use /save <ACLfile> /t to grab a backup before reset. - AgentRev
(14) Out of extreme frustration caused by the after effects of the command suggested by this answer, I made a script to fix everything back: github.com/AgentRev/WindowsAppsUnfukker - AgentRev
(2) THIS ANSWER WILL BREAK THINGS WORSE. Use @AgentRev tool instead. It works very well. After running it everything worked fine! - GregRos
(1) There needs to be a way for the community to promote a comment and make it an answer! @AgentRev you are the man! - Satyajit
I updated the answer! I never had any problem back in 2020, but there were a ton of changes in UWP so nowadays this should not be used! - JTE
1
[+13] [2022-07-05 16:10:25] Gidsik [ACCEPTED]

I struggled with this issues A LOT.

First of all DO NOT USE icacls "C:\Program Files\WindowsApps" /reset /t /c /q. It will remove special conditional permissions from folder and give it windows default and inherited ACLs which is should not be done to WindowsApps.

Here is answer I found that worked for me (Win10 and Win11 21H2) and didn't cause any troubles (at least troubles i know about)

  1. Firstly open the Command Prompt with Administrative Privileges

  2. Ensure that you have ownership of WindowsApps folder by running next command

takeown /f "%ProgramFiles%\WindowsApps"
  1. Restore innitial permissions to that folder by running this
cacls "%programfiles%\WindowsApps" /s:"D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;OICIIO;GXGR;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;CI;0x1200a9;;;BA)(A;OICI;0x1200a9;;;LS)(A;OICI;0x1200a9;;;NS)(A;OICI;0x1200a9;;;RC)(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))"

OR if cacls is not accesible, use icacls. To do so create temp.txt file with next content and save it somewhere, for example to c:\

windowsapps
D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;OICIIO;GXGR;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;CI;0x1200a9;;;BA)(A;OICI;0x1200a9;;;LS)(A;OICI;0x1200a9;;;NS)(A;OICI;0x1200a9;;;RC)(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))

and then run

icacls "%programfiles%" /restore c:\temp.txt
  1. give ownership of WindowsApps back to trustedinstaller
icacls "%programfiles%\WindowsApps" /setowner "nt service\trustedinstaller"

if it doesn't work from cmd - right click on WindowsApps folder in explorer, open properties and go to security tab, click Advanced and click Change button against Owner. There enter NT Service\TrustedInstaller (with space between NT and Service and without quotes) and click Check Names button. Click OK and finnaly apply changes.

After this manipulations permissions on WindowsApps folder should be restored to default and all UWP apps should work fine (wt.exe for example)

P.S. Default ACLs for WindowsApps is

NT SERVICE\TrustedInstaller:(F)
NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(RX)
S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(OI)(CI)(IO)(GR,GE)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Administrators:(CI)(RX)
NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(RX)
NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(RX)
NT AUTHORITY\RESTRICTED:(OI)(CI)(RX)
BUILTIN\Users:(Rc,S,RD,REA,X,RA)

and commands above is meant to set it so.

Most usefull info I took from winhelponline blog, so credit to it. I chose to write big answer and not to just give a link because I think it's better to keep useful info at many places and not just at one blog.


(1) Interesting, never saw the takedown command before. Seems to be an alias for ConvertFrom-SddlString. Just curious, did you get to try AgentRev’s program? It seems well written. - Louis Waweru
(3) @LouisWaweru it's takeown command, not takedown. And yeah, I saw AgentRev's script, but at the moment when I found it, I already fixed ACLs issue myself. Anyway I read it and I think that it is definitely a thing to be mention and I'll use it next time my WindowsApps broke. - Gidsik
Thank you for your extensive clarification, rather than to just post one mysterious single line command that combines lots of commands into one. Sometimes it's useful to see how things work. - desbest
@Gidsik When finally resetting permissions back to TI, do you check the box "Replace owner on subcontainers and objects"? - fmotion1
@fmotion1 sorry for late answer! Actually I guess it doesn't matter if you give ownership to TrustedInstaller on WindowsApps only or not, but yes, better to give ownership on subfolders as well - Gidsik
@Gidsik no problemo. Just wanted to make sure, thanks for the clarification! - fmotion1
2
[+9] [2018-01-23 09:21:42] Kattee Lee

Like this to reset permission on this folder:

icacls "C:\Program Files\*" /q /c /t /reset

The things was:

/reset - Replaces ACLs with default inherited ACLs for all matching files.
/t     - Performs the operation on all specified files in the current
         directory and its subdirectories.

3
[+9] [2018-06-06 07:21:32] neatchee

I found this answer when searching Google, and it led me to a solution.

ISSUE: Windows apps (such as Mail and Calendar) will not open. Start Menu will not open. Can't right-click taskbar icons.

  • Microsoft Store reported issues updating these applications.
  • Uninstall/reinstall failed.
  • In-place Windows Upgrade ("repair") did not fix the issues.
  • Inspecting permissions on the "WindowsApps" directory showed corrupted permissions.
  • Error codes 0x80246013, 0x80070005

FIX: Run the reset ACLs command Kattee posted from a Windows Install USB boot disk, using the built-in command prompt for troubleshooting.

  1. Follow the instructions on this page to create Windows Installation Media: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media.
  2. Boot from the USB/CD
  3. When you reach the "Install" button, click "Repair my computer" in the bottom left instead.
  4. Select "Troubleshoot"
  5. Select "Command Prompt"
  6. Locate your system drive
    • The command prompt won't start on your system drive. It will be on "X:\" which is where the USB/CD is mounted
    • You will need to navigate to each drive letter and type "dir" to find the right one, starting with C:
    • Note that this command prompt doesn't use "cd" to change drives (only directories). Simply type the drive letter to switch to that drive (e.g. "D:\")
  7. Once you've located the correct drive letter, and switched to it, enter a slightly modified version of Kattee's command, using the drive letter you just found (mine was D:):
    • icacls "D:\Program Files\WindowsApps" /q /c /t /reset
  8. Wait for the operation to complete, and check the final output line for any failures.
  9. Reboot!

That's what got me working again. Everything is fine after rebooting. No apps even needed to be reinstalled. Everything "just works."


This is the only solution that works for me. - yuxhuang
(1) Note that this command prompt doesn't use "cd" to change drives (only directories). Simply type the drive letter to switch to that drive (e.g. "D:\"): You should be able to use the /D switch to do this. Ex: cd /D D:\Program Files\WindowsApps should put you in the correct folder on the "D" drive. - Arvo Bowen
(2) To skip a few steps, At #3, instead, use Shift+F10 to open a command prompt. Then skip to #6. - Arvo Bowen
(1) I'd love to say this works, unfortunately, it does not. Every file passes successfully, but the error related with it (in my case Win32BridgeServer.exe, which resides in WindowsApps) still raises an "Invalid parameter error". Also, just as a heads up: enabling inheritiance of ACL-rights from the tier above (C.\Program Files) might not be the correct troubleshooting process at all, since afaik, WIndowsApps-folder has far more restrictive ACLs set by default. - Yannik Z.
@YannikZ."Invalid Parameter Error" doesn't sound like what this is meant to fix. This solution is specifically for permission-related errors ("access denied", etc). Additionally, /t flag says to set the ACLs for all objects in the directory, not the directory itself. I've verified this locally on my system (where I've performed this operation before). - neatchee
Okay, my mistake.I really thought both errors are related, becaus this error appeared after messing around with WindowsApps-ACLs to gain access to the its directory and subdirectorys (like OP described). . - Yannik Z.
I made a script to fix the invalid parameter errors: github.com/AgentRev/WindowsAppsUnfukker - AgentRev
4
[+6] [2018-08-30 00:41:24] keplerian

I did not have to use the recovery disk option mentioned previously. I just had to run it from the command prompt in administrator mode:

icacls "C:\Program Files\WindowsApps" /reset /t /c /q

Parameter description:

  • /reset Replaces ACLs with default inherited ACLs for all matching files.
  • /t Performs the operation on all specified files in the current directory and its subdirectories.
  • /c Continues the operation despite any file errors. Error messages will still be displayed.
  • /q Suppresses success messages.

Reference: icacls command reference [1]

I may have also restarted the computer but I don't think that is required.

[1] https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

I tried this, but got "Access is denied" for a number of entries. Successfully processed 3693 files; Failed processing 20879 files - Matty Brown
@Matty Brown: Does your administrator group have permission to read/write/open the directory? - keplerian
I also got "Access is denied", but I fixed it: Right click WindowsApps > Properties > Security > Advanced > click Change in the upper Owner field > enter your user name > OK. This will give you permission to reset permissions back with the "icacls" command. - Stian Høiland
As others have pointed out, this cannot work unless you have already explicitly given Administrators (group) permissions to read/write or full access; the Administrators group is not given these by default on the latest update of Win 10 (not sure about previous versions). - Ryan
5
[+4] [2022-11-18 23:28:10] franzbischoff

Listen to @agentrev!!!

I lost 2 days of work until I got his script and fixed all again!

https://github.com/AgentRev/WindowsAppsUnfukker

edit:

If, for any reason, the main link disappears from this world, there is a snapshot of the script in webarchive here: link [1]

For further reviewers, sometimes we cannot copy & paste the answer here. This script certainly saved hours of work for many people and has enough stars on github to be trusted.

[1] https://web.archive.org/web/20240118165118/https://raw.githubusercontent.com/AgentRev/WindowsAppsUnfukker/main/WindowsAppsUnfukker.ps1

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Community
While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - From Review - Rohit Gupta
(1) This is the answer that worked for me. I ran ICACLS as showed here in the answers and then ran that script to restore special permissions and all that stuff. And my store and apps are now working. - Alberto Juliao O.
6
[+3] [2019-12-06 12:35:30] Blackkatt

The following command will work in terms of fixing issues with WindowsApps not launching if that is your issue:

icacls "C:\Program Files\WindowsApps" /reset /t /c /q

The question however is how to "Reset default ACLs for C:\Program Files\WindowsApps" and there are two ways that I know of that actually reset permission to their defaults.

Option 1

Manually add the principals according this image:

The Defaults for WindowsApps folder

Option 2

If you happen to have a backup of Windows before the change, use that to restore the Program files/WindowsApps folder DO NOT overwrite existing folders/files restore it somewhere else then use the icacls [1] commands:

  1. Open Command Prompt as Admin
  2. icacls "X:\PathToRestored\Program Files\WindowsApps" /save "X:\WhereToSave\WindowsApps.acl"
  3. icacls "%ProgramFiles%" /restore "X:\PathToSaved\WindowsApps.acl"
  4. icacls “%ProgramFiles%\WindowsApps” /setowner “NT Service\TrustedInstaller”
[1] https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

7
[0] [2020-05-26 16:37:16] Tomasz

This post has been very helpful. Let me explain how I used the information in this post to fix the problem for myself.

I had to access the files in /Program Files/WindowsApps - which at first I needed to give myself ownership and subsequently permission to do. What I did not know is how this would affect me being able to download apps from Microsoft Store as well as the Xbox Beta PC App.

To change it back and restore my downloads, I followed the following steps:

1) While still being the owner of the folder in question, I opened Command Prompt with elevated privileges (right click > run as administrator) and typed in the following command:

icacls "C:\Program Files\WindowsApps" /reset /t /c /q

2) Pressed enter after entering this command, closing the Command Prompt window afterwards.

3) Went back into permissions for the folder (right click > properties > security tab > advanced) and clicked on "change" next to owner (at the top).

4) In the text box at the bottom of the next dialog, typed in the following and then clicked on "Check Names" box on the right hand side.

NT Service\TrustedInstaller

5) Clicked apply and ok on all dialog boxes, closing them all and restarting my machine.

There. Now you should have changed the permissions of the folder back to defaults, while being the owner. Then, you gave ownership back to the TrustedInstaller user which is used by Windows Update (and Microsoft Store / Xbox App) to install apps and games.

You should now be able to install things again.

If you still can't install things, make sure to follow the following steps:

1) Hold Windows Key and press R

2) Type "services.msc" and press enter.

3) Scroll down until you see "Windows Update" and right click, then select "Start".

Hope this helps!


(4) This does not seem to differ significantly from the existing answers. If you found an answer helpful you should upvote it instead of submitting the same information from existing answer. - Ramhound
8
[0] [2021-10-25 16:55:57] Derek Ziemba

I got fed up with the permissions after Windows wouldn't let me extract a folder to Program Files due to permissions issue. So I added myself and THIS BROKE EVERYTHING.

I couldn't even start task manager. I'm using Win10 20H2. I almost did a system restore but that would take me back a full week. I did not want to do that.

I think I fixed it with:

  1. WinKey, type "cmd", right click "cmd" and click "Run as Administrator"
  2. Run takeown /SKIPSL /R /F "C:\Program Files"
    • This took > 5 minutes. If you don't do it first then the next command won't achieve jack.
  3. Run icacls "C:\Program Files" /reset /t /c /q
  4. Restart the computer
  5. All UWP apps will still be broken. Give up and do the system restore....

(7) I made a script to fix UWP apps: github.com/AgentRev/WindowsAppsUnfukker - AgentRev
9
[0] [2023-06-28 03:42:36] Q.Z. Lin

I haven't enough reputation to add a comment
In Gidsik's answer [1]:
To make icacls "%programfiles%" /restore c:\temp.txt work.
You may need UTF-16 encoding when create temp.txt

[1] https://superuser.com/a/1730061/1569192

(1) Please repeat the answer with the correction, then its an answer. As it is, it may get deleted. And dont forget to mention that you have improved Gidisk's answer - Rohit Gupta
(1) To other reviewers, I didn't wan to mark it delete, and lose valuable information. - Rohit Gupta
10
[-1] [2022-06-22 04:44:54] GeekyShiva

cacls "%programfiles%\WindowsApps" /s:"D:PAI(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;OICIIO;GA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464)(A;;0x1200a9;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;OICIIO;GXGR;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;CI;0x1200a9;;;BA)(A;OICI;0x1200a9;;;LS)(A;OICI;0x1200a9;;;NS)(A;OICI;0x1200a9;;;RC)(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))"

Run this as admin


(2) As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Community
11