When you try to delete or modify some system files or folders in Windows 10, you may face an error:
Folder Access Denied
You need the permissions to perform this action
You require permission from TrustedInstaller to make changes this folder
This error occurs even when you are logged-in under the built-in Administrator account. Starting with Windows 7, all Windows versions use Windows Resource Protection technology to protect critical registry keys, system files, and folders (instead of Windows File Protection, which was used in Windows XP).
Windows Resource Protection sets special DACLs and ACLs on a protected file system and registry objects. As a result, write access to protected objects is granted only to the processes running from the Windows Modules Installer service (TrustedInstaller.exe). Those, even the administrator cannot delete or modify important system files.
Make sure that the TrustedInstaller account is the owner of the files or folder you want to delete/modify. In File Explorer, open the file/folder properties, go to the Security tab, click on the Advanced button.
Make sure that the TrustedInstaller is set as an object Owner.
If you want to delete a file or folder owned by TrustedInstaller, you need to take ownership of this folder/file. After that, you need to edit the NTFS file permissions, grant yourself write permission and delete/replace/change the file. After this, do not forget to revert ownership back to TrustedInstaller.
Hint. Deleting or modifying protected system files owned by TrustedInstaller may cause Windows to crash. Before deleting any system file, we recommend you to make a copy of it. We recommend changing permissions on protected files only in extreme cases, when you understand exactly what you are doing.
In order to change the TrustedInstaller folder ownership:
- In the Advanced Security Settings window, click the Change button;
- If your account is added to the local Administrator group (otherwise you cannot change the system file ownership), specify the group name and click Check Names;
- Make sure that the object Owner has changed. If you change the folder ownership, check the option “Replace owner on subcontainers and objects”;
- Click OK > Apply;
- Now you need to grant permission to the folder for your group. To do this, click the Edit button on the Security tab.
- Select the Administrators group and grant Full Control permissions for this group;
Now you can edit or delete a file that was previously protected by TrustedInstaller.
You can also change the file/folder ownership from TrustedInstaller with the command prompt using takeown and icacls tools. Run the elevated command prompt. For example, you want to delete the protected system folder C:\Windows\ADFS\ar. Run the following commands:
takeown /F "C:\Windows\ADFS\ar" /r /d y icacls "C:\Windows\ADFS\ar" /grant Administrators:F /t rd "C:\Windows\ADFS\ar" /S /Q
If you edited the system file, be sure to change the owner of the file back to TrustedInstaller. Otherwise, your Windows may not work properly.
To do this, open the Advanced Security Settings window, click the Change button and specify the NT SERVICE\TrustedInstaller account as a file owner. Click OK > OK to apply the changes.
Now TrustedInstaller again has become the owner of the file, and the administrator cannot delete or modify it.
