Getting TrustedInstaller Permissions on Windows 10

When you try to delete or modify some system files or folders in Windows 10, you may face an error:

Folder Access Denied

You need the permissions to perform this action

You require permission from TrustedInstaller to make changes this folder


This error occurs even when you are logged-in under the built-in Administrator account. Starting with Windows 7, all Windows versions use Windows Resource Protection technology to protect critical registry keys, system files, and folders (instead of Windows File Protection, which was used in Windows XP).

TrustedInstaller Permissions

Windows Resource Protection sets special DACLs and ACLs on a protected file system and registry objects. As a result, write access to protected objects is granted only to the processes running from the Windows Modules Installer service (TrustedInstaller.exe). Those, even the administrator cannot delete or modify important system files.

Make sure that the TrustedInstaller account is the owner of the files or folder you want to delete/modify. In File Explorer, open the file/folder properties, go to the Security tab, click on the Advanced button.


Make sure that the TrustedInstaller is set as an object Owner.

If you want to delete a file or folder owned by TrustedInstaller, you need to take ownership of this folder/file. After that, you need to edit the NTFS file permissions, grant yourself write permission and delete/replace/change the file. After this, do not forget to revert ownership back to TrustedInstaller.

Hint. Deleting or modifying protected system files owned by TrustedInstaller may cause Windows to crash. Before deleting any system file, we recommend you to make a copy of it. We recommend changing permissions on protected files only in extreme cases, when you understand exactly what you are doing.

In order to change the TrustedInstaller folder ownership:

  1. In the Advanced Security Settings window, click the Change button;
  2. If your account is added to the local Administrator group (otherwise you cannot change the system file ownership), specify the group name and click Check Names;
    you require permission from trustedinstaller
  3. Make sure that the object Owner has changed. If you change the folder ownership, check the option “Replace owner on subcontainers and objects”;
  4. Click OK > Apply;
  5. Now you need to grant permission to the folder for your group. To do this, click the Edit button on the Security tab.
  6. Select the Administrators group and grant Full Control permissions for this group;
    you need permission from trustedinstaller

Now you can edit or delete a file that was previously protected by TrustedInstaller.

You can also change the file/folder ownership from TrustedInstaller with the command prompt using takeown and icacls tools. Run the elevated command prompt. For example, you want to delete the protected system folder C:\Windows\ADFS\ar. Run the following commands:

takeown /F "C:\Windows\ADFS\ar" /r /d y

icacls "C:\Windows\ADFS\ar" /grant Administrators:F /t

rd "C:\Windows\ADFS\ar" /S /Q

trustedinstaller windows 10

If you edited the system file, be sure to change the owner of the file back to TrustedInstaller. Otherwise, your Windows may not work properly.

To do this, open the Advanced Security Settings window, click the Change button and specify the NT SERVICETrustedInstaller account as a file owner. Click OK > OK to apply the changes.

windows trustedinstaller

Now TrustedInstaller again has become the owner of the file, and the administrator cannot delete or modify it.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Latest posts by Cyril Kardashevsky (see all)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.