Every file or folder in a NTFS volume has a owner. Certain system files are owned by TrustedInstaller, some by SYSTEM account and others by the “Administrators” group. If a user creates a file or folder, that user is usually the owner of the file or folder. The owner is the one who can assign permissions (Allow or Deny) to other users for that object.
If a user is not the owner of a file or folder, or the user has no permissions to access the file, he gets the “Access is Denied” error when accessing the object. If that user is an administrator, he can take ownership of the object using the file or folder’s Properties – Security tab, and assign himself the required permissions.
This post tells you how to take ownership of a file or folder, and assign required permissions for it using the command-line instead of GUI.
- Taking ownership of a file using takeown.exe
- Assign file permissions using icacls.exe
- Taking ownership of a folder using takeown.exe
- Assign folder permissions using icacls.exe
- Take Ownership & Assign Permissions via Right-click Menu or Script [Tweaks]
- Revert back the Ownership to TrustedInstaller
Windows includes a command-line tool named Takeown.exe which can be used from an Admin Command Prompt to change the ownership of a file or folder quickly. Here is how to take ownership of a file or folder and then assign permissions for an account using command-line.
Open an elevated Command Prompt window. Use the following syntax to take ownership of a file:
TAKEOWN /F <filename>
Replace <filename> with the actual file name with full path.
If the operation was successful, you should see the following message:
"SUCCESS: The file (or folder): "filename" now owned by user "Computer Name\User name"."
Then to grant Administrators Full Control permissions for the file, use ICACLS. Here is the syntax:
ICACLS <filename> /grant administrators:F
Another example: To assign Full Control permissions for the currently logged on user, use this command:
ICACLS <filename> /grant %username%:F
%username% represents the account name of the currently logged on user. ICacls accepts this variable directly.
Use the following syntax:
takeown /f <foldername> /r /d y
Then to assign the Administrators group Full Control Permissions for the folder, use this syntax:
icacls <foldername> /grant administrators:F /T
The /T parameter is added so that the operation is carried out through all the sub-directories and files within that folder.
To know the complete usage information for Takeown.exe and ICacls.exe, run these commands from a Command Prompt window.
To further simplify the process of taking ownership, Tim Sneath of Microsoft provides a .CMD file (Windows Command Script) which takes ownership and assigns Full Control Permissions to Administrators for the directory which is passed as a parameter to the CMD file. For more information, read Tim’s post Secret #11: Deleting the Undeletable.
Add "Take Ownership" command to the right-click menu
This again uses the special runas verb in Windows Vista and higher, which I’ve covered earlier (REF RunAs).
Download takeown_context.reg and save to Desktop. Right-click on the file and choose Merge. Click Yes when asked for confirmation. This adds an extended command named Take Ownership in the context menu for files and directories. To access the command, you need to press and hold the SHIFT key, and then right-click on a file or folder.
^^ You can read more about the tweak in article Take Ownership of File or Folder via Right-click Context Menu in Windows.
Sometimes, to fix an issue you may need to alter a data file such as XML or a registry key that’s owned by TrustedInstaller. For that, you need to take ownership of the file, folder or the registry key, alter the files or settings.
After modifying the files or settings, you need to revert the ownership back to TrustedInstaller, if TrustedInstaller was the previous or original owner. To set the ownership back to TrustedInstaller, use these steps:
The Windows Modules Installer service or TrustedInstaller enables installation, modification, and removal of Windows updates and optional components. By default, TrustedInstaller is also the owner of many critical registry keys and system files.
1. Right-click on a file or registry key, and click Permissions.
2. Click Advanced to open the Advanced Security Settings dialog.
3. Near “Owner:”, click Change.
4. In the Select User or Group dialog, type “
NT SERVICE\TrustedInstaller” and press ENTER.
5. Click Apply, OK.
This changes the ownership of the object (file, folder or registry key) to TrustedInstaller or Windows Modules Installer.
Using Command-line to set TrustedInstaller as the owner of a file
From an elevated Command Prompt window, use the following command-line syntax:
icacls "path\filename" /setowner "NT Service\TrustedInstaller"
icacls "C:\Windows\PolicyDefinitions\WindowsStore.admx" /setowner "NT Service\TrustedInstaller"
TrustedInstaller now owns the file WindowsStore.admx. That’s it!
About the author
Ramesh Srinivasan founded Winhelponline.com back in 2005. He is passionate about Microsoft technologies and he has been a Microsoft Most Valuable Professional (MVP) for 10 consecutive years from 2003 to 2012.