You are here:Home»KB»PC»Windows Family»Windows General»Reset Windows permissions via the command line
Thursday, 25 February 2010 20:24

Reset Windows permissions via the command line

Written by

Reset a Windows User Profile permissions

This has been tested and works well on Windows 10.

Modify and run the code below from a command prompt with administrator rights.

ICACLS "I:\Users\peter" /grant Everyone:F /C /T

 

Quick way to reset all security permissions to default

This works for Windows Vista but it works also for windows 7. It might also work for later versions.

Some of the permissions have been changed and I would like to find a way to reset all the permissions to the default settings. Can anyone provide a quick way to reset all permissions to default?

Instructions

Just run in a evalated prompt the following command.

secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

Links

 

Reset the Registry and File Permissions

This was last used by me on Windows XP. Some of this might work on later versions of Windows but has not been tested.

Occassionally the permissions on the windows registry or files become corrupt or altered. The methods below can restore access to all files and registry keys.

Programs will not install if the permissions are not correct in the registry.

SubInACL is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain.

Instructions

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to
    c:\Program Files\Windows Resource Kits\Tools

    Or get it from a system with SubInACL installed, can be run like a nbromal DOS program (ie same folder)
     
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd
    cd /d "%programfiles%\Windows Resource Kits\Tools"
    
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    subinacl /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    
    
    subinacl /subdirectories %programfiles%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    
    subinacl /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.
     
  7. Save and close reset.cmd.
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.


Alternate verions of the script

subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
subinacl /subdirectories %SystemDrive% /grant=administrators=f subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
subinacl /subdirectories %SystemDrive% /grant=system=f

Using SECEDIT.EXE (for Windows XP Professional)

In Windows XP Professional, you may use the following secedit command-line to reset the file and registry permissions to defaults.

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

For more information, see article How to reset security settings back to the defaults.


This is an alternative permissions reset method using SetACL.exe

SetACL.exe -on "C:\windows" -ot file -actn setprot -op "dacl:np;sacl:nc" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y" E:\SetACL.exe -on "C:\windows" -ot file -actn setprot -op "dacl:np;sacl:nc" -rec cont_obj -actn setowner -ownr "n:S-1-5-32-544;s:y"
Read 3423 times Last modified on Thursday, 14 December 2017 11:09