Changing Windows® Folder Owner

This page illustrates how a “member of” the local Administrators security group can “Take Ownership” of the Windows® directory.  After they own the folder they can grant the “Full Control” access permissions that are needed by Syscob, or other legacy, applications.  This is the safest and simplest way to enable “legacy” applications to run on Windows 7.  It also eliminates the restrictions to user privileges which prevent a “member of” the Administrators group from having true administrative capabilities in Windows 7.

To see the effects of making the changes to ownership and access permissions per the step-by-step instructions below see the “Impacts from Windows® Directory Security Changes” topic.

Changing Directory Owner

Open Windows Explorer, browse to the Windows® directory, right-click on it and select “Properties” from the pop-up context menu as seen below.  That will open the Windows Properties dialog whose capture follows.

In the Windows Properties dialog [below] click on the Administrators group in the upper pane so that it is selected [highlighted].  Then press the Advanced button.  That will open the Advanced Security Settings for Windows dialog (see next step).

In the Advanced Security Settings for Windows dialog [below] go to the “Owner” tab and note that the default “owner” is the TrustedInstaller service.  Then press the Edit… button.

In the new Advanced Security Settings for Windows dialog that opens [below] click on the Administrators group in the Change owner to: pane so that it is selected [highlighted].  This group will become the new “owner” of the Windows® directory.  Note that the “Replace owner on subcontainers and objects” checkbox is not ticked (legacy applications need access to the Windows® directory, but not to System32 or other subfolders or files).  Then press the OK button to save this change.

The Windows Security information dialog that follows should appear to notify you that the original Windows Properties dialog [second capture from top] will need to be closed before the ownership change takes effect.  Just press the OK button to acknowledge this dialog.

The original Advanced Security Settings for Windows dialog [below] will now reappear showing that the Administrators group is now the “owner” of the Windows® directory.  Press the OK button to save this change (Cancel would prevent the change of ownership).

Back in the Windows Properties dialog [below] the Administrators group still does not show any access permissions in the lower pane.  Remember the information dialog from before?  As that informative dialog warned, until the OK button is pressed here the changes won't appear.

Pressing OK will apply the “ownership” change, but it is still necessary to grant access permissions.  So continue with the next steps.

Granting “Full Control” Access Permission

Back in Windows Explorer right-click on the Windows® directory and again select “Properties” from the pop-up context menu.  That will re-open the Windows Properties dialog that follows.  In this dialog [below] click on the Administrators group in the upper pane so that it is selected [highlighted] then press the Edit… button to enable granting access permissions to members of the Administrators group in the next step.

In the Permissions for Windows dialog [below] click on the Administrators group in the upper pane so that it is selected [highlighted].  Then click on the “Full Control” checkbox that is in the “Allow” column to give the group, and its members, “Full Control” access permissions to the Windows® directory.

The Permissions for Windows dialog should now look like the capture below.  When the Administrators group is selected [highlighted] all of the “Allow” boxes in the lower pane should be ticked (except for “Special Permissions” which is usually “greyed out” [disabled]).  Press the OK button to save the newly granted folder access permissions.

Because permissions are being changed on a “system object” the Windows Security dialog below should appear.  This gives someone making an unintentional change another chance to cancel its impact.  But, since we intend to grant “Full Control” access, press the Yes button to confirm changing access permissions.

The OS will now automatically try, and fail, to apply the newly granted permissions to subdirectories under the Windows® directory.  But that is not needed by Syscob applications (and the subdirectory ownerships were not changed) so just press the Cancel button when the Error Applying Security dialog below appears:

Because some automatic changes to a “system object” were cancelled the OS should display the Windows Security warning dialog seen in the next capture — because of possible inconsistencies “If you made the changes by mistake…” — but in this case the action was by intent.  So just press the OK button to acknowledge this dialog.

The Windows Properties dialog should now indicate that the Administrators group has “Full Control” access permissions for the Windows® directory (as captured below).  Press the OK button to save the permissions change and the process is complete.
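
A read-only check of the end state the steps above should produce, given here as an added PowerShell example that is not part of the original instructions: the Windows® directory owned by Administrators with “Full Control” on the folder itself, and System32 ownership left untouched.  It identifies the group by its well-known SID (S-1-5-32-544) rather than by name; the function and property names are illustrative.

```powershell
# Added example: reads owner and ACL information only, changes nothing on disk.
# Written to run on the PowerShell 2.0 that ships with Windows 7.
$winDir    = $env:SystemRoot                      # the real Windows directory
$system32  = Join-Path $winDir 'System32'
$sidType   = [System.Security.Principal.SecurityIdentifier]
$adminsSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # local Administrators
$fullCtl   = [System.Security.AccessControl.FileSystemRights]::FullControl
$inhOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# Owner of a path, returned as a SID so the result does not depend on OS language.
function Get-OwnerSid([string]$Path) {
    (Get-Acl -Path $Path).GetOwner($sidType)
}

# True when an Allow ACE for Administrators grants Full Control on the folder itself.
# Inherit-only ACEs are skipped because they apply to children, not to this folder.
function Test-AdminsFullControl([string]$Path) {
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, $sidType)
    foreach ($r in $rules) {
        if ($r.IdentityReference -eq $adminsSid -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.FileSystemRights -band $fullCtl) -eq $fullCtl -and
            ($r.PropagationFlags -band $inhOnly) -eq 0) {
            return $true
        }
    }
    return $false
}

# Expected after the procedure: True, True, True, and an owner other than
# Administrators for System32 (ownership was not replaced on subcontainers).
New-Object PSObject -Property @{
    WindowsDirOwnerIsAdministrators = ((Get-OwnerSid $winDir) -eq $adminsSid)
    AdministratorsHaveFullControl   = (Test-AdminsFullControl $winDir)
    System32OwnerNotAdministrators  = ((Get-OwnerSid $system32) -ne $adminsSid)
    System32Owner                   = (Get-Acl -Path $system32).Owner
} | Format-List
```

If System32OwnerNotAdministrators reports False, ownership was propagated to subfolders, which the procedure above deliberately avoids.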

To understand the many ramifications of simply changing “ownership” of the Windows® directory see the “Impacts from Windows® Directory Security Changes” topic.

Why Change Ownership of Windows® Directory?

See the “How Windows 7 default security settings can affect “legacy” applications” and “Identifying security issues before deployment of a “legacy” application” topics for details on why the steps above, or equivalent changes to server-based security, need to be performed for Windows 7 (or Windows Server 2008).

Windows Folder

Prior to Windows 7 (and Windows Server 2008) many sites chose to define a user “windows” folder, which was not the actual Windows® directory, for exclusive use of that user without impact to the Windows® OS.  This is standard practice for remote login environments like Terminal Server, Novell or Citrix.  For console logins it was done by defining a user (not system) environment variable named “WINDIR” and setting its value to the desired user “windows” folder.

Unfortunately, Windows 7 (and Windows Server 2008) has changed how the system shortcuts are generated so that this no longer works.  When “%WINDIR%” evaluates to anywhere other than the real Windows® directory in Windows 7 then shortcuts like those for Notepad or Windows Explorer will lose their icons and stop functioning.

Because Syscob software is written to comply with Microsoft Guide to Programming [document number SY0314a-300-R00-1089] requirements from the Windows SDKs some application settings are kept in Windows® “PrivateProfile” stores [“INI” files] in the “windows” folder.  That is also where defined “Printers and Faxes” information, needed for printer access and spooling, is kept.  This means that, for Windows 7, the Syscob application user must have “Full Control” access to the actual Windows® directory to enable creation, access and update of this information.

Technically, Syscob applications only create or update the following three [3] files:

Any other access to contents of the Windows® directory is solely “read-only” (but “List folder contents” permission is also needed before any file can be accessed in any mode).  However, Syscob applications do not access any subfolder within the Windows® directory so there is no need to impact other than the permissions of the Windows® directory itself.

Unfortunately, so long as the Administrators security group has only the extremely restricted “special permissions” (which do not even allow the files to be listed) granted by Windows 7 defaults then it is not practical to allocate requisite permissions to the Syscob user.  This is why Syscob very strongly recommends that changing ownership of the Windows® directory, as shown above, be performed before installing a Syscob application on a Windows 7 PC.