
I noticed that access rights in C:\Program Files\WindowsApps for Users have a special "condition" applied: EXISTS WIN://SYSAPPID.

ACL condition EXISTS WIN://SYSAPPID

I didn't find anything about ACL conditions or how I could create and utilize such kind of thing.

How can I create and utilize ACL conditions?

Comments

  • Support for Authz conditional ACEs was added to kernel access checks in Windows 8. They're not well supported with existing command-line tools. They're most easily handled with SDDL string security descriptors. e.g., (XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID)) conditionally grants (XA) read and execute access (0x1200a9) to users (BU) when the effective access token has an attribute named "WIN://SYSAPPID". Another example, (XA;OICI;0x1200a9;;;BU;(WIN://SYSAPPID Contains "MICROSOFT.WINDOWSSTORE_8WEKYB3D8BBWE")) uses the "Contains" operator to check for a specific value of the attribute. Commented Aug 17, 2020 at 17:41
  • In Windows 8+, support for Authz conditional ACEs was added to kernel access checks because (at least in part) they're used extensively in "%ProgramFiles%\WindowsApps" to conditionally grant access to standard users only for a given user's installed apps. This was integrated into CreateProcessW, which gets the information to create the custom access token from fields in the app execution alias, which, if enabled for an installed app, is in the user's "%LocalAppData%\Microsoft\WindowsApps" directory. Commented Aug 17, 2020 at 17:56
  • The specification for a conditional ACE is detailed in [MS-DTYP] 2.4.4.17 Conditional ACEs. Also see [MS-DTYP] 2.5.3.1.5 EvaluateAceCondition and [MS-DTYP] 2.5.1 Security Descriptor Description Language. Commented Aug 17, 2020 at 18:17
  • Marvellous information. Want to provide an answer, so I can vote for it and close this question? Commented Aug 17, 2020 at 22:27
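As an added illustration (not code from the question, the comments, or any Windows API), the Python below models how the two conditional ACE strings quoted in the comments are split into their SDDL fields and how their conditions are evaluated against a token's attributes, in the spirit of [MS-DTYP] EvaluateAceCondition. The token dictionaries, the attribute values and the case-insensitive value comparison are assumptions of this model.

```python
import re

# Field layout of the SDDL callback ACE strings quoted in the comments:
# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid;(condition))
_ACE_RE = re.compile(
    r"^\((?P<type>XA|XD);(?P<flags>[A-Z]*);(?P<rights>0x[0-9A-Fa-f]+);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^;]+);\((?P<cond>.+)\)\)$"
)

def parse_conditional_ace(sddl):
    """Split a conditional (XA/XD) ACE string into a dict of its fields."""
    m = _ACE_RE.match(sddl.strip())
    if not m:
        raise ValueError("not a conditional ACE string: " + sddl)
    ace = m.groupdict()
    ace["rights"] = int(ace["rights"], 16)
    return ace

def evaluate_condition(cond, token_attrs):
    """Evaluate 'Exists ATTR' or 'ATTR Contains "VALUE"' against token_attrs,
    a dict of attribute name -> list of string values (constructed token model).
    Returns True/False, or None (unknown) when Contains names an absent attribute."""
    m = re.fullmatch(r"Exists\s+(\S+)", cond)
    if m:
        return m.group(1) in token_attrs
    m = re.fullmatch(r'(\S+)\s+Contains\s+"([^"]*)"', cond)
    if m:
        attr, wanted = m.groups()
        if attr not in token_attrs:
            return None
        # Assumption of this model: attribute values compare case-insensitively.
        return wanted.upper() in (v.upper() for v in token_attrs[attr])
    raise ValueError("unsupported condition: " + cond)

def allows(sddl, token_attrs, requested_mask):
    """True only for an XA ACE whose condition is definitely true for the
    token and whose access mask covers every requested right; an unknown
    condition makes an allow ACE inapplicable, so it grants nothing."""
    ace = parse_conditional_ace(sddl)
    if ace["type"] != "XA" or evaluate_condition(ace["cond"], token_attrs) is not True:
        return False
    return (requested_mask & ~ace["rights"]) == 0

# Constructed samples: the two ACEs from the comments, one app token, one plain token.
ACE_EXISTS = "(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))"
ACE_CONTAINS = '(XA;OICI;0x1200a9;;;BU;(WIN://SYSAPPID Contains "MICROSOFT.WINDOWSSTORE_8WEKYB3D8BBWE"))'
APP_TOKEN = {"WIN://SYSAPPID": ["Microsoft.WindowsStore_8wekyb3d8bbwe"]}  # hypothetical values
PLAIN_TOKEN = {}
FILE_READ_DATA, FILE_WRITE_DATA = 0x1, 0x2
```

A token without the WIN://SYSAPPID attribute gets nothing from either ACE, which is why a plain interactive user cannot read the package directories even though the ACE is nominally for Users.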

1 Answer


I had the same problem, and it wouldn't let me edit that entry to grant access to %USERS%. I followed this tutorial. It has 3 workarounds for this problem.

For me, Method 2: Changing the owner to Users worked:

Perhaps the most effective fix for this particular issue is to change the Owner of the folder/file and to take full ownership of it. After doing this, you should be able to edit the permissions without encountering the ‘Access Control Entry is Corrupt’ error.

  1. Right-click on the folder or file that you’re having issues with and choose Properties from the context menu.
  2. Once you’re inside the Properties screen, select the Security tab, click on the Advanced button associated with Permissions.
  3. Inside the Advanced Security Settings, click on the Change button associated with the Owner.
  4. Inside the Select User or Group, type Users inside the text box, then click on Check Names to verify. If the syntax is replaced correctly, click Ok to save the changes. Then click Apply at the previous window to make the change permanent.
  5. Try to modify the permissions accordingly and see if you still see the error message.

2 Comments

Not the same problem. This workaround has nothing to do with WIN://SYSAPPID. The tutorial linked here teaches how to fix 'Access control entry is corrupt' error. But in this case it's not actually a corrupt entry, but a special permission/condition (Exists:WIN://SYSAPPID) for Users(Pc-Name\Users) and can't be removed.
On top of what @Coconut mentioned, I'd be concerned about the knock-on effects of changing permissions & ownership of a core Windows directory like this; I'd be especially concerned about security holes this may open. The linked tutorial doesn't mention these possibilities at all.
