What's "EXISTS WIN://SYSAPPID" condition in "C:\Program Files\WindowsApps" ACL?
I noticed that access rights in C:\Program Files\WindowsApps for Users have a special "condition" applied: EXISTS WIN://SYSAPPID.

[Screenshot: ACL condition EXISTS WIN://SYSAPPID]

I didn't find anything about ACL conditions or how I could create and utilize such a thing.

How can I create and utilize ACL conditions?

Urnfield answered 17/8, 2020 at 17:11 Comment(4)
Support for Authz conditional ACEs was added to kernel access checks in Windows 8. They're not well supported with existing command-line tools. They're most easily handled with SDDL string security descriptors. e.g., (XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID)) conditionally grants (XA) read and execute access (0x1200a9) to users (BU) when the effective access token has an attribute named "WIN://SYSAPPID". Another example, (XA;OICI;0x1200a9;;;BU;(WIN://SYSAPPID Contains "MICROSOFT.WINDOWSSTORE_8WEKYB3D8BBWE")) uses the "Contains" operator to check for a specific value of the attribute.Flodden
In Windows 8+, support for Authz conditional ACEs was added to kernel access checks because (at least in part) they're used extensively in "%ProgramFiles%\WindowsApps" to conditionally grant access to standard users only for a given user's installed apps. This was integrated into CreateProcessW, which gets the information to create the custom access token from fields in the app execution alias, which, if enabled for an installed app, is in the user's "%LocalAppData%\Microsoft\WindowsApps" directory.Flodden
The specification for a conditional ACE is detailed in [MS-DTYP] 2.4.4.17 Conditional ACEs. Also see [MS-DTYP] 2.5.3.1.5 EvaluateAceCondition and [MS-DTYP] 2.5.1 Security Descriptor Description Language.Flodden
Marvellous information. Want to provide an answer, so I can vote for it and close this question?Urnfield
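As an added example (not code from the question, the answers, or Microsoft), here is a small Python decoder for the SDDL form described in the comments above: it splits a DACL string into ACEs, flags the conditional XA/XD entries, names the bits behind a mask such as 0x1200a9, and pulls out the conditional expression. The sample DACL is constructed from the two ACEs quoted in the comments plus an ordinary administrators ACE; it is not the real WindowsApps descriptor, and the alias tables are limited to what the sample needs.

```python
# SDDL abbreviations (MS-DTYP 2.5.1), limited to what this example needs.
SID_ALIASES = {"BU": "BUILTIN\\Users", "BA": "BUILTIN\\Administrators", "SY": "NT AUTHORITY\\SYSTEM"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "XA": "ACCESS_ALLOWED_CALLBACK", "XD": "ACCESS_DENIED_CALLBACK"}
RIGHT_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
# File-object access bits (winnt.h) used to name the bits of a hex mask.
FILE_RIGHTS = [(0x100000, "SYNCHRONIZE"), (0x80000, "WRITE_OWNER"), (0x40000, "WRITE_DAC"),
               (0x20000, "READ_CONTROL"), (0x10000, "DELETE"), (0x100, "FILE_WRITE_ATTRIBUTES"),
               (0x80, "FILE_READ_ATTRIBUTES"), (0x20, "FILE_EXECUTE"), (0x10, "FILE_WRITE_EA"),
               (0x8, "FILE_READ_EA"), (0x4, "FILE_APPEND_DATA"), (0x2, "FILE_WRITE_DATA"), (0x1, "FILE_READ_DATA")]

def split_aces(dacl):
    """Yield the text inside each top-level (...) of a DACL string; parentheses inside a
    conditional expression or a quoted literal do not end an ACE."""
    body, depth, in_str, start = dacl[dacl.index("("):], 0, False, 0  # drop 'D:' and DACL flags
    for i, ch in enumerate(body):
        if ch == '"':
            in_str = not in_str
        elif in_str:
            continue
        elif ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                yield body[start:i]

def decode_rights(text):
    """Turn '0x1200a9' or 'FRFX' into (mask, [names of the set bits])."""
    if text.lower().startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for i in range(0, len(text), 2):
            mask |= RIGHT_ALIASES[text[i:i + 2]]
    return mask, [name for bit, name in FILE_RIGHTS if mask & bit]

def parse_ace(body):
    # Conditional ACE layout: type;flags;rights;object_guid;inherit_guid;sid;(condition)
    f = body.split(";", 6)
    mask, names = decode_rights(f[2])
    cond = f[6][1:-1] if len(f) == 7 else None  # strip the outer parens around the condition
    return {"type": ACE_TYPES.get(f[0], f[0]), "conditional": f[0] in ("XA", "XD"), "flags": f[1],
            "mask": mask, "rights": names, "trustee": SID_ALIASES.get(f[5], f[5]), "condition": cond}

def conditional_aces(dacl):
    return [ace for ace in map(parse_ace, split_aces(dacl)) if ace["conditional"]]

# Constructed sample: the two conditional ACEs quoted in the comments plus an admin ACE.
SAMPLE_DACL = ('D:(A;OICI;FA;;;BA)(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))'
               '(XA;OICI;0x1200a9;;;BU;(WIN://SYSAPPID Contains "MICROSOFT.WINDOWSSTORE_8WEKYB3D8BBWE"))')
```

Running `conditional_aces(SAMPLE_DACL)` shows that both Users entries carry only read and execute bits (no write bits) and are gated on the WIN://SYSAPPID token attribute, which is why they cannot be edited away like an ordinary ACE.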
I had the same problem, and it wouldn't let me edit that entry to grant access to %USERS%. I followed this tutorial. It has 3 workarounds for this problem.

For me, Method 2: Changing the owner to Users worked:

Perhaps the most effective fix for this particular issue is to change the Owner of the folder/file and to take full ownership of it. After doing this, you should be able to edit the permissions without encountering the 'Access Control Entry is Corrupt' error.

  1. Right-click on the folder or file that you’re having issues with and choose Properties from the context menu.
  2. Once you’re inside the Properties screen, select the Security tab, click on the Advanced button associated with Permissions.
  3. Inside the Advanced Security Settings, click on the Change button associated with the Owner.
  4. Inside the Select User or Group, type Users inside the text box, then click on Check Names to verify. If the syntax is replaced correctly, click Ok to save the changes. Then click Apply at the previous window to make the change permanent.
  5. Try to modify the permissions accordingly and see if you still see the error message.
Vanmeter answered 31/1, 2021 at 10:3 Comment(2)
Not the same problem. This workaround has nothing to do with WIN://SYSAPPID. The tutorial linked here teaches how to fix 'Access control entry is corrupt' error. But in this case it's not actually a corrupt entry, but a special permission/condition (Exists:WIN://SYSAPPID) for Users(Pc-Name\Users) and can't be removed.Beth
On top of what @Beth mentioned, I'd be concerned about the knock-on effects of changing permissions & ownership of a core Windows directory like this; I'd be especially concerned about security holes this may open. The linked tutorial doesn't mention these possibilities at all.Chlorous
