Starting Point: New Win7 SP1 installation, NOT on a domain. Now I want to lock down a few files to only admins. We'll try to lock down c:\windows\system32\at.exe. First image is my starting/default permissions. I'm logged in as local admin. I now delete Users so only Admins can run the executable. Once I delete Users, I get the error message of the 2nd image. If I try to Run as Administrator, I get the same error message. The current ownership of the file is TrustedInstallers - if I take ownership it still gives me the error message. If I look at Effective Permissions for the account, I see that the local admin account DOES have the correct read/execute rights. I'm now officially stumped. What am I missing here? Does the same thing happen on your systems? Thanks in advance for any help you can provide. <Frank>

I was just about to post this, too. I have the exact same problem. Trying to only allow SYSTEM and Administrators to access "cmd.exe". I get the dialog that Frank posted when I try to run it. The problem goes away if I add "Users" or "INTERACTIVE", but then that means that any user can access cmd.exe, which defeats the purpose. :/

Hi Frank, First, I would like to assure that the security option about c:\windows\system32\at.exe is the same as my test machine. It is not suggested to change the default permission. Meanwhile, please understand that TrustedInstaller.exe is Windows Module Installer service which is part of Windows Resource Protection. Windows Resource Protection (WRP) is a technology that restricts access to certain core system files, folders, and registry keys that are part of the Windows installation. WRP prevents files with .dll, .exe, .ocx, and .sys file extensions from being modified or replaced. Protecting these key resources is important to overall system stability, and, as such, they can only be modified by the Windows Module Installer service (TrustedInstaller.exe). If someone with administrative rights attempts to modify or replace a file that is protected by WRP, he will be presented with the message "Access Denied". If you change TrustedInstaller settings, you put your system at risk and your system may not function properly. Its not suggested to remove it. Regarding the current issue, please try to set the security setting to default to test the issue. In addition, you can also temporarily disable UAC to test the issue. Hope this helps Vincent Wang TechNet Community Support

Hi Frank, First, I would like to assure that the security option about c:\windows\system32\at.exe is the same as my test machine. It is not suggested to change the default permission. Meanwhile, please understand that TrustedInstaller.exe is Windows Module Installer service which is part of Windows Resource Protection. Windows Resource Protection (WRP) is a technology that restricts access to certain core system files, folders, and registry keys that are part of the Windows installation. WRP prevents files with .dll, .exe, .ocx, and .sys file extensions from being modified or replaced. Protecting these key resources is important to overall system stability, and, as such, they can only be modified by the Windows Module Installer service (TrustedInstaller.exe). If someone with administrative rights attempts to modify or replace a file that is protected by WRP, he will be presented with the message "Access Denied". If you change TrustedInstaller settings, you put your system at risk and your system may not function properly. Its not suggested to remove it. Regarding the current issue, please try to set the security setting to default to test the issue. In addition, you can also temporarily disable UAC to test the issue. Hope this helps Vincent Wang TechNet Community Support

So, by default, an executable (such as Frank's "at.exe" and my "cmd.exe") *has* to be able to be executed by everyone? How would you go about locking something down so only Administrators can access it? The moment I try doing that, I get the same message as in Frank's 2nd image. Thanks, Pedro