I currently have to change permissions for all local users on cmd.exe. So far I have taken the ownership of the file and changed the permissions the way I need them.
My problem is that I can't figure out how to give the ownership back to TrustedInstaller.
Below you can see the code I worked out so far. It changes the permissions and throws no errors, but after the script has run, the owner is still set to System.
I am using the PowerShell App Deployment Toolkit, and the script was executed as the system user.
Any help is appreciated. If there are other (better) ways of changing permissions in the Windows folder, please let me know as well.
$acl_old = get-acl "$envSystem32Directory\cmd.exe"
$owner_old = $acl_old.Owner
Execute-Process -Path "takeown.exe" -Parameters "/f C:\windows\system32\cmd.exe"
Execute-Process -Path "icacls.exe" -Parameters "$envSystem32Directory\cmd.exe /grant:r *S-1-2-0:(RX)"
$new_permission = get-acl "$envSystem32Directory\cmd.exe"
$new_owner_object = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList "$owner_old"
$new_permission.SetOwner($new_owner_object)
set-acl -Path $envSystem32Directory\cmd.exe -AclObject $new_permissions
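
Added example, not part of the original post: one way to run the same take-ownership, grant and restore-owner sequence with `icacls.exe /setowner` in place of `Set-Acl`, checking each tool's exit code and verifying the owner at the end. It assumes an elevated or SYSTEM context, uses `$env:SystemRoot` and direct invocation instead of the toolkit's `$envSystem32Directory` and `Execute-Process`, and `Invoke-Native` is a hypothetical helper name.

```powershell
# Added example. Assumption: runs elevated or as SYSTEM, so icacls may assign an owner other than the caller.
Set-StrictMode -Version Latest      # a misspelled variable name raises an error instead of evaluating to $null
$ErrorActionPreference = 'Stop'

# Hypothetical helper: run a native tool and stop on a non-zero exit code.
function Invoke-Native {
    param([string]$FilePath, [string[]]$Arguments)
    & $FilePath @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "$FilePath $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

$target = Join-Path $env:SystemRoot 'System32\cmd.exe'

# Record the owner before anything is changed (normally NT SERVICE\TrustedInstaller).
$originalOwner = (Get-Acl -LiteralPath $target).Owner

# Take ownership so the DACL can be edited.
Invoke-Native 'takeown.exe' @('/f', $target)
try {
    # Same grant as in the post: replace the entry for S-1-2-0 with read and execute.
    Invoke-Native 'icacls.exe' @($target, '/grant:r', '*S-1-2-0:(RX)')
}
finally {
    # Hand ownership back even when the grant step failed.
    Invoke-Native 'icacls.exe' @($target, '/setowner', $originalOwner)
}

# Verify the result instead of relying on the absence of errors.
$currentOwner = (Get-Acl -LiteralPath $target).Owner
if ($currentOwner -ne $originalOwner) {
    throw "Owner of $target is '$currentOwner', expected '$originalOwner'"
}
Write-Output "Owner restored: $currentOwner"
```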