Changing folder permissions access denied

Question

I am using Visual Basic in Visual Studio 2010
Just some pre-amble to set the scene:
When I buy a new computer I create an account to login, I have always assumed this is an administrator account.
I have a third party app which will open & do certain tasks, however it will not do what I want unless I Right click the app & then click run as Administrator.
To me this means although I am logged in as an administrator I am NOT an administrator unless I go in by the back door.

Now to the problem:
on a computer, some time ago (could be years) I created a folder, now as far as I am concerned I have no reason to set permissions on any folder I create as basically I am the only one using it, so I should be able to do what I like with it.

I have an app which I hope to publish, but during my testing I have found an issue where I cannot move a file into this folder because of some permission issue.

This is the security map shown in explorer:
Group or user names Permissions

1. Creator Owner: Special Permissions only
2. System: Full Control, All others except Special Permissions
3. Account Unknown: Special Permissions Only
4. Administrators: Full Control, All others except Special Permissions
5. Users: Read & Execute, list, read, Special Permissions

I have no idea whatsoever as to how this information was created, nor when I run my app do I know which applies

So, I decide to alter the folder permissions with the following code:

    Dim FolderPath As String = This 'Specify the folder here
    Dim UserAccount As String = SystemInformation.UserName 'Specify the user here

    Dim FolderInfo As IO.DirectoryInfo = New IO.DirectoryInfo(FolderPath)
    Dim FolderAcl As New DirectorySecurity
    FolderAcl.AddAccessRule(New FileSystemAccessRule(UserAccount, FileSystemRights.Modify, InheritanceFlags.ContainerInherit Or InheritanceFlags.ObjectInherit, PropagationFlags.None, AccessControlType.Allow))
    FolderAcl.SetAccessRuleProtection(True, False) 'uncomment to remove existing permissions

It fails on the next line with the error:
"Attempted to perform an unauthorised operation"

    FolderInfo.SetAccessControl(FolderAcl)

I am the so-called Administrator (or am I?) so why can't I changed the folder security settings.

If I cannot be the REAL Administrator which should be able to do anything, then there is no answer to this question

Obviously I need to resolve this issue as a purchaser of my app could have the same issue & my app will fail.

Any solution or comments much appreciated

Answer 1

A little history may help clarify the situation. Back in the Windows 95/98 days all users had complete control over the system and access control over files/folders did not exist. When Windows XP was introduced it implemented the Windows NT security model and included access controls. The Windows security model is based on user identity, not on applications. In general, access controls allow or deny based on the identity of the user and are not tied to particular programs. To facilitate Windows XP adoption and make life easier for users that were unused to not having full control of and access to their systems almost all user accounts created in Windows XP were Administrators. This was a convenience for Windows XP users but created a significant attack surface for bad actors. Microsoft improved security when it introduced Windows Vista by introducing User Account Control. So although a user account was a member of the Administrators group in the ordinary course the rights allowed to that user would be those of a standard user account, not an Administrator. So the attack surface was reduced. A member of the Administrators group attempting to perform actions that required elevated Administrator privileges would cause the system to issue a consent prompt.

It appears that the security descriptor of the problematic folder does not allow a standard user to have write access (including changing the security descriptor of the folder). This is unrelated to your particular application. For example, you also wouldn't be able to save a file to that folder with Notepad. I haven't looked at the details of the posted code, but it must be executed with "Run as administrator" for Windows to allow changes to the folder's security descriptor. You can accomplish this when starting the related application or including a manifest in the application that specifies "requireAdministrator"

Answer 2

Thanks to both for replies

for DuaneArnold-0443

it seems the codeguru website at this time has some problems, I could not access codeguru itself either with Brave or Chrome.

For
RLWA32, It looks like I will have to put in a Try/Catch in my app & if it fails, advise the user to elevate to folder security

Answer 3

Thanks for taking an interest.
I have run the code with no problems with other folders
This particular folder was created years ago, maybe on XP or Windows 7, it is inside a vault which obviously has a vault (cypherix) password to open before the folder can be viewed\access.
It is not an immediate problem so in the next few days I will try to manually change the security (It is not something I am conversant with), otherwise I will just create a different named folder as at present I am the only one affected.