@A1The whole point of changing the permissions is actually to restore integrity in some sense:
"changing the permissions to the file you recommend"
No new folders are created with these scripts...
"creates paths that may be a threat to the integrity of the system"
Here's what it does. Line #1 and #3 will remove entries. The purpose of that also is to clear any ACEs that have an SID string tied to them, or to clear permissions that deny the operating system read / write permissions (from another computer,) and restore "full control". That in fact will increase integrity, if the file permissions are missing. If this computer was part of a domain that utilized Active Directory, of course this would be managed for you by an external entity, or it would be set through a profile. On a personal computer this is not risky if you run it offline on WinPE and let it finish. For line #2 and #4 which add entries, OI / CI mean Inherit, and F means full control. The reason why I have it in this specific order, is so it can be used to modify an offline image (it grants control without using SID strings.) If you were to use the full script, not a small excerpt like below, it would work the same way on a USB drive, regardless of what computer it was plugged into:
1.) icacls A: /remove "NT SERVICE\TrustedInstaller" /c /l /q
2.) icacls A: /inheritance:r /grant:r "NT SERVICE\TrustedInstaller":(OI)(CI)(F) /c /l /q
3.) icacls A: /remove "NT AUTHORITY\SYSTEM" /c /l /q
4.) icacls A: /inheritance:r /grant:r "NT AUTHORITY\SYSTEM":(OI)(CI)(F) /c /l /q
Here's another example for you to read:
Microsoft Windows [Version 10.0.22000.795]
(c) Microsoft Corporation. All rights reserved.
C:\Users\<user_name>\Desktop>icacls /?
ICACLS name /save aclfile [/T] [/C] [/L] [/Q]
stores the DACLs for the files and folders that match the name
into aclfile for later use with /restore. Note that SACLs,
owner, or integrity labels are not saved.
ICACLS directory [/substitute SidOld SidNew [...]] /restore aclfile
[/C] [/L] [/Q]
applies the stored DACLs to files in directory.
ICACLS name /setowner user [/T] [/C] [/L] [/Q]
changes the owner of all matching names. This option does not
force a change of ownership; use the takeown.exe utility for
that purpose.
ICACLS name /findsid Sid [/T] [/C] [/L] [/Q]
finds all matching names that contain an ACL
explicitly mentioning Sid.
ICACLS name /verify [/T] [/C] [/L] [/Q]
finds all files whose ACL is not in canonical form or whose
lengths are inconsistent with ACE counts.
ICACLS name /reset [/T] [/C] [/L] [/Q]
replaces ACLs with default inherited ACLs for all matching files.
ICACLS name [/grant[:r] Sid:perm[...]]
[/deny Sid:perm [...]]
[/remove[:g|:d]] Sid[...]] [/T] [/C] [/L] [/Q]
[/setintegritylevel Level:policy[...]]
/grant[:r] Sid:perm grants the specified user access rights. With :r,
the permissions replace any previously granted explicit permissions.
Without :r, the permissions are added to any previously granted
explicit permissions.
/deny Sid:perm explicitly denies the specified user access rights.
An explicit deny ACE is added for the stated permissions and
the same permissions in any explicit grant are removed.
/remove[:[g|d]] Sid removes all occurrences of Sid in the ACL. With
:g, it removes all occurrences of granted rights to that Sid. With
:d, it removes all occurrences of denied rights to that Sid.
/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity
ACE to all matching files. The level is to be specified as one
of:
L[ow]
M[edium]
H[igh]
Inheritance options for the integrity ACE may precede the level
and are applied only to directories.
/inheritance:e|d|r
e - enables inheritance
d - disables inheritance and copy the ACEs
r - remove all inherited ACEs
Note:
Sids may be in either numerical or friendly name form. If a numerical
form is given, affix a * to the start of the SID.
/T indicates that this operation is performed on all matching
files/directories below the directories specified in the name.
/C indicates that this operation will continue on all file errors.
Error messages will still be displayed.
/L indicates that this operation is performed on a symbolic link
itself versus its target.
/Q indicates that icacls should suppress success messages.
ICACLS preserves the canonical ordering of ACE entries:
Explicit denials
Explicit grants
Inherited denials
Inherited grants
perm is a permission mask and can be specified in one of two forms:
a sequence of simple rights:
N - no access
F - full access
M - modify access
RX - read and execute access
R - read-only access
W - write-only access
D - delete access
a comma-separated list in parentheses of specific rights:
DE - delete
RC - read control
WDAC - write DAC
WO - write owner
S - synchronize
AS - access system security
MA - maximum allowed
GR - generic read
GW - generic write
GE - generic execute
GA - generic all
RD - read data/list directory
WD - write data/add file
AD - append data/add subdirectory
REA - read extended attributes
WEA - write extended attributes
X - execute/traverse
DC - delete child
RA - read attributes
WA - write attributes
inheritance rights may precede either form and are applied
only to directories:
(OI) - object inherit
(CI) - container inherit
(IO) - inherit only
(NP) - don't propagate inherit
(I) - permission inherited from parent container
Examples:
icacls c:\windows\* /save AclFile /T
- Will save the ACLs for all files under c:\windows
and its subdirectories to AclFile.
icacls c:\windows\ /restore AclFile
- Will restore the Acls for every file within
AclFile that exists in c:\windows and its subdirectories.
icacls file /grant Administrator:(D,WDAC)
- Will grant the user Administrator Delete and Write DAC
permissions to file.
icacls file /grant *S-1-1-0:(D,WDAC)
- Will grant the user defined by sid S-1-1-0 Delete and
Write DAC permissions to file.
C:\Users\<user_name>\Desktop>
If file permissions are blocked for "SYSTEM" or "Trusted Installer," SFC is not able to open file handles, so of course it can't replace a corrupted file or even open the file to check for corruption to begin with (verify checksums.) It is a good idea though to use DISM / SFC for what it is used for, which of course has nothing to do with this, but that could indirectly solve other issues:
"No, I did not find, but if you have any doubts, run SFC if it is okay and Windows works without errors is a waste of time to further analyze."
