Win10 apps do not have permission to access their own files
-
I tried to fix this myself, many times, and have come up blank. Here's hoping you guys know anything.
Plenty of apps in the Windows Store work just fine. I tested the first two I saw after being reminded of this, Roblox and Discord PTB, to make sure this wasn't a problem with every app, and they launched without any difficulties.
However, some apps, even when freshly installed after never being installed before, have this to say when they start up:
https://i.imgur.com/nv7PFRa.png
The full file path here ends in\DesktopApp\SamsungFlowDesktop.exe
. Spotify's is\SpotifyMigrator.exe
.
It doesn't seem to be a problem with already installed apps vs new apps. Discord PTB worked fine.
It doesn't seem to be consistent across types of apps. SoundCloud works fine, Spotify doesn't.
The folder permissions for both WindowsApps and the app's folder do not seem to be amiss.TrustedInstaller
andALL APPLICATION PACKAGES
both have full read/write permissions. The file that it can't access has the same permissions as the rest of the files.
It's just me that's having these problems. The releases work for everyone else.I just simply have no idea what could possibly be going wrong. Does anybody have any sort of experience with this?
-
My standard method for dealing with Windows 10 now is going to the directory in question, give ownership to my username and give myself full read/write permission for that folder, subfolders and files.
Windows 10 is really screwed up when it comes to file/directory permissions. Really, really screwed up. And it is random. Do a clean install 10 times and you'll get slightly different results each time.
-
It may not be file permissions, but actually file encryption (presumably for drm reasons) causing these issues. I've run into that before, and IIRC it gives similar "cannot access" messages even when you "should" be able to access.
How that could fail in such an impressive manner?
-
@el_heffe I've got full control too.
-
I'd blame antivirus being stupid. Are you using third party or default?
-
@tsaukpaetra said in Win10 apps do not have permission to access their own files:
I'd blame antivirus being stupid. Are you using third party or default?
And what @sloosecannon said. Process Monitor is great for seeing what is actually going on without having to go full
windbg
. That should tell you if something like AV is interfering or if it's a bad error message.
-
@tsaukpaetra Default, and I've disabled the real-time tracking.
-
@cursorkeys Well, I tried that, and I don't really have any idea what I'm looking for.
Four lines jumped out at me though.
https://i.imgur.com/xBKJA65.png
Interesting. Those all access the UWP folder - why?
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
@cursorkeys Well, I tried that, and I don't really have any idea what I'm looking for.
Four lines jumped out at me though.
https://i.imgur.com/xBKJA65.png
Interesting. Those all access the UWP folder - why?That looks normal for something that's enumerating files. Those BUFFER OVERFLOW messages aren't interesting, it just means the buffer steam.exe supplied wasn't big enough for all the data that could have been returned for that query so the response was truncated.
As to why Steam's doing that, I'm not sure. A quick Google suggests it might have some support for UWP games so possibly housekeeping to do with that.
Try setting up a filter for 'RESULT/ IS NOT/ SUCCESS' and see if there is anything interesting then.
-
So here's the only thing that that executable tried to access:
https://i.imgur.com/ejrbN1t.png
And here's the stuff that tried to access that executable:
https://i.imgur.com/KU6AkNZ.png
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
So here's the only thing that that executable tried to access:
https://i.imgur.com/ejrbN1t.png
And here's the stuff that tried to access that executable:
https://i.imgur.com/KU6AkNZ.pngLack of prefetch file is not a problem, so nothing usual there.
That svchost hosted process looks, superficially, like it was successful doing whatever it was up to with SamsungFlowDesktop.exe.
But it seems to have been told that the PROCESS_TRUST_LEVEL ACE is present is the Access Control List. This ACE doesn't seem to be documented but I found this:
That seems to suggest that it does something with restricting permissions, so it's a possibility that that is a clue. There may still be something else if you comb through a fuller Process Monitor log though.
For my money I'd take a backup of the system and then take ownership of that file tree at c:\program files\windowsapps\ and see if that helps, I think it will remove that ACE.
-
@cursorkeys I've tried that. Doesn't work (and takes damn near forever).
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
@cursorkeys I've tried that. Doesn't work (and takes damn near forever).
@pie_flavor said in Win10 apps do not have permission to access their own files:
@cursorkeys I've tried that. Doesn't work (and takes damn near forever).
Hmm, It's clearly still there so unless there's something else lurking in the log I think trying to work out how to remove that ACE might be the best option.
I've fiddled with ACLs via C# but that's not very helpful here. There's a Powershell snippit on S/A that claims to remove everything:
-
@cursorkeys Wait, remove them all? Pretty sure application packages and the installer should keep their access, no? AIUI if I remove the ACL entries from that folder, no Windows 10 apps will work at all, unless I'm missing something.
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
AIUI if I remove the ACL entries from that folder, no Windows 10 apps will work at all, unless I'm missing something.
And you won't have this weird issue where some work and some don't, and you don't know why
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
Wait, remove them all? Pretty sure application packages and the installer should keep their access, no? AIUI if I remove the ACL entries from that folder, no Windows 10 apps will work at all, unless I'm missing something.
Yep, hopefully it will nuke the lot. You'll need to put some back, on my machine it's:
Windows PowerShell Copyright (C) Microsoft Corporation. All rights reserved. PS C:\WINDOWS\system32> cd "c:\program files" PS C:\program files> Get-Acl WindowsApps | fl Path : Microsoft.PowerShell.Core\FileSystem::C:\program files\WindowsApps Owner : NT SERVICE\TrustedInstaller Group : NT SERVICE\TrustedInstaller Access : NT AUTHORITY\RESTRICTED Allow ReadAndExecute, Synchronize NT AUTHORITY\SYSTEM Allow FullControl NT AUTHORITY\SYSTEM Allow 268435456 NT AUTHORITY\LOCAL SERVICE Allow ReadAndExecute, Synchronize NT AUTHORITY\NETWORK SERVICE Allow ReadAndExecute, Synchronize BUILTIN\Administrators Allow ReadAndExecute, Synchronize BUILTIN\Users Allow ReadAndExecute, Synchronize NT SERVICE\TrustedInstaller Allow 268435456 NT SERVICE\TrustedInstaller Allow FullControl S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204 Allow -1610612736 S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204 Allow ReadAndExecute, Synchronize Audit : Sddl : O:S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464G:S-1-5-80-956008885-3418522649-1831038044-185 3292631-2271478464D:PAI(A;OICI;0x1200a9;;;RC)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;LS)(A;OICI;0x120 0a9;;;NS)(A;CI;0x1200a9;;;BA)(XA;;0x1200a9;;;BU;(Exists WIN://SYSAPPID))(A;OICIIO;GA;;;S-1-5-80-956008885-3418 522649-1831038044-1853292631-2271478464)(A;;FA;;;S-1-5-80-956008885-3418522649-1831038044-1853292631-227147846 4)(A;OICIIO;GXGR;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-25 01854204)(A;;0x1200a9;;;S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-9834056 19-2501854204)
PS C:\program files> icacls WindowsApps WindowsApps NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(OI)(CI)(IO)(F) S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(RX) S-1-15-3-1024-3635283841-2530182609-996808640-1887759898-3848208603-3313616867-983405619-2501854204:(OI)(CI)(IO)(GR,GE) NT AUTHORITY\SYSTEM:(F) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(CI)(RX) NT AUTHORITY\LOCAL SERVICE:(OI)(CI)(RX) NT AUTHORITY\NETWORK SERVICE:(OI)(CI)(RX) NT AUTHORITY\RESTRICTED:(OI)(CI)(RX) BUILTIN\Users:(Rc,S,RD,REA,X,RA) Successfully processed 1 files; Failed processing 0 files PS C:\program files>
-
Is this a UWP app? And is it trying to write to the installation folder? If so, that's verboten. The installation folder is read-only (without serious shenanigans) and pretty locked down as to access. All mutable data should go in the AppData folders.
In fact, trying to read a UWP app's install folder from another app is an access violation unless they're explicitly linked together in the manifest.
-
@benjamin-hall said in Win10 apps do not have permission to access their own files:
Is this a UWP app? And is it trying to write to the installation folder? If so, that's verboten. The installation folder is read-only (without serious shenanigans) and pretty locked down as to access. All mutable data should go in the AppData folders.
In fact, trying to read a UWP app's install folder from another app is an access violation unless they're explicitly linked together in the manifest.
And with that in mind, I can't believe no one has pointed out the real issue:
-
@benjamin-hall said in Win10 apps do not have permission to access their own files:
Is this a UWP app? And is it trying to write to the installation folder? If so, that's verboten. The installation folder is read-only (without serious shenanigans) and pretty locked down as to access. All mutable data should go in the AppData folders.
In fact, trying to read a UWP app's install folder from another app is an access violation unless they're explicitly linked together in the manifest.
There's no evidence of denied writes in the log @pie_flavor shared above.
-
@cursorkeys said in Win10 apps do not have permission to access their own files:
@benjamin-hall said in Win10 apps do not have permission to access their own files:
Is this a UWP app? And is it trying to write to the installation folder? If so, that's verboten. The installation folder is read-only (without serious shenanigans) and pretty locked down as to access. All mutable data should go in the AppData folders.
In fact, trying to read a UWP app's install folder from another app is an access violation unless they're explicitly linked together in the manifest.
There's no evidence of denied writes in the log @pie_flavor shared above.
I'm not sure that it even gets that far. I ran into this issue myself with a UWP app and it logged absolutely nothing. It seems to happen at a higher level (the API itself?), not the filesystem.
But it could be an error if the app is trying to reach outside its sandbox and doing so improperly--you basically can't use fixed filesystem paths in UWP. You have to use the APIs properly, otherwise all sorts of arcane problems occur.
-
@dcon said in Win10 apps do not have permission to access their own files:
And with that in mind, I can't believe no one has pointed out the real issue:
That's because you don't make jokes in a Help thread until the issue is reasonably solved. Also the joke's way too obvious.
-
@benjamin-hall said in Win10 apps do not have permission to access their own files:
@cursorkeys said in Win10 apps do not have permission to access their own files:
@benjamin-hall said in Win10 apps do not have permission to access their own files:
Is this a UWP app? And is it trying to write to the installation folder? If so, that's verboten. The installation folder is read-only (without serious shenanigans) and pretty locked down as to access. All mutable data should go in the AppData folders.
In fact, trying to read a UWP app's install folder from another app is an access violation unless they're explicitly linked together in the manifest.
There's no evidence of denied writes in the log @pie_flavor shared above.
I'm not sure that it even gets that far. I ran into this issue myself with a UWP app and it logged absolutely nothing. It seems to happen at a higher level (the API itself?), not the filesystem.
But it could be an error if the app is trying to reach outside its sandbox and doing so improperly--you basically can't use fixed filesystem paths in UWP. You have to use the APIs properly, otherwise all sorts of arcane problems occur.
There's a bit of information available and it seems to just use the same VirtualStore VFS as Program Files already did:
So it's all powered by a kernel-mode filter driver. Process Monitor doesn't use ETW, it uses a kernel driver so it should be able to see what's going on. Saying 'should' in IT is always a bad idea though, I'm not sure now
-
@cursorkeys Yeah. In this case I'd guess that they built the app in a screwy way and have the sandbox all screwed up so they're trying to reach out of it in an unapproved way.
-
@pie_flavor From my gut feelings, especially after reading other people's posts here, it seems like this probably only affects migrated apps, and not ones designed for the store initially, and seems to be on the app developers for not making sure things are compatible.
@el_heffe said in Win10 apps do not have permission to access their own files:
My standard method for dealing with Windows 10 now is going to the directory in question, give ownership to my username and give myself full read/write permission for that folder, subfolders and files.
Windows 10 is really screwed up when it comes to file/directory permissions. Really, really screwed up. And it is random. Do a clean install 10 times and you'll get slightly different results each time.My standard method for dealing with Windows 10 is to install it, only make a local admin account, and then add an account with a Live ID. Consistently, across multiple machines, I get the same (perfectly working) behavior. I have specific app problems, like specific Steam games not knowing how to elevate themselves (or requiring elevation at all), but after years now of dealing with it, I haven't had any directory ownership issues.
-
@magus said in Win10 apps do not have permission to access their own files:
@pie_flavor From my gut feelings, especially after reading other people's posts here, it seems like this probably only affects migrated apps, and not ones designed for the store initially, and seems to be on the app developers for not making sure things are compatible.
Yeah but even the worst software company would try running the app once, wouldn't they? Or is it only certain computers that strictly enforce the sandboxing, so there's a chance this could work on their test machines?
-
@blakeyrat said in Win10 apps do not have permission to access their own files:
Yeah but even the worst software company would try running the app once, wouldn't they? Or is it only certain computers that strictly enforce the sandboxing, so there's a chance this could work on their test machines?
: It finally compiles!
: Ship it now! We're past our announced release date, can't wait for testing.
-
@blakeyrat said in Win10 apps do not have permission to access their own files:
Or is it only certain computers that strictly enforce the sandboxing, so there's a chance this could work on their test machines?
It wouldn't terribly surprise me if this is the case. Microsoft's goal is to eventually get this stuff into docker/some-other-kind-of containers and eventually have less problems with people not following instructions properly. Getting things to work inside a container can be harder though, so I'm not entirely certain if this has been fully thought through.
-
FWIW, a common suggestion I've seen for when you have problems with an application from the Store is to try making a new user and having that user install it. It's a way to check to see if there's some sort of user profile problem.
My solution is to not use Store apps.
-
@parody The problem with that is, the store is fine. The whole "Put win32 and webb apps in the store!" attitude has kind of made a mess of things, though.
-
@magus said in Win10 apps do not have permission to access their own files:
My standard method for dealing with Windows 10 is to never install it in the first place
FTFY
-
@magus said in Win10 apps do not have permission to access their own files:
The whole "Put win32 and webb apps in the store!" attitude has kind of made a mess of things, though.
Is it a supported feature of the store?
-
@timebandit said in Win10 apps do not have permission to access their own files:
@magus said in Win10 apps do not have permission to access their own files:
The whole "Put win32 and webb apps in the store!" attitude has kind of made a mess of things, though.
Is it a supported feature of the store?
I don't know about webapps, but I know we put our win32 app in the store. Technology previously know/released as Project Centennial
-
@magus That'd make sense, but I'm not running anything nonstandard here. Either everybody else should be experiencing these same problems, or I shouldn't.
-
@timebandit The bridge for it works if you follow a very large number of very specific requirements. It's possible to have a win32 app that works flawlessly in the store. But someone trying to meet all the steps because they did everything wrong will probably miss some things.
Morons said they'd never use the store unless it had win32 apps, and then put bad apps in there. Which makes everyone think the entire store is bad.
-
@pie_flavor It depends on just how weird the things they do are.
-
@magus Samsung is the one I keep testing it with because it's the one I care about, but the first one I got this problem with is Spotify. You know, that thing about 159,000,000 people use. There is no way in hell this app doesn't work for anyone.
-
@pie_flavor Lots of people use it, but not all of them use the one from the store. The one that is going to be replaced by a PWA most likely within the next year. I use the store one, but I also wouldn't expect it to behave the same for everyone, because it's a win32 weird chrome browser app inside a store package.
-
@magus The format could have something to do it with, Iunno. I've looked a bit and one common feature seems to be that it's a different executable that's running.
-
Some of the posts regarding permissions/ownership/ACL/etc. scare the living ---- out of me. There are a ton of applications (which is a lot considering how little actual bit weigh) that have malicious code that is usually harmless, until someone takes away the protection!
@magus said in Win10 apps do not have permission to access their own files:
My standard method for dealing with Windows 10 is to install it, only make a local admin account, and then add an account with a Live ID. Consistently, across multiple machines, I get the same (perfectly working) behavior. I have specific app problems, like specific Steam games not knowing how to elevate themselves (or requiring elevation at all), but after years now of dealing with it, I haven't had any directory ownership issues.
Yup, that is the way to do it.
-
The confusion continues. Windows has now locked me out of the WindowsApps folder after the April Update, meaning it's probably overridden the permission settings and set them back to default, yet these apps still have permission errors.
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
The confusion continues. Windows has now locked me out of the WindowsApps folder after the April Update, meaning it's probably overridden the permission settings and set them back to default, yet these apps still have permission errors.
I mean, they haven't been updated to correct for this issue, so why would you expect anything to have changed? It's not like Microsoft breaks features or anything...
-
@tsaukpaetra The issue is nothing new, and literally millions of users use these apps. I want to know why it's specifically happening on my computer.
Also, I've got it narrowed down; it definitely only happens on apps that run secondary .exe files.
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
@tsaukpaetra The issue is nothing new, and literally millions of users use these apps. I want to know why it's specifically happening on my computer.
I've actually reached that point with Perforce support. Something mysterious happened to the server that introduced a non-deterministic glitch, and we've basically hit a wall:
Also, I've got it narrowed down; it definitely only happens on apps that run secondary .exe files.
Interesting. This indicates that somehow the secondary apps aren't being launched in the same security context as the original. Weird...
-
@pie_flavor Are you one of the rare users who runs as a limited user, allowing UAC to prompt you for an admin password when something needs administrator rights?
-
@jaloopa I am not. I like to live dangerously.
-
Update: Microsoft tech support has been unable to diagnose or fix this issue either, and the last thing we tried was an in-place reinstall of Windows (after setting Everyone as the owner and having full control of the entire C drive). Fucking nothing works. I admire the persistence of this bug.
-
@pie_flavor Time for the good old nuke-and-pave? It's the fastest way to deal with Windows errors I find.
-
@pie_flavor said in Win10 apps do not have permission to access their own files:
I admire the persistence of this bug
Windows is such a marvel of software engineering that even Microsoft can't fix it
-
@Atazhaia said in Win10 apps do not have permission to access their own files:
@pie_flavor Time for the good old nuke-and-pave? It's the fastest way to deal with Windows errors I find.
He tried the irradiate-and-pave method, I suppose the only option is a bigger blast now.
-
@Tsaukpaetra said in Win10 apps do not have permission to access their own files:
the only option is a bigger blast now