Attempt to Take Ownership of a File Throws an Exception

  • Question

  • The Task:  Take Ownership of a File
    The name of the file:  
        C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    The computer is not joined to a domain
    Application running as a Windows Service under Local System account
    Application running as Administrator
    Application has the SE_TAKE_OWNERSHIP_NAME privilege
    Code to take ownership of a file:

    Response from Windows 10 operating system:
    2-Unable to takeownership of file (not directory) (C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe) because (Some or all identity references could not be translated.)

    How should I modify my code in order that it accomplishes the "take ownership" task?

     

    MARK D ROCKMAN

    Monday, December 11, 2017 9:33 PM

Answers

  • Please post your code using the Code Block element in the editor and not a screenshot of your VS window. 

    The error indicates that you're trying to assign an owner to the file that is not recognized. Once you post the code we can take a closer look.


    Michael Taylor http://www.michaeltaylorp3.net

    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Tuesday, December 12, 2017 3:12 PM
    Moderator
  •         public static bool TakeOwnership(string filename, string domainName, string userName, TransparentEventLog myLog)
            {
                if (Elevated.IsElevated())
                    myLog.WriteEntryX("In TakeOwnership process IS running elevated.");
                else
                    myLog.WriteEntryX("In TakeOwnership process is NOT running elevated.");
                if (domainName.Equals(""))
                    domainName = System.Environment.UserDomainName;
                if (userName.Equals(""))
                    userName = System.Environment.UserName;
                System.Security.AccessControl.FileSecurity accessControlObjectReference = null;
                try
                {
                    accessControlObjectReference = System.IO.File.GetAccessControl(filename);  // does NOT accept 8.3 filenames especially those preceded with \\? for some ungodly reason
                }
                catch (Exception noown)
                {
                    String s = String.Format("1-Unable to takeownership of file (not directory) (" + filename + ") because (" + noown.Message + ").");
                    myLog.WriteEntryX(s);
                    myLog.WriteEntryX(noown.StackTrace);
                    return false;
                }
                try
                {
                    accessControlObjectReference.SetOwner(new System.Security.Principal.NTAccount(domainName, userName));
                    System.IO.File.SetAccessControl(filename, accessControlObjectReference);
                    return true;   // it seems the system has set a new owner -- maybe
                }
                catch (Exception ee)
                {
                    String s = String.Format("2-Unable to takeownership of file (not directory) (" + filename + ") because (" + ee.Message + ").");
                    myLog.WriteEntryX(s);
                    myLog.WriteEntryX(ee.StackTrace);
                    return false;
                }
            }
            


    MARK D ROCKMAN

    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Tuesday, December 12, 2017 8:31 PM
  • Hello F7H2fw,

    According to your description, the computer is not joined to a domain, so you should change UserDomainName to MachineName, as in the link below.

    https://forums.iis.net/t/1195734.aspx

    Or you could also try to use Environment.UserName directly. The following is a simple example.

        using System;
        using System.IO;
        using System.Security.AccessControl;
        using System.Security.Principal;

        string path1 = @"T1.txt";
        string User = Environment.UserName;
        FileSecurity fileSecurity = File.GetAccessControl(path1);
        IdentityReference identity = new NTAccount(Environment.UserName);
        // Add a Deny / FullControl rule for the current user, then write the ACL back to the file.
        fileSecurity.AddAccessRule(new FileSystemAccessRule(User, FileSystemRights.FullControl, AccessControlType.Deny));
        File.SetAccessControl(path1, fileSecurity);


    Best regards,

    Neil Hu


    MSDN Community Support

    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Wednesday, December 13, 2017 10:28 AM
    Moderator
  • This forum is not the best place to search for your question. Or it should be that you are happy with it and want to show it.

    If you want to change this, then visit a hackers' forum. Of course no help in doing that is given in forums which keep them to the law.

    Be aware even if you want to do that on your own computer which is not used by any other persons does not mean it can be a subject for this forum as these forums are on the open Internet structure. 


    Success
    Cor



    • Edited by Cor Ligthert Wednesday, December 13, 2017 12:25 PM
    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Wednesday, December 13, 2017 12:24 PM
  • This is not a hacking attempt.  I want to disable web browsers on a dozen computers that are used and abused by people who record radio programs for the blind.  These people are volunteers and have no business surfing the web.  The web contains perils for good order and proper functioning of these computers.  Microsoft does not provide a simple configuration parameter to accomplish this.  Thank you for your interest.

    MARK D ROCKMAN

    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Wednesday, December 13, 2017 2:40 PM
  • This is not a hacking attempt.  I want to disable web browsers on a dozen computers that are used and abused by people who record radio programs for the blind.  These people are volunteers and have no business surfing the web.  The web contains perils for good order and proper functioning of these computers.  Microsoft does not provide a simple configuration parameter to accomplish this.  Thank you for your interest.

    MARK D ROCKMAN

    This seems to me like a management problem, not a development issue.  I assume that you are an Administrator on all of the relevant systems.  To achieve your objective create a custom group  for volunteers.  Make the accounts that volunteers use to log onto these systems members of that group.  Then on file properties Security tab for the programs that are not permitted to volunteers you can add an access denied ACE for read & execute for that group.

    Another reason that I suggest this is a management issue is because even if you restrict access to browsers installed on your systems a volunteer can easily plug a flash drive into a USB port and run a portable version of a browser from the flash drive.

    • Edited by RLWA32 Wednesday, December 13, 2017 3:35 PM added comment
    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Wednesday, December 13, 2017 3:24 PM
  • As for the take ownership problem, Windows has issues trying to take ownership (even as an admin) if the administrators group doesn't have permissions. Given your error I still believe the principal is wrong but I've also seen that you can work around issues with the ACLs by creating a new FileSecurity entry and then setting the owner on that and associating with the file rather than using GetAccessControl. SetAccessControl will only apply the changes that are made so you wouldn't modify anything other than the owner.

    But given your actual problem I'd say this isn't the correct solution anyway. Use GPOs to prevent users from browsing the internet. You can do this by listing the programs the users can (or cannot) run. This, to me, is the better approach.


    Michael Taylor http://www.michaeltaylorp3.net

    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Wednesday, December 13, 2017 3:48 PM
    Moderator
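
Added example, not part of any reply in this thread: one way to combine the two points made above, assuming .NET Framework as in the posted code. It checks whether a name-based account translates to a SID before use, and sets the owner by well-known SID on a fresh FileSecurity object. The names OwnerHelper, TryResolve and TrySetOwnerToAdministrators are hypothetical, and the target is a constructed temporary file.

```csharp
// Added example (not from the thread). Targets .NET Framework, as the thread's code does.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class OwnerHelper   // hypothetical name
{
    // Checks that a name-based account maps to a SID before it is used in SetOwner.
    public static bool TryResolve(string domain, string user, out SecurityIdentifier sid)
    {
        try
        {
            sid = (SecurityIdentifier)new NTAccount(domain, user).Translate(typeof(SecurityIdentifier));
            return true;
        }
        catch (IdentityNotMappedException)   // "Some or all identity references could not be translated."
        {
            sid = null;
            return false;
        }
    }

    // Sets the owner of 'path' to BUILTIN\Administrators using a fresh descriptor.
    public static bool TrySetOwnerToAdministrators(string path, out string error)
    {
        error = null;
        // Well-known SID S-1-5-32-544: no domain, workgroup or machine name to translate.
        var admins = new SecurityIdentifier(WellKnownSidType.BuiltinAdministratorsSid, null);
        try
        {
            var security = new FileSecurity();   // empty descriptor; only the owner is set on it
            security.SetOwner(admins);
            File.SetAccessControl(path, security);

            // Read back only the owner section and confirm the change took effect.
            var owner = new FileSecurity(path, AccessControlSections.Owner).GetOwner(typeof(SecurityIdentifier));
            if (admins.Equals(owner)) return true;
            error = "Owner is still " + owner;
        }
        catch (Exception ex) when (ex is UnauthorizedAccessException || ex is InvalidOperationException || ex is IOException)
        {
            error = ex.GetType().Name + ": " + ex.Message;   // e.g. not elevated, or privilege not held
        }
        return false;
    }

    static void Main()
    {
        SecurityIdentifier sid;
        Console.WriteLine("{0}\\{1} resolves: {2}", Environment.UserDomainName, Environment.UserName,
            TryResolve(Environment.UserDomainName, Environment.UserName, out sid));

        string path = Path.GetTempFileName();   // constructed sample file, not a system file
        string error;
        Console.WriteLine(TrySetOwnerToAdministrators(path, out error) ? "Owner set." : "Failed: " + error);
        File.Delete(path);
    }
}
```

Logging the result of TryResolve from inside the service shows which domain and user strings the process actually sees under its service account.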
  • In my experience Windows Update deletes the directory in which Microsoft Edge is installed before Windows Update re-creates the directory and puts an updated copy of Microsoft Edge in there.  This wipes out my effort to prevent user access to Microsoft Edge.  The access control is under the control of Windows Update.  I'm trying to ensure every five minutes that access to Microsoft Edge remains impossible.  From a design point of view there should be a SIMPLE way to disable web access and still permit operating system updates to occur.  I haven't seen any work by Microsoft in that direction.  One answer I got was "Why would you want to do that?"  That is, why would anybody want to prevent a user from surfing the web?  I have good reasons.

    MARK D ROCKMAN

    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Wednesday, December 13, 2017 4:53 PM
  • GPOs are not impacted by this. At my company we have a GPO for just this purpose. It is also how kiosks are generally configured. There is no reason to worry about ACLs when the OS can simply fail the request to start a process given its name. Try it and see if it solves your problem.

    Michael Taylor http://www.michaeltaylorp3.net

    • Marked as answer by F7H2fw Thursday, December 14, 2017 2:10 AM
    Wednesday, December 13, 2017 5:00 PM
    Moderator
