none
Can't Write to Program Files folder

    Question

  • I am unable to copy files to the Program Files or Program Files (x86) folders, despite my status as Administrator on a single-user system. As an advanced user, I have many legitimate needs to place files there and cannot live with this level of protection from myself.

    How can I defeat this? Many thanks.

    Rick A.
    Pleasanton CA

    Wednesday, December 05, 2012 4:01 PM

Answers

  • Mark, that worked -- thanks a million, as I would never have found that little needle in the Windows 8 haystack. I do not in any way consider this to be progress or evolution in OS design...
    Monday, December 10, 2012 5:09 AM

All replies

  • Have you run Explorer with elevated rights? If this does not help, then start Explorer in Scheduled Tasks with SYSTEM account.

    Rgds

    Milos

    Wednesday, December 05, 2012 6:13 PM
  • The 2 "Program Files" folders have super-duper protections on them. Unfortunately in Windows8 I don't think there is a way to remove it because it is tied in to UAC and you can't turn off UAC any more.

    The workaround is that while you cannot directly save to the "Program Files" folders (for example, from notepad) you can copy files into it. So to change a ini file or something like that you have to:

    1. load the file
    2. edit it
    3. save it to desktop or "My Documents"
    4. move it from its location to the Program Files area
    5. Answer the UAC prompt that yes, you really do know what you are doing and yes, you really do actually want to do it

    This is why I created a "c:\MyPrograms" folder and install everything into it

    Wednesday, December 05, 2012 7:25 PM
  • I am not familiar with an "elevated rights" status. How do I do that?
    Friday, December 07, 2012 2:01 AM
  • Many thanks, Mark.

    I do not need to save to the Program Files folders; I just need to copy files there. The UAC prompt is only annoying, but once I get past it, I am faced with Access Denied errors.

    I wish I had thought of creating my own Programs folder...who knew?? I absolutely positively must be able to have write access to the Program Files folders. If I cannot resolve this, I will most certainly be retreating to Windows 7. Any thoughts and advice would be appreciated.

    Friday, December 07, 2012 2:04 AM
  • Please check the following two areas.

    1. Go to Computer Management, expand Users in the left pane, double click the current user, ensure it is only a member of Administrators group. Remove other groups such as users.
    2. Go to C drive, right click Program Files, on Security tab click Advanced, check if Administrators has full control.


    Niki Han
    TechNet Community Support

    Friday, December 07, 2012 7:23 AM
    Moderator
  • Niki, I have confirmed that I am a member of only the Admin group. As for that Advanced tab off of Security, curiously, I am listed there twice. Here is a screen image -- can you shed any light...?

    • Proposed as answer by D_Windex Sunday, August 18, 2013 5:49 PM
    • Unproposed as answer by D_Windex Sunday, August 18, 2013 5:49 PM
    • Proposed as answer by D_Windex Sunday, August 18, 2013 10:23 PM
    Friday, December 07, 2012 7:34 AM
  • My permissions look exactly like that. The key is that "Administrators" have full control.

    If it is a one-time thing, you can log in as the actual administrator account, I believe it can read/write to the folder without any UAC restrictions. Go to ComputerManagement (right-click in lower left corner) and select the local user account Administrator and enable it. Then you should be able to log in as it if you need to

    Friday, December 07, 2012 3:45 PM
  • Can I get just a bit more detail, please? I am in Computer Management but there is nothing in the lower-left corner of that dialog, nor do I see any command for Enable.
    Friday, December 07, 2012 4:10 PM
  • Sorry. Once you are in Computer Management, go to "Local Users and Groups" and find the Administrator user ID. It is disabled by default so in the properties you can uncheck "disable" which will allow you to log in as Administrator as one of the id's you can log in as. Once you are logged in as Administrator you have full normal access to the Program Files without the dumb prompts.
    Saturday, December 08, 2012 8:49 PM
  • Mark, that worked -- thanks a million, as I would never have found that little needle in the Windows 8 haystack. I do not in any way consider this to be progress or evolution in OS design...
    Monday, December 10, 2012 5:09 AM
  • Worked.

    But, this is such a stupid thing that MS did.  Hope they fix it.

    Bp

    Sunday, December 16, 2012 11:53 PM
  • Rick,

    I know this is an old thread, but can't believe no one actually solved your problem the right way.

    First: you should not use an administrator user for day to day tasks. it puts your system at risk which is why the default admin account is disabled. simple elevate your user permissions only where necessary. ( such as allowing write access to program files, vice adding to admin group)

    second: windows permissions work in a combined manner. and more importantly, deny permissions will always trump allow permissions. Your 'user' membership is trumping your 'admin' membership.

    in your screenshot you noticed your self that you are listed multiple times, (with multiple permission sets). one listing says you only have read & execute, that permission set also means you are denied write access. Even though you have another permission set that marks you as an administrator, the lower permission set is trumping it. It is a security feature and a good one. simply removed your other permission sets, and leave only one, either your specific user which is granted full control, OR just leave the administrators account which has full control (since you are a member of that group).

    I know it seems like a pain, but it is really to make your system more secure.

    Sincerely,

    Nick


    Net Admin EWTGPAC

    • Proposed as answer by D_Windex Sunday, August 18, 2013 5:57 PM
    Sunday, August 18, 2013 5:57 PM
  • I appreciate your chiming in on this, Nick. I tried to follow your instructions, but I do not know how to remove the permission sets. The Remove command is not available for the user membership (or any of the others, for that matter). I tried logging in as Admin to see if that made a difference; it did not.

    Can you tell me how I would remove a permission set?

    Monday, August 19, 2013 5:23 AM
  • Nick - good catch! though I am not sure it is accurate for Win8. My account is a member of "Administrators" and "HomeUsers" and is not a member of "Users," yet I have the same issue and am also unable to make any changes to permissions of the Program Files folders. Unless "Users" at the file permission level refers to the category of "any user on the computer" rather than the specific local group "Users."

    Update: "Authenticated Users" is a member of "Users" which should mean that it is the category rather than the specifics. Poorly done, if I am a member of a group, either explicitly or implicitly then it should say so.

    Rick - if you click the "change permissions" button, normally you should get the ability to make changes. However in this case you can't so you still need to log in as "administrator" before you make the change.

    Note that I wouldn't remove the "allow users (Rick-Desktop\Users) read/execute" line, instead, add the "modify" permission to that groups permissions. The reason is that any other user account that is not a member of Administrators will start failing in strange bizarre ways since they will have no access at all to the program file folder

    Mark



    • Edited by Mark522010 Monday, August 19, 2013 2:48 PM
    Monday, August 19, 2013 2:39 PM
  • I can make none of these changes. I am unable to remove Rick-Desktop/Users, nor am I able to add "Modify" to its profile. Those commands or choices are grayed out in every scenario that I have observed.
    Monday, August 19, 2013 3:35 PM
  • RickAltman - I don't think there is a good solution to this. Microsoft has invested considerable energy into preventing you from doing what you want to do - They believe for security purposes nobody should write/edit in the program files folder.

    If you want to edit text/ini files, right-click on the notepad executable and select "run as administrator" that should give you the ability to directly load/save to the area. For other uses, I suspect you would have to delete the permissions directly in the program files folder - and make sure you have a good backup because in all probability it will destroy functionality somewhere.

    I think the ultimate answer is - you can't. Which is why I made a new folder called "c:\Programs" and installed all of my apps in there instead of "program files." It is less secure but at least I can do what I want to do.

    Good Luck!

    Mark

    Friday, August 23, 2013 2:36 PM
  • While I understand MS's position, they are unrealistic, and seems to be going the way of iOS by hiding the ability to do simple things.

    For example, I have plugins I use for Adobe After Effects, and the simply need to be copied into the correct subfolders in the "program files" folder. Not allowing me to do so is absolutely Mac-ish and unacceptable.

    The workaround, which is stupid too, is to set permissions correctly (which I have), and then copy the files to my desktop and THEN to the location inside the "program files" folder.

    Ludicrous.

    Monday, August 26, 2013 2:57 PM
  • While I understand MS's position, they are unrealistic, and seems to be going the way of iOS by hiding the ability to do simple things.

    For example, I have plugins I use for Adobe After Effects, and the simply need to be copied into the correct subfolders in the "program files" folder. Not allowing me to do so is absolutely Mac-ish and unacceptable.

    The workaround, which is stupid too, is to set permissions correctly (which I have), and then copy the files to my desktop and THEN to the location inside the "program files" folder.

    Ludicrous.

    Thanks for this much easier fix.....It is stupid that this has to be done...But it worked perfectly

    Thanks

    Wednesday, January 01, 2014 10:07 PM
  • While I understand MS's position, they are unrealistic, and seems to be going the way of iOS by hiding the ability to do simple things.

    I can understand the need to set up an operating system for the masses (who don't understand computing concepts very well) so that it's more "idiot proof".  The problem is that people who don't fully understand what they're doing tinker around and destroy their ability to run Windows.  Or malware does it for them.

    And I don't think anyone ever said that the file system security setup - originally developed by Digital Equipment Corporation - is simple or easy to deal with.  I got training in it at a 1980 DEC conference that has proven oh so valuable in dealing with permissions issues over the decades.  It's funny the little things that prove useful in life.

    With suitable knowledge and reconfiguration (and even the application of 3rd party programs) the system CAN be made to be much more powerful FOR the (knowledgeable) user and less protected FROM the (knowledgeable) user.  This suits power-users.

    Some things said in this thread that are not accurate or are incompletely stated:

    • ...you can't turn off UAC any more...

      Well, you CAN - through a registry modification - though because of Microsoft's decision to arbitrarily limit functionality this completely shuts out the possibility to run Metro/Modern apps.  For those who only need desktop functionality this isn't a bad thing.
       
    • ...you should not use an administrator user for day to day tasks. it puts your system at risk..

      This is overgeneralized.  In terms of advice for everyday non-technical users, this may be reasonable, but there are cases where computer-knowledgeable people really do need to be able to do that to get all the productivity they can.  There are ways to insulate oneself from malware that are FAR better than inviting it into your system (IE runs ActiveX from the Internet Zone by default) then trying to block it at the last possible second.  Most people consider UAC prompts nothing more than irritating and just click through them as quickly as possible.  If avoiding malware is something you'd like to do, even if you'd prefer to continue to run with UAC enabled, I suggest taking the following three measures:  Get the hosts file from mvps.org, reconfigure Internet Explorer so as to not allow ActiveX to run from the Internet zone, and replace the out-of-box antivirus protection Microsoft provides with something better (e.g., Avast!).

     

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Wednesday, January 01, 2014 10:33 PM
  • And I'd like to add you can write to a program files folder if you take
    ownership of the folder and then grant access to all users -- even with
    UAC is on it will act like you want this way. 
     
    I have an app that must write to a program files folder...
     
     

    Bob Comer - Microsoft MVP Virtual Machine
    • Proposed as answer by _JTF Tuesday, February 11, 2014 9:47 PM
    Wednesday, January 01, 2014 10:42 PM
  • Folks, let me turn this discussion around a bit.  I am sure you can fool your own machine into whatever state you need it to, but what do i do with my customers' machine(s) when i install my software on it?  My program needs to record users' preferences.  THey get written to an XML file.  The XML file is created in the same directory where the exe is --- and by default, it would be the Program Files folder -- at which point, my code blows up.  So, my bigger question is: what/where is the simplest way to save user's preferences via a file if the Program Files\MyAppName directory is protected?

    thank you.

    Thursday, January 02, 2014 5:29 PM
  • %APPDATA%
     
    is probably the preferred place to put it.
     
    Also the documents folder is a possibility.
     
     

    Bob Comer - Microsoft MVP Virtual Machine
    Thursday, January 02, 2014 5:41 PM
  • Software installers are generally expected to set the permissions on all the folders, registry keys, etc. that they will need their application to be able to access.  This is why protections get escalated to Administrator level (and thus a UAC prompt is issued) when those installers run.

    There are ways - including as Bob mentions above, using the ProgramData folder - for installing software without need for an escalation.  If you use exclusively the folders you're allowed (and encouraged) to write into to store program data, the installer manifest won't need to specify the need for escalation.

    This list shows the "known folders" in Windows.  For user-specific data, consider using the CSIDL_APPDATA location.

    http://msdn.microsoft.com/en-us/library/windows/desktop/bb762494(v=vs.85).aspx

     

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options



    • Edited by Noel Carboni Thursday, January 02, 2014 10:21 PM
    Thursday, January 02, 2014 10:19 PM
  • Maybe someone should poke the Debugging Tools for Windows team about changing the location for srcsrv.ini, if Windows 8 is going to be such a punk about Program Files directory.  They're still storing srcsrv.ini in the program files directory (Windows Kits\8.1\Debuggers\x64\srcsrv and x86\srcsrv, in the current version), and that's a file that you're *required* to modify in order to use source indexing on pdb's.
    Thursday, January 23, 2014 1:28 AM
  • There's no real problem about writing to a file anywhere on your system if you have been granted permissions to do so.  I don't know the Debugging Tools for Windows, but it may make sense to keep a .ini file in a single central location - for example if the tools are such that there can't be different preferences per user, that sort of thing.

    Microsoft has taken it upon themselves to deem writing to some parts of it "undesirable", in an effort to help settle down problems people and malware cause - thus UAC was born, such as it is.  That doesn't keep a different part of Microsoft from not following that guideline.

       

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Thursday, January 23, 2014 2:48 AM
  • Hi Bob

    I too have an app that needs to write to a program files folder, in my instance I need to copy a DLL from a 3rd party vendor, that is integral to my apps functionality. I currently have the DLL sitting elsewhere on the computer awaiting a solution for my Windows 8 users. I have zero input where the DLL must to be located. Installation worked fine for all versions up to Windows 8.

    A problem is that the users are scattered anywhere in the world, with many as self proclaimed computer illiterates. I'll never get to meet them or have hands on with their computer, so I need a programmed solution, with no manual tinkering around their computers.

    With your experience, do you know a programmed solution (VB or VBA) that will...
    1. take ownership of the required program files folder and
    2. copy my DLL to the folder

    With my current attempt, my code fires but the file does not copy (FileSystemObject.CopyFile) to the folder.

    Many thanks
    Russ (MSCD)


     

    Thursday, February 20, 2014 3:19 AM
  • Worked.

    But, this is such a stupid thing that MS did.  Hope they fix it.

    Bp


    No it is not that stupid at all, this prevents root access to unwanted nerds, try to gain root access to the penguin without su. No difference.
    • Edited by colakid Thursday, February 20, 2014 3:56 AM
    Thursday, February 20, 2014 3:55 AM
  • UAC is a poor implementation of a questionable idea.  Call me opinionated, but I consider this a simple truth.

    Inviting malware into your system then trying to block it with permissions at the last instant from changing the files it wants is not a reasonable approach.

    Why not?

    Because users typically just mechanically "click through" to grant permission to whatever pops up.  They don't want to be bothered, because the computer should protect itself and they want to keep doing whatever it is they're doing, not talk something over with the OS.  Boom, after that the malware is in.  What did UAC do?  Annoy, but not protect.

    Far, FAR better than using UAC is blocking parasite web sites with the MVPS hosts file, not allowing ActiveX to run from just any old web site on the wild internet, and back these things with a good anti-malware solution as a safety net.  But perhaps paramount to all this is to just practice responsible, intelligent computing practices.  If you're doing things right you DON'T need UAC and you'll never see a notification from the anti-malware software having to block something bad.  If I weren't living this dream myself I wouldn't say it.  I've installed each of XP x64, Vista x64, Windows 7 x64, and now Windows 8.1 x64 EXACTLY ONCE.  Never had an infection, never had a UAC prompt - because I turn that useless annoyance off.

     

    -Noel


    Detailed how-to in my eBooks:  

    Configure The Windows 7 "To Work" Options
    Configure The Windows 8 "To Work" Options

    Thursday, February 20, 2014 4:06 AM
  • Hi Russ,
     
    I'm really not the best to ask this kind of question as I'm not a full time Windows developer. The only applications that I work with are all custom in-house stuff and I really haven't had a problem having the installer put any custom DLL's in the
    \program files path.  Modifying it after the fact I think could be a problem.  The installer I use is rather old as well. (VB6 for most of my stuff)
     
    You should really ask your question where there's a lot more developer input like an MSDN forum, maybe:
     
     
     
     

    Bob Comer Microsoft MVP -- Hyper-V
    Thursday, February 20, 2014 2:34 PM
  • >UAC is a poor implementation of a questionable idea.  Call me opinionated, but I consider this a simple truth.
     
    Not real helpful to the guy asking the question, just like me, he has to deal with user's machines that have UAC enabled, only more so, so we deal with it.  I personally don't mind it like you do and haven't disabled since when I ran Vista for a couple of
    months...
     
     

    Bob Comer Microsoft MVP -- Hyper-V
    Thursday, February 20, 2014 2:38 PM
  • What works for me is to run Windows Explorer as Administrator (right-click and select "run as administrator")...

    Then everything you do as far as working with any files is "normal" then...

    Carry on...

    Saturday, March 29, 2014 6:43 PM
  • What works for ANYONE is to set the permissions of the files/folders you want to be able to access so as to ALLOW you the access you need.

    Running Explorer "As Administrator" is just a workaround to the ridiculous UAC "feature". Do that once, use Properties to set up your file/folder permissions (i.e. grant full control to your username), and you will not have to do it again.

    -Noel
    Sunday, March 30, 2014 7:07 PM