Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Incorrect default user profile permissions in Windows 10 Version 1607


Symptoms

In Windows 10 versions earlier than Version 1607 (RS1), the permissions for the %SystemRoot%\Users\Default folder are always set as follows:

CI67249 Screenshot 1

These permissions were changed in Windows 10 Version 1607. The local Users group has the following additional advanced permissions:

  • Create files/write data
  • Create folders/append data

CI67249 Screenshot 3

CI67249: screenshot 2

The new permissions exist on computers that have the following operating system installation and upgrade histories:

  • Windows 7 Service Pack 1 (SP1) was originally installed on the computer, which was then upgraded to Windows 10 Version 1607 (RS1).
  • Newly installed Windows 10 Version 1607.
  • Windows 10 Version 1607 was originally installed on the computer, which was then upgraded to Windows 10 RS2 build 15025.

A newly installed instance of Windows 10 Version 1703 does not have these extra permissions.



Cause

This behavior is a known issue in Windows 10 Version 1607.



Resolution

To fix this issue, install security update CVE-2017-0295 | Windows Default Folder Tampering Vulnerability.

This update partially fixes this issue by correcting the permissions on the Startup folder (C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup).

The CVE bulletin describes this fix:

The security update addresses the vulnerability by correcting permissions on folders inside the DEFAULT folder structure.

However, after the update is installed, the other folders inside C:\Windows\Default retain the incorrect permissions.

If necessary, use one of the following two workarounds to manually correct the other permissions.

Remove the permissions for the BUILTIN\Users group

Removing the permissions for the BUILTIN\Users group prevents users who have minimal permissions from gaining access to objects in this folder. To remove the current permissions for BUILTIN\Users on the Default folder, open a Command Prompt window and run the following command:

icacls C:\Users\Default /Q /C /T /remove:g BUILTIN\Users

After you run this command, children of C:\Users\Default inherit the appropriate permissions.

Replace the permissions for the BUILTIN\Users group

This approach removes the permissions for the BUILTIN\Users group, and then sets new read-only permissions. The first command removes the existing permissions for BUILTIN\Users, and the second command grants the group read-only access. To replace the permissions, open a Command Prompt window and run the following commands:

icacls C:\Users\Default /Q /C /T /remove:g BUILTIN\Users
icacls C:\Users\Default /Q /C /T /grant:r BUILTIN\Users:r

After you run these commands, children of C:\Users\Default inherit the appropriate permissions. This approach sets the permissions to those used in newer operating systems, and users can read the folder contents.
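
To confirm which folders still carry the extra permissions before or after applying either workaround, the tree can be audited from an elevated Windows PowerShell prompt. The script below is an added example, not part of the original Microsoft article; the function name Get-UsersWriteAce and the $Root parameter are hypothetical names chosen for illustration.

```powershell
# Added example: list folders under the default profile where BUILTIN\Users
# holds "Create files/write data" or "Create folders/append data".
param(
    [string]$Root = 'C:\Users\Default'   # same folder the icacls commands target
)

# Well-known SID of BUILTIN\Users; matching on the SID avoids localized group names.
$usersSid = 'S-1-5-32-545'

# The two advanced permissions the article lists as unexpectedly granted.
# Composite rights such as Write, Modify and FullControl contain these bits too.
$rights    = [System.Security.AccessControl.FileSystemRights]
$writeBits = $rights::CreateFiles -bor $rights::AppendData

function Get-UsersWriteAce {
    param([string]$Path)
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $Path ($($_.Exception.Message))"
        return
    }
    # Ask for explicit and inherited ACEs, with identities returned as SIDs.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.IdentityReference.Value -ne $usersSid) { continue }
        if ($ace.AccessControlType -ne 'Allow')         { continue }
        if (($ace.FileSystemRights -band $writeBits) -eq 0) { continue }
        [pscustomobject]@{
            Path        = $Path
            Rights      = $ace.FileSystemRights
            IsInherited = $ace.IsInherited
            AppliesTo   = "$($ace.InheritanceFlags) / $($ace.PropagationFlags)"
        }
    }
}

# Check the root folder itself, then every subfolder (hidden ones included).
$folders = @($Root) + @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force `
                            -ErrorAction SilentlyContinue | ForEach-Object FullName)

$findings = foreach ($f in $folders) { Get-UsersWriteAce -Path $f }

if ($findings) { $findings | Sort-Object Path | Format-Table -AutoSize -Wrap }
else           { "No write-capable BUILTIN\Users entries found under $Root" }
```

An empty result after running one of the workarounds indicates that no folder in the tree still grants the two write permissions to the local Users group; entries with IsInherited set to False are set directly on that folder.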


Article Info
Article ID : 4045251
Revision : 26
Created on : 7/24/2019
Published on : 7/24/2019
Exists online : False