TrustedInstaller – with great power comes great responsibility

What is Trustedinstaller

TrustedInstaller is a Windows system account with special high-level permissions allowing it to modify certain system files, folders, and registry settings. It also prevents any account including administrator accounts from modifying these files and folders.

Maintaining secure ownership and permissions on system files also aligns with configuration standards such as the CIS Benchmarks, which provide prescriptive guidance for hardening Windows environments.

What is the purpose of Trustedinstaller

Trustedinstaller.exe is a Windows Module Installer service, a part of Windows Resource Protection (WRP), which restricts access to core system files and folders preventing them from being modified or replaced. These files usually run as administrator, having one of the following extensions: .dll, .exe, .ocx, and .sys. and are crucial for Windows to run correctly.

These files play a key role in managing Windows updates, and files such as the WindowsApps directory. Therefore altering these files in any way, either accidentally or maliciously, puts a system at risk of functioning incorrectly. These risks can range from a system having small issues, to complete inability to work altogether. 

For this reason, these files are put under the ownership of Trustedinstaller, which has a higher level of control even than administrator accounts. If an attempt is made to modify or replace a file, the user will be unable to do so and an “Access Denied” warning is shown. 

Problems with TrustedInstaller

It is common for IT professionals or users in general to require access to modify files related to the Windows update process. However if these files are under the ownership of Trustedinstaller they will not be able to make the changes without changing the configuration of the WRP first. 

How to disable TrustedInstaller through User account Control (UAC) 

To disable User Account Control (UAC) which uses the Trusted Installer account use the following procedure provided by Tasadduq Burney:

1. Navigate to the target file/folder.
2. Right-click on the file/folder, then click on Properties.
3. Click the Security tab. 
4. Check if the desired user is listed in the group or user names list. 

• If the username is listed, select that username. 
• If the username is not listed, do the following:
  

1. 1. Click Edit.
   2. Click Add.
   3. Type the name of your current user in the Enter the object names to select field.
   4. Click OK to add this group.
   5. Select the username from the list.
      

5. Select the Allow full control check box. 
6. Select the Advanced button. 
7. Click Owner.
8. Press Edit. 
9. Select the current username from the list. 
10. Check the Replace owner on subcontainers and objects box.
11. Click Ok to save changes.
    Ownership of all objects should be transferred.

12. Click Ok to save changes and exit the properties window.

OR

Follow this procedure on taking ownership of Trustedinstaller files here, by Shaant Minhas. 

Recommended settings

It is recommended not to disable Trustedinstaller. 

Best practices

Understanding the role and purpose of Trustedinstaller is crucial before making changes to advanced security settings or files. Although it may restrict certain actions, it is invaluable as a tool to help keep a system running smoothly and reliably. 

Similarly, server hardening is an essential tool in protecting against vulnerabilities, keeping a business running smoothly and efficiently without down time. Learn how to plan and implement a structured server hardening strategy in our white paper, Planning and Managing Server Hardening.