1

I am using the optional Windows 10 feature "Unified Write Filter" (uwfmgr.exe) to protect kiosk machines from unwanted changes. Now in order to deploy custom updates, it includes a Servicing User under which changes to the protected volumes can be performed.

To execute these custom updates, the script at C:\Windows\system32\UwfServicingMasterScript.cmd is supposed to be edited. (official Documentation)

Now I am unable to edit this file since it is owned by the "TrustedInstaller" user for which not even Administrators have permissions.

enter image description here

What am I missing here? Am I supposed to change the owner of this file?

clamp
  • 1,242
  • 8
  • 27
  • 41
  • Clamp, I'd suggest you "copy" the file `UwfServicingMasterScript.cmd` to the desktop and edit that copy as desired. Then you may have to forcefully delete `C:\Windows\system32\UwfServicingMasterScript.cmd` using a similar syntax as [I wrote about here](https://superuser.com/questions/1462176/two-files-will-not-delete-from-hdd/1462392#1462392) if you have trouble deleting it but adjust to not be for folders and recursively deleting all files as mentioned there. You might have to get forceful to get it to delete, and then you copy the new file from the desktop to `C:\Windows\system32`. Done! – Vomit IT - Chunky Mess Style Sep 11 '20 at 15:52

1 Answers1

0

My own understanding of the subject is incomplete, but I believe that you are supposed to use a certain procedure when doing these kind of updates, and specifically you are not supposed to take ownership of Windows files.

The process is better described in the article Overview of Microsoft UWF (Unified Write Filter), of which here is a short summary:

  • With UWF enabled, create a new text file, say C:\TestPersist

  • Add it to UWF with the command:

      uwfmgr file add-exclusion c:\testpersist

  • Enable UWF with the command : uwfmgr filter enable

  • To check UWF settings use : uwfmgr.exe get-config

References:

Note: You might find useful the new Windows 10 feature of Windows Sandbox.

harrymc
  • 455,459
  • 31
  • 526
  • 924
  • thanks for your answer. but my specific problem is about not being able to edit the UwfServicingMasterScript and not the generic useage of uwfmgr – clamp Sep 10 '20 at 11:06
  • You are not supposed to edit it, which is why Microsoft locked it so well. You're supposed to use the `add-exclusion` verb. Taking ownership is possible, but causes problems later on. – harrymc Sep 10 '20 at 11:49
  • If you follow the link I posted, Microsoft says quote `you can modify the UPDATE_SUCCESS block of UWF master servicing script` . I have to rollout driver updates for which I do not know which files or registry keys are affected. So exclusions or direct commits are not an option for me. – clamp Sep 10 '20 at 13:08
  • If you insist: The subject of safely taking ownership and giving it back once finished, I once covered in [this answer](https://superuser.com/a/1365110/8672), so read it carefully. The "icacls /restore" ownership part may possibly not work for the TrustedInstaller account, and in that case the only repair solution would be a repair install of Windows. If you intend going this way, let me know how it ended. – harrymc Sep 10 '20 at 13:20