0

My WPF app downloads and caches files to the C:\ProgramData\CompanyName\ProductName\Data\ directory.

If another user was logged in when they downloaded (created) the file, I cannot overwrite the file to update it, even though I am an Administrator.

Why do I not have write access when I am also an Admin user?
The screenshot shows the file permissions of a file I cannot overwrite.

Account Settings

I understand that I have to elevate the process to do an 'admin' task (as explained here), but seeing as the other user was an Administrator (and so am I), and the 'Owner' of the file is 'Administrator' - why don't I have write permission on a file where the Owner is in the same group? Why don't we share the same privileges?

Martijn Pieters
  • 1,048,767
  • 296
  • 4,058
  • 3,343
DefenestrationDay
  • 3,712
  • 2
  • 33
  • 61
  • 1
    That's not how administrative permissions work. You must request elevation to use administrative privilges, even if you're a member of the administrators group. See : [Elevation: Accquiring the Admin Token in Administrator vs Standard Accounts in Windows](https://superuser.com/q/1083600/388890) – J... May 07 '19 at 11:49
  • Related : [What precisely does 'Run as administrator' do?](https://stackoverflow.com/q/8986971/327083) – J... May 07 '19 at 11:50
  • Possible duplicate of [Run as Administrator vs. Administrator group](https://stackoverflow.com/questions/13711425/run-as-administrator-vs-administrator-group) – J... May 07 '19 at 11:52

1 Answers1

1

After downloading and saving the file you may set full access for all users (or any other appropriate group) by code like this:

var fileSecurity = File.GetAccessControl(path);

fileSecurity.AddAccessRule(
    new FileSystemAccessRule(
        new SecurityIdentifier(WellKnownSidType.BuiltinUsersSid, null),
        FileSystemRights.FullControl,
        AccessControlType.Allow));

File.SetAccessControl(path, fileSecurity);
Clemens
  • 123,504
  • 12
  • 155
  • 268
  • Allowing all users to modify a file is a security risk, especially with an application that uses executable files from that directory – Ferrybig May 07 '19 at 15:44
  • 1
    @Ferrybig We're talking about C:\ProgramData, not C:\Programs. OP is asking about some downloaded and cached files, which are supposed to be temporary by nature. – Clemens May 07 '19 at 15:45
  • @Clemens But why if I give permission for a new group 'NewGroup', would all members have write access, if currently all members of group 'Administrators' do not? What is the difference? – DefenestrationDay May 07 '19 at 17:46
  • @DefenestrationDay You explicitly set FileSystemRights.FullControl for whatever SecurityIdentifier you like. Take a look at the WellKnownSidType enumeration. – Clemens May 07 '19 at 18:32