无法删除文件 - Windows 10，权限问题？答案

【问题标题】：Unable to delete file - Windows 10, Permissions Issue?无法删除文件 - Windows 10，权限问题？
【发布时间】：2023-03-25 21:01:01
【问题描述】：

详情：

Windows 10 版本 1909 将 VS Code 安装在 C:\Users\AppData\Local\Programs\Microsoft VS Code\

尝试打开VS Code失败，尝试运行安装程序提示无法覆盖code.exe

安全性说它无法显示当前所有者，单击“继续”会显示一条消息“您无权查看或编辑此对象的权限设置。”

但 Powershell 显示我是唯一拥有用户和访问权限的人（而且我的帐户是本地管理员）：

尝试通过 Powershell 删除似乎会出现 RemoveFileSSystemItemIOError：

任何想法或帮助将不胜感激。

谢谢！

【问题讨论】：

可能是图片中的流氓杀毒软件？

标签： windows powershell permissions delete-file

【解决方案1】：

假设我是本地管理员组的成员，我保留此功能以解决对我遇到的文件或文件夹的访问问题。

代码：

Function PWN-Item{
[CmdletBinding()]
Param(
    [Parameter(ValueFromPipeline=$True)]
    $Path
)
Begin{
If(!$Script:PWNInit){
#P/Invoke'd C# code to enable required privileges to take ownership and make changes when NTFS permissions are lacking
$AdjustTokenPrivileges = @"
using System;
using System.Runtime.InteropServices;

 public class TokenManipulator
 {
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
  ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
  [DllImport("kernel32.dll", ExactSpelling = true)]
  internal static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
  internal static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr
  phtok);
  [DllImport("advapi32.dll", SetLastError = true)]
  internal static extern bool LookupPrivilegeValue(string host, string name,
  ref long pluid);
  [StructLayout(LayoutKind.Sequential, Pack = 1)]
  internal struct TokPriv1Luid
  {
   public int Count;
   public long Luid;
   public int Attr;
  }
  internal const int SE_PRIVILEGE_DISABLED = 0x00000000;
  internal const int SE_PRIVILEGE_ENABLED = 0x00000002;
  internal const int TOKEN_QUERY = 0x00000008;
  internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
  public static bool AddPrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_ENABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
  public static bool RemovePrivilege(string privilege)
  {
   try
   {
    bool retVal;
    TokPriv1Luid tp;
    IntPtr hproc = GetCurrentProcess();
    IntPtr htok = IntPtr.Zero;
    retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);
    tp.Count = 1;
    tp.Luid = 0;
    tp.Attr = SE_PRIVILEGE_DISABLED;
    retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid);
    retVal = AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero);
    return retVal;
   }
   catch (Exception ex)
   {
    throw ex;
   }
  }
 }
"@
add-type $AdjustTokenPrivileges
#Activate necessary admin privileges to make changes without NTFS perms
[void][TokenManipulator]::AddPrivilege("SeRestorePrivilege") #Necessary to set Owner Permissions
[void][TokenManipulator]::AddPrivilege("SeBackupPrivilege") #Necessary to bypass Traverse Checking
[void][TokenManipulator]::AddPrivilege("SeTakeOwnershipPrivilege") #Necessary to override FilePermissions
$Script:PWNInit = $True
}
#Obtain a copy of the initial ACL
#$FSOACL = Get-ACL $FSO - gives error when run against a folder with no admin perms or ownership

}
Process{
ForEach($Item in $Path){
$FSO = Get-Item $Item
#Create a new ACL object for the sole purpose of defining a new owner, and apply that update to the existing folder's ACL
$NewOwnerACL = If($FSO -is [System.IO.DirectoryInfo]){New-Object System.Security.AccessControl.DirectorySecurity}else{New-Object System.Security.AccessControl.FileSecurity}
#Establish the folder as owned by BUILTIN\Administrators, guaranteeing the following ACL changes can be applied
$Admin = New-Object System.Security.Principal.NTAccount("BUILTIN\Administrators")
$NewOwnerACL.SetOwner($Admin)
#Merge the proposed changes (new owner) into the file/folder's actual ACL
$FSO.SetAccessControl($NewOwnerACL)

#Add full control for administrators
$Rights = [System.Security.AccessControl.FileSystemRights]"FullControl" 
$InheritanceFlag = If($FSO -is [System.IO.DirectoryInfo]){[System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit"}else{[System.Security.AccessControl.InheritanceFlags]::None}
$PropagationFlag = [System.Security.AccessControl.PropagationFlags]::None 
$objType =[System.Security.AccessControl.AccessControlType]::Allow 
$objACE = New-Object System.Security.AccessControl.FileSystemAccessRule($Admin, $Rights, $InheritanceFlag, $PropagationFlag, $objType) 
#Get fresh copy of ACL
$objACL = Get-Acl $FSO.FullName
#Clear any DENY rules for the local admin group
$objACL.Access|?{$_.IdentityReference -eq $admin -and $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny}|%{$objACL.RemoveAccessRule($_)}
#Add Full Control here
$objACL.AddAccessRule($objACE)
#Set updated ACL
Set-Acl $FSO.FullName $objACL
}
}
}

好的，函数名很俗气，但除此之外，它真的很好用。它运行一些 C# 代码来设置 [TokenManipulator] 类（我在网上找到的代码，但忘记记录从哪里来。如果是你的代码，请给我一个源链接，以便我给你信用！）。这使我们能够拥有所有权。然后，一旦我们成为文件的所有者，我们确保本地管理员组具有完全访问权限，并且本地管理员组没有拒绝规则。除此之外，您应该能够对运行它的文件或文件夹做任何您想做的事情。

用法：运行以下代码将脚本加载到您的会话中。然后你可以像这样将字符串插入它：

Get-ChildItem C:\Temp |Select -Expand FullName | PWN-Item

或者你可以对一个字符串或字符串数组正常运行它：

PWN-Item 'C:\Temp','C:\Temp\MyFile.exe'

【讨论】：

感谢您的回复。在exe上运行它时，它失败了。似乎是 'ItemExistsUnauthorizedAccessError': [![pwn-item-fails][1]][1] [1]: imgur.com/a/IgMjNwt
可以先在文件所在的文件夹上运行吗？我的下一个建议是使用 psexec.exe 在系统帐户下运行 powershell，看看你是否有更好的运气。
在文件夹上运行成功但在exe上运行失败
也许尝试使用 takeown.exe 代替？ takeown /F C:\Users<UserName>\AppData\Local\Programs\Microsoft VS Code\code.exe 来自提升的命令提示符。也许是一个愚蠢的问题，但是自从您开始遇到此问题后，您是否重新启动了系统？
PS C:\WINDOWS\system32> takeown /F 'C:\Users\\AppData\Local\Programs\Microsoft VS Code\code.exe' 错误：访问被拒绝。