
Folder permissions include "ALL RESTRICTED APPLICATION PACKAGES"

Question

Tuesday, February 14, 2017 12:35 PM

Hello, 

In reviewing a Windows 10 (1607) x64 system we have checked folder permissions on C:\Program Files and C:\Windows. Using icacls shows a group called "ALL RESTRICTED APPLICATION PACKAGES" with (RX)(OI)(CI) permissions. What is the "ALL RESTRICTED APPLICATION PACKAGES" group and why does it have these permissions? If it helps, AppLocker is configured on the system to restrict certain executables, scripts, and DLLs. Is this group related to AppLocker?

All replies (4)


Tuesday, February 14, 2017 3:30 PM | 1 vote

"ALL RESTRICTED APPLICATION PACKAGES" seems to be new in the last Windows 10 versions.
This is used for UWP apps, as they need to execute files from these directories.
So this has nothing to do with AppLocker.

Why there is not more info available by Microsoft I don't understand.


Wednesday, February 15, 2017 12:16 AM | 1 vote

Hi, 

It can be understood that restricted applications still need read and execute permission to access Windows files. ALL RESTRICTED APPLICATION PACKAGES defines the UWP apps.

As we know, all such Windows apps, or apps developed for Windows, refer to the Windows development DLLs and code.

For your question about AppLocker, the answer is no. AppLocker controls all applications to restrict which apps and files users can run.



Wednesday, July 5, 2017 6:48 AM

I believe I understand; I'll try to put it in more generic of an answer. Certain executable elements of the operating system are prevented from being invoked except by specific callers who are configured to only operate at a time and in a method that is only approved for the limited group. So, in short, the title "Restricted Application Packages" does not give any credence to there being some negative issue related to the application in and of itself. The restriction allows a sandbox to prevent the unapproved from having rights to them. Often the OS is written in the inverse: the OS is all approved by other components of the OS and limits specific pieces from accessing certain groups. This does the opposite: no part of the OS can access it without membership to the same group. Then it says that it approves the "trusted installer group"
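
An added example, not part of any post in this thread: a read-only PowerShell check for the two folders named in the question, listing the ACEs held by the app-package groups and flagging any that grant more than read and execute. Matching on the well-known SIDs S-1-15-2-1 and S-1-15-2-2 and the choice of "write" mask are this example's assumptions; the thread itself only gives the group name.

```powershell
# Added example (not from the thread). Read-only: it only calls Get-Acl.
# Well-known AppContainer group SIDs; matching on SIDs avoids localized names.
$packageGroups = @{
    'S-1-15-2-1' = 'ALL APPLICATION PACKAGES'
    'S-1-15-2-2' = 'ALL RESTRICTED APPLICATION PACKAGES'
}

# Folders from the question.
$paths = 'C:\Program Files', 'C:\Windows'

# Rights this example treats as "more than (RX)": specific write/delete/owner
# rights plus the GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits,
# which inherit-only ACEs may carry instead of specific rights.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor
             0x40000000 -bor 0x10000000

foreach ($path in $paths) {
    $acl = Get-Acl -LiteralPath $path

    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if (-not $packageGroups.ContainsKey($sid)) { continue }

        [pscustomobject]@{
            Path         = $path
            Principal    = $packageGroups[$sid]
            Sid          = $sid
            Type         = $rule.AccessControlType
            Rights       = $rule.FileSystemRights
            Inheritance  = $rule.InheritanceFlags   # ObjectInherit = (OI), ContainerInherit = (CI)
            Propagation  = $rule.PropagationFlags   # InheritOnly = (IO)
            Inherited    = $rule.IsInherited
            BeyondRX     = [bool]([int]$rule.FileSystemRights -band $writeMask)
        }
    }
}
```

Pipe the output to `Format-Table -AutoSize` for review; an Allow entry with `BeyondRX` set to `True` is the case worth investigating, since the thread describes these groups as needing only read and execute.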