SketchUp Pro installer is changing permissions on C:\ProgramData

The SketchUp Pro installer is changing the permissions on C:\ProgramData (not the SketchUp folder inside C:\ProgramData, the ProgramData folder itself) which is causing other software to malfunction and may create a security risk by giving users permissions they should not have.

Can I get this filed as a bug please? Does anyone already know of a workaround?

Are you installing by right clicking on the installer and choosing Run as administrator?

I’m running the installer from an elevated command window, but I doubt that makes any difference to the installer’s behaviour.

Addendum: I’ve tried running it via the right-click menu and the behaviour is the same.

which permissions are changed how?

These are the standard permissions for the ProgramData folder:

C:>icacls \ProgramData
\ProgramData NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

And this is after installing SketchUp Pro:

C:>icacls \ProgramData
\ProgramData Everyone:(M)
Everyone:(OI)(CI)(IO)(DE,Rc,GW,GE,RD,WD,AD,REA,WEA,X,RA,WA)
NT AUTHORITY\SYSTEM:(OI)(CI)(F)
BUILTIN\Administrators:(OI)(CI)(F)
CREATOR OWNER:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
BUILTIN\Users:(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files

So it has added Modify access for Everyone (whereas the standard access for nonprivileged users only allows you to add new files and folders) and also an inheritable ACE for Everyone with a custom permissions mask: delete, read control, generic write, generic execute, read data, write data/add file, append data/add subdirectory, read extended attributes, write extended attributes, execute, read attributes, write attributes.

(I believe that set of permissions works out as equivalent to Modify, though it is unusual to assign permissions this way.)

This is an issue that was recently brought to our attention and while we’re working on a resolution we have found a way to correct this issue. We do recommend that you contact an IT professional to modify these permissions.

How to check

On Windows open a command prompt. In the command prompt run

icacls C:\ProgramData

If the output contains Everyone we need to clean up the permissions.

Example;

How to clean up

The clean up is a 2 part procedure. Part one is to fix the ProgramData folder permissions by removing Everyone. Part two is adding Everyone to the SketchUp folder in program data to make sure SketchUp can still function.

To fix run the following commands in a command prompt ran as Admin;
icacls C:\ProgramData /remove Everyone

icacls C:\ProgramData\SketchUp /grant Everyone:(f) /T

Verify the fix

First we will check on the ProgramData folder. Open a command prompt. In the command prompt run

icacls C:\ProgramData

The output should not contain “Everyone”.

Next we will check on the SketchUp folder. In the command prompt run

icacls C:\ProgramData\SketchUp

The output should contain Everyone.

3 Likes

Thanks, good to know you are working on a resolution.

For the record, I would recommend the following command for setting the permissions on the sub-folder:

icacls c:\ProgramData\SketchUp /grant Everyone:(OI)(CI)(M)

2 Likes

hi, im attempting this fix and when i try to remove everyone’s permissions it says “the system cannot find the file specified”