Windows Installation Directory Security Requirements

The installation directory on Windows hosts must meet certain security requirements, in order to be accepted by the Windows installer.

This also applies for upgrades of .

For example, when installing into a custom location at X:\Data\MyPrograms\, all parent directories of this path (namely X:\Data and X:\Data\MyPrograms) must meet the following Discretionary Access Control List (DACL).

        Users               S-1-5-32-545:(OI)(CI)(RX)
        Users               S-1-5-32-545:(DE,WD,AD,WEA,WA)
        Authenticated Users S-1-5-11:(OI)(CI)(RX)
        Authenticated Users S-1-5-11:(DE,WD,AD,WEA,WA)

Directory inheritance must also be disabled for all parent directories.

You can use the icacls Windows command line tool to modify a directory to meet the security requirements. For example:

      icacls <Directory> /reset /t /c
      icacls <Directory> /inheritance:d /t /c
      icacls <Directory> /grant *S-1-5-32-545:(OI)(CI)(RX)
      icacls <Directory> /deny  *S-1-5-32-545:(DE,WD,AD,WEA,WA)
      icacls <Directory> /grant *S-1-5-11:(OI)(CI)(RX)
      icacls <Directory> /deny  *S-1-5-11:(DE,WD,AD,WEA,WA)

Note that these commands must be repeated for all parent directories (X:\Data and X:\Data\MyPrograms in this example).