NT AUTHORITY\SYSTEM cannot TAKEOWN any files


I’m trying to delete some pesky files on my computer, using the following command

C:\Program Files>takeown /r /d Y /f "Bitdefender Antivirus Free"

However, this produces the following error:

INFO: The current logged on user does not have ownership privileges on
      the file (or folder): <Various files and folders>

I thought this was strange, as I’m running this as the highest authority reasonably attainable on a Windows 10 PC:

C:\Program Files>whoami
nt authority\system

The only other user that has higher privileges are the driver-related users (IIRC)

How do I TAKEOWN these files?
What other (higher) authority may be blocking this?

For the purposes of this question, “run the uninstaller” is not a valid answer.

Answer

If SYSTEM (which has the SeTakeOwnershipPrivilege privilege) cannot use takeown (which enables that privilege when held) to take ownership of a file, something is going on outside the standard Windows security model.

You are right to suspect drivers. While programs running as SYSTEM have access to a lot of power, they’re still user-mode programs that can only exercise their power subject to kernel-mode access checks. Everything running in kernel mode—whether a standard operating system component or a driver—has theoretically total authority on the machine. Windows provides a few supported ways for drivers to override the usual checks on user mode. Based on the name of the folder you’re trying to take ownership of, I suspect a file system filter driver that an antivirus product uses for on-access scanning and self-protection. You can check for such a filter by running fltmc in an administrative command prompt to see the list of loaded filters. To get a little more info on each filter, you can look for an identically named SYS file in C:\Windows\System32\drivers. The file details should include a terse description and a company name; if you find a loaded filter from an antivirus vendor, it could be responsible.

You could try to use fltmc to unload a filter, but I suspect an antivirus driver will simply refuse to be detached. As suggested in the comments, it’s possible that the filter isn’t loaded in Safe Mode, so booting into that is worth a shot. If that doesn’t work either, you won’t be able to alter these files while the system is running and will instead have to do so from another operating system such as a recovery environment or Linux live disk.
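The filter-to-driver lookup the answer describes, scripted in PowerShell as an added example (not part of the original answer or of any vendor tooling). It parses the output of `fltmc filters`, guesses each filter's image as `<FilterName>.sys` under `System32\drivers`, falls back to the service's registry `ImagePath` when that guess misses, and reports the company name, description and Authenticode signer for each loaded filter. The assumption that a filter's image shares the filter's name holds for most minifilters but is not guaranteed, which is why the registry fallback exists; the altitude band used to flag the anti-virus load-order group is Microsoft's published range for that group.

```powershell
# Added example: map loaded file system minifilters to their driver images
# and show who signed them. Must run from an elevated PowerShell, since
# fltmc needs administrative rights.
#Requires -RunAsAdministrator

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# fltmc prints a header, a dashed separator and then one filter per line:
#   Filter Name   Num Instances   Altitude   Frame
$lines = fltmc filters 2>&1
if ($LASTEXITCODE -ne 0) { throw "fltmc failed (not elevated?): $lines" }

$filters = foreach ($line in $lines) {
    # Keep only data rows; header, separator, blank and legacy-filter rows
    # that lack the numeric columns are skipped.
    if ($line -match '^(\S+)\s+(\d+)\s+([\d.]+)\s+\S+\s*$') {
        [pscustomobject]@{
            Name      = $matches[1]
            Instances = [int]$matches[2]
            Altitude  = [double]$matches[3]   # altitudes may carry a decimal part
        }
    }
}

$report = foreach ($f in $filters) {
    # First guess (assumption): the image is <FilterName>.sys in the drivers folder.
    $path = Join-Path $driverDir "$($f.Name).sys"

    # Fallback: the filter's service key usually carries an ImagePath, which may
    # be relative to %SystemRoot% or prefixed with \SystemRoot or \??\.
    if (-not (Test-Path $path)) {
        $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($f.Name)"
        $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
        if ($svc -and $svc.ImagePath) {
            $candidate = $svc.ImagePath -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
            if (-not [IO.Path]::IsPathRooted($candidate)) {
                $candidate = Join-Path $env:SystemRoot $candidate
            }
            $path = $candidate
        }
    }

    $found = Test-Path $path
    $info  = if ($found) { (Get-Item $path).VersionInfo } else { $null }
    $sig   = if ($found) { Get-AuthenticodeSignature $path } else { $null }

    [pscustomobject]@{
        Filter      = $f.Name
        Altitude    = $f.Altitude
        Instances   = $f.Instances
        Image       = if ($found) { $path } else { '(not found)' }
        Company     = if ($info) { $info.CompanyName } else { $null }
        Description = if ($info) { $info.FileDescription } else { $null }
        SigStatus   = if ($sig) { $sig.Status } else { $null }
        Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$report | Sort-Object Altitude -Descending | Format-Table -AutoSize

# Altitudes 320000-329999 are the "FSFilter Anti-Virus" load-order group.
$report | Where-Object { $_.Altitude -ge 320000 -and $_.Altitude -le 329999 } |
    ForEach-Object { Write-Host "Anti-virus group filter: $($_.Filter) [$($_.Company)]" }
```

A third-party filter sitting in the anti-virus altitude band, signed by the vendor whose folder you cannot take ownership of, is the likely culprit. Detaching it with `fltmc unload <FilterName>` is the supported next step, but, as the answer notes, self-protecting antivirus drivers generally refuse the unload request; in that case the Safe Mode or offline-boot routes remain the practical options.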