Trusted Installer In Windows Vista, most of the OS files are owned by the TrustedInstaller SID, and only that SID has full control over them. This is part of the system integrity work that went into Windows Vista, and is meant specifically to prevent a process that is running as an administrator or Local System from automatically replacing the files. In order to delete an operating system file, you thus need to take ownership of the file and then add an ACE on it that lets you delete it. This provides a thin layer of protection against a process that is running as LocalSystem and has a System integrity label; a process that has lower integrity is not supposed to be able to elevate itself to change ownership. Some services, for instance, can run with medium integrity, even though they are running as Local System. Such services cannot replace system files so an exploit that takes over one of them can’t replace operating system files, making it a bit harder to install a rootkit or other malware on the system. It also becomes more difficult for system administrators who are offended by the mere presence of some system binary to remove that binary.
