Process

unknown

takeown.exe

takeown.exe changes the owner of a file or folder to the current user (or the Administrators group). Administrators use it to regain access to files they have been locked out of. Attackers use it, usually together with icacls, to seize control of files they should not be able to modify.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

Indicators

Hashes

Not observed.

Analysis

About this process

takeown.exe reassigns ownership of files and directories. The owner of an object can always change its permissions, so taking ownership is the first step to rewriting a file's access control. It is typically paired with icacls.exe: takeown to seize ownership, then icacls to grant the desired rights. It requires sufficient privilege and lives at C:\Windows\System32\takeown.exe.

Legitimately, takeown is used by administrators recovering access to files whose permissions exclude them. What gives any single instance its meaning is the target it takes ownership of.

Security notes

takeown.exe is used to seize control of files (T1222.001). By taking ownership of a target, an attacker gains the ability to rewrite its permissions, which is why takeown and icacls so often appear back to back: takeown to claim the file, icacls to grant access. Applied to system binaries, security-tool files, logs, or backups, it is a setup move for tampering, destruction, or replacing a trusted file.

Because takeown is a legitimate recovery tool, the target and what follows are what matter. Ownership changes on defensive or system files, especially recursively or chained with icacls, point to an attacker clearing the way rather than an admin fixing access.

Anomaly signals
  • Image path other than C:\Windows\System32\takeown.exe (high)
  • Taking ownership of system files, security tools, logs, or backups (high)
  • Immediately followed by an icacls grant on the same target (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)
  • Recursive (/r) ownership changes over broad paths (med)
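
The signals above can be evaluated together over process-creation telemetry. The following is an added example, not code from this page or from any product: the event field names follow a Sysmon-style layout, and the sensitive-path list, parent list, 60-second window and sample events are all constructed assumptions to tune per environment.

```python
import re
from datetime import datetime, timedelta

EXPECTED_IMAGE = r"c:\windows\system32\takeown.exe"
# Assumed for illustration (not from the page): path list, parent list, time window.
SENSITIVE = (r"c:\windows\system32", r"c:\program files\windows defender", r"c:\backups")
RISKY_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WINDOW = timedelta(seconds=60)

def base(path):
    return path.lower().rsplit("\\", 1)[-1]

def target(cmdline, is_takeown):
    """takeown names its target after /f; icacls takes it as the first argument."""
    pat = r'/f\s+("[^"]+"|\S+)' if is_takeown else r'^\S+\s+("[^"]+"|\S+)'
    m = re.search(pat, cmdline, re.I)
    return m.group(1).strip('"').lower().rstrip("\\") if m else None

def score(events):
    """For each takeown run in time-ordered events, return (event, [(signal, severity)])."""
    out = []
    for i, ev in enumerate(events):
        if base(ev["Image"]) != "takeown.exe":
            continue
        tgt = target(ev["CommandLine"], True)
        grant = any(base(nx["Image"]) == "icacls.exe" and "/grant" in nx["CommandLine"].lower()
                    and nx["Time"] - ev["Time"] <= WINDOW and target(nx["CommandLine"], False) == tgt
                    for nx in events[i + 1:])
        checks = [
            (ev["Image"].lower() != EXPECTED_IMAGE, "unexpected image path", "high"),
            (tgt and tgt.startswith(SENSITIVE), "sensitive target", "high"),
            (base(ev["ParentImage"]) in RISKY_PARENTS, "suspicious parent", "high"),
            (re.search(r"(?<!\S)/r(?!\S)", ev["CommandLine"], re.I), "recursive", "med"),
            (grant, "icacls grant on same target", "high"),
        ]
        out.append((ev, [(n, s) for ok, n, s in checks if ok]))
    return out

# Constructed sample process-creation events, oldest first.
T0, S32 = datetime(2024, 1, 1, 12, 0), "C:\\Windows\\System32\\"
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
RAW = [
    (T0, S32 + "takeown.exe", WORD, r'takeown /f "C:\Program Files\Windows Defender" /r /d y'),
    (T0 + timedelta(seconds=5), S32 + "icacls.exe", WORD, r'icacls "C:\Program Files\Windows Defender" /grant someuser:F /t'),
    (T0 + timedelta(minutes=30), S32 + "takeown.exe", S32 + "cmd.exe", r"takeown /f D:\Shares\finance\report.xlsx"),
]
EVENTS = [dict(zip(("Time", "Image", "ParentImage", "CommandLine"), r)) for r in RAW]
for ev, hits in score(EVENTS):
    print(ev["CommandLine"], hits)
```

The first takeown event trips four signals at once, while the later one on a file share from cmd.exe trips none, which matches the point that the target and what follows decide whether an instance matters.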

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
