Last adaption: 03.2026
- Workaround for revoked permissions
Problem
On March 19, 2026, there was a false positive incident where cmd.exe and powershell.exe were incorrectly identified as threats. The false detection was resolved shortly after with a virus database update.
On affected devices, there are some aftereffects: in a few cases, the files were deleted, and in most cases, the NTFS permissions of the files were revoked.
C:\Windows\System32\cmd.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
As a result, these processes can no longer be executed.
Troubleshooting: Step-by-step guide
As a solution, the permissions must be manually restored:
- Step 1 Open the properties of the affected processes by right-clicking
- Step 2 Select the "Security" tab and the "Advanced" option, then specify the current user as the owner of the file
- Step 3 Select "Add", click "Select Principal" and enter the current user again
Step 4: Grant the current user full access permissions
Step 5: Next, run the following commands to restore all default permissions in the now-available cmd:
icacls "C:\Windows\System32\cmd.exe" /reset /c
icacls "C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe" /reset /c
If this does not work using the commands, the following user permissions must be manually assigned to both processes:
| Principal | Access |
|---|---|
| ALL APPLICATION PACKAGES | Read, Execute Read |
| ALL RESTRICTED APPLICATION PACKAGES | Read, Execute Read |
| SYSTEM | Read, Execute Read |
| Administrators | Read, Execute Read |
| Users | Read, Execute Read |
| Trusted Installer | Full Control Modify |
- from a device with the same operating system version and architecture
or - restore the system from a backup.