Windows Vista includes several special identities that are reserved for software and system processes and are never used by human users. The Batch identity provides permissions for any batch process (such as a job launched via Task Scheduler) that needs to access a resource on the computer. The Service, Local Service, and Network Service identities are used by system services and are controlled by the operating system.
The System identity allows the operating system itself to access protected resources. Similarly, the TrustedInstaller identity (new in Windows Vista) owns most operating system files. TrustedInstaller (which is a service, not a user; its complete name is “NT SERVICEâ€\ TrustedInstaller) provides additional protection for those files, because in previous versions of Windows, the Administrators group owned and had full control over them; because most users ran as administrators, a malicious program could run in the context of a user to delete or replace parts of Windows. As a general rule, permissions for these groups are set by the operating system and should never be adjusted by users.
Tampering with the default permissions on the drive that contains Windows system files is a bad idea. As part of the setup process, Windows Vista applies specific permissions to the root of the system drive; to the Windows, System32, and Users folders; and to specific subfolders within each of these locations. Changing the default permissions will not improve security and will almost certainly cause some users or programs to have problems.