ERROR_ACCESS_DENIED (0X00000005) — Access is Denied

Quick answer: Run takeown /f Path\To\File /r /d y then icacls Path\To\File /reset /t from an elevated Command Prompt. Works 90% of the time when it's a file or folder.

Why this happens

What's actually happening here is that a security descriptor — the ACL (access control list) on the object — explicitly denies your user or group, or the owner is a system account like SYSTEM or TRUSTEDINSTALLER. Windows checks the ACL before letting you read, write, or execute. If your SID (security identifier) isn't in the list with the right permissions, or if an explicit deny entry exists, you get 0X00000005.

This error pops up most commonly when you're trying to delete a stubborn file from C:\Windows\System32 or modify a registry key under HKLM. It also shows up when a scheduled task or service tries to start and the service account doesn't have Log on as a service rights.

Step-by-step fix

1. Open an elevated Command Prompt. Press Win+X, select Terminal (Admin) or Command Prompt (Admin). You must be an administrator — standard user won't cut it.
2. Take ownership of the target. If it's a file or folder, run:

   takeown /f "C:\Full\Path\To\File" /r /d y

   The /r recurses into subfolders, /d y answers 'yes' to all prompts. This assigns ownership to the Administrators group.
3. Grant yourself full control.

   icacls "C:\Full\Path\To\File" /grant Administrators:F /t

   The /grant adds an ACE (access control entry) giving F (full control) to Administrators. /t applies recursively.
4. Reset all inherited permissions. If the above fails:

   icacls "C:\Full\Path\To\File" /reset /t

   This replaces the current ACL with the parent folder's inherited permissions. Good when previous manual changes broke things.
5. For registry keys. Open regedit.exe as admin, right-click the key, choose Permissions, then Add your user, give Full Control. Apply, then OK.
6. For services. Open services.msc, find the service, right-click Properties → Log On tab. Change account to NT AUTHORITY\SYSTEM or NT AUTHORITY\LOCALSERVICE, apply, restart the service.

Alternative fixes if the main one fails

If takeown and icacls don't work — often due to file corruption or a locked file — try these in order:

• Boot into Safe Mode (hold Shift while clicking Restart → Troubleshoot → Advanced Options → Startup Settings → Restart → press 4). Safe Mode loads minimal drivers and often bypasses file locks.
• Use PowerShell's Force flag: Remove-Item -Path "C:\Path" -Force -Recurse. The -Force flag can override some ACL restrictions temporarily.
• Check if the file is open. Run handle64.exe -a "filename" from Sysinternals (download from Microsoft). It shows which process has the handle. Kill that process first.
• Worst case — use a Linux live USB to delete the file. Boot from Ubuntu USB, mount the Windows drive, and rm the file. Linux ignores Windows ACLs entirely. This absolutely works when nothing else does.

Prevention tip

Don't mess with permissions on system folders like C:\Windows or C:\Program Files. The defaults are there for a reason — they protect you. If you need to write there, use the proper APIs (e.g., installers elevate, they don't hack permissions). Also, never manually set Everyone:Full Control on a folder. It's a security risk and breaks inheritance for any subfolder you copy later.

For personal files, stick to your user folder (C:\Users\YourName). That's where you're already the owner.