A question came up in one of the comments asking me to please define TrustedInstaller. I've talked about it before a few times, but I've never gone through and dug through the implementation in a visible way. Time to change that - and we can do so with the help of some built-in command line tools, with a little power assist from Sysinternals.
Here's the dialog you can have with these tools to illustrate how this works, so you can see it rather than just reading somebody tell you about it:
c:\Windows>REM What does the ACE actually say?
c:\Windows>icacls explorer.exe explorer.exe NT SERVICE\TrustedInstaller:(F) BUILTIN\Administrators:(RX) NT AUTHORITY\SYSTEM:(RX) BUILTIN\Users:(RX)
Successfully processed 1 files; Failed processing 0 files
c:\Windows>REM OK, let's get the SID for that...
c:\Windows>psgetsid "NT SERVICE\TrustedInstaller"
PsGetSid v1.43 - Translates SIDs to names and vice versa Copyright (C) 1999-2006 Mark Russinovich Sysinternals - www.sysinternals.com
SID for NT SERVICE\TrustedInstaller: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
c:\Windows>REM This SID is one of the new Service SIDs in Windows Vista
c:\Windows>REM How do we verify which one? sc.exe has a new option
c:\Windows>sc showsid TrustedInstaller
NAME: TrustedInstaller SERVICE SID: S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464
c:\Windows>REM yep - it's the same one! How does this appear in the
c:\Windows>REM services MMC console?
c:\Windows>sc getdisplayname TrustedInstaller [SC] GetServiceDisplayName SUCCESS Name = Windows Modules Installer
c:\Windows>REM And there you have it - here's the principal you're looking for