I ran icacls on c:\windows and noticed a account called NT
Service\TrustedInstaller that has full access to the directory. But I cannot
find this account in the list of users on the my Vista Machine.
Research shows that this is the account used by Vista installation service
for installing applications. But Task Manager does not show any service or
process running under that account.

Can someone demistify where this account resides and which service uses
this? Can I create additional directories and only allow this account to
create/write files to it?

> I ran icacls on c:\windows and noticed a account called NT
> Service\TrustedInstaller that has full access to the directory. But I cannot
> find this account in the list of users on the my Vista Machine.
> Research shows that this is the account used by Vista installation service
> for installing applications. But Task Manager does not show any service or
> process running under that account.

TrustedInstaller _is_ the Installer service. It is actually a Service SID
representing that service. The fact that it is the only thing that has write
permission to system binaries means that it is the only thing that can update
them (without jumping through hoops).

Yes, you can make that account the only thing that has permissions. It is
treated as any other account for access checking purposes.