> I ran icacls on c:\windows and noticed a account called NT
> Service\TrustedInstaller that has full access to the directory. But I cannot
> find this account in the list of users on the my Vista Machine.
> Research shows that this is the account used by Vista installation service
> for installing applications. But Task Manager does not show any service or
> process running under that account.
TrustedInstaller _is_ the Installer service. It is actually a Service SID
representing that service. The fact that it is the only thing that has write
permission to system binaries means that it is the only thing that can update
them (without jumping through hoops).
Yes, you can make that account the only thing that has permissions. It is
treated as any other account for access checking purposes.