diff --git a/src/security/audit.test.ts b/src/security/audit.test.ts
index 4bbfd21e3..539d8b7e3 100644
--- a/src/security/audit.test.ts
+++ b/src/security/audit.test.ts
@@ -800,8 +800,9 @@ describe("security audit", () => {
     await fs.writeFile(includePath, "{ logging: { redactSensitive: 'off' } }\n", "utf-8");
     if (isWindows) {
       // Grant "Everyone" write access to trigger the perms_writable check on Windows
+      // Use the well-known SID *S-1-1-0 for "Everyone" (works on all locales: English, Spanish, etc.)
       const { execSync } = await import("node:child_process");
-      execSync(`icacls "${includePath}" /grant Everyone:W`, { stdio: "ignore" });
+      execSync(`icacls "${includePath}" /grant *S-1-1-0:W`, { stdio: "ignore" });
     } else {
       await fs.chmod(includePath, 0o644);
     }
@@ -815,18 +816,18 @@ describe("security audit", () => {
       const user = "DESKTOP-TEST\\Tester";
       const execIcacls = isWindows
         ? async (_cmd: string, args: string[]) => {
-            const target = args[0];
-            if (target === includePath) {
-              return {
-                stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
-                stderr: "",
-              };
-            }
+          const target = args[0];
+          if (target === includePath) {
             return {
-              stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
+              stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n BUILTIN\\Users:(W)\n ${user}:(F)\n`,
               stderr: "",
             };
           }
+          return {
+            stdout: `${target} NT AUTHORITY\\SYSTEM:(F)\n ${user}:(F)\n`,
+            stderr: "",
+          };
+        }
         : undefined;
       const res = await runSecurityAudit({
         config: cfg,