Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions


A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    echo Determine whether we are on a 32 or 64 bit machine

    rem A 32-bit OS reports x86 and leaves PROCESSOR_ARCHITEW6432 empty
    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    rem 64-bit OS: look for SubInACL under the 32-bit Program Files directory
    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo ==========================================================================
    rem Registry hives: /subkeyreg updates all subkeys, /keyreg updates the root key itself
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo System Drive...
    rem Despite the label above, this command targets the Program Files directory
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo ==========================================================================
    echo FINISHED.
    echo Press any key to exit . . .
    pause >NUL

    rem Return to the directory the script was started from
    popd

    :END

  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.
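The error codes listed under "When is SubInACL useful" are one Win32 error in different encodings: 0x80070005 is a failure HRESULT whose facility is Win32 and whose low 16 bits are error 5. The following Python script is an added example, not part of the original post; it scans setup log lines for Access Denied in any of those forms. The function names and the last four sample lines are constructed for illustration.

```python
import re

ERROR_ACCESS_DENIED = 5      # Win32 error code for "Access is denied"
FACILITY_WIN32 = 7           # HRESULT facility used to wrap Win32 errors

HEX_TOKEN = re.compile(r"\b0x([0-9A-Fa-f]{1,8})\b")
DEC_TOKEN = re.compile(r"\berror(?: code)?[ :=]+(\d+)\b", re.IGNORECASE)


def to_win32(value):
    """Reduce a raw code or a failure HRESULT to its Win32 error code.

    A failure HRESULT has bit 31 set, the facility in bits 16-26 and the
    code in bits 0-15, so 0x80070005 is FACILITY_WIN32 wrapping error 5.
    Returns None for failure HRESULTs from any other facility.
    """
    if value & 0x80000000:
        facility = (value >> 16) & 0x7FF
        return value & 0xFFFF if facility == FACILITY_WIN32 else None
    return value


def access_denied_hits(lines):
    """Return (line_number, evidence) for each line reporting Access Denied."""
    hits = []
    for number, line in enumerate(lines, start=1):
        tokens = [(m.group(0), int(m.group(1), 16)) for m in HEX_TOKEN.finditer(line)]
        tokens += [(m.group(0), int(m.group(1))) for m in DEC_TOKEN.finditer(line)]
        evidence = [raw for raw, value in tokens if to_win32(value) == ERROR_ACCESS_DENIED]
        if not evidence and "access is denied" in line.lower():
            evidence = ["Access is denied"]
        if evidence:
            hits.append((number, evidence[0]))
    return hits


# The first three lines are the KB893803v2.log excerpt quoted in the post;
# the remaining lines are constructed for this example.
SAMPLE_LOG = [
    "30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5",
    "30.844: DoInstallation:DoRegistryUpdates failed",
    "30.875: Access is denied.",
    "Setup failed with HRESULT: 0x80070005",
    "Setup failed with HRESULT: 0x80070002",
    "Installer returned error code 5",
    "Installer returned error code 1603",
]

if __name__ == "__main__":
    for number, evidence in access_denied_hits(SAMPLE_LOG):
        print(f"line {number}: {evidence}")
```

Lines that fail with other codes, such as 0x80070002 or 1603, are not reported, which helps separate permission problems from setup failures that resetting ACLs will not fix.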

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>


  • Hi Jaya Naicker - I wouldn't recommend trying the steps in this blog post if you are a novice and don't have confidence in your ability to react to issues that might arise after you run the steps.

    If you still want to try to run these steps, you will need to update the script to replace all instances of the string YOURUSERNAME with your actual login user name.

  • Thanks for getting back

    What if my user name was like " YOUR USERNAME " instead of " YOURUSERNAME "?

  • Hi Jaya Naicker - I haven't tried that myself because I don't have a user name with spaces in it, but I think you can put quotes around the user name in the command line in that scenario.

  • I had noticed some of the software (Nitro Pro) that I try to install has the same problem with Microsoft Office, fail to open registry key. What should I do???

  • Hi Lance - If you are getting registry permission problems, you'll need to narrow down which registry keys are causing the problems and then try to update the permissions to fix the problems.  If the SubInAcl tool in this blog post doesn't help, you can try to update the registry permissions yourself by using the steps in the link I posted in my previous comment to you (www.raymond.cc/.../full-control-permission-to-delete-or-edit-restricted-windows-registry) or you can work with a support team member to have them walk you through that process.  You can find support contact information at http://support.microsoft.com.

  • hey, Aaron,

    I am trying to install a game - Front Mission Evolved - the game installs fine but when it goes to install/configure windows 2005 C++ redistributable I get the error 1935

    I downloaded the SubInACL tool, made a reset.cmd doc but when I type reset.cmd into command prompt, nothing happens. Nothing opens, etc. It simply goes to the next line in prompt as if nothing happened. I pretty much suck at this troubleshooting stuff and was wondering if you could help me out?

  • Hi Seth - Most of the time, 1935 errors for the VC++ redistributable cannot be solved with SubInAcl.  I'd suggest taking a look at the information and links at blogs.msdn.com/.../9904471.aspx to see if any of that information helps in this scenario.

  • Hello Aaron,  My problem started with the inability to install Lightroom 3 to my Vista/32 laptop.

    I received the message:

    "Error 1935.An error occurred during the installation of

    assembly component


    HRESULT: 0x80070005"

    I entered into a chat session with Adobe support, and they instructed me to run the SubInACL program, and reboot the computer.  After looking at your complete instructions, however, I realize they did not have me change the login user id from "yourself" to my actual user id.

    After my system restarted, the desktop background had changed to Black.  On the bottom, right side of the monitor, the following information appeared:

    "Windows Vista (TM)

    Build 6002

    This copy of Windows is not genuine"

    I still attempted to re-install Lightroom 3, but it failed for the same reason.

    I ran the MS Genuine Advantage Diagnostic tool, 1.9.0027.0, and it reported that my license was, "Invalid."

    I have updated my case with Adobe, through their online portal, but thought I would run this past you before I tried another chat session.

    Any help would be much appreciated.

  • Hi BluegrassPhotog - I'm very sorry for the hassles that these permissions issues and the attempts to fix them have caused.  If you're getting that type of Windows validation problem after running SubInAcl, I'd suggest trying to boot in safe mode and see if you can roll back the changes with a system restore point or something like that.  Then, once you've rolled back and you verify that Windows validation works and your desktop appears as expected, I'd suggest trying SubInAcl again with the correct username.

    There is a blog post at www.brianpeek.com/.../weird-vista-registry-issue.aspx that might be helpful to you in this scenario as well.

  • Aaron, thank you for your reply.  I had another chat session with Adobe, today, and I am unhappy to report that their support leaves much to be desired.  The good news is that I was able to activate my license, so Vista is back to normal.  My system was actually functioning normally; my license was just invalid.  Lightroom 3 still won't install, but that is Adobe's problem, not yours or Microsoft's.  I really appreciate your getting back to me so quickly.  Good luck to you in all your endeavors.  BGP

  • I adopted a version of Aaron's original script to edit the permissions of the Registry key HKLM\Software\Microsoft\Internet Explorer so that the local Users group would have Full control of the Internet Explorer key and all subkeys to be able to play sound on a special web application that uses MP3 sound files, but it doesn't seem to change anything. I am running Windows 7 Enterprise 64-bit. My script is:

    cd /d "%programfiles(x86)%\Windows Resource Kits\Tools"

    subinacl.exe /noverbose /subkeyreg "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /grant=Users=f > %temp%\subinacl_output.txt

    subinacl.exe /noverbose /keyreg "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /grant=Users=f >> %temp%\subinacl_output.txt

    There are over 1300 subkeys under the Internet Explorer key and the output file lists four "Access Denied" warnings, which I am fine with.

    Am I expecting the permissions to change when really this is changing something else? Should I use something other than "Users"? I tried doing the same thing with Regini, but it doesn't let the inherited permissions trickle down to the child objects even though the child objects do say their permissions are inherited from their Parent. Thanks for any help.

  • Hi Mike - I'm not sure how well tested SubInAcl is for 64-bit registry permissions because that tool was created before 64-bit OS's existed.  You might need to try to use a different tool like RegIni in your scenario.  There is a forum post at social.technet.microsoft.com/.../d5da5921-6f18-4ba4-ba9e-0e8f77bfbd06 that might be helpful to you in this scenario.

  • Hi Aaron,

    Your script resolved my issue with Microsoft Office 2010 (32-bit) always wanting to re-install every time I started one of the Office applications.  Previously, any of the Office apps would show a pop-up message:

    Please wait while Windows configures Microsoft Office Professional Plus 2010...

    I didn't even need to reboot.

    Thanks so much!

  • Hi Aaron,

    I wanted to get back to you about the problem I was having with installing Lightroom 3, running into the "error 1935, HRESULT: 0x80070005," situation.

    Just to remind you, this was the situation where Adobe Chat instructed me to run SubInACL, and my Vista license became invalidated.  I re-validated Vista online through MS to resolve that problem.  I think the problem was caused by Adobe not instructing me to change the (2) parameter values "Yourself," to my user ID.  At that time, I had no idea the purpose of SubInACL, only that I was desperate to get the problem resolved.

    After spending another half-day on the phone with Adobe chat, it was very apparent that the permissions were, indeed, causing all the problems.  The Adobe tech could not even perform any simple file copies, receiving "Access Denied," errors.

    After the tech gave up and referred me to MS, I decided to follow your instructions on running SubInACL.  Before that, I ran the "System Readiness Tool for Vista," to look for other inconsistencies.  I figured it couldn't hurt!

    I am happy to report that your instructions resolved the issue, and LR3 installed properly.

    Thank you so much for your assistance, in addition to your knowledge which you provide as a free service to those of us who don't have a clue.

    Best regards, Eric

  • Hi Aaron. I have been having some issues lately with my laptop. My Vista gadgets are not working.... they appear in a little black box. Also, my McAfee antivirus shows me a white screen when I open it. And Skype won't open, it also shows me a white screen... I hope you have some good advice. My laptop is a Compaq Presario, which I bought 4 years ago....


