Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Rate This

A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    setlocal

    echo.
    echo Determine whether we are on an 32 or 64 bit machine
    echo.

    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    echo.

    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo.
    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo.
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo.
    echo ==========================================================================
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo System Drive...
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo ==========================================================================
    echo.
    echo FINISHED.
    echo.
    echo Press any key to exit . . .
    pause >NUL

    popd

    :END

    endlocal

     
  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>

 

  • You Sir, are a genius. I had problems installing Quicktime - was getting a 'you don't have sufficient permissions' nonsense whenever I installed it...I tried everything but nothing worked. Apple told me to re-install Windows but that's their answer to everything when they can't figure out what to do. I followed your tips, and everything installed beautifully. Well done, sir, well done!

  • Dear Aaron,

    I am somewhat computer "illiterate" but I found your posts via a search on Windows XP advice site.

    I have the same problem trying to open any program files, Windows Updates, "run", etc...same message continually appears:

    Windows cannot access the specified file, program or device. You may not have the appropriate permissions to access..."

    My system is Windows XP Home Edition.

    I followed the instructions you gave but when I attempt to "run" the downloaded file SubInACL.exe, I get the following error message:

    "Windows Installer - The feature you are trying to use is on a network resource that is unavailable. Click OK to try again, or enter an alternate path to a folder containing the installation package "subinacl.msi" in the

    box below:"

    The "box below" shows Desktop as the only location. When I browse the Windows files I do not see a folder called "Windows Resource Kits\Tools" anywhere on my system.

    I saved the downloaded file to the folder "Downloaded Installations" in any event, but when I click the file to run it, I get the same exact message as

    above.

    When I click OK, the following message appears:

    "The installation source for this product is not available. Verify that the source exists and that you can access it."

    I am frustrated beyond measure and would greatly appreciate any and all pertinent advice.

    I am the Administrator and the only person using the laptop.

    In "Safe Mode" I gave myself permissions for all program files, Windows files, etc...

    Kind regards,

    Gary English

    Abu Dhabi, UAE

  • Hi GaryE - It sounds like something went wrong with the installation of the SubInAcl tool on your system.  I'd suggest trying to do the following:

    1.  Use the steps listed at http://blogs.msdn.com/astebner/archive/2005/10/30/487096.aspx to manually remove the SubInAcl product from your system.

    2.  Re-download it and re-install it from http://www.microsoft.com/downloads/details.aspx?FamilyId=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B

    3.  Try again to use the steps listed above in this blog post.

    Also, in general, it is not sufficient to just grant your user account permissions.  Usually you have to also grant the local system account and the Administrators group access as well (which is essentially what the instructions above will achieve).

    Hopefully this will help.

  • Thanks Aaron - I deleted Windows Installer and dowloaded a newer version, the was able to install SubInAcl. I followed your instructions to the letter...but I still receive the message:

    "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to..."

    A colleague here suggested it might be caused by a "worm" which has taken control of registry files..? Scans do not show any viruses or worms but he said they can be hidden, or "removed" but still cause havoc.

    Many thanks and Happy New Year to everyone,

    Gary

  • Hi GaryE - If SubInAcl didn't help resolve the permission problem, then there are a few other things I typically suggest.  First, you can try to disable some services to see if there is something else preventing you from accessing those resources (such as an anti-virus program or anti-spyware program).  You can use the steps listed at http://blogs.msdn.com/astebner/archive/2006/11/25/disabling-services-with-msconfig-to-work-around-setup-failures.aspx to try this out.

    If that doesn't help, you can try to use a tool like Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) to try to manually narrow down which file/folder/registry key is causing the access denied error and then try to fix the permissions directly.

    I've also heard of cases where this type of error has been caused by a virus, but typically in those cases, the virus is discovered by running a scan on the system.

    Hopefully one of the above suggestions helps.

  • Yep..I have the same problem with script errors on wife's account only when she opens Adobe Photoshop Elements (not an install problem just opening existing app).  The SubIn ACL fix looks very promising, but like Gary E, I have XP Home SP2, not Pro as the MS descriptin at the SubInACL download site says.  That is pretty clear that it will not work with XP Home.  Has anyone been successful with this tool with XP Home?  I'm pretty reluctant to try it for fear of screwing things up a lot worse.

    BobbyL

  • Hi BobbyL - The web site doesn't specify this, but SubInAcl will run fine on Windows XP Home just like on XP Professional.  I'd suggest giving the steps a try to see if they help at all on your system.  If they don't work, you may need to try the additional suggestions I posted in my most recent reply above to GaryE.

    Hopefully this helps!

  • Aaron,

    The URL you provided right in the beginning of your blog to the MS site for SubInACL tool does indeed in the System Requirements section explicity say XP Pro...no mention of XP Home.  The problems that GaryE had may be traced to the fact that he is using XP Home, as he said in his very first comment above on 12.30.07.  

    I was hoping that someone might have successfully used the SubInACL fix under XP Home.  I am willing to try it if I had some confidence that I would not further hose up my system.  You think I might be safe to proceed if I had a Ghost image to restore the system to if things went south?

    BobbyL

  • Hi BobbyL - I understand that the wording on the SubInAcl download page seems to indicate that it supports XP Pro but not XP Home, but from what I can tell and what I know about the tool, that is just an oversight in the wording on the page and not an indication that this tool won't work on XP Home.  Nearly all of the operating system code for Windows XP is identical between the Home, Pro, Tablet and Media Center versions, including this type of security permissions management code that SubInAcl interacts with.  As a result, I don't believe you run any risk of further damage to your system by trying it out.

    The issues that GaryE has run into simply mean that for some reason SubInAcl didn't help resolve the issue he was encountering.  The SubInAcl steps listed in this blog post do not work for 100% of the possible cases where an access denied error can occur.  These steps have been tailored to help in the majority of cases I've seen in the past though, so they tend to work most of the time.  GaryE's system had some other missing permissions that these command lines didn't help fix, so additional troubleshooting steps are needed to narrow down the cause further.  These issues weren't caused by trying to run SubInAcl though - they existed before the tool was even attempted on his system.

  • Aaron,

    I took the plunge and tried your fix...and it did the job!!  No problem with running XP Home. Thanks so much for sharing your knowledge and encouragement on this...you are the man!

    BobbyL

  • Hi BobbyL - I'm really glad to hear that these steps helped solve this issue on your system.  I'm sorry for the hassle it caused for you along the way, and I'm also sorry for the confusion caused by the documentation on the SubInAcl download page.  Please let me know if you run into any additional problems on your system.

  • I found this post on Google. 2 years and no SP2 because of permission errors on my XP Home OS. I followed BobbyL's bravery and tried the SubINAcl install too. I am happy to report SP2 now is installed on my XP Home Edition with now problems. - except for the install of 61 - SP2 MS updates that took awhile to complete. :-)

  • Hi again,

    Sorry for the delay in getting back to you but I was down with what is known as "Abu Dhabi Flu" which is going around this time of year.

    I did download and install Process Monitor but to be honest, I have no idea at all what I am looking at when it is running...or what I should be looking for.

    I ran the codes you listed above once again and when it completed, I had the following messages (some of my spacing my not be correct as I copied it quickly):

    C:\Program Files\Windows Resource Kits\Tools>subinacl /subdirectories C: /grant=administrators=f /grant=system=f Access is Denied

    Also another >subainacl with the following:

    /subdirectories C:\Windows\*.* /grant=administrators=f /grant=system=f Access is Denied

    Any thoughts about this?

    Kind regards,

    Gary

  • Hi GaryE - I'm sorry that you ended up getting sick.  I've been fighting something similar to that myself  :-(

    It can be difficult to narrow down exactly what to look for in Process Monitor.  What I usually do is start by adding a filter based on the process name - typically that is the name of the setup program you are trying to install, or if the setup is an MSI then it will be msiexec.exe.

    Then, I run the setup and reproduce the failure, and start looking for errors listed in the output.  From the errors, you can see the cause of the error in one of the columns in Process Monitor - they should be listed as access denied in this type of scenario.

    I've never heard of a case where running SubInAcl itself gave an access denied error though.  Are you running it when logged in as an administrator on your system?  You may need to go and manually try to do what each of those failing SubInAcl steps are doing.  You can manually change the permissions for a folder or registry key using Windows Explorer or regedit.exe.  You will want to add the Administrators group and grant that group full control and also add the SYSTEM account and give it full control.  You can do this for the root of your C drive, the c:\windows directory, and the roots of the HKEY_LOCAL_MACHINE, HKEY_CLASSES_ROOT and HKEY_CURRENT_USER registry hives and hopefully that will help.

  • I found a copy of this fix on another blog that mentioned they had used it on Vista to fix it so that the latest beta of Safari would run. I backed up my system, created a system restore point, and ran the script.

    Upon restarting, most of my services failed to start.  I could not run any properties boxes, nor run most system programs without getting a message that "The system does not have enough memory to complete this task (0x8007000e).

    Even using the Vista DVD and trying to do a system restore would not work correctly.  It was completely crazy.

    Finally I stumbled on another page where someone else had used this tool with a slightly different command.  Since I was on the verge of re-installing everything anyway I figured it was worth a try, and it fixed EVERYTHING.

    cd /d "%programfiles%\Windows Resource Kits\Tools"

    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=USERNAME=f /grant=restricted=r /setowner=administrators

    subinacl /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=USERNAME=f /grant=restricted=r /setowner=administrators

    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /setowner=administrators

    subinacl /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /setowner=administrators

    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators

    subinacl /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators

    I wouldn't use this fix at all unless you are desperate!!

Page 2 of 21 (309 items) 12345»
Leave a Comment
  • Please add 7 and 1 and type the answer here:
  • Post