Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions


A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    rem Choose the Program Files folder that SubInACL was installed to.
    echo Determine whether we are on a 32 or 64 bit machine

    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    rem Stop early if subinacl.exe is not where the installer puts it by default.
    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo ==========================================================================
    rem Registry hives: /subkeyreg covers the sub-keys, /keyreg the root key itself.
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    rem File system: all output is appended to the same log file.
    echo System Drive...
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo ==========================================================================
    echo FINISHED.
    echo Press any key to exit . . .
    pause >NUL

    rem Return to the directory the script was started from.
    popd

    :END




  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.
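The missing-ACL condition described above can be checked on the key or folder named in a failing setup log before resetting permissions across the whole system. The PowerShell below is an added example, not part of the original post or of SubInACL; it assumes PowerShell 3.0 or later, and the function name Test-FullControl and the default path list are illustrative. It only reads ACLs, and it matches SYSTEM and Administrators by well-known SID so the result does not depend on the Windows display language.

```powershell
# Added example (not from the original post): read-only check of whether
# SYSTEM and Administrators hold Full Control on a key or folder.
param(
    # Assumed defaults: the roots that reset.cmd touches. Pass the specific
    # key or folder named in the failing setup log for a targeted check.
    [string[]]$Path = @(
        'Registry::HKEY_CURRENT_USER',
        'Registry::HKEY_LOCAL_MACHINE',
        'Registry::HKEY_CLASSES_ROOT',
        $env:windir,
        $env:ProgramFiles
    )
)

# Well-known SIDs do not change with the Windows display language,
# unlike the group name "Administrators".
$required = [ordered]@{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
}
$sidType     = [System.Security.Principal.SecurityIdentifier]
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Test-FullControl {
    param([string]$Target)
    try {
        $acl = Get-Acl -Path $Target -ErrorAction Stop
    } catch {
        # Failing to read the ACL at all is reported rather than hidden.
        return [pscustomobject]@{ Path = $Target; Principal = '(ACL unreadable)'
                                  FullControl = $false; Detail = $_.Exception.Message }
    }
    # Explicit and inherited ACEs, with identities translated to SIDs.
    $rules = $acl.GetAccessRules($true, $true, $sidType)
    foreach ($sid in $required.Keys) {
        $granted = $false
        foreach ($rule in $rules) {
            if ($rule.IdentityReference.Value -ne $sid) { continue }
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to this object.
            if (([int]$rule.PropagationFlags -band $inheritOnly) -ne 0) { continue }
            if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
                $rights = [int]$rule.RegistryRights
                $full   = [int][System.Security.AccessControl.RegistryRights]::FullControl
            } else {
                $rights = [int]$rule.FileSystemRights
                $full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
            }
            if (($rights -band $full) -eq $full) { $granted = $true; break }
        }
        [pscustomobject]@{ Path = $Target; Principal = $required[$sid]
                           FullControl = $granted; Detail = "Owner: $($acl.Owner)" }
    }
}

$Path | ForEach-Object { Test-FullControl -Target $_ } | Format-Table -AutoSize
```

Deny entries are not evaluated, so a False result shows where an Allow entry is missing, while a True result does not by itself prove effective access.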

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>


  • Hi Thomas1981 - You need to make sure to run subinacl.exe from an elevated cmd prompt on Windows Vista.  To open an elevated cmd prompt, you can click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator.

    I'm not sure that will solve this error though - I haven't heard of this exact issue while running subinacl before.  You may want to review the readme at C:\Program Files\Windows Resource Kits\Tools\subinacl.htm to see if you can figure out possible causes of this error.  You may also want to review the other comments on this blog - there are some specific notes posted by others who have tried running subinacl on Vista and run into issues, and they have posted other suggested workarounds that may be useful to you as well.

  • I've solved the problem, I deleted the


    argument and it works fine. Vista Update is working too!

    Thanks a lot

  • XP Pro SP2 Media Center, Toshiba Satellite A105

    Hi Aaron,

    Since July 15th of 2007, altho WGA always reports Genuine, all Updates FAIL to install, even individual installs, reporting Error Code 0x80070005. Looked around, modified a couple of Registry Permissions with no luck and FINALLY found your blog, DLed and INS SubInACL tool and ran your script.  Report:

    Elapsed Time: 00 00:04:26

    Done: 28654, Modified 28654, Failed 0

    Last Done: C:\WINDOWS\wt\wtupdates\wtwebdriver\update_info\data.wts

    C:\Program Files\Windows Resource Kits\Tools_

    Now, I am going to Restart and pray... Back to MS Update, 9 Hi-priority updates listed, A-V, malware and Firewall stopped, Install Updates, a long pause (20 minutes), "Installation started...done!, then Installing".... the rest following suit, taking 45 minutes and Toshy restarted! and 10 optional updates selected, A-V, malware and Firewall stopped and Installed without problems.

    I am wondering, with what SubInACL repairs and your script resolves, does any of that have to be returned to its original state?  Has a "hole" been left anywhere that could cause problems?

    At any rate, I want to compliment you on your diligence, knowledge and craft as well as sharing it with those who will listen.  I have no choice, I am subscribing to your Blog... and will sit at the feet of the guru... just tell me what to think!


  • Hi Olamoree - The steps listed in this blog post use SubInAcl to add full control permissions to the Administrators group and the local system account to the following parts of your system:

    1. The HKEY_LOCAL_MACHINE registry key and any sub-keys.

    2. The HKEY_CLASSES_ROOT registry key and any sub-keys.

    3. The HKEY_CURRENT_USER registry key and any sub-keys.

    4. The %windir% folder and any sub-folders and files.

    5. The %systemdrive% folder and any sub-folders and files.

    Most installers for applications and OS hotfixes require this type of permission to be able to install successfully.  You shouldn't need to reverse any of these things later on.

    Thanks for the compliment on my blog.  Please let me know if you run into any issues in the future.

  • Thank you !!  I am running an old machine with the world loaded on it, running under Windows XP Home SP2. After recently installing Norton 360, some problems on my wife's (administrator account) got worse. I saw the apparently classic unending Script error windows in IE7, Control Panel/User Accounts, etc. Though I was somewhat concerned about using your fix under XP Home, I saw that you addressed this issue, and said it would work.  I took more than a few minutes to run (our registries have grown huge over the years), but it worked. Control panel works, IE7 works, Flash 9 works. I didn't even have to reboot or uninstall any software.

    It's hard to express how appreciative I am.

  • Hi Aaron

    Thanks for your info, I have a problem with my registry and I think your solution regarding SubInACL may well work, however I am rather concerned that it could also make the situation worse?  I have had issues with iTunes so I decided to uninstall and reinstall iTunes, uninstalling went fine however half way through reinstalling, the following error msg came up

    "Could not open key:


     Verify that you have sufficient access to that key, or contact your support personnel"

    after this I was unable to install iTunes.  In desperation I restored the pc back to before I uninstalled iTunes at which point iTunes was back on the system however now it won't run, and I can't uninstall it.  I tried to roll back the restore point and iTunes is still there and still won't work... HELP!!!  It’s driving me crazy!  I have contacted iTunes, Microsoft, Acer and the closest they have come to helping me is to advise I restore the factory settings.

    I am confident that if I can gain access/permission to the HKEY mentioned it would resolve the problem.  I was going to try the SubInACL idea you suggested, however I am running Vista and the reviews other people have left across the net have been very mixed where Vista is involved.  Do you think this registry fix would be the solution to my iTunes problem or have I misinterpreted the use of the SubInACL tool and I am likely to cause more problems with my already problematic Vista laptop???

    For  the record, I have AVG 8.0 always running and I have no viruses, rootkits, etc!

    Any suggestions would be greatly appreciated


  • Hi Staura - It sounds like you have a permission problem for this registry key, which is typically something that SubInAcl will allow you to solve.  However, before running the tool, you could attempt to manually fix the permissions for just this one registry key and see if it helps resolve your iTunes installation issue.  To do that, you can launch regedit.exe, then find this registry key, right-click on it and choose Permissions.  From there, you can add the SYSTEM account and the Administrators group, and grant them Full Control permissions.

    Hopefully this helps!

  • Hi Aaron

    Thanks for the feedback, I have just tried and the key says

    "ProxyStudClsid32 cannot be opened.  An error is preventing this key from being opened.  Details: Access is denied"

    It then allows me access to the Permissions but I can't save any changes or add any administration groups.  I think I will try your SubInACL solution and if it doesn't work, I will restore the factory settings and start again!  To be honest we are having so many problems with Vista anyway; recycling files is now taking a good minute regardless of size (Microsoft have been no help on this), Windows media player won't work either despite installing all kinds of codecs to resolve the issue (we are now running classic version as it is the only one that will work), I think a complete system restart really could only improve the situation.

    Thanks for your help, it's really appreciated

  • Aaron:

    Thank you. Thank you. Thank you.

  • Hi,

    I've been having problems with Office 2003 updates since I upgraded to XP SP3. When I start MS Expression Web, Windows Installer would start and try to reinstall Office 2003 and then it would fail due to a registry key permission issue (which I tried to fix manually in the registry, but it didn't help). Also, I couldn't install Office updates I received from Windows Automatic Updates. I found reference to your blog on the Windows XP Microsoft Discussion board. I followed your directions above using the SubInACL tool and it worked!  I no longer get the Windows Installer popping up all the time and I was able to install the Office 2003 automatic updates. Thank you for posting these instructions! I will amend my post to the discussion board where I sought help for this issue, and state that I found the answer here on your blog. Thanks again! Great job!

  • ok, blackberry works now... but now all my sound is not working and the network monitor and updates are disabled. Ummm, not like I knew what I was doing running this but I was desperate last night. How now to re-enable those other devices.


  • Hi Ex19 - I'm sorry for the hassles this is causing for you.  I'm not sure what to suggest to fix your sound and network monitor.  What kind of specific errors do you get for those things?  It might help to try to update drivers for your sound card to fix your sound issue.

  • Hi;

    Just discovered this great thread and am reading it with great interest. I am having a terrible time getting Adobe Flash to install with Windows XP Home. I'm just a Joe average PC user and have tried everything I could find to solve the problem but nothing has worked. My question is this. When you state that "you will need to have administrator privileges for this to run correctly", what exactly do you mean? Can I accomplish everything in your instructions by logging into windows "Safe Mode"? If so, how? It's a whole other issue (admin pw problem) but the only way I can log into Windows as an administrator is while in Safe Mode.

    Will I still be able to solve my flash installation problem using SubInACL while logged-in in safe mode. I hope I'm making sense.



  • Thanks for answering. Well here's the deal. Audio Service is not running, connection status unknown not enough storage is available to complete this operation, windows installer service could not be accessed, security center can not change your automatic updating settings (tried manual, failed) Like EVERYTHING in the system is pretty much flipping out.

    I ran the blackberry no media after this subinacl and everything from then on was all downhill. I have no idea what I'm doing but it seems that lots of stuff in my computer has fried. Tried to reinstall the drivers for audio, no help. Now I'm going to try running vista update to hope it will go through and figure out what is wrong and fix it. Prob. wishful thinking. I'm not sure but I have a feeling it's actually the blackberry software, but now I can't uninstall it. I'll keep you up to date, but if you see some theme in here I'd really appreciate a hand.:)

  • Hi Speedytina - Without knowing exactly what errors you're getting while trying to get Adobe Flash to install, it is difficult to say whether or not SubInAcl will be useful for you.  SubInAcl generally helps when the error is 5 or 0x5 or "access denied" during installation.

    Administrator privileges means that you need to log on to your computer with an account that is a member of the Administrators group because SubInAcl needs a certain set of privileges in order to be able to change the file and registry permissions on the system.

    You may also want to look on the Adobe web site to see if they have any troubleshooting guides or FAQ lists for installation problems related to the Flash player.
