Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Rate This

A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    setlocal

    echo.
    echo Determine whether we are on an 32 or 64 bit machine
    echo.

    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    echo.

    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo.
    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo.
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo.
    echo ==========================================================================
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo System Drive...
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo ==========================================================================
    echo.
    echo FINISHED.
    echo.
    echo Press any key to exit . . .
    pause >NUL

    popd

    :END

    endlocal

     
  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>

 

  • Hi Ex19 - I'm not sure how to explain these additional errors that you're seeing.  Since you mentioned that you're running Windows Vista, you may be running into some of the complications that other folks who have posted comments on this blog post have mentioned.  Specifically, I'd suggest looking at the comment at http://blogs.msdn.com/astebner/archive/2006/09/04/solving-setup-errors-by-using-the-subinacl-tool-to-repair-file-and-registry-permissions.aspx#7394609 to see if these modified steps help at all.

  • Yes Aaron, the above comment absolutely solved my issue! It was scary, I have to say, but in the end it completely restored all those things that were not working under Vista. Thanks so much for your help.

  • Hi Ex19 - I'm glad to hear that this fixed things for you.  I've gone back and updated the list of commands to run in the main blog post and in the cmd file linked in this blog so that others will hopefully not run into this type of error in the future.

  • Dear Aaron,

    I am trying to solve issues with updating windows SP3 and a many other updates that I cannot get ever since May 14. (My case is similar to GaryE) and I am a mere and humble pc home user.

    I am getting additional error messages when i dowloand & install subinacl.exe even if i tried to ignore and kept going - Internal error 2350.

    Then I followed the thread of issues with subInAcl (739820) and now I am getting - unexpected error 1605 () - at the cmd [prompt.

    I am feeling desperate and I do not know what to do. Can anybody guide me please?

    Grb1

  • Hi Grb1 - I'm not sure I understand the exact problem you're currently facing.  Are you seeing errors while trying to install SubInAcl.msi, or while trying to run the command lines listed in this blog post to update permissions?  Can you please list the exact steps you have tried and the exact error messages that you received while doing so?

  • I've been using Vista Ultimate with all current updates for over a year

    without any installation issues, but for the past month I've been having

    problems with program updates not installing due to access being denied.

    Specifically: Error 1310. Error writing to file: c:\Config.Msi\... .rfb.

    Verify that you have access to that directory. Also encountered similar

    problems with QuickBooks and iTunes+QuickTime updates. I started having

    problems with searching in Outlook 2007 last week and tried a repair. That's

    when I narrowed down what was going on (or not). I've remedied that by

    reindexing, but now get an error about Custom UI Runtime Error in MS Access

    Outlook Add-in for Data Collection and Publishing ... An error occurred

    while calling the callback: "Ribbon_GetDCVisible." I've consulted with a

    Dell tech and another Vista-savvy tech. I've tried logging on as

    Administrator (which I am also), creating a new administrator profile, Aaron

    Stebner's SubInACL recommendation:

    http://blogs.msdn.com/astebner/archive/2006/09/04/739820.aspx . After this I

    was able to install the QuickBooks update, but not iTunes, nor can I

    accomplish a repair to MSO 2007 Pro. I've installed the latest versions of

    Windows Installer and .NET Framework. UAC is disabled. Does anyone have any

    suggestions for further action? And information on why this started

    happening?

    Thanks,

    Cathy

  • Hi Cathy C - I'm not sure how to explain all of these errors.  Do you have any idea what specific changes were made to your system immediately before these errors started happening?  If you could narrow it down to a specific Windows Update or something like that, it could be really helpful.

    Also, if you haven't already, I'd suggest trying to install Windows Vista SP1 on this system to see if that resets any of the permissions on your system and helps fix any of these errors.

  • A while back, I posted some instructions for using a tool from the Windows Resource Kit named SubInAcl

  • I think you have a type-o in the script missing a backslash after %SystemDrive%.

    Somehow my Windows XP Home Ed. got its permissions on "C:\Program Files" corrupted and this script skipped over it.  Running this command got my file system perms fixed up...

    subinacl /subdirectories c:\ /grant=administrators=f /grant=system=f

    What a relief....

  • Hi Bm55b - Thanks for letting me know about this missing back-slash.  I'm going to update the main blog post text and the downloadable script to address this.

  • I had vista x64 and was trying to get SubInACL to work.  For some reason I was defaulting the install to C:\Program Files\Windows Resource Kits.  Anytime i tried to run subinACL it would give me an error about not being recognized.  I removed the program, reinstalled and made sure to allow it to default to C:\Program Files (x86)\Windows Resource Kits

    Once complete I was then able to run SubInACL and fix my registry issue quickly.

    Not sure if this has been posted, but I saw people having issues with Vista Ultimate X64 and would like to say that it does indeed work in vista x64

    Thanks for the help!

  • I did this procedure and not I am having trouble with access permissions, some things I can do before I can't anymore, getting access permission errors (ex: saving a color management profile in the windows/system director which worked before not gives me access denied).

    I tried what one of the posts suggested but can't figure out where to type the command subinacl /subdirectories c:\ /grant=administrators=f /grant=system=f)

    Please, please can someone tell me how to fix this, or how to undo the entire operation to post did? I don't want to continue years wondering at every bug if it is caused by what this blog suggested...

    I am really not hardcore tech, please can someone help?

  • Hi Datajack - There isn't a way to undo all of the changes made by running SubInAcl.  It sounds like you still do not have enough permissions for all operations on your system, such as saving files to the system32 folder.  The command lines in the script I posted at http://astebner.sts.winisp.net/Tools/reset.cmd.txt already contain a command line to grant administrators and the system account full control to the sub-directories under the Windows directory though, so you should not need to run it again as long as you already ran all of the steps listed above in this blog post.  I'd suggest double-checking that you ran all of the commands listed above and not just the registry commands, and see if that helps.  If not, you can manually update permissions for folders by right-clicking on them in Windows Explorer and choosing Properties, then going to the Security tab and adding the permissions that you need.

    Hopefully this helps.

  • Hi,

    I was desperate as i got a access denied message when trying to update my 2 windows 2003 x64 domain controllers to sp2 from r2. So I thought the problems were related to permissions either in the registry or on the filesystem. After running your reset.cmd, I only have blank desktops, no taskbar, some services are not running, for example IIS, i am lost, what can I do??

  • Hi Toby77jo - I'm sorry for the hassles that this issue is causing for you.  I haven't heard of the SubInAcl command lines listed above causing this kind of trouble on the system, so I'm not sure how to explain why this is happening.  The commands listed above should only be adding permissions to the registry and file system on your computer - they shouldn't be removing anything that existed previously.

    I'd suggest using a system restore point to roll back to a point before you ran SubInAcl if possible, and then you can try to manually update permissions to try to fix the access denied errors you are encountering.  For files/folders, you can update permissions by right-clicking on them in Windows Explorer.  For the registry, you can update permissions by opening regedit and right-clicking on keys.

Page 5 of 23 (331 items) «34567»
Leave a Comment
  • Please add 1 and 8 and type the answer here:
  • Post