Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Rate This

A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    setlocal

    echo.
    echo Determine whether we are on an 32 or 64 bit machine
    echo.

    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    echo.

    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo.
    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo.
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo.
    echo ==========================================================================
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo System Drive...
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo ==========================================================================
    echo.
    echo FINISHED.
    echo.
    echo Press any key to exit . . .
    pause >NUL

    popd

    :END

    endlocal

     
  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>

 

  • Hi,

    but windows 2003 does not have system restore by default, am i wrong?

    I will try a full system restore from an image, hope it will work. All this might not be the reset.cmd fault but also due to the failed sp2 installation...

  • Hi Toby77jo - Yes, I think you will need to do a restore from an image in this case.  It is possible that the failed SP2 install caused these issues, but I'm not sure.  I'm not sure how the SubInAcl commands would cause services that previously worked to stop working though.

  • Did you even know what are you doing???

    This command grant access to every folder for every user:

    subinacl /subdirectories %SystemDrive%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt

    How could you explain this???

  • Hi ZAB - That command line grants read and execute permissions to all users, not full control.  When I look at the computers that I have in my office, read and execute appears to be the default for the users group for all folders on the system.  If you don't want this permission applied on your system, you can modify the command line to remove the /grant=users=e switch.

  • Of course not! You grant access to folder c:\documents and settings\ too, and every subfolders like "my documents" every profile settings all stored passwords for outlook and so on... and it will be transparent to everyone. If you dont know what are you doing at least not recommend this to others.

  • Hi ZAB - You're right - I missed the Documents and Settings (or Users on Vista) sub-directories.  The systems I have been looking at are only single user systems, and are not shared by multiple users.  I've updated the command line above and in the linked script to refer to the %ProgramFiles% folder and %windir% folder instead.  Thanks for letting me know about this.

  • Hi people, I have a little problem over here when trying to use SubInACL to solve my problem. I've tried everything I've found on the web but no matters what I do I just can't find out a solution. I get this when I type reset.cmd on my command prompt:

    D:\WINDOWS>reset.cmd

    Determine whether we are on an 32 or 64 bit machine

    Resetting ACLs...

    (this may take several minutes to complete)

    ==========================================================================

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - HKEY_CURRENT_USER

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - HKEY_CURRENT_USER

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - HKEY_LOCAL_MACHINE

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - HKEY_LOCAL_MACHINE

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - HKEY_CLASSES_ROOT

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - HKEY_CLASSES_ROOT

    System Drive...

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - D:\Archivos

    Windows Directory...

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - D:\WINDOWS\

    ==========================================================================

    FINISHED.

    Press any key to exit . . .

    By the way here is some extra information you may need to help, I'm using XP SP2 as OS, and my windows installation is in the drive D:,... the language of my OS is spanish - that is the reason for which I have a bad quality of english, I am an argentinean :P-

    I've already try lots of things such as running as administrator or use a different reset.cmd.txt I've found on google. The problem    that I've by which I've to SubInACL is that when I try to install Natural Color Pro I get an error saying:

    Self-Registration Error

    The following files din not self-register or unregister:

    1. D:\WINDOWS\system32\Flash.ocx

            Error al tener acceso al Registro OLE

    So I can't isntall it because of that problem with accessing OLE registry.

    Any suggestions would be greatly appreciated.

    Thx for reading all this ;D

  • Hi CeltC - I haven't seen any errors like this before.  SubInAcl seems to think that the names of the registry keys are invalid in those command lines or something like that.  Can you run individual SubInAcl command lines outside of reset.cmd and see if they work?  Or could you try running subinacl.exe /? or subinacl.htm (which is in the same directory as subinacl.exe) and look at the syntax and try to create a command line that works on this system?

    Hopefully this helps.

  • Thanks Aaron - I've followed your instructions. I run subinacl.exe /help and /help syntax and it seems to be everything ok, however when I individually run the command lines of reset.cmd I still get that annoying "syntax error":

    D:\Archivos de programa\Windows Resource Kits\Tools>subinacl /subkeyreg HKEY_CUR

    RENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=Ezc

    urra\Usuario=f /setowner=administrators > %temp%\subinacl_output.txt

    Elapsed Time: 00 00:00:00

    Done:        0, Modified        0, Failed        0, Syntax errors        1

    Last Syntax Error:WARNING : /grant=administrators=f : Error when checking argume

    nts - HKEY_CURRENT_USER

    I tried to find out what was wrong, and I realized then that some command lines such as: (...)subinacl /keyreg HKEY_LOCAL_MACHINE\ /display   works perfectly. Even when I tried to run (...)subinacl /file D:\TESTACCESS.TXT /grant=Ezcurra\Usuario=o for verifying if it works everything just is perfect. So I took the previous command line from the oringal reset.cmd and erased every action except for the one that gives full control of the HKEY_CURRENT_USER regkeys and subregkeys to the current user and I got this:

    D:\Archivos de programa\Windows Resource Kits\Tools>subinacl /subkeyreg HKEY_CUR

    RENT_USER /grant=Ezcurra\Usuario=f > %temp%\subinacl_output.txt

    Elapsed Time: 00 00:00:19

    Done:    10391, Modified    10385, Failed        6, Syntax errors        0

    Last Done  : HKEY_CURRENT_USER\Volatile Environment

    Last Failed: HKEY_CURRENT_USER\Software\ALWIL Software\Avast\4.0\ashSimpl\Settin

    gs - RegSetKeySecurity Error : 5 Acceso denegado.

    It seems that it worked fine but I do not know if this command in fact is of some utility. At this point I think I can't do much more and I don't want to do anything risky. So instead of  doing something harmful I would like to have an opinion of someone who really knows about this.

    Thx again for your aid and I apologised for any writing error that I may have had since in fact I am still learning English.

    Celtc

  • Hi Celtc - I haven't seen this kind of error before, so I can't tell for sure what is going on and I'm not sure what to suggest to resolve it.  It sounds like the SubInAcl tool is working on your system, but that there is something wrong with the exact command lines being used.  I'd suggest trying different combinations of the command line switches listed in this blog post in order to narrow down exactly what part of the command line is causing these errors.

  • Hi CeltC - One thing I forgot to mention here - if you are using a non-English version of Windows and any of the user or group names are translated on your system, then you will need to adjust these SubInAcl command lines to use the translated names.  This is described in more detail in issue #1 in the blog post at http://blogs.msdn.com/astebner/archive/2008/06/17/8613982.aspx.

  • In the file "reset.cmd" you are supposed to replace "username' with your name.

    Assuming your name is "John Doe", would you replace with:

    John Doe

    or

    "John Doe"

    With thanks

  • Hi DaddySam - That is correct - there is a step listed above that says "Change the values named YOURUSERNAME to be the Windows user account that you are logged in with."  However, it is easy to miss that, so I'll add a comment to the copy of reset.cmd on my file server as well to hopefully help people find that in the future.

  • Windows Update for SP3 gave me the following error message:

    Service Pack 3 setup could not backup Registry Key HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\KB873339 to file C:\Windows\$NtServicePackUninstall$\reg02315. 5: Access denied

    Should I run the SubInACL tool or would there be a simpler solution to that problem ?

    This is the first time that I am encountering an installation problem

    With thanks

  • Hi DaddySam - The SubInAcl command lines listed above will update the permissions for several locations on your file system and in your registry.  For this particular error, it lists an exact location that it is having trouble accessing.  It might be possible to just go in and manually update the permissions for that specific folder location and see if that solves this error.  You can update permissions manually by doing the following:

    1.  Opening Windows Explorer

    2.  Right-click on the folder and choose Properties

    3.  Click on the Security tab

    4.  Add the necessary permissions (typically, you need to make sure that the SYSTEM account and the Administrators group both are listed there and have Full Control permissions granted to them

    Hopefully this helps.

Page 6 of 22 (328 items) «45678»
Leave a Comment
  • Please add 3 and 3 and type the answer here:
  • Post