Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Rate This

A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    setlocal

    echo.
    echo Determine whether we are on an 32 or 64 bit machine
    echo.

    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    echo.

    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo.
    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo.
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo.
    echo ==========================================================================
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo System Drive...
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo ==========================================================================
    echo.
    echo FINISHED.
    echo.
    echo Press any key to exit . . .
    pause >NUL

    popd

    :END

    endlocal

     
  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>

 

  • Running the script at the top of this page on a Vista 32 machine I get several 'Failed' and a 1.8Gb subinacl_output.txt file generated. Is this normal? I have tried running in normal windows mode as well as safe mode with similar results. Should I be able to get to a point where there are no failures or should there always be a few?

    Thanks for any help.

    The summary output from running the script is:

    Determine whether we are on an 32 or 64 bit machine

    Resetting ACLs...

    (this may take several minutes to complete)

    IMPORTANT NOTE: For this script to run correctly, you must change

    the values named bob to be the Windows user account that

    you are logged in with.

    ==========================================================================

    Elapsed Time: 00 00:00:23

    Done:    19122, Modified    19122, Failed        0, Syntax errors        0

    Last Done  : HKEY_CURRENT_USER\Volatile Environment\1

    Elapsed Time: 00 00:00:00

    Done:        1, Modified        1, Failed        0, Syntax errors        0

    Last Done  : HKEY_CURRENT_USER

    Elapsed Time: 00 00:10:31

    Done:   377633, Modified   377618, Failed       15, Syntax errors        0

    Last Done  : HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a9hqrxfr\Param

    eters\PnpInterface

    Last Failed: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg : 5 A

    ccess is denied.

    Elapsed Time: 00 00:00:00

    Done:        1, Modified        1, Failed        0, Syntax errors        0

    Last Done  : HKEY_LOCAL_MACHINE

    Elapsed Time: 00 00:08:49

    Done:   128238, Modified   128226, Failed       12, Syntax errors        0

    Last Done  : HKEY_CLASSES_ROOT\{FEDC2E25-975DFD53-6981D376}

    Last Failed: HKEY_CLASSES_ROOT\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\Inpr

    ocServer32 : 2 The system cannot find the file specified.

    Elapsed Time: 00 00:00:00

    Done:        1, Modified        1, Failed        0, Syntax errors        0

    Last Done  : HKEY_CLASSES_ROOT

    System Drive...

    Elapsed Time: 00 00:12:26

    Done:        0, Modified        0, Failed        0, Syntax errors        0

    Windows Directory...

    Elapsed Time: 00 00:04:20

    Done:    92977, Modified    92972, Failed        5, Syntax errors        0

    Last Done  : C:\Windows\winsxs\x86_xrxscan.inf.resources_31bf3856ad364e35_6.0.60

    00.16386_en-us_ed393488b2a7196c\xrxscan.inf_loc

    Last Failed: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

    - CreateFile Error : 5 Access is denied.

    ==========================================================================

    FINISHED.

  • Hi FredJones - In my past experience using SubInAcl, I found that there are typically always some registry values held in use by the OS that can cause errors/warnings when trying to update the permissions.  It is usually OK to ignore that type of error/warning unless it is causing some specific error while trying to install or use a specific application on your system.

  • Thanks a lot for this routine.

    I'm running XP, and tried to install DeLorme Topo USA 7.0.  Tried about ten other things before I found your blog.  Ran the reset.cmd from here and it worked like a champ.

    http://astebner.sts.winisp.net/Tools/reset.cmd.txt

    Again. Thanks a million!!!

  • I was not able to install .net framework 3.0 nor Visual Basic express 2008, and this post solved the problem. Thanks!.

    This are some of the error messages. A little help for google :)

    WIC Installer: [2] Error code 1603 for this component means "Fatal error during installation.

    ...

    ProductInstall.GlobalRegistryChanges.Install error: 0x5

    ...

    Access is denied.

    ...

    WIC installation did not complete.

  • Is this an ignorant question? I'm installing SP1 on VISTA and it goes into a loop on stage 3 - no matter if it's SAFE mode or not. The solution is to do a restore. I've tried restore from WinRE, and the original DVD and I get 0x80070005 - access denied. Since I don't have a system - only WinRE (a basic DOS) system can SubInACL run in that environment? I just want to do a restore and somehow get by the 'access denied' problem. Thanks ... Michael

  • Hi MHalladay - I don't know for sure if SubInAcl can be run from this type of environment.  For this type of Vista SP1 install error, I'd suggest trying one of the free Vista SP1 support options listed at http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11274.

  • I started with notes to Microsoft last Tuesday - took 72 hours for the 1st 24hr (advertised) response. The 2nd response was within the 24 hours. They asked me to do a CHKDSK /R (which anyone knows takes about 12 hours - needless to say a brush off) I told them I'd aready done that it was clean) Took another 24 hours for them to ask me to do a RESTORE. Since I'd already told them in my 1st note that I'd tried that - it was another brush off. Anyway it's been about 6 days and so far nothing in the last 36 hours. I suspect they'll either tell me to re-install VISTA (Clean of course) or to do another CHKDSK. Needless to say MS is a write-off which is why I'm looking everywhere else for an answer.

    You'd think my original question to them - I'm in a loop on stage 3 installing SP1 and restore gives me a 0x80070005 - access denied - would be for them a simple look in their database for an answer and tell me what it is. Instead it's the same old run around. Luckily only one of my systems is VISTA, but it's an important system. I'm still looking for answers.

  • Dear Aaron,

    I have a Lenovo laptop which has Vista O/s in it.  It's a Pre-Installed Version.  Recently i noticed that i'm facing a strange problem,

    that i'm unable to delete/move files inside a folder in D Drive.

    I have two folders in D Drive.

    1. Program Files

    2. Others

    I'm able to create/delete/move/copy files or folders into "Others" folder.  Were as i don't have permission to

    delete/move/add new file or folders to the "Program Files" folder in D Drive.

    I found your blog discussing about similar issue(s).  I tried even installing "SubInACL tool" but that hasn't helped me.  

    Is there any specific method/way to get rid of this problem.  I'm facing this for more than 2 months.

    Thanks for any help.

    Regards,

    Rajan.SP

  • Hi Rajan SP - The SubInAcl command lines listed in this blog post only change permissions on the system drive (the drive letter that you have Windows installed to).  If you don't have Windows installed to your D drive, then those command lines will not help.

    You can try one of the following to see if they help in this scenario:

    1.  Update the command lines listed above to cause SubInAcl to modify permissions on your D drive instead of %programfiles% and %windir%

    2.  Manually change the permissions for the folder that you're having trouble with by right-clicking on the folder and choosing Properties, then Security, then clicking the Edit button and adding the users/groups that you want to have permission to this folder

  • Hi Aaron,

    Thanks for your reply.

    But i'm unable to get rid of the problem.

    I tried changing the Command line to "D:\Programfiles" but i am getting the following error

    SetKernelObjectSecurity Error for the folder.

    When i tried to run the command for other folders

    ie. "D:\Others", i am not getting this error.

    Also i tried changing the security setting by right clicking, but that doesn't helped me either.

    Please help me solve this problem.

    Regards,

    Rajan.S.P

  • Hi Rajan SP - If you are getting an error message like the SetKernelObjectSecurity error you describe, it likely means that the command line you're passing to SubInAcl isn't exactly correct.  When you install the SubInAcl tool, it also installs a readme HTML file in the same directory as the tool.  I'd suggest reviewing the contents of that readme to see the exact syntax you need to use for updating the security permissions on this folder.

    If you are unable to get SubInAcl to work and also are unable to get the security permissions to change by using Windows Explorer, then I'm not sure what else to suggest.  You may want to post a question to one of the Windows Vista newsgroups or contact your computer manufacturer for more in-depth troubleshooting assistance.

    I'm sorry I haven't been able to be more helpful in this scenario.

  • Hi Aron,

    I'm facing the same problem of update error 80070005 (I'm using vista ultimate).

    I've tried as per above instruction.

    First downloaded the Subinacl, then installed in c:\Program Files\Windows Resource Kits\Tools

    then copied the commands as reset.cmd then i run this file as adminiatrator.

    An dos window prompted and started resetting the ACL. This has started y'day evening 8pm still it's going on, nearly 45 million registries have been modified and aroung 36 registries failed.

    I want to know how long it'll take to complete the resetting and regarding failed registries what i've to do.

    Kinldly advice.

    Thanks/Balaji

  • Hi Balaji7u - The time it takes to run the SubInAcl tool depends on how many files, folders and registry values it needs to process (which is specified by the command lines you pass in when you run it).  If you are getting that many errors, it doesn't sound like it is running correctly though.  I'd suggest trying to run it from an elevated cmd prompt instead of right-clicking and trying to run it as administrator that way.  Step 2 in this blog post will allow you to launch an elevated cmd prompt.

    Also, if your issue is happening while installing OS updates on Windows Vista, there are a couple of other things I'd suggest trying before resorting to using SubInAcl:

    1.  Try to install Windows Vista SP1 if you haven't already.  It contains many fixes for the OS update installation engine on Vista, but it may not install correctly either if you're already having trouble installing OS updates.

    2.  Try the System Update Readiness Tool described at http://support.microsoft.com/kb/947821.

  • Hi Aron,

    Thank you for your reply.

    In continue to my above post, it took totally 17 hours to modify the registries. finally it shown as

    done:5536543, modified:5536500, failed: 42, syntx error: 0.

    and a pop up window appeared saying as 'subinacl stopped working'

    Pls advice what i've to do now.

    I've installed vista SP1 one month back. after that i've changed my anti virus from Norton to Mcafee. After this only the updates are not getting installed.

    Pls help to resolve this.

    Thanks / Balaji

  • Hi Balaji7u - If SubInAcl crashed, it probably did not complete the actions in the command lines that you ran.  There are a couple of things I'd suggest trying next:

    1.  Manually update the permissions for the files/registry that are currently giving you the 0x80070005 error messages.  Usually, there will be log file entries or event log entries that specify exactly what files/registry you are getting access denied from.

    2.  Try the Windows Vista SP1 support site for more in-depth troubleshooting assistance.  You can find contact information for this at http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11274.

Page 7 of 21 (310 items) «56789»
Leave a Comment
  • Please add 6 and 7 and type the answer here:
  • Post