Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Rate This

A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    setlocal

    echo.
    echo Determine whether we are on an 32 or 64 bit machine
    echo.

    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    echo.

    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo.
    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo.
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo.
    echo ==========================================================================
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo System Drive...
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo ==========================================================================
    echo.
    echo FINISHED.
    echo.
    echo Press any key to exit . . .
    pause >NUL

    popd

    :END

    endlocal

     
  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>

 

  • Hi Tez - In this case, I don't think the SubInAcl tool is what you need to use to solve the issue.  There are a couple of things I can think of to try:

    1.  Try to launch Outlook with elevated permissions and trigger the configuration dialog again.  It might complete successfully if it is run from an elevated process.

    2.  If #1 doesn't help, then you may want to try to manually run a repair for Microsoft Office by using the entry in the Programs and Features control panel.

    3.  If #2 doesn't help either, then you may need to uninstall + re-install Microsoft Office to solve this problem.

    Hopefully one of these will help.

  • I was wondering if anyone can help here. on Win7 64 I was having a Windows Live Mail problem that appears to be related to this reg key:

    HKEY_LOCAL_MACHINE/SOFTWARE/Classes/.eml

    I get the following error when running WML:

    Detection of product '{9D56775A-93F3-44A3-8092-840E3826DE30}', feature 'WinMailFeat', component '{2C57E711-D78F-4008-9502-CC4DB2832354}' failed. The resource 'HKEY_LOCAL_MACHINE\Software\Classes\.eml\shellex\{8895b1c6-b41f-4c1c-a562-0d564250836f}\' does not exist.

    For some reason, I cannot make any changes to this registry key, and cannot even give myself permission to change it (even when I run regedit as admin). When I check its permissions, there's no users or groups attached.

    I downloaded the subinacl.exe command line utility and ran a suggested script to change permissions on reg keys. However, I get the following error:

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eml - AddAce error : 87 The parameter is incorrect.

    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eml: 5 : Unable to enumerate subkeys

    ... and still cannot access the reg key.

    Any help appreciated,

    P

  • Hi Paul Moloney - I think you may have already tried this, but I am going to list it just in case.  Does it help at all to use steps like the ones in the blog post at www.raymond.cc/.../full-control-permission-to-delete-or-edit-restricted-windows-registry to take ownership of this registry key?

    The knowledge base article at http://support.microsoft.com/kb/313222 might also help you reset the permissions on this key.

     

  • @FuzzyBS

    After a whole three days trying to install real player which happen to just dissappear trying to update. i finally got it running. I tried the first program which astebner has explained. It didnt work :(

    I came back to this post today and tried your program and finally it installed and ran. I just finished formatting my computer yesterday.

    Thanks a lot for your post !!!! You saved my day ...

  • Windows 7 Ultimate

    I ran SubInACL Tool and then edited the reset.cmd file just like you described.  Then I ran Reset.cmd and it seemed like everything worked.  I even rebooted my computer before I tried to run windows updates.  But I am still getting the same errir, Code 80070005.  I have not gotten a Windows Update since 11-10-2010 and I am the only user on my computer, and I am the administrator.  Any advice?  Please help!!!

  • Hi Jon K - I haven't seen folks have good luck using the steps in this blog post to solve Windows Update installation problems on Windows Vista and higher.  I've posted some links to knowledge base articles that might help in this scenario at blogs.msdn.com/.../9472695.aspx.

    If that information doesn't help, then you may need to either contact Microsoft Technical Support (using the contact instructions at http://support.microsoft.com) or try to repair/re-install Windows to solve this type of Windows Update installation issue.

  • THANK YOU SO MUCH, I had been battling this issue for over a year! This worked I am sooooooo happy and grateful! Finally I am updated!

  • Hi Aaron, thanks for this post.

    Do you know if there is a way we can include all shared folders as well? For example I have many shared drives folders whose permissions needed to be set.

    subinacl /subdirectories %fileserver%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt

    Would the above code work for all network shares? (sorry if double post, not sure if submitted?)

  • Hi Jeff - I'm not sure whether or not SubInAcl would support this type of scenario.  The SubInAcl tool installs an HTML file with a user's guide to the same folder as subinacl.exe, so I'd suggest taking a look at that to see if there is any information in there that would help in your scenario.

  • Hope I didn't miss the answer in this very long post

    I have Win7-64bit, ran Office 2010 for 2/3 months in 32bit mode ( thinking it would install 64bit due to the OS) I then (today) un-installed office & installed office 64bit, every time I open a module ( word , excel) I get the "please wait while windows configures microsoft office single image 2010" screen. Was then in contact with MS, pointing me to this post. I followed all the advice, but still no luck.

    I then read further on that Subinacl is not suppose be work on 64bit OS ?

    I do get many-may error (in red) in the CMD box while its running

    Any advise or direction ?

  • Hi Jan - SubInAcl will work on a 64-bit OS, but I think it will only fix permissions issues for 32-bit registry keys in that scenario.  I'm not sure that SubInAcl is needed to solve this type of issue with Office though.  When you see that type of configuration dialog, it means that Windows thinks that there is something broken in Office's installation process that needs to be repaired.  It might help to try to launch Office with administrator privileges (by right-clicking on it and choosing Run as Administrator), then let it repair once more.  Sometimes, the repair process cannot complete successfully without administrator privileges.

    If that doesn't help, then there are entries in the event log that will explain exactly why this repair is being triggered.  I'd suggest contacting the Microsoft support team again and having them take a look at your application event log to try to narrow down this issue further using those event log entries.  The steps I use to look at the event log for this type of issue are described at blogs.msdn.com/.../219764.aspx.

  • Hello Aaron!

    Just commenting to let you know that four and a half years after you made this post you're still helping people.

    My case was the dreaded error#1402 from Adobe Reader, which I tried to solve a couple of months back then just ignored it for a while after failing. Yesterday I was cleaning up my computer and decided i'd get rid of it once and for all. Knew the problem was on registry, tried messing with the permissions but no success, until I found your post. Many thanks.

    Cheers from Brazil,

    Leonardo.

  • FYI I tried installing Win7 64bit SP1. It consistently got to 95% and then crashed with an 80070005 error. After hunting round and reading this blog I was directed to windows.microsoft.com/troubleshootwindows7sp1. It seems that they released the SP1 on Feb 22'11 and then released a Hotfix on the same day. I followed their instructions, ran the hotfix...and SP1 then installed OK.

  • This fixed my Silverlight Issue where IE8 kept saying install silverlight for a better web experience everytime which ultimatly became redundant.  Although silverlight worked fine in firefox, I needed it to work in IE8 so that it would also work with the NetFlix in Vists's Media Ceter.  Went months without a fix until finally now. :-)

  • Hard to believe a 5-year-old blog entry is still useful today. I have used subInACL to fix corrupt Windows installations quite a lot.

Page 13 of 20 (295 items) «1112131415»
Leave a Comment
  • Please add 8 and 6 and type the answer here:
  • Post