Aaron Stebner's WebLog

Thoughts about setup and deployment issues, WiX, XNA, the .NET Framework and Visual Studio

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Solving setup errors by using the SubInACL tool to repair file and registry permissions

Rate This

A while back, I wrote a blog post about a .NET Framework 2.0 beta 2 installation problem that was caused by incorrect access control list (ACL) permissions on some registry hives.  In that post, I described how to use a tool in the Windows Resource Kit named SubInACL to reset file and registry ACLs to help solve this problem.

Ever since I wrote that post, I have run into installation errors for several other products that have been solved by using the SubInACL tool.  Therefore, I wanted to write a standalone set of instructions for how and when to use the SubInACL tool because the previous blog post is specific to the .NET Framework 2.0 setup and does not always appear in search results when people run into this kind of a problem and search the Internet for assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL tool to repair file and registry permissions that are often needed to successfully install programs on Windows, particularly for MSI-based (Windows Installer) setups:

  1. Download the SubInACL tool and install it.  By default it will install to c:\Program Files\Windows Resource Kits\Tools
  2. If you are running Windows Vista, click on the Start menu, choose All Programs, then Accessories, then right-click on the item named Command Prompt and choose Run as administrator
  3. If you are running an OS other than Windows Vista, go to the Start menu, choose Run, type cmd and click OK
  4. In the cmd prompt, type notepad reset.cmd and click yes to open Notepad.exe and create a new text file named reset.cmd
  5. Copy and paste the following contents into reset.cmd (or download it from this location on my file server and rename it from reset.cmd.txt to reset.cmd):

    @echo off
    title Resetting ACLs...

    setlocal

    echo.
    echo Determine whether we are on an 32 or 64 bit machine
    echo.

    if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86

    set ProgramFilesPath=%ProgramFiles(x86)%

    goto startResetting

    :x86

    set ProgramFilesPath=%ProgramFiles%

    :startResetting

    echo.

    if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist

    echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
    goto END

    :filesExist

    pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"

    echo.
    echo Resetting ACLs...
    echo (this may take several minutes to complete)
    echo.
    echo IMPORTANT NOTE: For this script to run correctly, you must change
    echo the values named YOURUSERNAME to be the Windows user account that
    echo you are logged in with.
    echo.
    echo ==========================================================================
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo System Drive...
    subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo Windows Directory...
    subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
    echo.
    echo.
    echo ==========================================================================
    echo.
    echo FINISHED.
    echo.
    echo Press any key to exit . . .
    pause >NUL

    popd

    :END

    endlocal

     
  6. Change the values named YOURUSERNAME to be the Windows user account that you are logged in with.

    Note:  The YOURUSERNAME value should match the name of your user folder at c:\Documents and Settings (or c:\users on Windows Vista and higher).  You can also find the value to use for YOURUSERNAME by launching Task Manager and looking at the user name listed in the User Name column of the Processes tab.

  7. Save and close reset.cmd. 
  8. In the cmd prompt, type reset.cmd and press enter to run the SubInACL tool.  This tool will take several minutes to run, and it requires that the user account you are using has administrator privileges on the system.  This is why it is necessary to run it from an elevated cmd prompt on Windows Vista.  Step 2 above can be used to start an elevated cmd prompt on Windows Vista.
  9. After reset.cmd completes, try to install the product that previously failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl can fail.  For example, some non-English versions of Windows have the name of the Administrators group translated to another language, and the command lines listed above will fail in that case.  I have posted workarounds for the issues that I know of in this separate blog post.

Also note: Running the above command lines will cause SubInAcl to create a log file named %temp%\subinacl_output.txt.  If you see any errors reported in the cmd prompt after running SubInAcl, you can look in this log file for more detailed information about what file(s), folder(s) or registry value(s) are causing the errors.  To open this log file, you can click on the Start menu, choose Run, type notepad %temp%\subinacl_output.txt and click OK.

When looking at this log file, you may see some errors reported with error code 5.  That error code means Access Denied, and it is typically caused by Windows or some other program running on your system that is holding files, folders or registry values in use so that SubInAcl is unable to update the permissions for them.  Most of the time, that type of error in the SubInAcl output can be safely ignored, but you may need to try to reboot and then manually fix the permissions for these files, folders or registry keys as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package fails with error code 5 or 0x5 or 0x80070005.  All of these error codes mean Access Denied, and this type of error code is often caused by missing ACLs for the Administrators group or the built-in System account.  The Windows Installer service runs with System account permissions in most cases.  If the System account does not have sufficient permissions to access the file system or parts of the registry, an MSI-based setup package will fail with an Access Denied error.

SubInACL can also help resolve Internet Explorer script errors caused by incorrect access control permissions for specific user accounts on the system.

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005.  I looked at the main Visual Studio log file located at %temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup was failing.  Then, I looked at the Windows Installer 3.1 setup log file located at %windir%\KB893803v2.log.  It showed the following error:

30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.

I had the customer run the above steps to use the SubInACL tool to update the file and registry ACLs on their system, and then they were able to install Windows Installer 3.1 and Visual Studio 2005 with no further problems.

<update date="11/15/2006"> Updated subinacl command lines to include recursive ACL updating for folders and files under %windir% </update>

<update date="3/22/2007"> Updated the steps to make them easier to follow by moving the directory change into the batch file. </update>

<update date="9/25/2007"> Updated the notes to indicate that some Internet Explorer script errors can be resolved with this tool as well. </update>

<update date="5/30/2008"> Updated command lines based on customer feedback regarding their experiences on Windows Vista. </update>

<update date="6/16/2008"> Updated command lines to cause SubInAcl to create a log file in the %temp% directory in case it is needed for troubleshooting afterwards. </update>

<update date="6/17/2008"> Added a link to a blog post where I describe a couple of workarounds for problems that can occur while trying to install and/or run SubInAcl. </update>

<update date="6/20/2008"> Updated command line to include a backslash after %SystemDrive% in the 2nd to last command. </update>

<update date="6/24/2008"> Updated wording of link to the post for troubleshooting SubInAcl errors to try to make it more visible. </update>

<update date="7/29/2008"> Updated directory ACL command lines to not affect the Documents and Settings sub-folders. </update>

<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>

<update date="4/7/2009"> Added clarification about how to determine the correct value to substitute for YOURUSERNAME in the sample SubInAcl script. </update>

<update date="5/18/2009"> Added clarification about where to run reset.cmd after creating it. </update>

 

  • Hi Jimena - I don't have expertise troubleshooting Vista gadget issue or McAfee anti-virus issues.  For the Vista gadget issue, I'd suggest posting a question on one of the Windows Vista forums listed at windows.microsoft.com/.../community.  For the McAfee issue, I'd suggest searching on their web site to see if they can suggest any workarounds for you to try.

  • Hallo, I had 8007005 error after I've manually removed the fake S.M.A.R.T. Check malware program from a PC with Windows 7.

    To resolve it I've simply removed the hidden and read-only attribute from then c:\Windows\SoftwareDistribution folder and subfolder and windows update worked again.

    Hope this helps

  • Hi Aaron,

    I am very impressed with the end result of the script.  It worked marvelously!  Thank you!

    My only point to improve upon this would be to rename "repair.cmd" into a *.bat (batch script) which I did and ran after modifying the field "YOURUSERNAME".  This really simplified the process for me.  The initial steps were confusing, but I finally got it and it did fix the error(s) I was having!  THANK YOU!

    -- Morris

  • Dear Mr. Aaron Stebner

    May I ask help from you?

    My system is Windows vista home basic, Service pack 2. In order to solve a windows update problem (code 80070005), I followed the procedure below, which is a post from a Microsoft forum. After running the reset batch, the original problem seemed to be solved, but it resulted in other more serious problems, such as the audio system, Windows Update, McAfee update and many other services not functioning. They frequently show the reason of “Not enough storage is available to complete this operation”. May I ask whether you think that your script can solve my problem? Or do you have any suggestion? Thank you very much anyway.

    ==========================================================

    Hi,

    I hope al the 80070005 sufferrers are still reading this thread.

    If disabling virus scan does not solve the problem then try the following.

    This worked like a charm for me on my Vista SP1 XPS Laptop.

    I got the solution from Microsoft, as was recommended in one of the postings on this site.

    They were actually really quick in responding and suggesting the soution.  The problem does have to do with corrupted permissions in the registry.

    Here are the steps to follow:

    In Scanning process, we can use Permission Reset Tool in TC.

    1. Please download the subinacl.msi file from the following link and save the installation patch onto the Desktop:

    www.microsoft.com/.../details.aspx

    2. Please go to the Desktop and double click the downloaded file.

    3. Please select the C:\Windows\System32 folder as the Destination Folder during the installation. Later we will use this tool to reset the permission settings on the current machine.

    4. Click the "Start" Button, in the "Start Search" bar, type: "notepad" (without quotes) and press Enter.

    5. Copy the following commands and then paste them into the opened Notepad window:

    @echo off

    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f

    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f

    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f

    subinacl /subdirectories %SystemDrive% /grant=administrators=f

    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f

    subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f

    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f

    subinacl /subdirectories %SystemDrive% /grant=system=f

    @Echo =========================

    @Echo Finished.

    @Echo =========================

    @pause

    6. After pasting the above commands, please close the Notepad window. Choose "Save" when you are prompted to save the file. Type "reset.bat" as the file name and choose "Desktop" from the left panel as the save location.

    7. Refer to the Desktop and right click the reset.bat file, then choose "Run as administrator."

    8. You will see a DOS-like window processing.

    NOTE: It may take several minutes, please be patient. When it is finished, you will be prompted with the message: "Finished, press any key to continue".

    Note: About some driver update installation procedure, we also received this error code, please reroute this kind of case to Vista System Team, because, it may regard for third party programs structure.  

    ==========================================

  • Hi Sigurd58 - I don't think the script in this blog post would help in your scenario because it does essentially the same thing as the script you found in that forum post.  Your scenario sounds like it might be similar to the issue described at www.brianpeek.com/.../weird-vista-registry-issue.aspx, so I'd suggest taking a look at that post to see if the description matches what you see in your registry.  If so, then I'd suggest trying the steps there to see if they help.

  • Excellent, been struggling with an access denied driver error, tried everything upto this point and nothing work. Was just at the point of reformatting machine when I found this, worked perfectly! Win 7 SP1. Thank you.

  • I'm trying to setowner of subkeyreg, and am receiving output that reflects nothing is performed:

    +subkeyreg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum*

    /setowner=domain\user

    Done:        0, Modified        0, Failed        0, Syntax errors        0

    The user who is running subinacl has full control over HKLM\SYSTEM\ControlSet002\Enum

    Aaron, I noticed you do use setowner with subkeyreg and am curious what it is I'm doing incorrectly, or how I'm misunderstanding the tool.

    Thanks,

    Matt

  • Hi Matt - What is the full command line that you're using in your scenario, and what version of Windows are you running it on?

    There is a user's guide named subinacl.htm that is installed next to subinacl.exe when you install the tool.  If you haven't yet, I'd suggest taking a look at the user's guide to see if it helps you at all as you try to troubleshoot this issue.

  • I paused Kaspersky and now it went in like a dream

  • I tried the guide I get 40000 plus errors.

    W7 64 bit SP1.

    I run an admin account.

    Any help would be much appreciated.

    I turned my AV off didnt make a difference.

  • Hi KOz - When the number of errors is that large, it usually means that subinacl wasn't run from an elevated cmd prompt.  Even if you are logged in as a user that has administrator privileges, you need to run subinacl from an elevated cmd prompt.  There are steps that will help you do that in the blog post above.

    If that doesn't help, then I'd suggest posting a question on the Windows 7 forums at answers.microsoft.com/.../windows_7 and describe the exact problem you are encountering that led you to try to run subinacl in the first place.  Hopefully someone there will be able to provide some additional suggestions for you to try.

  • Hi there,

    Was directed to your blog after having a series of issues. Hopefully you can help and I will be eternally grateful!

    My dad got a new Lenovo laptop with Windows 8 installed. It was dire and he was used to windows 7 so after a load of issues we formatted and installed windows 7.

    At this moment in time, everything seems to work fine apart from MS office and Windows Live Mail. MS Office (regardless of programme, Word, Excel, all of them) when fired up attempts to install, attempts to grather required information, and with no error message just closes and nothing happens. The programs dont run and I dont get an error message. On the installation, everything seems fine too. All the files are on the C drive. I've tried uninstalling and reinstalling, tried office 2007 and 2010, tried your tool above, twice, still no luck.

    Windows Live Mail also gets the installation box, but runs after the box has disappeared without any noticeable issues.

    Any help would be very much appreciated.

    P.S. You need a "donate" button somewhere!

  • Hi Jamie - To try to solve the Office auto-repair issue, I'd suggest trying to right-click on the Office application you want to run and choose Run as Administrator.  I'm hoping that whatever it is trying to repair will work correctly if the application is given administrative privileges at least once.  The same technique might also help solve the auto-repair that you're seeing when you launch Windows Live Mail.

    If this doesn't help, then I'd suggest posting a question on the Office forums at support.microsoft.com/.../gp_newsgroups_master to see if someone there can provide some additional suggestions for you.

  • Hi Aaron,

    i'm trying to solve a .net4 full installation problem with the subinacl script on win 2k3 server std 32bit ita. the command give me a syntax error in the "/grant=restricted=r" part and don't process the hklm and hkcu section of the registry. who is the "restricted" user or group? can i ignore that part and delete it from the script? i try both your and PCPerspective scripts versions

    thanks in advance for any suggestion

  • Hi flipmenidsair - I think that restricted is a built-in user account, and there might be issues with that account name being translated on some non-English versions of Windows.  I think it should be safe for you to delete that from the script when you try to run it on your computer.  You might also want to review the contents of the file named subinacl.htm that is installed to the same folder as subinacl.exe.  It contains some more detailed documentation about the supported command line switches and usage examples for the tool.

Page 16 of 20 (295 items) «1415161718»
Leave a Comment
  • Please add 4 and 5 and type the answer here:
  • Post