Troubleshooting Permission Errors While Updating Software

A number of people are reporting errors when running software update tools. The tools include Windows Update, Windows Defender Updates, Installshield, Adobe Updater, and probably others as well. The errors include 80070005 (from Windows tools) and c0000005 (from others). To see if we can help people get their software updates, Steve Wechsler helped me put together some troubleshooting steps. If these steps help, and more so if they don't, we'd like to hear about it. If you find something else that helps, let us know by posting a comment.


 


All these errors indicate a permissions issue of some kind. All of them basically mean "Access Denied". However, determining exactly what the cause is can be difficult. There seem to be two main reasons why this is happening: multiple firewalls on the same computer, and a permissions issue, usually in the registry.


 


Multiple Firewalls
Several people with this problem report that it disappeared when the shut down one of the several firewalls they had on their computer. If you have installed a security suite, such as Norton Internet Security, on a Windows Vista computer, you have multiple firewalls. That, in and of itself, is not a problem as long as only one of them is running. However, if two, or more, are running at the same time, you will run into trouble. Some third-party firewalls appear to fail to properly disable the built-in Windows Firewall. If you have a third-party security suite installed, take the following steps to ensure the Windows Firewall with Advanced Security is turned off:

  1. Click the Window button (the start menu)
  2. In the search dialog, type "Windows Firewall"
  3. In a few seconds you will have a couple of results, including one that says "Windows Firewall". Click that one
  4. If the right-hand window says "Windows Firewall is on" click "Change settings"
  5. Accept the User Account Control prompt by clicking "Continue"
  6. Select the "Off (not recommended)" radio button and click OK. WARNING: do not do this unless you are sure you have a third-party firewall!
  7. Attempt to run the updater that failed again.

If this resolves the problem you can resolve it permanently by either leaving Windows Firewall off, or by disabling the third-party firewall. For the most part, they perform the same function, although the built-in firewall typically is far less intrusive and more stable. To disable the third-party firewall refer to the manufacturer's documentation.


 


Permissions Problems


If you do not have two firewalls the problem is almost certainly permissions related. If this is your case you need to resort to advanced troubleshooting tools.


 


Follow these steps carefully. They are written for Windows Vista, but the problem has also affected Windows XP. With only minor modifications (such as the ommission of the UAC elevation-related steps) they work on Windows XP as well.


 


Keep in mind that setting incorrect permissions can significantly harm your computer, to the point where it is either completely insecure, will not boot, or both. There are multiple recommendations out on the Internet that recommend that you change the permissions on large parts of the registry and the operating system. Doing so will render your computer unsupported and disable significant parts of the security sub-system. Surgical precision is key when modifying permissions.


 


  1. First, download Microsoft/System Internals Process Monitor from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx. Save it somewhere you can remember, such as your Downloads directory or the desktop.
  2. Open the Downloads directory in Windows Explorer (the easiest way is to hold down the Window key and hit E, click your name, and click Downloads)
  3. Right-click ProcessMonitor and select "Extract all…" Walk through the wizard to extract the files
  4. In the window that opens when the extraction is complete, double-click "procmon" or "procmon.exe"
  5. In the "Open File – Security Warning" prompt, uncheck the box that says "Always ask before opening this file" and click Run
  6. Accept the User Account Control prompt by selecting Continue
  7. Accept the license agreement (no, the next time you run the tool you will only have the User Account Control prompt, not all three)
  8. Maximize the window
  9. Hold the CTRL key and hit L
  10. In the drop-down that says "Architecture" select "Result"
  11. In the text box next to "Is" type "ACCESS DENIED" (without the quotes). Here is what it should look like:

  12. Hit the Add button
  13. Hit OK
  14. Hold CTRL and hit X to clear the output window

You now have Process Monitor monitoring all operations on the computer. At this point, retry the updater that fails. If the updater fails with a permissions problem, you should get entries in the Process Monitor window. Each one indicates a potential problem that could harm your ability to install updates, although they may also be unrelated.


 


Here is an example of the types of ACCESS DENIED errors you may see. Note that your process name would not be regedit.exe.
 


To fix the problem you need to set permissions. If you are not comfortable with exactly how to do that, I can help you if you send me the keys that are causing the error. You can do that most easily by clicking CTRL+A in Process Monitor, and then clicking CTRL+C to copy it. Then click the "Comments" link on the right side of the blog to send me a message, and paste the output into it.

 

To fix the problem yourself you can also change the permissions on the registry key (typically) or file that is a problem. I have not yet seen this happen because of file permissions, but if it does, it would be interesting to know. To fix registry permissions problems, do this:

 

  1. Right click the event and select “Jump to…”
  2. Right-click the key that is listed and select “Permissions…”
  3. Click Advanced
  4. Make sure that permissions are at least Full Control for TrustedInstaller, and Read for Administrators and SYSTEM. If that is what you have, and you are using a non-Windows installer (such as Adobe Updater), close the Advanced window, select the Administrators entry, and click the Full Control checkbox
  5. Click OK to close the dialogs.
  6. Retry the update

This will work under the assumption that the proper permissions were overridden on that particular key. In general, permissions on these keys should be Read for everyone except Trusted Installer, as follows:

You may, however, see Administrators have Full Control, or SYSTEM having Full Control. Those are both typically acceptable.

 

If this helps you, and you do not mind, could you please post a comment with the key that was a problem? It would be very interesting if we could figure out if this is caused by some particular piece of software that modifies some particular value.

Troubleshooting Errors While Updating Software

A number of people are reporting errors when running software update tools. The tools include Windows Update, Windows Defender Updates, Installshield, Adobe Updater, and probably others as well. The errors include 80070005 (from Windows tools) and c0000005 (from others). To see if we can help people get their software updates, Steve Wechsler helped me put together some troubleshooting steps. If these steps help, and more so if they don't, we'd like to hear about it. If you find something else that helps, let us know by posting a comment.


 


All these errors indicate a permissions issue of some kind. All of them basically mean "Access Denied". However, determining exactly what the cause is can be difficult. There seem to be two main reasons why this is happening: multiple firewalls on the same computer, and a permissions issue, usually in the registry.


 


Multiple Firewalls
Several people with this problem report that it disappeared when the shut down one of the several firewalls they had on their computer. If you have installed a security suite, such as Norton Internet Security, on a Windows Vista computer, you have multiple firewalls. That, in and of itself, is not a problem as long as only one of them is running. However, if two, or more, are running at the same time, you will run into trouble. Some third-party firewalls appear to fail to properly disable the built-in Windows Firewall. If you have a third-party security suite installed, take the following steps to ensure the Windows Firewall with Advanced Security is turned off:

  1. Click the Window button (the start menu)
  2. In the search dialog, type "Windows Firewall"
  3. In a few seconds you will have a couple of results, including one that says "Windows Firewall". Click that one
  4. If the right-hand window says "Windows Firewall is on" click "Change settings"
  5. Accept the User Account Control prompt by clicking "Continue"
  6. Select the "Off (not recommended)" radio button and click OK. WARNING: do not do this unless you are sure you have a third-party firewall!
  7. Attempt to run the updater that failed again.

If this resolves the problem you can resolve it permanently by either leaving Windows Firewall off, or by disabling the third-party firewall. For the most part, they perform the same function, although the built-in firewall typically is far less intrusive and more stable. To disable the third-party firewall refer to the manufacturer's documentation.


 


Permissions Problems


If you do not have two firewalls the problem is almost certainly permissions related. If this is your case you need to resort to advanced troubleshooting tools.


 


Follow these steps carefully. They are written for Windows Vista, but the problem has also affected Windows XP. With only minor modifications (such as the ommission of the UAC elevation-related steps) they work on Windows XP as well.


 


Keep in mind that setting incorrect permissions can significantly harm your computer, to the point where it is either completely insecure, will not boot, or both. There are multiple recommendations out on the Internet that recommend that you change the permissions on large parts of the registry and the operating system. Doing so will render your computer unsupported and disable significant parts of the security sub-system. Surgical precision is key when modifying permissions.


 


  1. First, download Microsoft/System Internals Process Monitor from http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx. Save it somewhere you can remember, such as your Downloads directory or the desktop.
  2. Open the Downloads directory in Windows Explorer (the easiest way is to hold down the Window key and hit E, click your name, and click Downloads)
  3. Right-click ProcessMonitor and select "Extract all…" Walk through the wizard to extract the files
  4. In the window that opens when the extraction is complete, double-click "procmon" or "procmon.exe"
  5. In the "Open File – Security Warning" prompt, uncheck the box that says "Always ask before opening this file" and click Run
  6. Accept the User Account Control prompt by selecting Continue
  7. Accept the license agreement (no, the next time you run the tool you will only have the User Account Control prompt, not all three)
  8. Maximize the window
  9. Hold the CTRL key and hit L
  10. In the drop-down that says "Architecture" select "Result"
  11. In the text box next to "Is" type "ACCESS DENIED" (without the quotes). Here is what it should look like:

  12. Hit the Add button
  13. Hit OK
  14. Hold CTRL and hit X to clear the output window

You now have Process Monitor monitoring all operations on the computer. At this point, retry the updater that fails. If the updater fails with a permissions problem, you should get entries in the Process Monitor window. Each one indicates a potential problem that could harm your ability to install updates, although they may also be unrelated.


 


Here is an example of the types of ACCESS DENIED errors you may see. Note that your process name would not be regedit.exe.
 


To fix the problem you need to set permissions. If you are not comfortable with exactly how to do that, I can help you if you send me the keys that are causing the error. You can do that most easily by clicking CTRL+A in Process Monitor, and then clicking CTRL+C to copy it. Then click the "Comments" link on the right side of the blog to send me a message, and paste the output into it.

 

To fix the problem yourself you can also change the permissions on the registry key (typically) or file that is a problem. I have not yet seen this happen because of file permissions, but if it does, it would be interesting to know. To fix registry permissions problems, do this:

 

  1. Right click the event and select “Jump to…”
  2. Right-click the key that is listed and select “Permissions…”
  3. Click Advanced
  4. Make sure that permissions are at least Full Control for TrustedInstaller, and Read for Administrators and SYSTEM. If that is what you have, and you are using a non-Windows installer (such as Adobe Updater), close the Advanced window, select the Administrators entry, and click the Full Control checkbox
  5. Click OK to close the dialogs.
  6. Retry the update

This will work under the assumption that the proper permissions were overridden on that particular key. In general, permissions on these keys should be Read for everyone except Trusted Installer, as follows:

You may, however, see Administrators have Full Control, or SYSTEM having Full Control. Those are both typically acceptable.

 

If this helps you, and you do not mind, could you please post a comment with the key that was a problem? It would be very interesting if we could figure out if this is caused by some particular piece of software that modifies some particular value.

Public Education in Washington State

This is a bit off topic for me, but it is an important thing to get out there nevertheless. I love living in Washington State. It may be snowing as I write this, but in general, I really like this state, the lifestyle, the people, and our wonderful natural environment. I've lived on both coasts of the US, twice, and in the middle, and in Europe, twice, and I like this place best of all.


There is, however, a significant downside to this state, one which has gotten worse in recent years: public education. Washington State, home to many companies needing highly educated talent, like Microsoft, Amazon.com, Boeing, Real Networks, F5 Technologies, Safeco Insurance, Washington Mutual, etc, has a public education crisis. Spending per student in this state ranks 42nd in the nation, just below Alabama! (Note, some studies have it ranking from 32nd to 46th, depending on the year and the methodology used).


The upshot of this is that our schools are in a crisis. At this very moment, the school board in the district where I live are just waiting for May 13, when they can finally acknowledge their decision to close one of the elementary schools in our town. This will result in shuffling 800 students around, away from their friends. My kids will be bused past two schools, including the one about three quarters of a mile from our house where they currently go, to a school over four miles away. And I moved here because of the school and because I did not want my kids to have to go through any more changes of school than absolutely necessary. In addition, this action will result in moving the Spanish dual language program away from the school where there are actually students that need it, to a school over a mile away from any public transportation. This may not be intuitively obvious, but many of the parents of the children who need dual language education have no cars at all, or one at best, and really rely on public transportation. All in all, they are shuffling 800 children away from their neighborhood schools and dispersing them throughout a 75 square mile area, away from their neighborhoods, their friends, and the teachers they have learned to love and trust. All of this because of the combined double-whammy of the states complete failure in its responsibility to its children and all the various unfunded mandates that the federal government has imposed upon local schools.


The second-most ironic part of all? The affected area is serviced by state senators Eric Oemig, a member of the "Early Learning and K-12 Education Committee" and Rosemary McAuliffe, the chair of that same committee. If the two senators have failed/neglected to fix school funding problems in their own districts, then something is really rotten in Washington State. Well, maybe the irony there is matched by the fact that Governor Gregoire's second highest priority is education. Note the complete lack (save for the creation of a committee to study the problem) of any action on her part to improve general education funding in the past 18 months. I guess we should be happy that she at least invited "Happy Feet Fans" to trick or treat in the governor's mansion – clearly a worthy achievement in education.


So, what is the most ironic part? It is this paragraph, taken from the Washington State Constitution:
“It is the paramount duty of the state to make ample provision for the education of all children residing within its borders, without distinction or preference on account of race, color, caste or sex.”
Washington Constitution, article IX, section I


As the 2007 Citizen's Guide to Washington State K-12 Finance correctly points out: "This constitutional provision is unique to Washington. While other states have constitutional provisions related to education, no other state makes K-12 education the “paramount duty” of the state."


I'm starting to wonder whether the word "ample" has a special meaning to politicians?


In light of all this, I found this letter, which Nancy Hill, another parent in the district, just sent to USA Today, quite poignant. If you are considering a job offer from one of the companies I mentioned earlier, you may want to bargain for a supplement to cover private school tuition:


Washington State's Dirty Little Secret:  Public Schools


Considering a move to Washington State?  The state certainly looks appealing.  While Washington State is bucking national trends in regard to job creation and home values, we have one dirty little secret that many people want to keep buried.  If you are planning a move to the Seattle area, you will find that high paying job, your home probably will retain its value, but you better budget in about $25,000 per child for private education.



Consider this…  Mr. Gates found it easier to ask Congress to grant more international work visas than improve public education in his own state.  All of those employees roaming the corridors of Microsoft… good thing most of them received an education elsewhere and they should not expect Mr. Gates to hire their Washington State educated children.


Simply stated, Washington State school districts are too large and our state funding is antiquated.



Washington State ranks 46th in the nation in terms of class size. Another fun Washington State education fact: Per-pupil expenditures as a percentage of per capita income was only 21.8%, ranking the state 45th nationally. Washington has the12th highest personal income per capita in the nation.
(Source:http://www.technology-alliance.com/pubspols/studies/benchmarking06.html.)



Your child's "Chance for Success" ranking in the state of Washington is 22nd.  (SOURCE: Quality Counts 2007:From Cradle to Career Tennessee 40.0 -2 30.0 -2 42.5 -2 68.3 +2 -14 45Editorial Projects in Education Research Center,2007.)



So yes, Washington State can offer you a great job, a home that will retain its value, great air quality and recreation.  But please don't expect your child to receive a great public education in Washington State. It seems that our state government really doesn't care.


 

Help us Neelie! Please, help us!

Apple clearly has a de-facto monopoly in the portable music player market, with upward of 70% of that market. It is busily working on monopolies in the music software and downloads markets and is behaving monopolistically in the PC market as well. Some of those market shares have certainly been helped by bundling iTunes with the completely unrelated QuickTime, which has huge installed base.


Continuing on the strategy that bundling helps expand market share, Apple has now started "leveraging" (a synonym for "abuse") those monopolies to force people to use its web browser, Safari. Safari, of course, has a miniscule market share; less than 6% according to BetaNews. Starting very recently, if you installed QuickTime (with no additional options) you will be presented with this dialog:



This astonishing abuse of power threatens to destabilize the software market world-wide, thwart choice, and hamper innovation. What would happen if Apple is actually successful in giving away lots of copies of its free browser? That would bite into other browsers' market shares and ensure that the organizations that wrote them do not get to give away a lot of copies of their free browsers. Eventually we will be in an Apple hegemony! We will all be looking at small fonts, shaded colors, and thin stuff. We will all look svelte and cool, wear turtlenecks and jeans, and nobody would grow older than 26! Oh No! There would be no more geeks! Worse still, everyone will be subject to all the vulnerabilities in Safari. Terrorists can use this hegemony to take down the Internet, endangering civilization as we know it. 


Clearly it must be illegal to abuse a monopoly in this way to push unrelated software onto an unsuspecting public. If only there were a government agency who took it upon itself to protect the public from miscreants such as Steve Jobs. Without protection from some kind of commission we will be crushed under the foot of his anti-competitive and hostile practices! If only there were someone who has stood up for individual choice and free competition among American firms in the past…


Maybe if we found our savior she could force Apple to make a version of QuickTime without sound? That would certainly promote competition. 

Help us Nellie! Please, help us!

Apple clearly has a de-facto monopoly in the portable music player market, with upward of 70% of that market. It is busily working on monopolies in the music software and downloads markets and is behaving monopolistically in the PC market as well. Some of those market shares have certainly been helped by bundling iTunes with the completely unrelated QuickTime, which has huge installed base.

Continuing on the strategy that bundling helps expand market share, Apple has now started "leveraging" (a synonym for "abuse") those monopolies to force people to use its web browser, Safari. Safari, of course, has a miniscule market share; less than 6% according to BetaNews. Starting very recently, if you installed QuickTime (with no additional options) you will be presented with this dialog:

This astonishing abuse of power threatens to destabilize the software market world-wide, thwart choice, and hamper innovation. What would happen if Apple is actually successful in giving away lots of copies of its free browser? That would bite into other browsers' market shares and ensure that the organizations that wrote them do not get to give away a lot of copies of their free browsers. Eventually we will be in an Apple hegemony! We will all be looking at small fonts, shaded colors, and thin stuff. We will all look svelte and cool, wear turtlenecks and jeans, and nobody would grow older than 26! Oh No! There would be no more geeks! Worse still, everyone will be subject to all the vulnerabilities in Safari. Terrorists can use this hegemony to take down the Internet, endangering civilization as we know it. 

Clearly it must be illegal to abuse a monopoly in this way to push unrelated software onto an unsuspecting public. If only there were a government agency who took it upon itself to protect the public from miscreants such as Steve Jobs. Without protection from some kind of commission we will be crushed under the foot of his anti-competitive and hostile practices! If only there were someone who has stood up for individual choice and free competition among American firms in the past…

Maybe if we found our savior she could force Apple to make a version of QuickTime without sound? That would certainly promote competition. 

Regulatory Silliness

Susan just pointed me to a "Self-assessment questionnaire" for the Payment Card Industry Data Security Standard (PCI/DSS). While, on the whole, the intent of that standard is good, there are some areas of it that, as usual, stray into the realm of regulatory silliness.


For example, on page 6, under the requirement to "Do not use vendor-supplied defaults for system passwords and other security parameters" we find 2.1.1.a "Are SSID broadcasts disabled?" The PCI/DSS Security Standard version 1.1 actually requires disabling broadcast of the SSID in requirement 2.1. As Wikipedia says "SSID is broadcast in the open in response to a client SSID query…" When a client asks for the access point, the SSID is always broadcast. Thus, to find the SSID of any network, all you have to do is listen when a client associates to the network. The Wi-Fi Alliance actually points this out in its Enterprise Solutions for Wireless LAN Security document. That document also recommends broadcasting the SSID as a security best practice to ensure that users have the information they need to select the right network.


The really bad part about the advice to hide the SSID, however, is hinted at in the WPA Deployment Guidelines for Public Access Wi-Fi Networks, from the Wi-Fi Alliance: "A radio signal with a familiar SSID does not ensure that the user will be connected to equipment operated by a service provider that the subscriber trusts." The same document also points out that the client will connect to the closest AP for purposes of data transport. To see how that would work, assume that a network has a hidden SSID, and the client has been pre-provisioned to connect to that SSID. In this case the client may actually end up connecting to a fake network if the fake network is perceived to be closer. The client will connect to the one with the stronger signal, and will not be able to tell that one of them is rogue. If the remaining security parameters differ between the real network and the rogue one the client will not automatically connect; the user will have to accept the connection. However, the user has no simple way to tell rogue from fake either. If the networks broadcast their SSIDs the conflict would be much more easily detectable. Some clients may even automatically downgrade the security and connect to the fake, but visible, network, without user interaction. This would not work if the real network were broadcasting its security parameters. The client would detect that there were two networks with the same SSID and different parameters.


Curiously, the PCI/DSS Security Standard version 1.1 does not require use of WPA2 or even WPA for security on wireless networks. It only recommends that they be used "when WPA-capable." In other words, it permits use of the completely discredited "Wired Equivalent Privacy" (WEP) protocol, which provides no security at all, and requires use of security theater measures that actually reduce the security of your wireless network. One is left to wonder when the next TJX disaster will happen.

1722 Error from InstallShield

Last week I found a post in the Vista newsgroups from a lady who was having problems installing Kaspersky Anti-Virus. She was getting an error 1722 upon installation on one computer out of three and the installation failed. She had called both Kaspersky and here computer manufacturer (HP) and neither could help. HP told her to get a new anti-virus package, and Kaspersky had no help to give.


Searching a little I found a solution on a site called MyDigitalLife.com, but it was a bit complicated getting at it, and it came in the form of some registry files with no real information on what the problem is. Therefore, I thought I would explain the problem here and give a solution that worked at least for this lady.


1722 is an error from Install Shield, a third-party installation technology. It means that some custom action failed during installation. Usually custom actions are used to run external software, such as regsvr32.exe to register something.

The thread on MyDigitalLife indicates that this has to do with a corrupted registry entry. It basically shows that, for some reason, the path in the registry to where the device driver information files are located has been corrupted. Thus, your first step in trouble-shooting should be to validate that path:


  1. Elevate a command prompt by right-clicking the Command Prompt in Start:All Programs:Accessories and selecting Run as administrator…
  2. From the command prompt, run regedit.exe
  3. If you have a 32-bit system, navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion.
    If you have a 64-bit system, navigate to
    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion
  4. Set the "DevicePath" value to "%SystemRoot%\Inf" (without the quotes).

If this does not help there could be other things wrong, but at least this seems to have helped several people.