From: Robert Aldwinckle on
"OlsBean" <OlsBean(a)discussions.microsoft.com> wrote in message
news:1C9D80F1-2349-46D1-8C04-6EBC18ADF30D(a)microsoft.com...
>
>
> "Robert Aldwinckle" wrote:
>
>> "OlsBean" <OlsBean(a)discussions.microsoft.com> wrote in message
>> news:ECEDF31B-C22F-4272-A1BE-CBBFD56206C1(a)microsoft.com...
>> > Running Vista X64 Ultimate
>> >
>> > I've searched and searched and none of the relevant threads found have
>> > provided a solution to the error I have.
>>
>>
>> <repost date="Sept 7, 2007">
>> If the log(s) (including the Event log) aren't giving you enough clues
>> about what your symptom means you could try running ProcMon
>> to supplement them.
>>
>>
>> </repost>
>>
>>
>> BTW I am surprised that searches for this common code aren't giving
>> better results on Google Groups. E.g. this search which was to have
>> demonstrated how to avoid a possible mistake of searching for only unprefixed
>> hex codes (e.g. you never mentioned 0x80070005 in your post)
>> and not filtering for threads with answers or helpful threads, didn't show
>> what I was expecting it could:
>>
>> (0x80070005 OR 80070005) (MSFT OR MVP) group:microsoft.*
>>
>>
>> E.g. I had to add an extra expression to find what I wanted and even
>> then none of the hits mentioned ProcMon, only FileMon.
>>
>> http://groups.google.com/group/microsoft.public.windowsupdate/browse_frm/thread/385c9dec95e58f01/c75626350e87e559?lnk=st&q=(filemon+OR+procmon)+(0x80070005+OR+80070005)++(MSFT+OR+MVP)++group%3Amicrosoft.*#c75626350e87e559
>>
>> (Google Groups search for
>> (filemon OR procmon) (0x80070005 OR 80070005) (MSFT OR MVP) group:microsoft.*
>> - sorted by date to try to capture current thinking
>> )
>>
>> That post is now over a year old. High time for rediscovery.
>>
>> BTW the web interface still has it and (to my surprise)
>> it has even been voted on so it could at least be found more
>> easily by using that facility's Threads with helpful posts filter.
>> Admittedly it does help to know about FileMon as a search term... ; )
>>
>>
>> FYI the excerpt from your log is not helpful because it does not show
>> the context of the code that you are reporting.
>>
>>
>> Good luck
>>
>> Robert Aldwinckle
>> ---
>>
>>
>>
>
> Thank you, the only access denied process I could find while WU was running
> is the following;
>
> ########################
> Sequence: 18002
> Date & Time: 13/01/2008 20:04:51
> Event Class: Registry
> Operation: RegOpenKey
> Result: ACCESS DENIED
> Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
> Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
> TID: 3956
> Duration: 0.0000096
> Desired Access: Read/Write
> ####################
>
> Not sure how to fix this, not sure if it gives anyone else an insight.


Very good! However, if that is a line being reported by ProcMon it is a strange
combination of columns IMO. E.g., I'm surprised that there is only a TID (Thread ID)
and not a PID (Process ID) as well or even more usefully a Process Name.
Not having at least a PID can make it difficult to know which "task" from the
Task bar and Task Manager's perspectives that record applies to.

Or is that TID really the task's PID? E.g. if you checked with Task Manager
and that number made sense as a PID you would know which process name
it was really for.

Nevertheless, it is an excellent clue which helps clarify *which* object
whatever task is involved (not shown) and whatever account that task
is being run under (not shown) is being denied access to.

So, using RegEdit how much of that registry path is apparent to you?
Make sure that you expand all [+] boxes beneath wherever you
navigate to. (E.g. press * on the numeric keypad.)
Then get into the Permissions dialog for the lowest level key on that path
that you can see. (E.g. use the Edit menu or right-click the key name or
press the Menu key.)

BTW because this is Vista you probably need to enter RegEdit via
Run As... Administrator or perhaps it is enough to open a cmd window
which has that authority and start RegEdit from there? I don't know;
I don't use Vista and haven't run into this sort of permissions difficulty.

Even more surprising there is nothing on a Google Groups search which
matches this particular detail, e.g. even not quoting the keyname gives few hits

vista component based servicing permissions group:microsoft.*

so I suspect I'm missing something. I don't want to suggest you change
permissions until we're sure that you have given us *all* the details about
the failure. So I would suggest running ProcMon again with *all* column
details requested. In fact, if you prefer you might find it easier to get the
results we want using the older registry-specific tool, RegMon.

Also, I'm cross-posting this to a Vista specific newsgroup since I don't
use Vista and XP doesn't have that Component Based Servicing key
(at least it isn't apparent to me on my OS.)

Alternatively, you can find examples of other instructions on the Support site
which I'm sure you could adapt to changing permissions on that branch
so you could change your symptom if you wanted to try that approach instead.


Good luck

Robert
---


>
> TIA
>
>


From: OlsBean on



Thank you, that was my fault I did not include all the tabs in the
information I posted, apologies, the process name is TrustedInstaller.exe
below is complete report.

############################
############################
Sequence: 16026
Date & Time: 14/01/2008 07:58:08
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
TID: 1616
Duration: 0.0000146
Desired Access: Read/Write
Description: Windows Modules Installer
Company: Microsoft Corporation
Name: TrustedInstaller.exe
Version: 6.00.6000.16386
Path: C:\Windows\servicing\TrustedInstaller.exe
Command Line: C:\Windows\servicing\TrustedInstaller.exe
PID: 3220
Parent PID: 576
Session ID: 0
User: NT AUTHORITY\SYSTEM
Auth ID: 00000000:000003e7
Architecture: 64-bit
Virtualized: False
Integrity: System
Started: 14/01/2008 07:51:37
Ended: (Running)
Modules:
############################
############################

The registry key exists however the only perms attribute is 'System' with
special allowed.

I also had this Permission Denied in addition to the above when I ran WU
this morning and monitored.

############################
############################
Sequence: 6374
Date & Time: 14/01/2008 07:58:08
Event Class: Registry
Operation: RegOpenKey
Result: ACCESS DENIED
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
TID: 1160
Duration: 0.0000241
Desired Access: Set Value
Description: Host Process for Windows Services
Company: Microsoft Corporation
Name: svchost.exe
Version: 6.00.6000.16386
Path: C:\Windows\system32\svchost.exe
Command Line: C:\Windows\system32\svchost.exe -k netsvcs
PID: 948
Parent PID: 576
Session ID: 0
User: NT AUTHORITY\SYSTEM
Auth ID: 00000000:000003e7
Architecture: 64-bit
Virtualized: False
Integrity: System
Started: 14/01/2008 07:13:04
Ended: (Running)
Modules:
############################
############################

I don't remember seeing this one yesterday.

Just for future reference for anyone else reading this, Filemon and Regmon
are not compatible with Vista, you will need to use Process Monitor
http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx

TIA

From: Robert Aldwinckle on
"OlsBean" <OlsBean(a)discussions.microsoft.com> wrote in message
news:C1F9C43E-189D-49D6-A0AC-8A41DC089EFC(a)microsoft.com
....
> Thank you, that was my fault I did not include all the tabs in the
> information I posted, apologies, the process name is TrustedInstaller.exe
> below is complete report.

Excellent! I think these are the essential details from that report:

> Operation: RegOpenKey
> Result: ACCESS DENIED
> Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
> Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
> Desired Access: Read/Write
> Description: Windows Modules Installer
> Company: Microsoft Corporation
> Name: TrustedInstaller.exe
> Version: 6.00.6000.16386
> Path: C:\Windows\servicing\TrustedInstaller.exe
> Command Line: C:\Windows\servicing\TrustedInstaller.exe

> User: NT AUTHORITY\SYSTEM


> The registry key exists however the only perms attribute is 'System' with
> special allowed.


Which explains the symptom. I wonder how common this is among Vista
users and assuming not, how your system became disabled in this way?

The third-party security packages that PA Bear mentioned would be one way...


>
> I also had this Permission Denied in addition to the above when I ran WU
> this morning and monitored.


> Operation: RegOpenKey
> Result: ACCESS DENIED
> Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update

> Desired Access: Set Value
> Description: Host Process for Windows Services
> Company: Microsoft Corporation
> Name: svchost.exe
> Version: 6.00.6000.16386
> Path: C:\Windows\system32\svchost.exe
> Command Line: C:\Windows\system32\svchost.exe -k netsvcs

> User: NT AUTHORITY\SYSTEM


> I don't remember seeing this one yesterday.
>


Did you have verbose logging active? Perhaps the failing Set Value
would be documented there? Notice that with ProcMon (or concurrent
FileMon) that you could find the next WRITE to WindowsUpdate.log
and then correlate that trace entry with a specific log entry either by length
of write (+1) or by exact timestamp.

Also in your reply to PA Bear's suggestion to undo certain optional security
facilities you might be using you mentioned only disabling AVG.
I wonder if disabling it would be sufficient? E.g., would that be enough
to make it undo any permissions changes it might have made?
I think that such changes might be more likely by at least uninstalling
such programs, assuming that a clean uninstall would enable that type
of undoing of all changes that they would have made. The idea is that
undoing such protections should avoid such atypical access problems
not make them worse.

BTW I didn't bother checking the list of modules loaded with each program
for any possible unusual names though I think that may be possible if any
were present. Again, someone who actually is using your OS and not having
a problem or someone more aware of Vista internals or even malware issues
in general would be in a better position to do that analysis.


> Just for future reference for anyone else reading this, Filemon and Regmon
> are not compatible with Vista, you will need to use Process Monitor
> http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx


Do you have a reference or experience which proves that it doesn't work?


This document, which is linked from yours, doesn't say anything so explicit.

<title> RegMon for Windows v7.04 </title>
http://technet.microsoft.com/en-gb/sysinternals/bb896652.aspx

In fact, the only implication on it for Vista is the same implication which
is available for XPsp2 users, which I use and on which RegMon works fine.

<quote>
Note: FileMon and RegMon have been replaced by Process Monitor on
versions of Windows starting with Windows 2000 SP4, Windows XP SP2,
Windows Server 2003 SP1, and Windows Vista. FileMon and RegMon
remain for legacy operating system support
</quote>


>
> TIA


HTH

Robert
---
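
Added example (not part of the original posts, and not Process Monitor's own code): a small Python parser for the event-properties text pasted in this thread, which rejoins the wrapped registry path, separates the two `Path` fields (object opened vs. process image), reports events pasted without process identity, and groups the ACCESS DENIED results by process and account. The function names are hypothetical, and the sample is trimmed from the reports quoted above.

```python
import re
from collections import defaultdict

# Field labels as they appear in the event text pasted in this thread.
FIELDS = {
    "Sequence", "Date & Time", "Event Class", "Operation", "Result", "Path",
    "TID", "Duration", "Desired Access", "Description", "Company", "Name",
    "Version", "Command Line", "PID", "Parent PID", "Session ID", "User",
    "Auth ID", "Architecture", "Virtualized", "Integrity", "Started", "Ended",
    "Modules",
}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z &]*):\s*(.*)$")
IDENTITY = ("Name", "PID", "User")  # columns needed to tell who was denied


def parse_events(text):
    """Return one dict per event from pasted 'Label: value' event text."""
    events, cur, last_key, in_modules = [], None, None, False
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate newsreader quote marks
        if not line:
            continue
        if set(line) == {"#"}:                # separator row closes an event
            if cur:
                events.append(cur)
            cur, last_key, in_modules = None, None, False
            continue
        if in_modules:                        # loaded-module rows are skipped
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) in FIELDS:
            key, value = m.groups()
            cur = {} if cur is None else cur
            if key == "Modules":
                in_modules = True
                continue
            if key == "Path" and "Path" in cur:
                key = "Image Path"            # second Path is the executable
            cur[key], last_key = value, key
        elif cur is not None and last_key:
            cur[last_key] += " " + line       # wrapped continuation line
    if cur:
        events.append(cur)
    return events


def missing_identity(event):
    """List the identity columns that were not included in the paste."""
    return [f for f in IDENTITY if f not in event]


def denied_summary(events):
    """Group denied registry opens by (process name, account)."""
    out = defaultdict(list)
    for e in events:
        if e.get("Event Class") == "Registry" and e.get("Result") == "ACCESS DENIED":
            who = (e.get("Name", "<not captured>"), e.get("User", "<not captured>"))
            out[who].append((e.get("Path"), e.get("Desired Access")))
    return dict(out)


# Sample input: trimmed from the three reports posted in this thread.
SAMPLE = r"""
########################
Event Class: Registry
Result: ACCESS DENIED
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
TID: 3956
Desired Access: Read/Write
####################
Event Class: Registry
Result: ACCESS DENIED
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
Desired Access: Read/Write
Name: TrustedInstaller.exe
Path: C:\Windows\servicing\TrustedInstaller.exe
PID: 3220
User: NT AUTHORITY\SYSTEM
Modules:
kernel32.dll 0x76DB0000 0x131000 C:\Windows\system32\kernel32.dll
############################
Event Class: Registry
Result: ACCESS DENIED
Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
Desired Access: Set Value
Name: svchost.exe
Path: C:\Windows\system32\svchost.exe
PID: 948
User: NT AUTHORITY\SYSTEM
############################
"""

if __name__ == "__main__":
    parsed = parse_events(SAMPLE)
    for i, ev in enumerate(parsed, 1):
        print(i, "missing identity columns:", missing_identity(ev) or "none")
    for who, keys in denied_summary(parsed).items():
        print(who, "->", keys)
```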


From: OlsBean on


"Robert Aldwinckle" wrote:

> "OlsBean" <OlsBean(a)discussions.microsoft.com> wrote in message
> news:C1F9C43E-189D-49D6-A0AC-8A41DC089EFC(a)microsoft.com
> ....
> > Thank you, that was my fault I did not include all the tabs in the
> > information I posted, apologies, the process name is TrustedInstaller.exe
> > below is complete report.
>
> Excellent! I think these are the essential details from that report:
>
> > Operation: RegOpenKey
> > Result: ACCESS DENIED
> > Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
> > Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
> > Desired Access: Read/Write
> > Description: Windows Modules Installer
> > Company: Microsoft Corporation
> > Name: TrustedInstaller.exe
> > Version: 6.00.6000.16386
> > Path: C:\Windows\servicing\TrustedInstaller.exe
> > Command Line: C:\Windows\servicing\TrustedInstaller.exe
>
> > User: NT AUTHORITY\SYSTEM
>
>
> > The registry key exists however the only perms attribute is 'System' with
> > special allowed.
>
>
> Which explains the symptom. I wonder how common this is among Vista
> users and assuming not, how your system became disabled in this way?
>
> The third-party security packages that PA Bear mentioned would be one way...
>
>
> >
> > I also had this Permission Denied in addition to the above when I ran WU
> > this morning and monitored.
>
>
> > Operation: RegOpenKey
> > Result: ACCESS DENIED
> > Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
>
> > Desired Access: Set Value
> > Description: Host Process for Windows Services
> > Company: Microsoft Corporation
> > Name: svchost.exe
> > Version: 6.00.6000.16386
> > Path: C:\Windows\system32\svchost.exe
> > Command Line: C:\Windows\system32\svchost.exe -k netsvcs
>
> > User: NT AUTHORITY\SYSTEM
>
>
> > I don't remember seeing this one yesterday.
> >
>
>
> Did you have verbose logging active? Perhaps the failing Set Value
> would be documented there? Notice that with ProcMon (or concurrent
> FileMon) that you could find the next WRITE to WindowsUpdate.log
> and then correlate that trace entry with a specific log entry either by length
> of write (+1) or by exact timestamp.

That has gone a little over my head but I will try to digest and do it later
this evening, thank you.

> Also in your reply to PA Bear's suggestion to undo certain optional security
> facilities you might be using you mentioned only disabling AVG.
> I wonder if disabling it would be sufficient? E.g., would that be enough
> to make it undo any permissions changes it might have made?
> I think that such changes might be more likely by at least uninstalling
> such programs, assuming that a clean uninstall would enable that type
> of undoing of all changes that they would have made. The idea is that
> undoing such protections should avoid such atypical access problems
> not make them worse.

I know from recent experience where AVG had a false positive on a legitimate
.exe that disabling the 'Resident Shield' allowed access to the file in order
for it to execute.

> BTW I didn't bother checking the list of modules loaded with each program
> for any possible unusual names though I think that may be possible if any
> were present. Again, someone who actually is using your OS and not having
> a problem or someone more aware of Vista internals or even malware issues
> in general would be in a better position to do that analysis.
>
>
> > Just for future reference for anyone else reading this, Filemon and Regmon
> > are not compatible with Vista, you will need to use Process Monitor
> > http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx
>
>
> Do you have a reference or experience which proves that it doesn't work?
>
>
> This document, which is linked from yours, doesn't say anything so explicit.
>
> <title> RegMon for Windows v7.04 </title>
> http://technet.microsoft.com/en-gb/sysinternals/bb896652.aspx
>
> In fact, the only implication on it for Vista is the same implication which
> is available for XPsp2 users, which I use and on which RegMon works fine.
>
> <quote>
> Note: FileMon and RegMon have been replaced by Process Monitor on
> versions of Windows starting with Windows 2000 SP4, Windows XP SP2,
> Windows Server 2003 SP1, and Windows Vista. FileMon and RegMon
> remain for legacy operating system support
> </quote>

When you run on Vista you get a message;

Filemon has been replaced by Systinternals Process Monitor for file system
monitoring on Windows Vista. Download the Process Monitor at...

and the application exits, similar message with Regmon.
>
>
> >
> > TIA
>
>
> HTH
>
> Robert
> ---
>
>
>

I wonder if manually modifying the permissions attributes on the offending
keys would work?

TIA
From: OlsBean on


"OlsBean" wrote:

>
>
> "Robert Aldwinckle" wrote:
>
> > "OlsBean" <OlsBean(a)discussions.microsoft.com> wrote in message
> > news:C1F9C43E-189D-49D6-A0AC-8A41DC089EFC(a)microsoft.com
> > ....
> > > Thank you, that was my fault I did not include all the tabs in the
> > > information I posted, apologies, the process name is TrustedInstaller.exe
> > > below is complete report.
> >
> > Excellent! I think these are the essential details from that report:
> >
> > > Operation: RegOpenKey
> > > Result: ACCESS DENIED
> > > Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
> > > Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
> > > Desired Access: Read/Write
> > > Description: Windows Modules Installer
> > > Company: Microsoft Corporation
> > > Name: TrustedInstaller.exe
> > > Version: 6.00.6000.16386
> > > Path: C:\Windows\servicing\TrustedInstaller.exe
> > > Command Line: C:\Windows\servicing\TrustedInstaller.exe
> >
> > > User: NT AUTHORITY\SYSTEM
> >
> >
> > > The registry key exists however the only perms attribute is 'System' with
> > > special allowed.
> >
> >
> > Which explains the symptom. I wonder how common this is among Vista
> > users and assuming not, how your system became disabled in this way?
> >
> > The third-party security packages that PA Bear mentioned would be one way...
> >
> >
> > >
> > > I also had this Permission Denied in addition to the above when I ran WU
> > > this morning and monitored.
> >
> >
> > > Operation: RegOpenKey
> > > Result: ACCESS DENIED
> > > Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
> >
> > > Desired Access: Set Value
> > > Description: Host Process for Windows Services
> > > Company: Microsoft Corporation
> > > Name: svchost.exe
> > > Version: 6.00.6000.16386
> > > Path: C:\Windows\system32\svchost.exe
> > > Command Line: C:\Windows\system32\svchost.exe -k netsvcs
> >
> > > User: NT AUTHORITY\SYSTEM
> >
> >
> > > I don't remember seeing this one yesterday.
> > >
> >
> >
> > Did you have verbose logging active? Perhaps the failing Set Value
> > would be documented there? Notice that with ProcMon (or concurrent
> > FileMon) that you could find the next WRITE to WindowsUpdate.log
> > and then correlate that trace entry with a specific log entry either by length
> > of write (+1) or by exact timestamp.
>
> That has gone a little over my head but I will try to digest and do it later
> this evening, thank you.
>
> > Also in your reply to PA Bear's suggestion to undo certain optional security
> > facilities you might be using you mentioned only disabling AVG.
> > I wonder if disabling it would be sufficient? E.g., would that be enough
> > to make it undo any permissions changes it might have made?
> > I think that such changes might be more likely by at least uninstalling
> > such programs, assuming that a clean uninstall would enable that type
> > of undoing of all changes that they would have made. The idea is that
> > undoing such protections should avoid such atypical access problems
> > not make them worse.
>
> I know from recent experience where AVG had a false positive on a legitimate
> .exe that disabling the 'Resident Shield' allowed access to the file in order
> for it to execute.
>
> > BTW I didn't bother checking the list of modules loaded with each program
> > for any possible unusual names though I think that may be possible if any
> > were present. Again, someone who actually is using your OS and not having
> > a problem or someone more aware of Vista internals or even malware issues
> > in general would be in a better position to do that analysis.
> >
> >
> > > Just for future reference for anyone else reading this, Filemon and Regmon
> > > are not compatible with Vista, you will need to use Process Monitor
> > > http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx
> >
> >
> > Do you have a reference or experience which proves that it doesn't work?
> >
> >
> > This document, which is linked from yours, doesn't say anything so explicit.
> >
> > <title> RegMon for Windows v7.04 </title>
> > http://technet.microsoft.com/en-gb/sysinternals/bb896652.aspx
> >
> > In fact, the only implication on it for Vista is the same implication which
> > is available for XPsp2 users, which I use and on which RegMon works fine.
> >
> > <quote>
> > Note: FileMon and RegMon have been replaced by Process Monitor on
> > versions of Windows starting with Windows 2000 SP4, Windows XP SP2,
> > Windows Server 2003 SP1, and Windows Vista. FileMon and RegMon
> > remain for legacy operating system support
> > </quote>
>
> When you run on Vista you get a message;
>
> Filemon has been replaced by Systinternals Process Monitor for file system
> monitoring on Windows Vista. Download the Process Monitor at...
>
> and the application exits, similar message with Regmon.
> >
> >
> > >
> > > TIA
> >
> >
> > HTH
> >
> > Robert
> > ---
> >
> >
> >
>
> I wonder if manually modifying the permissions attributes on the offending
> keys would work?
>
> TIA

OK I took the bull by the horns, manually editing the permissions on the
offending key seems to have worked and I now have a fully working Windows
Update back.

Thank you to everyone that contributed, helping me solve this issue.

Best Wishes.
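
The ProcMon reports quoted in this thread are pasted event properties, carrying reply markers and a registry path wrapped across two lines. As an added example (not written by any poster in the thread; the function names and the backslash-based rule for rejoining a wrapped path are assumptions), this Python parser reads such text and lists the targets on which a process running as NT AUTHORITY\SYSTEM was denied access:

```python
import re

FIELD_RE = re.compile(r"^(Operation|Result|Path|Desired Access|Description|Company"
                      r"|Name|Version|Command Line|User):\s*(.*)$")
QUOTE_RE = re.compile(r"^(?:>\s?)+")  # leading "> > >" reply markers

def parse_events(text):
    """Turn pasted ProcMon event properties into one dict per event."""
    events, last = [], None
    for raw in text.splitlines():
        line = QUOTE_RE.sub("", raw.strip()).strip()
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Operation":
            events.append({})               # each event starts with Operation
        if m and events:
            key, val = m.groups()
            if key == "Path" and "Path" in events[-1]:
                key = "Image Path"          # second Path is the process image
            events[-1][key], last = val, key
        elif events and last == "Path" and "\\" in line:
            events[-1]["Path"] += " " + line  # assumed rule: wrapped at a space
        else:
            last = None                     # other text ends a continuation
    return events

def denied_by_system(events):
    """Map each target path to the (process, desired access) pairs denied as SYSTEM."""
    out = {}
    for e in events:
        denied = e.get("Result", "").upper() == "ACCESS DENIED"
        if denied and e.get("User", "").upper() == "NT AUTHORITY\\SYSTEM":
            hit = (e.get("Name"), e.get("Desired Access"))
            out.setdefault(e.get("Path", "?"), []).append(hit)
    return out

# Sample assembled from the two events quoted in the thread, reply markers kept.
SAMPLE = r"""> > > Operation: RegOpenKey
> > > Result: ACCESS DENIED
> > > Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based
> > > Servicing\Packages\Package_1_for_KB905866~31bf3856ad364e35~amd64~~6.0.13.0
> > > Desired Access: Read/Write
> > > Name: TrustedInstaller.exe
> > > Path: C:\Windows\servicing\TrustedInstaller.exe
> > > User: NT AUTHORITY\SYSTEM
> > > Operation: RegOpenKey
> > > Result: ACCESS DENIED
> > > Path: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
> > > Desired Access: Set Value
> > > Name: svchost.exe
> > > User: NT AUTHORITY\SYSTEM"""
```

Calling `denied_by_system(parse_events(SAMPLE))` returns one entry per registry key, which gives a short list of keys whose ACLs need inspecting.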