Systems that have changed the default Access Control List permissions on the %windir%\registration directory may experience various problems after you install the Microsoft Security Bulletin MS05-051 for COM+ and MS DTC (909444)
The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003 SP1
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Professional SP2
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server SP4

SYMPTOMS

On a computer that is running Microsoft Windows XP, Microsoft Windows 2000, or Windows Server 2003, one or more problems may occur after you install the critical update that is discussed in Microsoft Security Bulletin MS05-051. These problems include the following:
  • The Windows Installer service may not start.
  • The Windows Firewall Service may not start.
  • The Network Connections folder is empty.
  • The Windows Update Web site may incorrectly recommend that you change the Userdata persistence setting in Microsoft Internet Explorer.
  • Active Server Pages (ASP) pages that are running on Microsoft Internet Information Services (IIS) return an "HTTP 500 - Internal Server Error" error message.
  • The Microsoft COM+ EventSystem service will not start.
  • COM+ applications will not start.
  • The computers node in the Microsoft Component Services Microsoft Management Console (MMC) tree will not expand.
  • Authenticated users cannot log on, and a blank screen appears after the users apply the October Security Updates.
  • In a server cluster configuration, the cluster service may not start. The following events are logged in the cluster log file:
    ERR [NM] Couldn't establish connection point with Net Connection Manager, status 80070005.
    WARN [NM] Couldn't initialize Net Connection Manager advise sink, status 80070005
    ERR [NM] Initialization failed -2147024891
  • An event that is similar to the following may be logged in the System log:
    Event ID: 512
    Source: CryptSvc
    Description:
    The Cryptographic Services service failed to initialize the VSS backup "System Writer" object.

    Details:
    System Writer object failed to subscribe to VSS.

    System Error:
    Catastrophic failure
  • An access denied error may occur when you try to connect to Windows Management Instrumentation (WMI) by using script, the WBEMTest.exe utility, or other utilities. The %windir%\system32\wbem\logs\wbemprox.log file contains errors that are similar to the following error at the time of the failure:
    ConnectViaDCOM, CoCreateInstanceEx resulted in hr = 0x80070005
  • You may receive the following COM+ 1.0 catalog error message when you create an empty COM+ application:
    XACT_E_RECOVERYINPROGRESS (0x8004d082)

CAUSE

This problem can occur if any COM applications or COM+ applications cannot access the COM+ catalog files. The application cannot access the COM+ catalog files because the default permissions on the COM+ catalog directory and files have been changed from the default settings. Before Microsoft Security Bulletin MS05-051, explicit permissions to the COM+ catalog were not required. The COM+ catalog files are .clb files and are located in the %windir%\registration folder. By default, the COM+ catalog directory and files have the following permissions:
                                           Administrators  System        Everyone        Authenticated users  Server operators
Windows 2000 Non-Domain Controller         Full Control    Full Control  Read            -                    -
Windows 2000 Domain Controller             Full Control    Full Control  -               Modify               Read & Execute
Windows Server 2003 Non-Domain Controller  Full Control    Full Control  Read            -                    -
Windows Server 2003 Domain Controller      Full Control    Full Control  Read & Execute  -                    -

RESOLUTION

Based on security changes implemented in MS05-051, Read level NTFS file system permission is required to the %windir%\registration folder. Default permissions include Read access for the Everyone group. If this configuration is changed, applications and services may exhibit unexpected behavior. Organizations that have chosen to implement more restrictive NTFS security permissions should consider granting Read level permissions through group membership for users, applications, and services that require access to COM functionality. We recommend that the default settings for the folder be used to avoid potential application compatibility problems. Extensive application compatibility testing is recommended for administrators who want to implement settings other than the default settings. For more information about the issues that may be experienced by modifying permissions on system folders, click the following article number to view the article in the Microsoft Knowledge Base:

885409 Security configuration guidance support

Besides NTFS permissions, the Bypass traverse checking user right is required. By default, this right is granted to the Everyone group. As stated for NTFS permissions, users, applications, and services should be granted this right through group membership. For more information about the Bypass traverse checking user right, click the following article number to view the article in the Microsoft Knowledge Base:

823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

To resolve this problem, restore the default permissions to the COM+ catalog.

For a computer that is running Windows 2000 or Windows Server 2003 and is not running as a domain controller, follow these steps:
  1. In the %windir%\registration folder, make sure that the Everyone group has Read permissions.
  2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
  3. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
  4. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the "Allow inheritable auditing entries from the parent to propagate to this object and all objects. Include these with entries explicitly defined here" option is selected.
  5. Make sure that the Everyone group has one of the following permissions:
    • Traverse permissions ("List Folder Contents") on all parent directories, including %systemdrive%, %windir%, and %windir%\registration
    • The Bypass traverse checking user right
    To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
    3. Right-click Bypass traverse checking, and then click Properties.
    4. Click Add User or Group.
    5. Type Everyone, and then click OK.

      Note If you receive a message that an object named "Users" cannot be found, click Object Types, click to select the Groups check box, and then click OK two times.

For a domain controller that is running Windows 2000, follow these steps:
  1. In the %windir%\registration folder, make sure that the Authenticated Users group has Read & Execute permissions.
  2. In the %windir%\registration folder, make sure that the Server Operators group has Modify permissions.
  3. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
  4. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
  5. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the "Allow inheritable permissions from parent to propagate to this object" option is selected.

For a domain controller that is running Windows Server 2003, follow these steps:
  1. In the %windir%\registration folder, make sure that the Everyone group has Read & Execute permissions.
  2. In the %windir%\registration folder, make sure that the SYSTEM account has Full Control permissions.
  3. In the %windir%\registration folder, make sure that the Administrators group has Full Control permissions.
  4. In the advanced security properties of the .clb files in the %windir%\registration folder, make sure that the "Allow inheritable auditing entries from the parent to propagate to this object and all objects. Include these with entries explicitly defined here" option is selected.
  5. Make sure that the Everyone group has one of the following permissions:
    • Traverse permissions ("List Folder Contents") on all parent directories, including %systemdrive%, %windir%, and %windir%\registration
    • The Bypass traverse checking user right
    To assign the Bypass traverse checking user right to the Everyone group, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then expand User Rights Assignment.
    3. Right-click Bypass traverse checking, and then click Properties.
    4. Click Add User or Group.
    5. Type Everyone, and then click OK.

      Note If you receive a message that an object named "Users" cannot be found, click Object Types, click to select the Groups check box, and then click OK two times.

Note The system may later create additional .clb files in the %windir%\registration folder. To make sure that the new .clb files have the appropriate permissions, grant the Read permissions to the whole directory instead of just granting it directly to the .clb files that currently exist. You can use the Cacls.exe file to automate these permission changes on the affected computer or to easily roll out the changes to multiple computers.

For a computer that is running Windows 2000 or Windows Server 2003 and is not running as a domain controller, use the following commands:

    echo y| cacls %windir%\registration /G everyone:R system:F administrators:F
    echo y| cacls %windir%\registration\*.clb /G everyone:R system:F administrators:F

For a domain controller that is running Windows 2000, use the following command:

    echo y| cacls %windir%\registration /G "Authenticated Users":R "Server Operators":R system:F administrators:F

For a domain controller that is running Windows Server 2003, use the following commands:

    echo y| cacls %windir%\registration /G everyone:R system:F administrators:F
    echo y| cacls %windir%\registration\*.clb /G everyone:R system:F administrators:F

Note Make sure that there is no space between the y character and the pipe (|) character. If there is a space between these characters, the commands will not correctly execute.
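The following PowerShell audit script is an added example, not Microsoft's code or part of this article: it reads the ACLs on %windir%\registration, its .clb files and the parent folders and reports every entry that falls short of the defaults listed in the steps above, without changing anything. The -Role parameter, the identity strings and the Test-MinimumRights function are assumptions of this example; the Bypass traverse checking user right is a policy setting that Get-Acl cannot see, so the script only flags a missing traverse entry for you to confirm.

```powershell
# Added audit script, not part of KB 909444: list ACL entries on %windir%\registration, its .clb
# files and the parent folders that fall short of the defaults in the RESOLUTION steps.
# Assumptions: elevated PowerShell session; the caller supplies -Role to select the expected identities.
param(
    [ValidateSet('MemberServer', 'Win2000DC', 'Win2003DC')]
    [string]$Role = 'MemberServer'
)
$catalog = Join-Path $env:windir 'registration'

# Minimum rights per identity, taken from the RESOLUTION steps for each role.
$expected = switch ($Role) {
    'MemberServer' { @{ 'Everyone' = 'Read'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' } }
    'Win2000DC'    { @{ 'NT AUTHORITY\Authenticated Users' = 'ReadAndExecute'; 'BUILTIN\Server Operators' = 'Modify'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' } }
    'Win2003DC'    { @{ 'Everyone' = 'ReadAndExecute'; 'NT AUTHORITY\SYSTEM' = 'FullControl'; 'BUILTIN\Administrators' = 'FullControl' } }
}

# True when an Allow ACE for $identity on $item carries at least the rights named in $rights.
function Test-MinimumRights([string]$item, [string]$identity, [string]$rights) {
    $want = [System.Security.AccessControl.FileSystemRights]$rights
    foreach ($ace in (Get-Acl -Path $item).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -ne $identity) { continue }
        if (($ace.FileSystemRights -band $want) -eq $want) { return $true }
    }
    return $false
}

$problems = @()
$targets = @($catalog) + @(Get-ChildItem -Path $catalog -Filter '*.clb' | ForEach-Object { $_.FullName })
foreach ($target in $targets) {
    foreach ($identity in $expected.Keys) {
        if (-not (Test-MinimumRights $target $identity $expected[$identity])) {
            $problems += "$target : '$identity' lacks $($expected[$identity])"
        }
    }
}

# Step 5 for member servers and Windows Server 2003 DCs: Everyone needs traverse on every parent
# folder, or the Bypass traverse checking user right (a policy setting Get-Acl cannot see).
if ($Role -ne 'Win2000DC') {
    foreach ($parent in @(($env:SystemDrive + '\'), $env:windir)) {
        if (-not (Test-MinimumRights $parent 'Everyone' 'Traverse')) {
            $problems += "$parent : 'Everyone' cannot traverse; confirm Bypass traverse checking is granted"
        }
    }
}

if ($problems.Count -eq 0) { Write-Output "ACL on $catalog matches the KB 909444 defaults for role $Role" }
else { $problems | ForEach-Object { Write-Output "DEVIATION: $_" } }
```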

MORE INFORMATION

When this problem occurs, you may receive one or more of the following events in the event log:
  • The following EventSystem event may be logged in the event log if the Network Service account does not have the correct permissions:
    Event Type: Error
    Event Source: EventSystem
    Event Category: (50)
    Event ID: 4609
    Date: <Date>
    Time: <Time>
    User: N/A
    Computer: Server
    Description: The COM+ Event System detected a bad return code during its internal processing. HRESULT was 80070005 from line xx of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.
  • The following COM+ event may be logged in the event log if the Network Service account does not have the correct permissions:
    Event Type: Information
    Event Source: COM+
    Event Category: (117)
    Event ID: 778
    Date: <Date>
    Time: <Time>
    User: N/A
    Computer: Server
    Description: Application image dump failed.
    Server Application ID: <GUID>
    Server Application Instance ID: <GUID>
    Server Application Name: COM+ Explorer
    Error Code = 0x80004005 : Unspecified error
    COM+ Services Internals Information: File: d:\qxp_slp\com\com1x\src\shared\util\svcerr.cpp, Line: 1259 Comsvcs.dll file version: ENU 2001.12.4414.308 shp
    For more information, see Help and Support Center at http://support.microsoft.com.
  • The following COM+ event may be logged in the event log if the Network Service account does not have the correct permissions:
    Event Type: Error
    Event Source: COM+
    Event Category: Unknown
    Event ID: 4689
    Date: <Date>
    Time: <Time>
    User: N/A
    Computer: Server
    Description: The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\qxp_slp\com\com1x\src\comsvcs\package\cpackage.cpp(1184), hr = 80070005: InitEventCollector failed
    For more information, see Help and Support Center at http://support.microsoft.com.
  • When you try to browse an ASP page that is running on an IIS service and the Show friendly HTTP error messages option is not selected in Internet Explorer, you may receive the following error message:
    Server Application Error.
    The server has encountered an error while loading an application during the processing of your request. Please refer to the event log for more detail information. Please contact the server administrator for assistance.
    HTTP 500 - Internal server error Internet Explorer
    An event similar to the following may also be logged in the event log:
    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10010
    Date: <Date>
    Time: <Time>
    User: NT AUTHORITY\SYSTEM
    Computer: Server
    Description: The server <GUID> did not register with DCOM within the required timeout.
  • When you try to manually start COM+ applications in Component Services, you may receive the following error message:
    Catalog Error: An error occurred while processing the last operation. Error code 80080005 - Server execution failed. The event log may contain additional troubleshooting information.
    Events similar to the following may also be logged in the event log:
    Event Type: Error
    Event Source: DCOM
    Event Category: None
    Event ID: 10010
    Date: <Date>
    Time: <Time>
    User: NT AUTHORITY\SYSTEM
    Computer: Server
    Description: The server <GUID> did not register with DCOM within the required timeout.

    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 36
    Date: <Date>
    Time: <Time>
    User: N/A
    Computer: Server
    Description: The server failed to load application '/LM/W3SVC/1/ROOT'. The error was 'Server execution failed '.
    For additional information specific to this message please visit the Microsoft Online Support site located at: http://search.support.microsoft.com/search/?adv=1.
    For more information, see Help and Support Center at http://support.microsoft.com.
  • When you try to install an application or when you try to manually start the Windows Installer Service, you may receive the following error message:
    The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows Installer is not correctly installed. Contact your support personnel for assistance.
  • The Windows Firewall Service may not start with the following error code:
    Error Result : 0x80070005 ( -2147024891 ) ID Defined as : E_ACCESSDENIED Message Text : Access is denied.

Steps to reproduce this problem

Remove the system account and the Everyone account from the file permissions for the *.clb files. To do this, follow these steps:
  1. Click Start, click Run, type Explorer.exe c:\winnt\registration, and then click OK.
  2. In Windows Explorer, right-click the Registration folder, click Properties, and then click the Security tab.
  3. In the Registration Properties dialog box, click System under Group and User Name, and then click Advanced.
  4. In the Advanced Security Settings for Registration dialog box, click Remove, and then click OK.
  5. Repeat step 3 and step 4 to stop the Everyone account from accessing .clb files.

Modification Type: Major
Last Reviewed: 9/22/2006
Keywords: kbtshoot kbprb KB909444 kbAudDeveloper kbAudITPRO