Error message when you visit the Windows Update Web site or the Microsoft Update Web site: "0x800A0046" (910338)


The information in this article applies to:

  • Microsoft Update
  • Microsoft Windows Update

SYMPTOMS

When you visit the Microsoft Windows Update Web site or the Microsoft Update Web site, the Web site may appear to stop responding. Additionally, you may receive the following error message:
0x800A0046
One of the following entries may be logged in the %windir%\Windowsupdate.log file:
Date	Time	3096	c1c	COMAPI	WARNING: Unable to listen to self-update/shutdown event (hr=0X80070005)
Date	Time	3096	c1c	COMAPI	WARNING: Unable to establish connection to the service. (hr=80070005)

CAUSE

This issue occurs if one or more of the following conditions are true:
  • The DCOM configuration is incorrect.
  • Your user account is a member of the Guests group.
  • The security descriptor in the Automatic Updates service is incorrect.
  • The local security policy is incorrect.

RESOLUTION

To resolve this issue, follow these steps on client computers.

Step 1: Verify DCOM security

  1. Click Start, click Run, type Dcomcnfg, and then click OK.
  2. Expand Component Services, and then expand Computers.
  3. Right-click My Computer, and then click Properties.
  4. Click the COM Security tab.
  5. Under Access Permissions, click Edit Default.
  6. Verify that the following accounts are listed:

    On Microsoft Windows XP-based and Microsoft Windows Server 2003-based clients
    Account namePermission typePermission
    Self, Administrators, or a user who belongs to the Administrators groupLocal accessAllow
    SystemLocal accessAllow
    On Microsoft Windows 2000-based clients
    Account namePermission typePermission
    AdministratorsLocal accessAllow
    SystemLocal accessAllow
  7. If any one of these accounts is missing in the Access Permission box, follow these steps:
    1. Click Add, click Advanced, and then click Locations.
    2. In the Locations box, click the Local_Computer_Name, and then click OK.
    3. Click Find Now.
    4. Press CTRL, click the required account names, and then click OK two times.
    5. In the Group or User names box, click an account that you added, click Local Access in the Permissions for Account_Name box, and then click to select the check box in the Allow column.
    6. Repeat step 7e for all the accounts that you just added, and then click OK.

Step 2: Verify DCOM default properties

  1. Click the Default Properties tab.
  2. Verify that the following configuration:
    • The Enable Distributed COM on this computer check box is selected.
    • In the Default Authentication level box, Connect is selected.
    • In the Default Impersonation level box, Identify is selected.
  3. Make any required changes, and then click OK.
  4. Restart the computer.

Step 3: Verify that your user account is not a member of the Guests group

Note This step applies only to computers that are running Windows Server 2003, Windows XP Professional, or Windows 2000 and that are not joined to a domain.
  1. Click Start, click Settings, and then click Control Panel.
  2. Double-click Administrative Tools.
  3. Expand Computer Management, and then expand Local Users and Groups.
  4. Click Users.
  5. In the right-pane, double-click the account that you used to log on to the computer.
  6. Click the Member Of tab.
  7. Click Guests, click Remove, and then click OK.

Step 4: Verify the security descriptor in the Automatic Updates service

On Windows Server 2003-based and Windows XP-based clients
  1. Click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command, and then press ENTER to reset the security descriptor:

    Sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

    Note In a domain environment, this security setting may be configured by a Group Policy object. If the issue is only temporarily resolved after you type this command, a Group Policy object is probably configured. The domain administrator must modify Group Policy to include the correct security settings.
On Windows 2000-based clients
  1. Download the Subinacl utility. To do this, visit the following Microsoft Web site:

    http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en

  2. Double-click the downloaded file, and then follow instructions in the Windows Resource Kit Tools Setup Wizard. By default, the Subinacl utility is installed in the following directory:

    C:\Program Files\Windows Resource Kits\Tools

  3. Click Start, click Run, type cmd, and then click OK.
  4. At the command prompt, type cd C:\Program Files\Windows Resource Kits\Tools to move to the directory where the Subinacl utility was installed.
  5. Type the following command, and then press ENTER:

    Subinacl /service wuauserv /sddl=D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

    Note In a domain environment, this security setting may be configured by a Group Policy object. If the issue is only temporarily resolved after you type this command, a Group Policy object is probably configured. The domain administrator must modify Group Policy to include the correct security settings.

Step 5: Verify the local security policy

Notes
  • This step applies only to Windows Server 2003-based, Windows XP Professional-based, or Windows 2000-based computers.
  • If your user account belongs to a domain, this security setting may be configured by a Group policy object that is located on the network. Contact the network administrator, or see the following Microsoft Knowledge Base article for more information:

    810739 White Paper: Troubleshooting Group Policy in Windows 2000

  1. Click Start, click Run, type gpedit.msc, and then click OK.
  2. Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Local Policies.
  3. Click User Rights Assignment.
  4. In the right-pane, double-click Impersonate a client after Authentication.
  5. Verify that the Service and Administrators accounts are included.
  6. If the Service account or the Administrators account is missing, follow these steps to add the account:
    1. Click Add User or Group, click Advanced, and then click Locations.
    2. In the Locations box, click Local_Computer_Name, and then click OK.
    3. Click Find Now.
    4. Press CTRL, click the required account names, and then click OK three times.
  7. Restart the computer.

Step 6: Enable user data persistence in Microsoft Internet Explorer

  1. Open Internet Explorer.
  2. On the Tools menu, click Internet Options.
  3. Click the Security tab, and then click Internet.
  4. Click Custom Level.
  5. In the Settings dialog box, scroll to the Miscellaneous section.
  6. Under Userdata persistence, click Enable.
  7. Click OK two times.

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

902093 How to read the Windowsupdate.log file

906602 How to troubleshoot Windows Update, Microsoft Update, and Windows Server Update Services installation issues

Modification Type:MinorLast Reviewed:2/7/2006
Keywords:kbtshoot kbprb KB910338 kbAudITPRO kbAudEndUser
©2004 Microsoft Corporation. All rights reserved.