Article ID: 970789 - View products that this article applies to.
In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.
For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:
Furthermore, the missing security descriptor entries protect non-admin file operations directly under the root.
Access is denied.
This problem occurs because the English version of Windows 7 Release Candidate 32-bit Ultimate incorrectly sets access control lists (ACLs) on the root.
For those customers who are affected by this problem, the fix is available through Windows Update:
Hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
PrerequisitesYou must have Windows 7 Release Candidate 32-bit Ultimate installed to apply this hotfix.
Restart requirementYou do not have to restart the computer after you apply this hotfix.
Hotfix replacement informationThis hotfix does not replace a previously released hotfix.
File informationThe English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
The hotfix is released through Windows Update.
Collapse this tableExpand this table
The hotfix package
The CleanWin7RCRoot.exe tool
This issue affects only images that are based on Windows 7 Release Candidate (build 7100) 32-bit Ultimate. To make sure that this update does not affect your user experience, we recommend that you take the following actions:
Cd \When you run the command, the following text should appear:
If the text that appears differs from this text, and you have not previously made any other expected changes, you must install the hotfix.
If you want to manually apply a fix that replicates the functionality of the hotfix, run the following command from an elevated command prompt:
Cd \If you have already applied the hotfix that is described this article, but you have existing directories or folders that were created off the root folder of the system drive and want to apply the fix to those directories, run the following command from an elevated command prompt:
cacls \ /S:D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)
icacls \ /setintegritylevel (OI)(NP)(IO)H
Cd \Note Do not apply the icacls command to subdirectories off the root.
Cd <directory that you want to apply changes to>
cacls <directory that you want to apply changes to> /S:D:AI
This issue affects only images that are based on Windows 7 Release Candidate (build 7100) 32-bit Ultimate.
Offline instructionsThe following instructions apply to the technician who modifies images offline before deployment and before installing applications in the image.
Mount or apply the target image, and then run the following command from an elevated command prompt:
cacls <path to root dir on mounted wim> /S:D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)If you have to apply settings to any user-created folders off the root in the WIM image file, mount or apply the target image, and then run the following command from an elevated command prompt:
icacls <path to root drive on mounted wim> /setintegritylevel (OI)(NP)(IO)H
Cd <path to directory in the WIM that you want to apply changes to>Note Do not apply the icacls command to subdirectories off the root.
cacls <path to directory in the WIM that you want to apply changes to/S:D:AI
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This hotfix has two distinct elements to it, the CleanWin7RCRoot.exe details and the package details.
The CleanWin7RCRoot.exe detailsThis is a scoped fix that tries to resolve the problem, tries to avoid future application compatibility problems, and tries not to take on additional risk by trying to merge user-modified settings. The fix addresses problem by preventing a standard user or guest from creating files under the system root. For any computer that has the problem, the resulting DACL on the system root is the same as the one that is included in the correct SKUs.
Issues that the hotfix does not addressThere are two main issues the hotfix does not address:
UninstallingThe executable file does not support uninstalling. The changes that the hotfix makes are permanent. Even if the package is uninstalled, the changes that CleanWin7RCRoot.exe makes are not reverted.
Error casesThe error cases for the tool are errors only when the executable file identifies the problem but cannot fix the problem. If the executable file determines that it cannot fix the problem because the ACL is not as expected, even if it is still wrong, the tool will return success.
For more information about ACLs and security descriptors, visit the following Microsoft MSDN Web sites:
http://msdn.microsoft.com/en-us/library/bb648648(VS.85).aspxFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/824684/ )Description of the standard terminology that is used to describe Microsoft software updates
Article ID: 970789 - Last Review: October 7, 2011 - Revision: 4.0
Contact us for more help