Microsoft Store Apps fail to start if default registry or file permissions modified

Applies to: Windows 10, version 1809Windows 10Windows 8 More

Notice


This article is intended for IT professionals. For home users who encounter Microsoft Store App issues, go to Fix problems with apps from Microsoft Store.

Symptoms


Issue 1

When you click the tile of a Microsoft Store App, the App begins to start, and then Windows just returns to the start screen. No on-screen error is displayed.

Microsoft-Windows-Immersive-Shell event 5961 is logged under the Applications and Services Logs\Microsoft\Windows\Apps\Microsoft-Windows-TWinUI/Operational event log path:

Note: The app portion of the example event, "<app name>", will change depending on the application that fails to start. 

Possible values for <app name> include but are not limited to:

microsoft.windowscommunicationsapps_8wekyb3d8bbwe!Microsoft.WindowsLive.Chat

Prefixes for other built-in Microsoft Store Apps include:

Microsoft.BingFinance_8wekyb3d8bbwe!<app identifier>
Microsoft.BingMaps_8wekyb3d8bbwe!<app identifier>
Microsoft.BingNews_8wekyb3d8bbwe!<app identifier>
Microsoft.BingSports_8wekyb3d8bbwe!<app identifier>
Microsoft.BingTravel_8wekyb3d8bbwe!<app identifier>
Microsoft.BingWeather_8wekyb3d8bbwe!<app identifier>
Microsoft.Bing_8wekyb3d8bbwe!<app identifier>
Microsoft.Camera_8wekyb3d8bbwe!<app identifier>
Microsoft.Media.PlayReadyClient_8wekyb3d8bbwe!<app identifier>
microsoft.microsoftskydrive_8wekyb3d8bbwe!<app identifier>
Microsoft.Reader_8wekyb3d8bbwe!<app identifier>
Microsoft.VCLibs.110.00_8wekyb3d8bbwe!<app identifier>
microsoft.windows.authhost.a_8wekyb3d8bbwe!<app identifier>
microsoft.windowscommunicationsapps_8wekyb3d8bbwe!<app identifier>
microsoft.windowsphotos_8wekyb3d8bbwe!<app identifier>
Microsoft.WinJS.1.0.RC_8wekyb3d8bbwe!<app identifier>
Microsoft.WinJS.1.0_8wekyb3d8bbwe!<app identifier>
Microsoft.XboxLIVEGames_8wekyb3d8bbwe!<app identifier>
Microsoft.ZuneMusic_8wekyb3d8bbwe!<app identifier>
Microsoft.ZuneVideo_8wekyb3d8bbwe!<app identifier>

Issue 2

You cannot start a Microsoft Store App, open Start screen, and use Search in Windows. Additionally, you receive the following event log in Application logs:

If you use Process Monitor to track the Apps' executables or related files, you may see "access denied" is logged, which points to missing permissions for the currently logon user. This includes the following:

  1. Registry hives and its subkeys:
    1. HKEY_CLASSES_ROOT

    2. HKEY_LOCAL_MACHINE\Drivers

    3. HKEY_LOCAL_MACHINE\HARDWARE

    4. HKEY_LOCAL_MACHINE\SAM

    5. HKEY_LOCAL_MACHINE\SOFTWARE

    6. HKEY_LOCAL_MACHINE\SYSTEM

    7. HKEY_USERS

  2. For file subsystem :

    1. Program Files - Read, Read and Execute, List folder Contents

    2. Windows - Read, Read and Execute, List folder Contents

    3. Users\<userName>\AppData\Local\Microsoft\Windows\WER - Special Permissions (List folder / read data, Create Folders /Append Data)

Cause


For issue 1

Registry and or file system permissions may have been changed from their defaults.  

The "All Application Packages" group (a well known group with a predefined SID) must have specific access to certain locations of the registry and file system for Microsoft Store Apps to function properly.

For issue 2

This issue occurs because the read permission is missing from any or all the keys. Therefore, 0xc000027b is logged. This error without exception is missing permission for ALL APPLICATION PACKAGES at registry location or file subsystem locations.

Registry and File System permission must be reverted to a state that will allow Microsoft Store App to function


If you use Group Policy to manage permissions, or if you are unsure whether Group Policy is used to manage permissions, follow these steps:

  • Unjoin the computer from the domain or put the computer in a test OU with block policy inheritance enabled. This prevents the domain-based Group Policy from reapplying the permission changes and breaking the modern applications again after you have fixed them.
  • Add permissions where they are required per the following details.
  • Edit the Group Policy that manages to permissions so that it no longer breaks modern application.

Registry and File System permission must be reverted back to a state that will allow Microsoft Store App to function. Follow this method to resolve the issue

  1. Determine if file system permissions have been changed. If not see the "More Information" section below
  2. If so how were they changed? Manually or with Group Policy?
  3. Determine if registry permissions have been changed If not see the "More Information" section below
  4. If so how were they changed? Manually or with Group Policy?
  5. Verify secpol and GPPs specifically.

Determining if File System permissions have been changed

Check the folders listed below. Determine if the All Application Packages group has the access indicated. Most but not all sub directories of Windows, Program Files and WER also grant permissions to the All Application Packages group.

  • Program Files - Read, Read and Execute, List folder Contents
  • Windows - Read, Read and Execute, List folder Contents
  • Users\<userName>\AppData\Local\Microsoft\Windows\WER - Special Permissions (List folder / read data, Create Folders /Append Data)

Determining if registry permissions have changed

Check the registry keys listed below. Make sure the All Applications Packages group has the Read permissions to the following registry paths:

  • HKEY_CLASSES_ROOT
  • HKEY_LOCAL_MACHINE\Drivers
  • HKEY_LOCAL_MACHINE\HARDWARE
  • HKEY_LOCAL_MACHINE\SAM
  • HKEY_LOCAL_MACHINE\SOFTWARE
  • HKEY_LOCAL_MACHINE\SYSTEM
  • HKEY_USERS

Most but not all of the subkeys of the registry keys listed above will grant the "All Application Packages" group read access.

Determining if Group Policy is being used to manage permissions

  1. Logon to a PC as a user experiencing the problem
  2. Open an administrative command prompt then run the following command:

    > gpresult /h <path>\gpreport.html
     
  3. Open the file gpreport.html and expand the following path:

    Computer Settings -> Policies\Windows Settings\Security Settings. look for "File System" and Registry. If these exist then GP is assigning permission. You must edit the GP to include the necessary permissions for the All Application Packages group.

Steps to fix the problem

Depending on how the file system permissions were changed will determine how to recover from the problem. The most common ways permissions are changed are manually and by Group Policy.

Important Note -  Make sure that you test your resolution in a lab before widely deploying. Always backup any important data before changing registry and file system permissions.

Fixing file system permissions that have been changed manually

  1. Open File Explorer
  2. Browse to "c:\Program Files "
  3. Right click and select properties
  4. Select the "Security" tab
  5. Click the "Advanced" button
  6. Click the "Change permissions" button
  7. Click the Add button
  8. Click "Select a principal" link
  9. Click the locations button and select the local computer
  10. Add the All Applications Packages group name and click ok
  11. Make sure that Type = allow and Applies to = This folder, subfolder and files.
  12. Check Read & Execute, List folder contents and Read.
  13. Check the box Replace all child object permissions with inheritable permission entries from this object
  14. Click Apply and OK.
  15. Repeat for c:\Windows
  16. Repeat for c:\Users but grant the "All Application Packages" group Full Control.
  17. Click Apply and Ok. 

Fixing file system permissions changed by Group Policy

Have a Group Policy administrator do the following:

  • Open Group Policy Administrative Console
  • Locate the GPO identified in the step "Determining if Group Policy is being used to manage permissions"
  • Right click and select edit.
  • Go to the location Computer Configuration\Policy\Windows Settings\Security Settings\File System
  • If there is an entry for the paths already created you can edit it. If no entry exists create a new entry for each path.
  • To create a new entry right click file system and select add file
  • Browse to the path c:\Program Files, click OK
  • Select the Add button.
  • Click the locations button and select the local machine name
  • Add the "All Application Packages" group and grant them the Read, Read and Execute, List folder Contents permissions
  • Click OK and OK
  • Select the option "Replace existing permissions on all subfolders and files with inheritable permissions.
  • Repeat for C:\Windows
  • Repeat for C:\Users however grant the "All Application Packages" group Full Control.
  • You will need to wait for the Group policy change to replicate to all Domain Controller s and for all clients to update their Group Policy settings.

    Note: Processing the File System changes will incur some logon delay the first time this policy is processed. Subsequent logons will not be impacted unless changes are made to the policy. As an alternative you can use a script that is called post logon by the user is run as a scheduled task.

    Fixing registry permissions that have been changed manually

    • Open regedit.exe
    • Right click on HKEY_Users and select properties
    • Make sure that All Application Packages has Read
    • Repeat for HKEY_CLASSES_ROOT
    • Expand HKEY_LOCAL_MACHINE. Check the subkeys HARDWARE, SAM,SOFTWARE,SYSTEM. Make sure that All Application Packages has the Read permission.

     Fixing Registry Permissions that have been changed by Group Policy

     Have a Group Policy administrator do the following:

  • Open Group Policy Administrative Console
  • Locate the GPO identified in the step "Determining if Group Policy is being used to manage permissions"
  • Right click and select edit.
  • Go to the location Computer Configuration\Policy\Windows Settings\Security Settings\Registry
  • Right Click and select Add Key
  • Select CLASSES_ROOT,
  • Select the Add button.
  • Click the locations button and select the local machine name
  • Add the "All Application Packages" group and grant them Read
  • Repeat for "Users"
  • Repeat for MACHINE\HARDWARE, MACHINE\SAM, MACHINE\SOFTWARE and MACHINE\SYSTEM
  • More Information


    For more information, refer to the following articles:

    Win8: App: Modern: Microsoft Store Apps Fail to Start if the User Profiles or the ProgramData directory are Moved from their Default Location

    And refer to the following article and its "File system and registry access control list modifications" section:

    Security configuration guidance support

    File system and registry access control list modifications

    Windows XP and later versions of Windows have significantly tightened permissions throughout the system. Therefore, extensive changes to default permissions should not be necessary.

    Additional discretionary access control list (DACL) changes may invalidate all or most of the application compatibility testing that is performed by Microsoft. Frequently, changes such as these have not undergone the thorough testing that Microsoft has performed on other settings. Support cases and field experience have shown that DACL edits change the fundamental behavior of the operating system, frequently in unintended ways. These changes affect application compatibility and stability and reduce functionality, with regard to both performance and capability.

    Because of these changes, we do not recommend that you modify file system DACLs on files that are included with the operating system on production systems. We recommend that you evaluate any additional ACL changes against a known threat to understand any potential advantages that the changes may lend to a specific configuration. For these reasons, our guides make only very minimal DACL changes and only to Windows 2000. For Windows 2000, several minor changes are required. These changes are described in the Windows 2000 Security Hardening Guide.

    Extensive permission changes that are propagated throughout the registry and file system cannot be undone. New folders, such as user profile folders that were not present at the original installation of the operating system, may be affected. Therefore, if you remove a Group Policy setting that performs DACL changes, or you apply the system defaults, you cannot roll back the original DACLs.

    Changes to the DACL in the %SystemDrive% folder may cause the following scenarios:

    • The Recycle Bin no longer functions as designed, and files cannot be recovered.
    • A reduction of security that lets a non-administrator view the contents of the administrator’s Recycle Bin.
    • The failure of user profiles to function as expected.
    • A reduction of security that provides interactive users with read access to some or to all user profiles on the system.
    • Performance problems when many DACL edits are loaded into a Group Policy object that includes long logon times or repeated restarts of the target system.
    • Performance problems, including system slowdowns, every 16 hours or so as Group Policy settings are reapplied.
    • Application compatibility problems or application crashes.

    To help you remove the worst results of such file and registry permissions, Microsoft will provide commercially reasonable efforts in line with your support contract. However, you cannot currently roll back these changes. We can guarantee only that you can return to the recommended out-of-the-box settings by reformatting the hard disk drive and by reinstalling the operating system.

    For example, modifications to registry DACLs affect large parts of the registry hives and may cause systems to no longer function as expected. Modifying the DACLs on single registry keys poses less of a problem to many systems. However, we recommend that you carefully consider and test these changes before you implement them. Again, we can guarantee only that you can return to the recommended out-of-the-box settings if you reformat and reinstall the operating system.