For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:
Hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
PrerequisitesYou must have Windows 7 Release Candidate 32-bit Ultimate installed to apply this hotfix.
Restart requirementYou do not have to restart the computer after you apply this hotfix.
Hotfix replacement informationThis hotfix does not replace a previously released hotfix.
File informationThe English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
|File name||File version||File size||Date||Time||Platform|
The hotfix package
- The problem exists only on x86 versions of the Windows 7 Release Candidate Ultimate. Only an x86 version of the hotfix was created. This hotfix will install only on Windows 7 Release Candidate (build 7100) 32-bit Ultimate. To avoid additional offering complications, the hotfix will install on all five language versions of the program.
- If you successfully install the hotfix on your computer, an update that references this Microsoft Knowledge Base number (970789) will appear in Add or Remove Programs. You can review the list of updates in Add or Remove Programs to confirm that the hotfix installation was successful.
- You can uninstall this hotfix and then reinstall it. If you uninstall the hotfix, the ACLs do not return to their previous state. That is, the change that this hotfix makes to the ACLs is not reversed when you uninstall the hotfix.
The CleanWin7RCRoot.exe tool
- The CleanWin7RCRoot.exe tool examines the full security descriptor on the root of the system drive that has the "known bad" security descriptor. The tool replaces an incorrect security descriptor with a correct one. After the security descriptor is replaced, folders that are created under the root folder of the system drive inherit the correct ACLs, and applications install successfully.
- The hotfix does not repair applications that are already installed.
- If you have changed the root security descriptor, the CleanWin7RCRoot.exe tool does not make changes to the ACL. This prevents potential application compatibility problems.
- Back up your current system.
- Start from the DVD.
- Format your partition where you want to install Windows 7.
- After the Windows 7 installation is complete, install this update from Windows Update before you restore any backups or install any other software.
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
If you want to manually apply a fix that replicates the functionality of the hotfix, run the following command from an elevated command prompt:
cacls \ /S:D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)
icacls \ /setintegritylevel (OI)(NP)(IO)H
Cd <directory that you want to apply changes to>
cacls <directory that you want to apply changes to> /S:D:AI
This issue affects only images that are based on Windows 7 Release Candidate (build 7100) 32-bit Ultimate.
Offline instructionsThe following instructions apply to the technician who modifies images offline before deployment and before installing applications in the image.
Mount or apply the target image, and then run the following command from an elevated command prompt:
icacls <path to root drive on mounted wim> /setintegritylevel (OI)(NP)(IO)H
cacls <path to directory in the WIM that you want to apply changes to/S:D:AI
The CleanWin7RCRoot.exe detailsThis is a scoped fix that tries to resolve the problem, tries to avoid future application compatibility problems, and tries not to take on additional risk by trying to merge user-modified settings. The fix addresses problem by preventing a standard user or guest from creating files under the system root. For any computer that has the problem, the resulting DACL on the system root is the same as the one that is included in the correct SKUs.
- The executable file checks the full security descriptor on the root of the system drive that has the "known bad" security descriptor.
- If the CleanWin7RCRoot.exe tool determines that the security descriptor is incorrect, it replaces the security descriptor with the correct one. Correct SDDL: D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)
- The tool replaces an incorrect security descriptor with a correct one. After the security descriptor is replaced, folders that are created under the root folder of the system drive inherit the correct ACLs, and application installations are successful.
Issues that the hotfix does not addressThere are two main issues the hotfix does not address:
- The hotfix changes the default DACL on the system root so that it is that same as it is on a Windows 7 RTM-based computer or on a Windows 7 Release Candidate-based computer. However, this hotfix does not propagate the changes to subdirectories.
- The hotfix does not try to fix any root security descriptors that have been modified by the end-user.
UninstallingThe executable file does not support uninstalling. The changes that the hotfix makes are permanent. Even if the package is uninstalled, the changes that CleanWin7RCRoot.exe makes are not reverted.
Error casesThe error cases for the tool are errors only when the executable file identifies the problem but cannot fix the problem. If the executable file determines that it cannot fix the problem because the ACL is not as expected, even if it is still wrong, the tool will return success.
Article ID: 970789 - Last Review: Oct 7, 2011 - Revision: 1