In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate, the folder that is created as the root folder of the system drive (%SystemDrive%) is missing entries in its security descriptor. One effect of this problem is that standard users such as non-administrators cannot perform all operations to subfolders that are created directly under the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.
For example, if a folder is created under the root of the system drive from an elevated command prompt, this folder will not correctly inherit permissions from the root of the drive. Therefore, some specific operations, such as deleting the folder, will fail when they are performed from a non-elevated command prompt. Additionally, the following error message appears when the operation fails:
Access is denied.
Furthermore, the missing security descriptor entries protect non-admin file operations directly under the root.
This problem occurs because the English version of Windows 7 Release Candidate 32-bit Ultimate incorrectly sets access control lists (ACLs) on the root.
For those customers who are affected by this problem, the fix is available through Windows Update:
A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.
You must have Windows 7 Release Candidate 32-bit Ultimate installed to apply this hotfix.
You do not have to restart the computer after you apply this hotfix.
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
The hotfix is released through Windows Update.
The hotfix package
The problem exists only on x86 versions of the Windows 7 Release Candidate Ultimate. Only an x86 version of the hotfix was created. This hotfix will install only on Windows 7 Release Candidate (build 7100) 32-bit Ultimate. To avoid additional offering complications, the hotfix will install on all five language versions of the program.
If you successfully install the hotfix on your computer, an update that references this Microsoft Knowledge Base number (970789) will appear in Add or Remove Programs. You can review the list of updates in Add or Remove Programs to confirm that the hotfix installation was successful.
You can uninstall this hotfix and then reinstall it. If you uninstall the hotfix, the ACLs do not return to their previous state. That is, the change that this hotfix makes to the ACLs is not reversed when you uninstall the hotfix.
The CleanWin7RCRoot.exe tool
The CleanWin7RCRoot.exe tool examines the full security descriptor on the root of the system drive that has the "known bad" security descriptor. The tool replaces an incorrect security descriptor with a correct one. After the security descriptor is replaced, folders that are created under the root folder of the system drive inherit the correct ACLs, and applications install successfully.
The hotfix does not repair applications that are already installed.
If you have changed the root security descriptor, the CleanWin7RCRoot.exe tool does not make changes to the ACL. This prevents potential application compatibility problems.
Note You cannot apply this hotfix offline. For information about how to apply this change to offline images, see the "Offline instructions" section later in this document.
This issue affects only images that are based on Windows 7 Release Candidate (build 7100) 32-bit Ultimate. To make sure that this update does not affect your user experience, we recommend that you take the following actions:
Back up your current system.
Start from the DVD.
Format your partition where you want to install Windows 7.
After the Windows 7 installation is complete, install this update from Windows Update before you restore any backups or install any other software.
If you have already installed the operating system without formatting your drive, make sure that your settings are correct. To do this, run the following command from an elevated command prompt:
When you run the command, the following text should appear:
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
If the text that appears differs from this text, and you have not previously made any other expected changes, you must install the hotfix.
If you want to manually apply a fix that replicates the functionality of the hotfix, run the following command from an elevated command prompt:
cacls \ /S:D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)
icacls \ /setintegritylevel (OI)(NP)(IO)H
If you have already applied the hotfix that is described this article, but you have existing directories or folders that were created off the root folder of the system drive and want to apply the fix to those directories, run the following command from an elevated command prompt:
Cd <directory that you want to apply changes to>
cacls <directory that you want to apply changes to> /S:D:AINote Do not apply the icacls command to subdirectories off the root.
This issue affects only images that are based on Windows 7 Release Candidate (build 7100) 32-bit Ultimate.
The following instructions apply to the technician who modifies images offline before deployment and before installing applications in the image.
Mount or apply the target image, and then run the following command from an elevated command prompt:
cacls <path to root dir on mounted wim> /S:D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)
icacls <path to root drive on mounted wim> /setintegritylevel (OI)(NP)(IO)H
If you have to apply settings to any user-created folders off the root in the WIM image file, mount or apply the target image, and then run the following command from an elevated command prompt:
Cd <path to directory in the WIM that you want to apply changes to>
cacls <path to directory in the WIM that you want to apply changes to/S:D:AINote Do not apply the icacls command to subdirectories off the root.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
This hotfix has two distinct elements to it, the CleanWin7RCRoot.exe details and the package details.
The CleanWin7RCRoot.exe details
This is a scoped fix that tries to resolve the problem, tries to avoid future application compatibility problems, and tries not to take on additional risk by trying to merge user-modified settings. The fix addresses problem by preventing a standard user or guest from creating files under the system root. For any computer that has the problem, the resulting DACL on the system root is the same as the one that is included in the correct SKUs.
The executable file checks the full security descriptor on the root of the system drive that has the "known bad" security descriptor.
If the CleanWin7RCRoot.exe tool determines that the security descriptor is incorrect, it replaces the security descriptor with the correct one.
Correct SDDL: D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)S:P(ML;OINPIO;NW;;;HI)
The tool replaces an incorrect security descriptor with a correct one. After the security descriptor is replaced, folders that are created under the root folder of the system drive inherit the correct ACLs, and application installations are successful.
Issues that the hotfix does not address
There are two main issues the hotfix does not address:
The hotfix changes the default DACL on the system root so that it is that same as it is on a Windows 7 RTM-based computer or on a Windows 7 Release Candidate-based computer. However, this hotfix does not propagate the changes to subdirectories.
The hotfix does not try to fix any root security descriptors that have been modified by the end-user.
The executable file does not support uninstalling. The changes that the hotfix makes are permanent. Even if the package is uninstalled, the changes that CleanWin7RCRoot.exe makes are not reverted.
The error cases for the tool are errors only when the executable file identifies the problem but cannot fix the problem. If the executable file determines that it cannot fix the problem because the ACL is not as expected, even if it is still wrong, the tool will return success.
For more information about ACLs and security descriptors, visit the following Microsoft MSDN Web sites:
http://msdn.microsoft.com/en-us/library/bb648648(VS.85).aspxFor more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates