Printer (driver) install fails due to Access Denied

Posted on 2007-12-04
Last Modified: 2010-04-21
I've been using the excellent PDFCreator for more than 2 years. Today it failed with an empty message box (just an OK button). I removed the software and attempted to install the latest version. It appears to install fine until it gets to the point of adding the printer to the OS - here it fails with an "Access Denied" error message.

I then downloaded Primo32 and that did the same - almost all the install completed and then "Access Denied" at the 'add printer to XP' stage.

Finally, I tried adding any old printer using the Add Printer Wizard. I made out that it was connected to LPT1 and added the first printer in the list. "Unable to Add Printer. Access Denied".

This is a single user machine and I am in the Administrators Group.

I'm guessing this is a permissions issue. I have carried out some bizarre command line security reset procedure (secedit?) but to no avail. I have downloaded an HP Access Denied fix, but that didn't work.

I don't have much more hair to lose, but I'm pulling it out fast while I try to avoid a whole OS reinstall!

Open in new window

Question by:yet_another_jash
  • 9
  • 4
  • 3
  • +1

Assisted Solution

jax79sg earned 100 total points
ID: 20407721
You are most likely right in the permissions issue. At this point of time i did not find any templates that can restore your machine to non hardened state. So we might want to try our luck with the following.

Go to 'Control Panel' -> 'Administrative tools' -> Local Security Policy. This will open up a window. Make sure your settings has the following.
Under local policies -> User rights assignment
- Add administrators to 'Load and unload device drivers'
- Take ownership of files or other objects
Under local policies -> Security Options
- Set disabled to 'Devices: Prevent users fro installing printer drivers'
- Set 'silently succeed' to 'Devices: Unsigned driver installation behaviour"

Hope it helps.

Author Comment

ID: 20407839

Thanks for your prompt response. I checked the settings you suggested and they were set as you described them. On the way in to these individual policies though I was met with a message box "The Group Policy security setting that apply to this machine could not be determined. The error returned when trying to retrieve these settings from the local security database (%windir%\security\database\secedit.sdb) was: The parameter in incorrect.

So with that, I'm not sure if the settings you refer to are even relevant in this context - because the the local policies may be overridden by domain-level policies it suggests.

This machine is networked but is not in a domain.

(There are two spelling mistakes in the message box too!)

Expert Comment

ID: 20407872
Try logging onto the machine as the Local Administrator and installing the printer.
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.


Author Comment

ID: 20407944

Tried that and it failed in the same way!

Expert Comment

ID: 20411394
Try running a windows repair.  Then log in as local administrator

Author Comment

ID: 20421805
Unfortunately, the restore CD I have does not support the RAID array and complains about not being able to see the CDROM drive. I can't take the risk of breaking it through trying to fix it...So, Windows Repair is not an option for me right now....


Expert Comment

ID: 20424378
Try the following to reset your security policies.;%5BLN%5D;278316

Author Comment

ID: 20426132
Nope, that didn't work either....

Expert Comment

ID: 20426176
Have you actually tried to create a new, additional Administrative user and see if you get the same problem?  Maybe something is wrong with your profile?

Author Comment

ID: 20426294
I like that idea, but when I did just as you suggest, the process of adding a printer failed in exactly the same way.  It *has* to be something along the lines of policies/permissions though, doesn't it?

I also noticed today that when I delete something, the recycle bin is reported as being corrupt. I'm off to google that one now and hope it's related somehow.

Assisted Solution

crossl earned 100 total points
ID: 20426675
ok.  Can you use your CD rom logged on as you.  If so, run a Windows consistency check?

At Start / Run  type SFC /SCANNOW.  IT will probably ask you to insert your windows CD.

Author Comment

ID: 20541941
I ran a Windows consistency check - it didn't ask for my CD, neither did it throw up any problems.

I'm still stumped.

Any more suggestions?

Accepted Solution

Radar07 earned 300 total points
ID: 20545188
You said you tried "some bizarre command line security reset procedure (secedit?)". Can you place here exactly what you tried? It may or may not have been something like what I suggest below.

The following could help if your security database has not been shutdown properly:

- open a cmd prompt
- change to the windows\security folder
- run "esentutl /r edb" (no quotes)
- run "esentutl /mh"

If this doesn't fix the problem, try a repair:

- open a cmd prompt
- run "esentutl /p %windir%\security\database\secedit.sdb" (no quotes) - to repair
- run "esentutl /d %windir%\security\database\secedit.sdb" (no quotes) - to defrag

If that still doesn't work, you coud reset securities back to defaults (;en-us;313222) but you lose a lot of custom information (file/folder and registry permissions, policy settings, group membership, etc).

Please report any errors shown in event viewer.


Author Comment

ID: 20547244

Thanks for taking the time to post your suggestions. I have attached the output of them as a code snippet. The first two commands you gave me appeared to be without the necessary arguments ( I have piped the output of them and put it at the top of the code snippet). The next two completed without issue.

After each stage, I checked and can confirm that I still cannot add a printer - it fails with the same error message.

I then performed the security reset procedure that you directed me to in the knowledge base. That completed with errors, so I have included the log file from that operation in the code snippet too.

I really am coming round to the view that there is little I can do to avoid a damn reinstall here....

Thanks again.
- open a cmd prompt
- change to the windows\security folder
- run "esentutl /r edb" (no quotes)
- run "esentutl /mh"
Microsoft(R) Windows(TM) Database Utilities
Version 5.1
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating RECOVERY mode...
    Logfile base name: edb
            Log files: <current directory>
         System files: <current directory>
Performing soft recovery...
Operation terminated with error -528 (JET_errMissingLogFile, Current log file missing) after 0.16 seconds.
Microsoft(R) Windows(TM) Database Utilities
Version 5.1
Copyright (C) Microsoft Corporation. All Rights Reserved.
Usage Error: Missing database/filename specification.
Operation terminated with error -1003 (JET_errInvalidParameter, Invalid API parameter) after 0.0 seconds.
If that still doesn't work, you coud reset securities back to defaults...
Saturday, December 29, 2007 9:03:53 AM
----Configuration engine was initialized successfully.----
----Reading Configuration Template info...
----Configure User Rights...
	Configure S-1-5-21-4082297255-3916078401-944108286-1002.
		remove SeBatchLogonRight.
		remove SeDenyNetworkLogonRight.
		remove SeDenyInteractiveLogonRight.
	Configure S-1-5-21-4082297255-3916078401-944108286-1003.
		remove SeNetworkLogonRight.
		remove SeBatchLogonRight.
		remove SeServiceLogonRight.
		remove SeDenyInteractiveLogonRight.
		remove SeDenyRemoteInteractiveLogonRight.
		remove SeImpersonatePrivilege.
	Configure S-1-5-21-4082297255-3916078401-944108286-1005.
		remove SeBatchLogonRight.
	Configure S-1-5-21-4082297255-3916078401-944108286-501.
		remove SeInteractiveLogonRight.
		remove SeDenyInteractiveLogonRight.
	Configure S-1-5-20.
		remove SeServiceLogonRight.
	Configure S-1-5-19.
	Configure S-1-5-32-551.
	Configure S-1-5-32-544.
	Configure S-1-1-0.
	Configure S-1-5-32-545.
	Configure S-1-5-32-547.
	Configure S-1-5-6.
	Configure S-1-5-4.
	Configure S-1-5-21-861567501-1078081533-725345543-501.
		add SeInteractiveLogonRight.
		add SeDenyNetworkLogonRight.
		add SeDenyInteractiveLogonRight.
	Configure S-1-5-32-555.
	User Rights configuration was completed successfully.
----Configure Group Membership...
	Configure Users.
	Group Membership configuration was completed successfully.
----Configure Registry Keys...
	Configure users\.default.
	Configure users\.default\software\microsoft\netdde.
	Configure machine\software.
	Configure machine\software\classes.
	Configure machine\software\classes\.hlp.
	Configure machine\software\classes\helpfile.
	Configure machine\software\microsoft\ads\providers\ldap\extensions.
	Configure machine\software\microsoft\ads\providers\nds.
	Configure machine\software\microsoft\ads\providers\nwcompat.
	Configure machine\software\microsoft\ads\providers\winnt.
	Configure machine\software\microsoft\bidinterface.
	Configure machine\software\microsoft\command processor.
	Configure machine\software\microsoft\cryptography.
	Configure machine\software\microsoft\cryptography\calais.
	Configure machine\software\microsoft\devicemanager.
	Configure machine\software\microsoft\driver signing.
	Configure machine\software\microsoft\enterprisecertificates.
	Configure machine\software\microsoft\netdde.
	Configure machine\software\microsoft\non-driver signing.
	Configure machine\software\microsoft\ole.
	Configure machine\software\microsoft\rpc.
	Configure machine\software\microsoft\secure.
	Configure machine\software\microsoft\systemcertificates.
	Configure machine\software\microsoft\upnp device host.
	Configure machine\software\microsoft\windows\currentversion\explorer\user shell folders.
	Configure machine\software\microsoft\windows\currentversion\reliability.
	Configure machine\software\microsoft\windows\currentversion\runonce.
	Configure machine\software\microsoft\windows\currentversion\runonceex.
	Configure machine\software\microsoft\windows\currentversion\telephony.
	Configure machine\software\microsoft\windows nt\currentversion\accessibility.
	Configure machine\software\microsoft\windows nt\currentversion\aedebug.
	Configure machine\software\microsoft\windows nt\currentversion\asr\commands.
	Configure machine\software\microsoft\windows nt\currentversion\classes.
	Configure machine\software\microsoft\windows nt\currentversion\drivers32.
	Configure machine\software\microsoft\windows nt\currentversion\efs.
	Configure machine\software\microsoft\windows nt\currentversion\font drivers.
	Configure machine\software\microsoft\windows nt\currentversion\fontmapper.
	Configure machine\software\microsoft\windows nt\currentversion\image file execution options.
	Configure machine\software\microsoft\windows nt\currentversion\inifilemapping.
	Configure machine\software\microsoft\windows nt\currentversion\perflib.
	Configure machine\software\microsoft\windows nt\currentversion\profilelist.
	Configure machine\software\microsoft\windows nt\currentversion\secedit.
	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole.
	Configure machine\software\microsoft\windows nt\currentversion\svchost.
	Configure machine\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\run.
	Configure machine\software\microsoft\windows nt\currentversion\terminal server\install\software\microsoft\windows\currentversion\runonce.
	Configure machine\software\microsoft\windows nt\currentversion\time zones.
	Configure machine\software\microsoft\windows nt\currentversion\windows.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon.
	Configure machine\software\policies.
	Configure machine\system.
	Configure machine\system\currentcontrolset\control\class.
	Configure machine\system\currentcontrolset\control\keyboard layout.
	Configure machine\system\currentcontrolset\control\keyboard layouts.
	Configure machine\system\currentcontrolset\control\lsa\data.
	Configure machine\system\currentcontrolset\control\lsa\gbg.
	Configure machine\system\currentcontrolset\control\lsa\jd.
	Configure machine\system\currentcontrolset\control\lsa\skew1.
	Configure machine\system\currentcontrolset\control\securepipeservers\winreg.
	Configure machine\system\currentcontrolset\control\session manager\executive.
	Configure machine\system\currentcontrolset\control\timezoneinformation.
	Configure machine\system\currentcontrolset\control\wmi\security.
	Configure machine\system\currentcontrolset\services\appmgmt\security.
	Configure machine\system\currentcontrolset\services\clipsrv\security.
	Configure machine\system\currentcontrolset\services\cryptsvc\security.
	Configure machine\system\currentcontrolset\services\dnscache.
	Configure machine\system\currentcontrolset\services\ersvc\security.
	Configure machine\system\currentcontrolset\services\eventlog\security.
	Configure machine\system\currentcontrolset\services\irenum\security.
	Configure machine\system\currentcontrolset\services\netbt.
	Configure machine\system\currentcontrolset\services\netdde\security.
	Configure machine\system\currentcontrolset\services\netddedsdm\security.
	Configure machine\system\currentcontrolset\services\remoteaccess.
	Configure machine\system\currentcontrolset\services\rpcss\security.
	Configure machine\system\currentcontrolset\services\samss\security.
Warning 2: The system cannot find the file specified.
 	Error enumerating info for machine\system\currentcontrolset\services\scarddrv.
	Configure machine\system\currentcontrolset\services\scardsvr\security.
	Configure machine\system\currentcontrolset\services\stisvc\security.
	Configure machine\system\currentcontrolset\services\sysmonlog\log queries.
	Configure machine\system\currentcontrolset\services\tapisrv\security.
	Configure machine\system\currentcontrolset\services\tcpip.
	Configure machine\system\currentcontrolset\services\tcpip\linkage.
	Configure machine\system\currentcontrolset\services\w32time\security.
	Configure machine\system\currentcontrolset\services\wmi\security.
	Configuration of Registry Keys was completed successfully.
----Configure File Security...
	Configure c:\.
	File Security configuration was completed with one or more errors.
----Configure General Service Settings...
	Configure w32time.
	Configure upnphost.
	Configure TrkWks.
	Configure SSDPSRV.
	Configure Spooler.
	Configure SENS.
	Configure seclogon.
	Configure secdrv.
Warning 2: The system cannot find the file specified.
 	Error configuring secdrv.
	General Service configuration was completed with one or more errors.
----Configure available attachment engines...
	Configuration of attachment engines was completed successfully.
----Configure Security Policy...
	Configure password information.
	LSA anonymous lookup names setting : existing SD = D:(D;;0x800;;;AN)(A;;0xf1fff;;;BA)(A;;0x20801;;;WD)(A;;0x801;;;AN)(A;;0x1000;;;LS)(A;;0x1000;;;NS).
	Configure LSA anonymous lookup setting.
	Guest account is disabled.
	System Access configuration was completed successfully.
	Configure log settings.
	Audit/Log configuration was completed successfully.
	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\securitylevel.
	Configure machine\software\microsoft\windows nt\currentversion\setup\recoveryconsole\setcommand.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatecdroms.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatedasd.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\allocatefloppies.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\forceunlocklogon.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\passwordexpirywarning.
	Configure machine\software\microsoft\windows nt\currentversion\winlogon\scremoveoption.
	Configure machine\software\microsoft\windows\currentversion\policies\system\dontdisplaylastusername.
	Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticecaption.
	Configure machine\software\microsoft\windows\currentversion\policies\system\legalnoticetext.
	Configure machine\software\microsoft\windows\currentversion\policies\system\shutdownwithoutlogon.
	Configure machine\software\microsoft\windows\currentversion\policies\system\undockwithoutlogon.
	Configure machine\system\currentcontrolset\control\lsa\auditbaseobjects.
	Configure machine\system\currentcontrolset\control\lsa\crashonauditfail.
	Configure machine\system\currentcontrolset\control\lsa\disabledomaincreds.
	Configure machine\system\currentcontrolset\control\lsa\everyoneincludesanonymous.
	Configure machine\system\currentcontrolset\control\lsa\fipsalgorithmpolicy.
	Configure machine\system\currentcontrolset\control\lsa\forceguest.
	Configure machine\system\currentcontrolset\control\lsa\fullprivilegeauditing.
	Configure machine\system\currentcontrolset\control\lsa\limitblankpassworduse.
	Configure machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel.
	Configure machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminclientsec.
	Configure machine\system\currentcontrolset\control\lsa\msv1_0\ntlmminserversec.
	Configure machine\system\currentcontrolset\control\lsa\nodefaultadminowner.
	Configure machine\system\currentcontrolset\control\lsa\nolmhash.
	Configure machine\system\currentcontrolset\control\lsa\restrictanonymous.
	Configure machine\system\currentcontrolset\control\lsa\restrictanonymoussam.
	Configure machine\system\currentcontrolset\control\print\providers\lanman print services\servers\addprinterdrivers.
	Configure machine\system\currentcontrolset\control\session manager\kernel\obcaseinsensitive.
	Configure machine\system\currentcontrolset\control\session manager\memory management\clearpagefileatshutdown.
	Configure machine\system\currentcontrolset\control\session manager\protectionmode.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enableforcedlogoff.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\enablesecuritysignature.
	Configure machine\system\currentcontrolset\services\lanmanserver\parameters\requiresecuritysignature.
	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enableplaintextpassword.
	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\enablesecuritysignature.
	Configure machine\system\currentcontrolset\services\lanmanworkstation\parameters\requiresecuritysignature.
	Configure machine\system\currentcontrolset\services\ldap\ldapclientintegrity.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\disablepasswordchange.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\maximumpasswordage.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\requiresignorseal.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\requirestrongkey.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\sealsecurechannel.
	Configure machine\system\currentcontrolset\services\netlogon\parameters\signsecurechannel.
	Configuration of Registry Values was completed successfully.
----Configure available attachment engines...
	Configuration of attachment engines was completed successfully.
----Un-initialize configuration engine...

Open in new window


Expert Comment

ID: 20596349
I have no more suggestions. The errors in your detailed submission are not great but are sufficient to encourage me toward a reinstall. The cause of this situation remains a mystery to me but I'm not sure it's worth the hours to avoid the reinstall.

Author Comment

ID: 20598260

Thanks for your patience and suggestions. OK, so let me round this off with a last related query. Is there no easy way of reinstalling (with all apps too) than starting from scratch? I've done it enough times to know it's nauseous and time consuming, but often wondered if there is anyway of making it easier...just wondered. All my data is backed up and so safe...


Expert Comment

ID: 20603462
I use an imaging product when I first install a machine. This captures the operating system and all drivers in a working (and pristine) condition. I then add applications and capture another image. I tend to blat the machine with this second image regularly (say, monthly). This keeps things fresh. If anything drastic happens I use the original image and then reload programs manually. Of course, this means automatic updates need to be reloaded after each reimage so it pays to update the image every so often. A reimage takes about 20 minutes. I know this doesn't really address your current predicament but may help develop new strategies for the future.

As for now, it probably isn't worth setting up an unattended install but it is possible to script all the answers to the install wizard, have the correct drivers load, and then install applications automatically. See (for the short version) or (for the full detailed discussion). There are plenty of other helpful sites available (see Google).

In short, I think the quickest option for you at this stage is a manual (and tiem consuming) install. Sorry.

Author Closing Comment

ID: 31412727
Thanks for your help guys. While I wasn't able to sort this out, you did give me more than one thing to try and in doing so have added to my education! I appreciate your input.

Featured Post

Create the perfect environment for any meeting

You might have a modern environment with all sorts of high-tech equipment, but what makes it worthwhile is how you seamlessly bring together the presentation with audio, video and lighting. The ATEN Control System provides integrated control and system automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

We have adopted the strategy to use Computers in Student Labs as the bulletin boards. The same target can be achieved by using a Login Notice feature in Group policy but it’s not as attractive as graphical wallpapers with message which grabs the att…
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
In an interesting question ( here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

680 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question