Temporary install folders (for example *.msi) having permission problems in Win7

Posted on 2011-03-01
Last Modified: 2012-05-11
When this Windows 7 Enterprise 64 bit runs software updates or uninstalls (examples; Win 7 updates, Apple Quicktime, etc) it often creates a temporary folder and places files in there to uncompress, etc which will be deleted after installation is complete. However, I now often get error messages to the effect that I do not have sufficeint permission to access the folder used (remember this is the installer making and using the folder). If I hit "retry" it usually proceeds correctly. I can also go into the C: drive directory and open the file folder which will be used but even then, I get the error message about folder permission after the OS writes a file into it.

I believe this is preventing a lot of normal updating to install correctly. If I manually install the updates (i.e. start the RUN process and then hit "retry" throughout the installation) it works. But there are probably updates I am missing and some pushed SW from Corp doesnt install at all.


Question by:reevesrw
  • 4
  • 3
LVL 40

Expert Comment

by:Vadim Rapp
ID: 35012307
> Ideas?

I'm pretty sure it will be absolutely impossible to say for sure, especially because you hit retry and it works, so it involves some timing... but what certainly comes to mind is some recent security update applied. If you can uninstall them, it's definitely something to try out.

Author Comment

ID: 35013038

Well there are 144 updates in all and maybe 60 of those are windows security patches. I cant recall when this started but its been a while. Its only recently I noticed some things were actually NOT getting installed or updated. So I dont think I can go back and uninstall until I get a winner.

I do note that there are a variety of different permissions and that the Config.msi folderfor example,  in the C:\ drive which is a frequent recipient of the error has less objects described than either C:\ or c:\windows. For example the C:\windows has the provision for trusted installer as well as User whereas Config.MSI has only SYSTEM and Administrators defined. I am guessing that there are different entities being called to create the folder, write a file to the folder, read the file and delete it afterward. I could probably trace those in the windows error log the next time I try a forced update. I am also going to compare permission settings to similarly configured laptops in the corporate sphere which dont have this folder problem.  

LVL 40

Assisted Solution

by:Vadim Rapp
Vadim Rapp earned 500 total points
ID: 35013159
Look in event log/security; also, you can enable object access audit in local security settings. But I think, the chances to pinpoint the exact root of the trouble are not very high. I think, if the problem was indeed in permissions of some object not being right, you wouldn't be able to get through by simply hitting "retry".
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!


Author Comment

ID: 35021014
I dont think the same object is making the folders and then having trouble with the files. When I hit "retry" I am acting as Trusted User or Authenticated User which may have more permissions that the object doingt the installing. I have tried to delete and recreate manually the folders in which the files are having problems so my permissions override it but and it doesnt change the behavior- so its the files and not the folders. I think the objects that make and use the files may be different in some cases also. In watching the traffic in some of the temporaray folders I can see that not all of the files are flagged this way, only some. I may be able to "catch it in the act" this. Note I get the same behavior when I run certain uninstallers so I may be able to recreate the problem for logging. This seems like a minor annoyance but its absolute game stopper for IT if they cant push their software out to users. Not all of it has manual options to do the installation.
LVL 40

Accepted Solution

Vadim Rapp earned 500 total points
ID: 35021098
Could it be some antivirus or similar. What about safe mode. This could be something like, when you first touch the file (by installer), it gets blocked by the antivirus until it's checked; then when you hit "retry" it's already checked and unblocked.

Running system monitor while this is going on, or enabling object access audit (found in local security policy) might also reveal what i/o attempts are made, and if any are denied.

You are right, the installation is indeed being run by the local service which impersonates the user when required, and yes, there were, are, and will be problems in Installer with that; still, I'd think that "retry" does it on the same credential, not some other than the initial attempt.

Another thing to try is to always run installation elevated, a group policy setting you can enable. Or if you publish or assign the installation in the group policy, it is also elevated when it runs.

Author Comment

ID: 35022438
I looked at msiexec.exe priviledges and found that only one of its class of objects had write permissions. But of couse I could not change them since its an IT locked folder overall. I need to get an IT admin priviledge to do it then it should take.

Hard to say on the antivirus.. I would normally expect a message from the Symantec Enterprise system that guards everything. I havent tried Task Monitor but it would indeed be useful to see what error handler and or other fallbacks are invoked. I have a file now I cna download and install and uninstall and cause errors to test with.I also have IT coming over to work with me on this so we may be able to turn off the antivirus selectively and see if it clears the error but I think its the permissions. We can try that also. I think its just a policy conflict at this point.

Im going to go ahead and accept and close this out...I think Im close enough now and it seems unlikely to be some global fix so thanks for the help

Author Closing Comment

ID: 35022477
Although I do not have all the tools necessary to isolate the final root cause, i am close enough now to reach resolution. Clearly being able to run on policy higher than that configured would do it.

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

One of the most frequently asked questions on EE in the "Windows Installer" zone is how to eliminate self-triggered installation of some product.  The problem occurs when, suddenly, whenever a certain application is launched, or even when a folder i…
First some basics on Windows 7 Backup.  It has 2 components one is a file based backup which is stored in .zip files each zip is split at around 200 Megabytes and there is the Image Backup which is as the name implies a total image of the partition …
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now