Quick Solution: Check the permissions on the root of C: and ensure that BUILTIN\Users have Read access.
8000FFFF == E_UNEXPECTED, not very helpful…
Had a client where windows update was continually failing with the error code 8000FFFF. When looking in the Windows Update log we’d see errors like this:
WARNING: PTError: 0x80248014 Handler FATAL: CBS called Error with 0x8000ffff, <— Checked the CBS.log file but that didn’t give any clues. Handler FATAL: Error source is 106. DnldMgr Error 0x8000ffff occurred while downloading update; notifying dependent calls. AU # WARNING: Download failed, error = 0x8000FFFF AU # WARNING: Download failed, error = 0x8000FFFF AU WARNING: BeginInteractiveInstall failed, error = 0x8024000C CltUI WARNING: AU directive Interactive Progress is exiting due to error 8024000C
And in the event viewer upon each run we’d see these events:
Log Name: Application Source: ESENT Date: 7/2/2008 3:05:16 PM Event ID: 491 Task Category: General Level: Error Keywords: Classic User: N/A Computer: XXXX Description: Catalog Database (1560) Catalog Database: An attempt to determine the minimum I/O block size for the volume "C:\" containing "C:\Windows\system32\CatRoot2\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).
Log Name: Application Source: Microsoft-Windows-CAPI2 Date: 7/2/2008 3:05:16 PM Event ID: 257 Task Category: None Level: Error Keywords: Classic User: N/A Computer: XXXX Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.
After seeing this data I did a stare and compare between my root permissions and his and found that he’d modified the c:\ permissions on his system:
His machine: c:\temp\xcacls c: C:\ NT AUTHORITY\SYSTEM:(OI)(CI)F BUILTIN\Administrators:(OI)(CI)F
Mine: C:\>xcacls c:\ c:\ BUILTIN\Administrators:F BUILTIN\Administrators:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F BUILTIN\Users:(OI)(CI)R <— This is the key one missing that was causing the headache. NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C NT AUTHORITY\Authenticated Users:(special access:) FILE_APPEND_DATA
The Cryptographic Services runs under “Network Service” which would require Users to have read access. I added BUILTIN\Users with read access to C and all worked again.
Hopefully this post will guide others with similar issues to the solution quickly.
Thanks , solved my problem, hardening W2K8 is not that straight forward.
Careful though, you can always crew up omre stuff if you adjust permissions on the root and then apply it to all folder/subfolders.
Make sure you backup that machine before doing this!
I spent a bunch of time hunting around trying to find a solution to this issue. We remove the Users group from the root of our servers but don't cascade the change down on the system drive. We've done this with NT4, Win2000 Server, Win2003 Server, and thought we'd be able to do it with Win2008 Server but apparently not.
Adding it back in worked like a charm, however I don't necessarily like having it there. If I knew exactly where else it belonged I'd prefer to just add it to the needed directories.
Any tech note / kb from Microsoft on this issue?
I am going to try this now and if it works, remove the BUILTIN\Users (R) from root again.
Hopefully, it is a one off for updates.
I spent a lot of time trying to research this, and finally something works! Thanks!!!
I've been looking everywhere for a resolution to this problem. Finally a solution that works.
Thanks for the opening line about root security - rather stupitly I removed local user read rights
That's why I put 'em out here!
Thank you very much for this.. I couldn't work out why either, and most people have no idea what they are talking about, or post irrelevant information.
This was spot on, cheers!
dude you are the man!!.. wasted 2 hours on this and finally worked.
Recently, I was helping a colleague troubleshoot an installation error in the .NET Framework 3.5 SP1
Thank you soooo much! I spent almost all day trying to figure this out!
I never would have figured this out!! You saved my day and about 100 hours! Thanks again!
Wow.... after MONTHS of searching, finally an answer that works! We removed the Users group from the root for security purposes, and that's been stopping our updates since February!!
Dude you freaking ROCK!!! I'm sitting here in the middle of Afghanistan with limited everything and I have been messing with this for a week now. Found your blog and fixed it in 1 minute. Thank You!!!
I agree you rock, I've been messing with this error for a couple months off and on.
Thank you very much for this.. You Rock ||