Quick Solution: Check the permissions on the root of C: and ensure that BUILTIN\Users have Read access.
8000FFFF == E_UNEXPECTED, not very helpful…
Had a client where windows update was continually failing with the error code 8000FFFF. When looking in the Windows Update log we’d see errors like this:
WARNING: PTError: 0x80248014 Handler FATAL: CBS called Error with 0x8000ffff, <— Checked the CBS.log file but that didn’t give any clues. Handler FATAL: Error source is 106. DnldMgr Error 0x8000ffff occurred while downloading update; notifying dependent calls. AU # WARNING: Download failed, error = 0x8000FFFF AU # WARNING: Download failed, error = 0x8000FFFF AU WARNING: BeginInteractiveInstall failed, error = 0x8024000C CltUI WARNING: AU directive Interactive Progress is exiting due to error 8024000C
And in the event viewer upon each run we’d see these events:
Log Name: Application Source: ESENT Date: 7/2/2008 3:05:16 PM Event ID: 491 Task Category: General Level: Error Keywords: Classic User: N/A Computer: XXXX Description: Catalog Database (1560) Catalog Database: An attempt to determine the minimum I/O block size for the volume "C:\" containing "C:\Windows\system32\CatRoot2\" failed with system error 5 (0x00000005): "Access is denied. ". The operation will fail with error -1032 (0xfffffbf8).
Log Name: Application Source: Microsoft-Windows-CAPI2 Date: 7/2/2008 3:05:16 PM Event ID: 257 Task Category: None Level: Error Keywords: Classic User: N/A Computer: XXXX Description: The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.
After seeing this data I did a stare and compare between my root permissions and his and found that he’d modified the c:\ permissions on his system:
His machine: c:\temp\xcacls c: C:\ NT AUTHORITY\SYSTEM:(OI)(CI)F BUILTIN\Administrators:(OI)(CI)F
Mine: C:\>xcacls c:\ c:\ BUILTIN\Administrators:F BUILTIN\Administrators:(OI)(CI)(IO)F NT AUTHORITY\SYSTEM:F NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F BUILTIN\Users:(OI)(CI)R <— This is the key one missing that was causing the headache. NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C NT AUTHORITY\Authenticated Users:(special access:) FILE_APPEND_DATA
The Cryptographic Services runs under “Network Service” which would require Users to have read access. I added BUILTIN\Users with read access to C and all worked again.
Hopefully this post will guide others with similar issues to the solution quickly.
You are great! Thank you so much for posting this!
Thanks for the Quick Solution, it worked with my Windows 2008 SP1 x64 server
you sir a genius, thanks a million :-)
this advice saved a lot of time
Grand, thanks for this post it saved me from a huge headache.
This guy needs a buy me a beer button. Thank you!
yep - saved me too - thanks
Even microsoft havent worked this one out yet
please write the solution again please
Awesome. Finally a fix that worked. Great job.
Yes, it's works, but... I don't want that users of my domain have read acces to some folders. Could it be possible changing Cryptographic Services to work under Local system account instead of Network Service? I did it with DNS Server by the same problem and it works.
Checked... Mine has
And it's having problem when updating. More specifically, installing the Vista SP2. Any clue?
Yay, thanks so much for this!!! Now, if only I understood what this meant I could finally install SP2.... Can anyone explain for us stupid people :D Simple step-by-step directions such as checking if I even have this thing to begin with. It'd be much appreciated!
That worked. Thanks!