Windows Update fails with 8000FFFF (E_UNEXPECTED)

Windows Update fails with 8000FFFF (E_UNEXPECTED)

  • Comments 53
  • Likes

Quick Solution:  Check the permissions on  the root of C: and ensure that BUILTIN\Users have Read access.

Long Story:

8000FFFF == E_UNEXPECTED, not very helpful…

Had a client where windows update was continually failing with the error code 8000FFFF.  When looking in the Windows Update log we’d see errors like this:

WARNING: PTError: 0x80248014
Handler FATAL: CBS called Error with 0x8000ffff, <— Checked the CBS.log file but that didn’t give any clues.
Handler FATAL: Error source is 106.
DnldMgr Error 0x8000ffff occurred while downloading update; notifying dependent calls.
AU        # WARNING: Download failed, error = 0x8000FFFF
AU        # WARNING: Download failed, error = 0x8000FFFF
AU      WARNING: BeginInteractiveInstall failed, error = 0x8024000C
CltUI   WARNING: AU directive Interactive Progress is exiting due to error 8024000C


And in the event viewer upon each run we’d see these events:

Log Name:      Application
Source:        ESENT
Date:          7/2/2008 3:05:16 PM
Event ID:      491
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXX
Catalog Database (1560) Catalog Database: An attempt to determine the minimum I/O block size for the volume "C:\" containing "C:\Windows\system32\CatRoot2\" failed with system error 5 (0x00000005): "Access is denied. ".  The operation will fail with error -1032 (0xfffffbf8).

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          7/2/2008 3:05:16 PM
Event ID:      257
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      XXXX
The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.

After seeing this data I did a stare and compare between my root permissions and his and found that he’d modified the c:\ permissions on his system:

His machine:
c:\temp\xcacls c:

C:\>xcacls c:\
c:\ BUILTIN\Administrators:F
    BUILTIN\Users:(OI)(CI)R <— This is the key one missing that was causing the headache.
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C
    NT AUTHORITY\Authenticated Users:(special access:)

The Cryptographic Services runs under “Network Service” which would require Users to have read access.  I added BUILTIN\Users with read access to C and all worked again.

Hopefully this post will guide others with similar issues to the solution quickly.


  • You are great! Thank you so much for posting this!

  • Thanks for the Quick Solution, it worked with my Windows 2008 SP1 x64 server

  • you sir a genius, thanks a million :-)

  • good job,

    this advice saved a lot of time


  • Grand, thanks for this post it saved me from a huge headache.

  • This guy needs a buy me a beer button.  Thank you!

  • yep - saved me too - thanks

  • Even microsoft havent worked this one out yet

  • please write the solution again please

  • Awesome.  Finally a fix that worked.  Great job.

  • Yes, it's works, but... I don't want that users of my domain have read acces to some folders. Could it be possible changing Cryptographic Services to work under Local system account instead of Network Service? I did it with DNS Server by the same problem and it works.

  • Thanks!

  • Checked... Mine has

    BUILTIN\Users: (OI)(CI)(RX)

    And it's having problem when updating. More specifically, installing the Vista SP2. Any clue?

  • Yay, thanks so much for this!!!  Now, if only I understood what this meant I could finally install SP2.... Can anyone explain for us stupid people :D  Simple step-by-step directions such as checking if I even have this thing to begin with.  It'd be much appreciated!

  • That worked. Thanks!

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment