Permission Error in MS04-015 and MS04-016 on WinXP
From: Wally Beck (wbeck_at_GC.PEACHNET.EDU)
Date: 06/15/04
Date: Tue, 15 Jun 2004 13:08:29 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
While logged in as a user with administrator permissions, you receive the
following error while attempting to install the security patch from MS04-015
or MS04-016:
"You do not have permission to update Windows XP. Please contact your system
administrator."
The patch log reads:
C:\35hb3j53h5...\sp2\update\update.exe (version 5.4.15.0)
Failed to Enable SE_TAKE_OWVERSHIP_PRIVILEDGE
Update.exe extended error code = 0xf004
Update.exe return code was masked to 0x643 for msi custom action compliance
Solution:
Update.exe in MS04-015 and MS04-016 has been updated to version 5.4.15.0
(4/9/2004). Unlike previous versions, ver 5.4.15.0 requires that the
administrator be able to take ownership of files. If you extract the files
from MS04-015 or MS04-016 and replace update.exe with an older version (e.g.
5.4.1.0 1/9/2004), both patches would install correctly.
However, the main reason this occurs is because a Local Security Policy has
been modified. Specifically, User Rights Assignment -> Take ownership of
files or other objects. The default value is administrators. If this value is
modified and administrators removed, then you will receive the permission
error. Some network administrators have modified this value in environments
where all users are running as local administrator in a domain in hopes of
improving security.
Lastly, this problem also exists in Windows XP Service Pack 2 RC 2142 which
uses update.exe version 5.5.17.2.
Wally Beck
Network Admin
Gainesville College
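
Added example, not part of the original post: a check for the policy change described above, run against the text produced by `secedit /export /cfg <file> /areas USER_RIGHTS`. The function names and both sample exports are constructed for illustration, and the check assumes the built-in Administrators group appears in the export as `*S-1-5-32-544`.

```python
"""Check a secedit USER_RIGHTS export for 'Take ownership of files or other objects'."""
import sys

ADMINS_SID = "*S-1-5-32-544"         # BUILTIN\Administrators as secedit writes it
RIGHT = "SeTakeOwnershipPrivilege"   # policy name of the take-ownership user right

# Constructed sample: default assignment (Administrators hold the right).
SAMPLE_DEFAULT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

# Constructed sample: Administrators removed, a made-up domain account added.
SAMPLE_MODIFIED = SAMPLE_DEFAULT.replace(
    "SeTakeOwnershipPrivilege = *S-1-5-32-544",
    "SeTakeOwnershipPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105",
)

def holders_of(inf_text, right=RIGHT):
    """Return the accounts granted `right` in the [Privilege Rights] section."""
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            if name.strip().lower() == right.lower():
                return [v.strip() for v in value.split(",") if v.strip()]
    return []  # right not listed in the export: no account holds it

def administrators_hold_right(inf_text):
    """True when Administrators are still assigned the take-ownership right."""
    return ADMINS_SID.lower() in (h.lower() for h in holders_of(inf_text))

if __name__ == "__main__":
    # Assumption: the export file is UTF-16, which is how secedit normally writes it.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_MODIFIED
    ok = administrators_hold_right(text)
    print(RIGHT, "holders:", holders_of(text) or "none")
    print("Administrators assigned:", ok)
    sys.exit(0 if ok else 1)
```

A non-zero exit marks a machine where the permission error described in the post can be expected.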