Permission Error in MS04-015 and MS04-016 on WinXP
From: Wally Beck (wbeck_at_GC.PEACHNET.EDU)
Date: 06/15/04
- Previous message: James D. Stallard: "Doubleclick programs entry on start menu"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 15 Jun 2004 13:08:29 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
While logged in as a user with administrator permissions, you receive the
following error while attempting to install the security patch from MS04-015
or MS04-016:
"You do not have permission to update Windows XP. Please contact your system
administrator."
The patch log reads:
C:\35hb3j53h5...\sp2\update\update.exe (version 5.4.15.0)
Failed to Enable SE_TAKE_OWVERSHIP_PRIVILEDGE
Update.exe extended error code = 0xf004
Update.exe return code was masked to 0x643 for msi custom action compliance
Solution:
Update.exe in MS04-015 and MS04-016 has been updated to version 5.4.15.0
(4/9/2004). Unlike previous versions, ver 5.4.15.0 requires that the
administrator be able to take ownership of files. If you extract the files
from MS04-015 or MS04-016 and replace update.exe with and older version (e.g.
5.4.1.0 1/9/2004), both patches would install correctly.
However, the main reason this occurs is because a Local Security Policy has
been modified. Specifically, User Rights Assignment -> Take ownership of
files or other objects. The default value is administrators. If this value is
modified and administrators removed, then you will receive the permission
error. Some network administrators have modified this value in environments
where all users are running as local administrator in a domain in hopes of
improving security.
Lastly, this problem as exists in Windows XP Service Pack 2 RC 2142 which
uses update.exe version 5.5.17.2.
Wally Beck
Network Admin
Gainesville College
-----
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you''ll have to copy their email address out of the message and place it in your TO: field.
-----
- Previous message: James D. Stallard: "Doubleclick programs entry on start menu"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
