
A while back, I wrote a blog post about a .NET Framework 2.0 beta 2
installation problem that was caused by incorrect access control list (ACL)
permissions on some registry hives. In that post, I described how to use a
tool in the Windows Resource Kit named SubInACL to reset file and registry
ACLs to help solve this problem.
Ever since I wrote that post, I have run into installation errors for several
other products that have been solved by using the SubInACL tool.
Therefore, I wanted to write a standalone set of instructions for how and
when to use the SubInACL tool because the previous blog post is specific to
the .NET Framework 2.0 setup and does not always appear in search results
when people run into this kind of a problem and search the Internet for
assistance.

How to download and run SubInACL

Here are some steps that can be used to download and run the SubInACL
tool to repair file and registry permissions that are often needed to
successfully install programs on Windows, particularly for MSI-based
(Windows Installer) setups:

1. Download the SubInACL tool and install it. By default it will install to
c:\Program Files\Windows Resource Kits\Tools
2. If you are running Windows Vista, click on the Start menu, choose All
Programs, then Accessories, then right-click on the item
named Command Prompt and choose Run as administrator
3. If you are running an OS other than Windows Vista, go to the Start
menu, choose Run, type cmd and click OK
4. In the cmd prompt, type notepad reset.cmd and click yes to open
Notepad.exe and create a new text file named reset.cmd
5. Copy and paste the following contents into reset.cmd (or download it
from this location on my file server and rename it from reset.cmd.txt
to reset.cmd):

@echo off
title Resetting ACLs...
setlocal
echo.
echo Determine whether we are on a 32 or 64 bit machine
echo.
rem On 64-bit Windows, SubInACL installs under the 32-bit Program Files folder
if "%PROCESSOR_ARCHITECTURE%"=="x86" if "%PROCESSOR_ARCHITEW6432%"=="" goto x86
set ProgramFilesPath=%ProgramFiles(x86)%
goto startResetting
:x86
set ProgramFilesPath=%ProgramFiles%
:startResetting
echo.
if exist "%ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe" goto filesExist
echo ***ERROR*** - Could not find file %ProgramFilesPath%\Windows Resource Kits\Tools\subinacl.exe. Double-check that SubInAcl is correctly installed and re-run this script.
goto END
:filesExist
pushd "%ProgramFilesPath%\Windows Resource Kits\Tools"
echo.
echo Resetting ACLs...
echo (this may take several minutes to complete)
echo.
echo IMPORTANT NOTE: For this script to run correctly, you must change
echo the values named YOURUSERNAME to be the Windows user account that
echo you are logged in with.
echo.
echo ==========================================================================
echo.
echo.
rem Registry: /subkeyreg resets the subkeys, /keyreg resets the root key itself
subinacl.exe /subkeyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators > %temp%\subinacl_output.txt
echo.
echo.
subinacl.exe /keyreg HKEY_CURRENT_USER /grant=administrators=f /grant=system=f /grant=restricted=r /grant=YOURUSERNAME=f /setowner=administrators >> %temp%\subinacl_output.txt
echo.
echo.
subinacl.exe /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
echo.
echo.
subinacl.exe /keyreg HKEY_LOCAL_MACHINE /grant=administrators=f /grant=system=f /grant=users=r /grant=everyone=r /grant=restricted=r /setowner=administrators >> %temp%\subinacl_output.txt
echo.
echo.
subinacl.exe /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
echo.
echo.
subinacl.exe /keyreg HKEY_CLASSES_ROOT /grant=administrators=f /grant=system=f /grant=users=r /setowner=administrators >> %temp%\subinacl_output.txt
echo.
echo.
rem File system: output of every command is collected in %temp%\subinacl_output.txt
echo System Drive...
subinacl.exe /subdirectories %ProgramFilesPath%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
echo.
echo.
echo Windows Directory...
subinacl.exe /subdirectories %windir%\ /grant=administrators=f /grant=system=f /grant=users=e >> %temp%\subinacl_output.txt
echo.
echo.
echo ==========================================================================
echo.
echo FINISHED.
echo.
echo Press any key to exit . . .
pause >NUL
popd
:END
endlocal


6. Change the values named YOURUSERNAME to be the Windows user
account that you are logged in with.

Note: The YOURUSERNAME value should match the name of your
user folder at c:\Documents and Settings (or c:\users on Windows
Vista and higher). You can also find the value to use for
YOURUSERNAME by launching Task Manager and looking at the user
name listed in the User Name column of the Processes tab.

7. Save and close reset.cmd.
8. In the cmd prompt, type reset.cmd and press enter to run the
SubInACL tool. This tool will take several minutes to run, and it
requires that the user account you are using has administrator
privileges on the system. This is why it is necessary to run it from an
elevated cmd prompt on Windows Vista. Step 2 above can be used to
start an elevated cmd prompt on Windows Vista.
9. After reset.cmd completes, try to install the product that previously
failed to install correctly on your system.

Note: There are a couple of scenarios where installing or running SubInAcl
can fail. For example, some non-English versions of Windows have the
name of the Administrators group translated to another language, and the
command lines listed above will fail in that case. I have posted workarounds
for the issues that I know of in this separate blog post.
Also note: Running the above command lines will cause SubInAcl to create
a log file named %temp%\subinacl_output.txt. If you see any errors
reported in the cmd prompt after running SubInAcl, you can look in this log
file for more detailed information about what file(s), folder(s) or registry
value(s) are causing the errors. To open this log file, you can click on the
Start menu, choose Run, type notepad %temp%\subinacl_output.txt and
click OK.
When looking at this log file, you may see some errors reported with error
code 5. That error code means Access Denied, and it is typically caused by
Windows or some other program running on your system that is holding
files, folders or registry values in use so that SubInAcl is unable to update
the permissions for them. Most of the time, that type of error in the
SubInAcl output can be safely ignored, but you may need to try to reboot
and then manually fix the permissions for these files, folders or registry keys
as a workaround.

When is SubInACL useful

I have found that the SubInACL tool is most useful when a setup package
fails with error code 5 or 0x5 or 0x80070005. All of these error codes mean
Access Denied, and this type of error code is often caused by missing ACLs
for the Administrators group or the built-in System account. The Windows
Installer service runs with System account permissions in most cases. If the
System account does not have sufficient permissions to access the file
system or parts of the registry, an MSI-based setup package will fail with an
Access Denied error.
SubInACL can also help resolve Internet Explorer script errors caused by
incorrect access control permissions for specific user accounts on the
system.
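
The PowerShell function below is an added example, not part of the original post or of SubInACL. It reports which rights the System account and the Administrators group actually hold on a given registry key or folder, so the missing-ACL condition described above can be confirmed on the specific location before resetting permissions broadly. It looks the accounts up by well-known SID, which also sidesteps the localized group name problem noted earlier. The function name and the two example paths are assumptions.

```powershell
# Added example (not from the original post). Well-known SIDs are the same on
# every Windows language version, unlike the group names passed to subinacl.exe.
$wellKnown = [ordered]@{
    'S-1-5-18'     = 'SYSTEM'
    'S-1-5-32-544' = 'Administrators'
}

function Get-InstallerAccountAccess {
    param([Parameter(Mandatory)][string[]]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($p in $Path) {
        $acl   = Get-Acl -LiteralPath $p
        $rules = $acl.GetAccessRules($true, $true, $sidType)   # explicit + inherited ACEs
        foreach ($sid in $wellKnown.Keys) {
            $mine  = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
            $allow = @($mine | Where-Object { $_.AccessControlType -eq 'Allow' })
            $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })
            # Registry keys expose RegistryRights, folders expose FileSystemRights.
            $rights = $allow | ForEach-Object {
                if ($_ -is [System.Security.AccessControl.RegistryAccessRule]) { $_.RegistryRights }
                else { $_.FileSystemRights }
            }
            [pscustomobject]@{
                Path     = $p
                Account  = $wellKnown[$sid]
                HasAllow = ($allow.Count -gt 0)   # False = no allow ACE at all for this account
                DenyAces = $deny.Count
                Rights   = ($rights -join '; ')
                OwnerSid = $acl.GetOwner($sidType).Value
            }
        }
    }
}

# Example paths (assumptions): replace with the key or folder named in the failing setup log.
Get-InstallerAccountAccess -Path @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes',
    $env:windir
) | Format-Table -AutoSize
```

Saving this output before running reset.cmd also gives a record of the original permissions to compare against afterwards.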

Example of a setup failure that was fixed by SubInACL

A customer contacted me with a problem installing Visual Studio 2005. I
looked at the main Visual Studio log file located at
%temp%\dd_vsinstall80.txt, and I found that Windows Installer 3.1 setup
was failing. Then, I looked at the Windows Installer 3.1 setup log file
located at %windir%\KB893803v2.log. It showed the following error:
30.844: DoRegistryUpdates:UpdSpInstallFromInfSection Failed for MSI.Reg.Install: 0x5
30.844: DoInstallation:DoRegistryUpdates failed
30.875: Access is denied.
I had the customer run the above steps to use the SubInACL tool to update
the file and registry ACLs on their system, and then they were able to install
Windows Installer 3.1 and Visual Studio 2005 with no further problems.
<update date="11/15/2006"> Updated subinacl command lines to include
recursive ACL updating for folders and files under %windir% </update>
<update date="3/22/2007"> Updated the steps to make them easier to
follow by moving the directory change into the batch file. </update>
<update date="9/25/2007"> Updated the notes to indicate that some
Internet Explorer script errors can be resolved with this tool as well.
</update>
<update date="5/30/2008"> Updated command lines based on customer
feedback regarding their experiences on Windows Vista. </update>
<update date="6/16/2008"> Updated command lines to cause SubInAcl to
create a log file in the %temp% directory in case it is needed for
troubleshooting afterwards. </update>
<update date="6/17/2008"> Added a link to a blog post where I describe a
couple of workarounds for problems that can occur while trying to install
and/or run SubInAcl. </update>
<update date="6/20/2008"> Updated command line to include a backslash
after %SystemDrive% in the 2nd to last command. </update>
<update date="6/24/2008"> Updated wording of link to the post for
troubleshooting SubInAcl errors to try to make it more visible. </update>
<update date="7/29/2008"> Updated directory ACL command lines to not
affect the Documents and Settings sub-folders. </update>
<update date="3/12/2009"> Fixed broken link to reset.cmd. </update>
<update date="4/7/2009"> Added clarification about how to determine the
correct value to substitute for YOURUSERNAME in the sample SubInAcl
script. </update>
<update date="5/18/2009"> Added clarification about where to run
reset.cmd after creating it. </update>
