Cannot install new printer drivers
Brilliant@discussions.microsoft.com Martin Brilliant
this when I hit Finish whenever I try to install any printer that needs a
driver that isn't already installed. Microsoft can install new drivers; when
I installed the new Office trial I got a new OneNote driver.
It all started when I installed an HP LaserJet Plus driver for a Brother
printer on LPT1, as a shared printer with an additional driver for Win9x. I
then connected to it from a Win98 laptop on the network. Then I uninstalled
the LJPlus and tried to install a LaserJet Series II driver. That's when I
started getting that error message.
The reason I installed the LaserJet drivers was that I had some problems
after the Brother laser came back from repair. I had physically moved
printers around and reconfigured drivers. When I switched everything back,
DTP jobs sent from a Win98 laptop to the Brother printer on the XP were only
partially printed, hanging the printer in mid-page. I thought an alternative
driver might work better. I think it did, but I can't verify that now,
because I followed some advice to remove all potentially interfering printer
drivers, and now the XP machine has no drivers that could work on the Brother
laser.
Any ideas, suggestions, explnnations, etc.?
Alan Morris [MSFT]
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
"Martin Brilliant" <Martin Bril...@discussions.microsoft.com> wrote in
message news:68E41BF3-E4AD-4492...@microsoft.com...
Martin Brilliant
files for the Generic IBM Graphics 9pin printer, and merged in the registry
keys for that printer (as copied from another XP machine), and the printer
appeared in the Printers and Faxes list -- but -- the printer doesn't work.
Next question?
Martin Brilliant
folder. I can also add entries in all the places in the Windows registry that
(a) I can see and (b) seem to be relevant to the printer driver.
But each key in the registry has permissions, including read permissions.
Suppose that by some obscure accident the Administrators group was denied
permission to read certain keys, and suppose those keys were important for
printer installation. How would I know that I didn't have permission to see
those keys? How could I get permission to read and write keys that I don't
even know exist?
And where are those registry permissions kept, anyway?
Alan Morris [MSFT]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:9DD3C35D-2916-4E45...@microsoft.com...
Martin Brilliant
exported that key I don't see anything about permissions.
Anyway, I gave Users full control of that key, propagated to all subkeys,
and I still get "permission is denied" when I try to add a printer.
Am I seeing all the necessary subkeys? Environments has several subkeys
including Windows NT x86, which has subkeys Drivers and Print Processors.
Drivers has subkeys Version-2 and Version-3, and all the printer drivers are
subkeys of Version-3. Print Processors has 4 subkeys: BRPPROC, BrPrint (both
of which I guess are for the Brother laser printer, OneNotePrint2007 (which I
guess came with Office 2007 trial) and winprint (whatever that is). Do I need
any more there?
Administrators and SYSTEM had and still have full control everywhere, Users
did not but does now. CREATOR OWNER has neither allow nor deny. All OK? (I'm
not worried about Users having full control because in there are no Users who
are not also Administrators, and they both have passwords).
Alan Morris [MSFT]
shipped with XP using the Add Driver Wizard rather than the Add Printer
Wizard, correct?
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:61B06A48-D80A-4873...@microsoft.com...
Martin Brilliant
in a printer property sheet? Yes, but instead of "Printer driver was not
installed. Access is denied" I get "Unable to install [driver name]. Access
is denied." Slightly different message, same error.
"Alan Morris [MSFT]" wrote:
> You get the same access denied error just adding one of the drivers that
> shipped with XP using the Add Driver Wizard rather than the Add Printer
> Wizard, correct?
>
> --
> Alan Morris
> Windows Printing Team
> Search the Microsoft Knowledge Base here:
> http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
> message news:61B06A48-D80A-4873...@microsoft.com...
> > ...
Alan Morris [MSFT]
Open Secpol.msc
Local Policies, Security Options, User Rights Assignment, Load and unload
device drivers
Administrator should have this privilege.
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:F3A4DA7B-F844-4DCF...@microsoft.com...
Alan Morris [MSFT]
to the Home machine , it would not work. If the file is not on Home, I
don't see how the security policies would have been altered.
But you can always give it a try. Is this a new machine or did you inherit
it?
When you installed the LaserJet II driver that started the problem, I
assume this was the inbox XP version of the driver.
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:C2B810FA-A8FF-4015...@microsoft.com...
>I am admin on the system because Administrator can't log on to Windows XP
> Home Edition except in Safe Mode. This is by design....?
>
> I can't find secpol.msc. It is rumored not to be available in Windows XP
> Home Edition. This is by design.
>
> Is there any other way of doing the same thing? Can secpol.msc be
> installed
> in Windows XP Home? There is a system running Windows XP Pro on my home
> network; could that be used to fix my system?
Martin Brilliant
Management Console that said
Snap-in failed to initialize.
Name: <unknown>
CLSID: {big long hes string}
and then a bigger window titled Local Security Settings said Snap-in
Creation Failed.
But I thought a Windows XP Pro system could do administrative tasks on other
computers in the same LAN. Alternatively, maybe secpol.msc makes changes in
the Registry that could be made by mucking about directly in the Registry.
What do you mean by "inbox XP version of the driver"?
Th eprinter I installed just before the trouble started was an HP LaserJet
Plus. I selected the driver from the list that comes up in the Add Printer
Wizard. At the bottom of the window it says "The driver is digitally signed."
But at some point I was asked whether I wanted to install additional
drivers. I installed a Windows 98 driver, but I don't remember where I got
it. I just tried to run the Wizard again telling it that the printer was on
LPT1 and I wanted to share it, but I didn't got to that point before the
printer was "not installed."
The first printer I was unable to install was an NP LaserJet Series II, also
from the Wizard's list, also digitally signed.
The computer was new in 2003, delivered with the current Windows XP
installation. I added another hard drive with partitions from the computer I
had before, including partitions from the computer before that, etc. Those
other partitions should not have affected Windows XP. But when I tried to use
System Restore right after the trouble started, it failed, because System
Restore was monitoring every little partition, and it suspends monitoring on
all partitions if any monitored partition doesn't have enough free space, and
of course I didn't want to waste free space on inactive partitions....
"Alan Morris [MSFT]" wrote:
> > ....
Alan Morris [MSFT]
spooler issue. Unsure how remote security administration is performed
--
Alan Morris
Windows Printing Team
Search the Microsoft Knowledge Base here:
http://support.microsoft.com/default.aspx?scid=fh;[ln];kbhowto
This posting is provided "AS IS" with no warranties, and confers no rights.
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:B3F8113D-C75F-4F4E...@microsoft.com...
Martin Brilliant
Paul Baker [MVP, Windows - SDK]
I am not sure about how to handle this either, but if everyone else is going
to bail, I'll give it a shot.
When Alan says "inbox driver", he means a driver that came with Windows XP
(I know because I asked him the same thing in another post!). If you
installed a printer driver for Windows 98 that you got elsewhere, it is
possible that it also updated the Windows XP version of the driver and that
you no longer have an "inbox driver". In that case, it might just be
something quirky about the driver or driver installation that was not tested
by Microsoft.
Did you try just installing the Generic / Text Only driver or one that came
with Windows XP you know you haven't messed with?
I don't know what effect Safe Mode is supposed to have, but I'd like to hear
more about what you were saying about that.
In Windows Vista, as Alan explained to me, anyone can add a printer or
"inbox driver". In Windows XP, however, you must be a member of the
Administrators or Power Users group and also be given the "Load and unload
device drivers" right, which is given by default to Administrators (except
that anyone can add a connection to a network printer).
Are you an Administrator? Is your computer part of a domain or not?
Shortcuts to Administrative Tools are in this folder:
C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools
You can add it to your Start Menu by right-clicking on the Start button,
choosing Properties, then Customize, then Advanced, then look at the choices
for System Administrative Tools.
Computer Management:
From the root, choose Action > Connect to another computer to administer
remotely.
Look for log entries in System Tools\Event Viewer at the times where a
failure occurs.
System Tools\Local Users and Groups will show you users group membership.
Local Security Policy:
This will show you Local Policies\User Rights Assignment.
For other MMC-based tools, use Start/Run to run MMC, then File > Add/Remove
Snap-in, then Add.
Group Policy Object Editor:
This lists group policies and can be used to administer remotely. I am not
sure whether any of these are relevant here.
These instructions were intended for Windows XP Professional. It may be
different or unavailable in Windows XP Home Edition. But you can use the
remote option.
Paul
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:62079022-52E3-40C1...@microsoft.com...
Martin Brilliant
Let me get you up to speed by answering your questions.
INBOX DRIVERS: I guessed that "inbox driver" meant anything that came with
Windows but I wanted to be sure.
The HP LaserJet Plus and HP LaserJet Series II drivers I originally had
trouble with still show a note that says the driver is digitally signed. Just
in case that didn't really mean what it implied, and that the drivers were
changed behind the curtain, I tried a generic driver.
The Text-Only driver is no test because I have one installed already, and
the Add Printer Wizard just picks up the existing driver. I don't want to
tell it to change the driver because then I might lose the Text-Only printer
I already have.
I tried the Generic IBM Graphics printer and that failed the same way as the
others. I also tried some other "inbox drivers"; they also failed the same
way. I really can't add any printer drivers I don't already have installed.
SAFE MODE: I don't really have anything to add. A few sites on the web (but
not Microsoft) answered questions about not being able to log on as
Administrator, pointing out that in XP Home (but not XP Pro) Administrator
can only log on in Safe Mode.
So I tried Safe Mode. I logged on as Administrator. I opened Printers and
Faxes. I clicked on Add Printer. I got a little pop-up that said Printer
Spooler wasn't running so I couldn't add any printers. I opened Services and
tried to start the Print Spooler service. I got another message that the
spooler couldn't be started in Safe Mode. So I can't install printers as
Administrator.
ADMINISTRATOR: The account I always use is a member of the Administrators
group (if, technically, there is such a thing as a group in XP Home). I also
created another account in the same group; that one can't install new printer
drivers either. The point is, I was installing printers and a few minutes
later I couldn't.
"LOAD AND UNLOAD DRIVERS RIGHT": the funny thing is, I found that I could
delete printers but not install them. What kind of access control is that?
DOMAIN: My computer is not in a domain. MS Knowledge Base article 304718
says "Microsoft Windows XP Home Edition-based computers cannot join Microsoft
Windows NT 4.0-based, Windows 2000-based, or Windows Server 2003-based
domains."
ADMINISTRATIVE TOOLS: Administrative Tools\Computer Management is on my
Start Menu, and I've been exploring it. Start, Properties, Customize, check
(was not checked) Display Administrative Tools has no effect; either way,
Start\Programs\Accessories\Adminstrative Tools has six entries.
I went to the XP Pro system on my home network and didn't see Admnistrative
Tools in the Accessories menu. I entered mmc in Run, loaded compmgmt.msc and
connected to my XP Home system. It gave me the same set of snapins as on the
Home system, but they all either just showed nothing, said access denied, or
something vacuous like that. No help there, it seems, even if I could access
the Home system. And Security Policies (secpol.msc) is only local (on the Pro
machine); no option to connect to another system.
REMOTE ADMINISTRATION: I think that's a false lead. Article 304718 leads me
to believe that the Administration Tools Pack is intended only to manage
systems with "server" in the Windows OS name, and Remote Desktop just allows
a remote user to log on as though seated at the console, which wouldn't help.
WHAT NEXT? I don't know what we can do from here.
The amazing part of it is that I can remove printer drivers but not install
them. Maybe something that's needed in the process of installing printer
drivers (but not needed for removing them) is missing or corrupted. It might
(or might not) have been messed up either when I added an additional driver
to the shared printer, when I connected to it from a Win98 system, or when I
removed the driver (without first disconnecting the Win98 system, I don't
remember). I think the devil is in the details of one or more of those
processes.
Paul Baker [MVP, Windows - SDK]
Thanks for the information. You are right, the various administrative tools
are not helping.
The built-in Administrator account may behave differently than one you added
yourself, though I don't know much about that. If I were you, I would
continue your tests with an administrative account you added rather than the
built-in one. I found these related articles:
http://support.microsoft.com/kb/314412/en-us
http://support.microsoft.com/kb/298252/en-us
http://support.microsoft.com/kb/926183/en-us
Yes, there is an built-in Administratrors group in Windows XP Home Edition
that a new user is added to when you choose the "Administrative user" radio
button in the Users and Accounts Control Panel.
What changed between the time it worked and the time it didn't work? Did you
log off? Reboot? Install software? Or just use the bathroom and come back to
find everything went to heck?!
Did you check the permissions in the C:\WINDOWS\system32\spool\drivers
folder, especially C:\WINDOWS\system32\spool\drivers\w32x86\3? You may find
it easier to examine if you use Folder Options to turn off "Use Simple File
Sharing".
You can turn on auditing of successes and failures (or can you in Windows XP
Home Edition?) to see what the last thing it succeeded in doing was and the
first thing that failed. You can also use a tool like File Monitor or
Registry Monitor from Sysinternals to produce a log of file or registry
access.
Unfortunately, in Windows XP Home Edition, some security features are
missing, some are hidden but can be shown and some are hidden eg. in the
registry. For security-specific questions, you could try
microsoft.public.platformsdk.security. But it would probably be preferable
to continue this thread as long as it is productive instead of explaining it
all over again.
Paul
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:2EC3D3C1-71AF-442F...@microsoft.com...
Martin Brilliant
To avoid repeating myself: "what changed" is described in the first post in
this thread. Permissions in the folder you asked about are covered in the
third post (my second post), but briefly, I can read/write/delete in that
folder.
I looked up auditing of events on the web and it seems to involve group
policies and local security policy, neither of which exist in Win XP Home.
I downloaded and ran Process Monitor (which supersedes File Monitor and
Registry Monitor in Win XP) from Sysinternals. A lot of other processes are
active: svchost, mozybackup, nprotect, winlogon, . It seems that explorer.exe
is doing all the work of installing the printer driver. There are a lot of
SUCCESSes and a few other things, but the non-SUCCESSes look as though they
might be intended to find something if it's there, or to make sure it's not
there, so I can't say I've found a smoking gun.
It would help if I could identify to the microsecond when the installer
declares failure, so I could know where to look in the Process Monitor
output. What's the process that sets up the Access denied message?
"Paul Baker [MVP, Windows - SDK]" wrote:
> Martin,
>
Paul Baker [MVP, Windows - SDK]
I had to use Google Groups to find old posts that I had deleted, but I got
the information I needed.
I do think it is Explorer that is getting the access denied error, as this
is the process hosting the Add Printer Wizard. It must go through the
AddPrinterDriver and AddPrinter Winspool APIs. So if the Print Spooler
service or any components it is using is compromised in any way, it could
cause failure here. So I would advise deleting all the stuff the Print
Spooler service might be using with this Cleanspl utility, then try again.
It will delete the Brother driver that may have started this all, for one
thing.
In Process Monitor, you probably don't need to be concerned with NOT FOUND
messages, only ACCESS DENIED messages. You may post the log here if you want
us to examine it, noting the approximate time of failure.
Paul
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:2B590A80-90CD-42B6...@microsoft.com...
Paul Baker [MVP, Windows - SDK]
I was actually looking for Bruce Sanderson's page and couldn't find it. Yes,
I would follow his instructions. It may resolve your problem.
What is the registry key that Process Monitor reported ACCESS DENIED for? If
access was granted shortly before and after on the same key, perhaps
different access was requested. The access requested should be logged. Can
you please email me the Print Monitor log so I can examine that?
The Process Monitor and Cleanspl results both suggest a registry permissions
problem.
Administrators should have Full Control to HKEY_LOCAL_MACHINE\SYSTEM and
that should be inherited by this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows
NT x86\Drivers\Version-3
You can also test permissions by creating a test subkey and test values.
Paul
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:6B38CAE0-F923-40B6...@microsoft.com...
> That spooler cleaner doesn't work. The download page says it's supported
> in
> Windows XP Home and XP Home SP1. I have SP2. It kept giving me "not found"
> and "cannot delete" messages. I deleted manually the files it said it
> couldn't delete, but when it got to "Unable to get the sub key names of
> the
> registry key
> '\\Martin\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows
> 4.0\Drivers'. More data is available." I didn't know how to help it.
>
> There's a manual procedure for cleaning the spooler at
> http://members.shaw.ca/bsanders/CleanPrinterDrivers.htm - do you think it
> might help?
>
> The only ACCESS DENIED message I saw that had anything to do with the
> printer installation was for a registry key that had been successfully
> accessed milliseconds before and again milliseconds later. I don't know
> what
> that might mean, if anything.
>
> Meanwhile I still can't install printers and all the printers that used to
> work are deleted. I do have a restore point and a copy of the whole spool
> folder, so I might be able to get back the ones that were working.
>
> "Paul Baker [MVP, Windows - SDK]" wrote:
>
>> Martin,
>>
Martin Brilliant
Thanks (not). Between what cleanspl could accomplish and what Bruce
Sanderson told me to do (including some things he said I shouldn't have let
cleanspl do) I have no printers at all, no BJ Language monitor, no standard
TCP/IP port, no fax, and I still get access denied from the Add Printer
Wizard.
I stopped a couple of processes that were putting irrelevant stuff in the
Process Monitor. This time, and the time before, Process Monitor showed only
one ACCESS DENIED event, and that was for a file creation, not a registry
value. There are no ACCESS DENIED events from the registry. As I remember,
the registry access that was denied before was for a desired access of
something like Length: 144, for a value that had previously been reported
with length 30.
I have no access problems in the registry as an administrator. I
successfully created and deleted a test subkey and a test value in the
registry key you named.
The whole Process Monitor output, saved in CSV format for the 35 seconds it
took to run the Add Printer Wizard, is nearly 5MB. I don't think you want
that posted here. A short segment, from the creation of the ...3\New folder
to ACCESS DENIED for a file creation in that folder, is posted below. I
stopped capturing events as soon as I could after I saw the failure message
from the wizard, and the log ended at 9:16:23.5789621 AM, about 0.6 seconds
after the ACCESS DENIED, so if there's any smoking gun, that would be it.
Let me know if you have any other ideas. If not, I hope System Restore and
my full registry export can bring back the printers I had.
"Sequence","Time of Day","Process
Name","PID","Operation","Path","Result","Detail"
"45412","9:16:22.9890210
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New","NAME
NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open
Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete,
AllocationSize: n/a, Impersonating: MARTIN\Martin"
"45413","9:16:22.9904913
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New","SUCCESS","Desired
Access: Read Data/List Directory, Synchronize, Disposition: Create, Options:
Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write,
AllocationSize: 0, OpenResult: Created"
"45414","9:16:22.9923549
AM","spoolsv.exe","1516","CloseFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New","SUCCESS",""
"45416","9:16:22.9937308
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\4282640","SUCCESS","Desired
Access: Read Data/List Directory, Synchronize, Disposition: Open, Options:
Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write,
AllocationSize: n/a, Impersonating: MARTIN\Martin, OpenResult: Opened"
"45417","9:16:22.9947868
AM","spoolsv.exe","1516","QueryDirectory","C:\WINDOWS\system32\spool\drivers\w32x86\4282640\UNIDRV.DLL","SUCCESS","Filter: UNIDRV.DLL, 1: UNIDRV.DLL"
"45418","9:16:22.9958308
AM","spoolsv.exe","1516","CloseFile","C:\WINDOWS\system32\spool\drivers\w32x86\4282640","SUCCESS",""
"45420","9:16:22.9970586
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3","SUCCESS","Desired
Access: Read Data/List Directory, Synchronize, Disposition: Open, Options:
Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write,
AllocationSize: n/a, Impersonating: MARTIN\Martin, OpenResult: Opened"
"45421","9:16:22.9981098
AM","spoolsv.exe","1516","QueryDirectory","C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL","NO SUCH FILE","Filter: UNIDRV.DLL"
"45422","9:16:22.9991385
AM","spoolsv.exe","1516","CloseFile","C:\WINDOWS\system32\spool\drivers\w32x86\3","SUCCESS",""
"45424","9:16:23.0007049
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New\UNIDRV.DLL","ACCESS
DENIED","Desired Access: Generic Write, Read Attributes, Disposition:
OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert,
Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 0,
Impersonating: MARTIN\Martin"
"Paul Baker [MVP, Windows - SDK]" wrote:
> Martin,
>
Paul Baker [MVP, Windows - SDK]
This log entry should explain your problem:
"spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New\UNIDRV.DLL","ACCESS
DENIED","Desired Access: Generic Write, Read Attributes, Disposition:
I know you've already looked at the permissions of
C:\windows\system32\spool\drivers\w32x86\3, but I think you need to look
again.
At the Command Prompt, type this:
cacls C:\windows\system32\spool\drivers\w32x86\3 > C:\test.txt
You will then have a test.txt file in the root of your C:\ drive that
details the permissions that you can post here.
Do you have any files or folders within your w32x86\3 folderv or it empty?
If so, which files and folders do you have?
Paul
"Martin Brilliant" <MartinB...@discussions.microsoft.com> wrote in
message news:D760936F-AFF1-44EA...@microsoft.com...
Paul Baker [MVP, Windows - SDK]
It's been almost a week since I wrote this, and you seemed pretty desparate
now that I persuaded you to delete all your third party print spooler
components, so I am suprised that I did not yet see a reply. Is everything
okay over there?
Paul
"Paul Baker [MVP, Windows - SDK]" <pa...@online.rochester.rr.com> wrote in
message news:eciJ62Z5...@TK2MSFTNGP04.phx.gbl...
Martin B. Brilliant
You missed my last three posts. I was posting on the Microsoft
communities newsgroups website, and they showed up there. But I just
looked in the newsgroup (microsoft.public.windowsxp.print_fax) with a
real newsreader (Free Agent), and they aren't there. Your message
(shown below) appeared in both the website and the newsgroup.
So there's a lot of catching up to do. In brief, I solved the printer
problem, and then got myself in worse trouble.
On 8/26/2007 9:46 AM PST I posted:
---------------------------------------
Sorry about the delay. For some reason I did not get email notice of
your reply.
I just tried CACLS. The results are interesting. Could you please
explain how this works? How I can write in a directory but the System,
impersonating me, can't?
For the ...\3 folder I got just the name of the directory, nothing
else:
C:\windows\system32\spool\drivers\w32x86\3
That's all she wrote!
For the parent directory I got a lot more:
C:\windows\system32\spool\drivers\w32x86 Everyone:R
Everyone:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
CREATOR OWNER:(OI)(CI)(IO)F
So, in C:\WINDOWS\system32\spool\drivers\w32x86, I entered
cacls 3 /e /p BUILTIN\Administrators:F
and now I can install printers just the way I used to!
I have no fax, but I hope removing fax and reinstalling it in
Add/Remove Windows Components will work now (it didn't work before).
----------------------------------
I did, in fact, get the fax working again.
On 8/28/2007 12:51 AM PST I posted:
---------------------------------------
I found the answer to the question I just asked.
Subfolder "3" must have had a NULL ACL, that is, no ACL, which means
access is granted to everybody. When subfolder "New" was created in
"3" it first got an empty ACL, and then it inherited all its parent's
ACEs, that is, none. An empty ACL, unlike a NULL ACL, denies access to
everybody. Therefore an attempt to create a file in "New" resulted in
ACCESS DENIED.
I could delete printers because subfolder "3" had a NULL ACL. I could
not install printers because that required creating files in a
subfolder of "3", snf all subfolders of "3" had empty ACLs. That
answers my previous question about "what kind of access control is
this?"
The next question is, how did subfolder "3" lose its ACL?
I was installing and removing printers. I installed a local shared
printer, I installed an additional driver for Win9x on that printer, I
connected to it from another computer on my home network, and then I
removed the printer. Then I could not install any more printers. What
part of this deleted the ACL?
By the way, I went into Safe Mode and arranged for "3" (and all its
siblings) to inherit permissions from its parent, instead of the
stopgap ACE I originally put in.
-------------------------------------------
Then on 8/28/2007 6:15 PM PST I was once again frantic:
Help! I can't boot Windows. I can't start anything except Recovery
Console. I must have done something wrong in ACLview. I did notice
that there were no permissions one way or the other for the Windows
folder. Now any attempt at a normal boot stops with a cyan screen with
nothing but a working mouse cursor on it. No response to
CTRL-ALT-DELETE either.
I know this is the wrong discussion group for this problem. What's the
right one?
-------------------------
I later posted a query on microsoft.public.windowsxp.help_and_support
on 8/29/2007 5:59 PM (that must be EDT) with the title "Win XP Home
boots to the wrong copy - change systemroot?" That post tells where I
stand now.
On Wed, 29 Aug 2007 13:54:46 -0400, "Paul Baker [MVP, Windows - SDK]"
<pa...@online.rochester.rr.com> wrote:
> Martin,
>
> It's been almost a week since I wrote this, and you seemed pretty desparate
> now that I persuaded you to delete all your third party print spooler
> components, so I am suprised that I did not yet see a reply. Is everything
> okay over there?
>
> Paul
>
Marty
Martin B. Brilliant at home in Holmdel, NJ
Paul Baker [MVP, Windows - SDK]
That's weird that I missed your posts. I am using a newsreader (NNTP).
The w32x86 permissions are exactly the same as mine and look appropriate, so
I think they are correct.
There are some things I do not understand about the access to the 3 folder.
I will post to microsoft.public.windowsxp.print_fax, if you are interested
in following up on that.
In order to reset permissions correctly, I would recommend doing the
following:
- Right-click on C:\windows\system\spool\drivers and click Properties (be
careful to get exactly the right path).
- On the Security page, choose Advanced.
- Check the 'Replace permission entries on all child objects with entries
shown here that apply to child objects' check box and click OK.
To answer your question about how the 2 folder lost its DACL, I suppose you
would have to follow the same steps again one by one to see which one caused
it. After each step, you can use CACLS to check the DACL. For finer control,
you can use Process Monitor. Too bad you cannot use auditing, as you have
Home not Professional. I do think it might be worthwhile doing this, as an
understanding of what caused it will help ensure it does not happen
unexpectedly again to you or to anyone else who might write this. If we can
pinpoint the error, we may even be able to complain to the software vendor
so their shoddy software development can be exposed. I am a software
developer myself, and I cannot stand shoddy work that software vendors get
away with simply because they can.
Paul
>
> I was installing and removing printers. I installed a local shared
> printer, I installed an additional driver for Win9x on that printer, I
> connected to it from another computer on my home network, and then I
> removed the printer. Then I could not install any more printers. What
> part of this deleted the ACL?
"Martin B. Brilliant" <mbril...@alum.mit.edu> wrote in message
news:46d61447...@newsgroups.comcast.net...
Paul Baker [MVP, Windows - SDK]
did, using the subject "NULL DACL versis Empty DACL and Owner implcit
access".
It is a Managed Newsgroup and I am an MSDN Subscriber. Therefore, even if
noone else has an answer, Microsoft should.
Paul
"Paul Baker [MVP, Windows - SDK]" <pa...@online.rochester.rr.com> wrote in
message news:uqsNc2w6...@TK2MSFTNGP03.phx.gbl...
Martin B. Brilliant
posts, because I couldn't see them with my newsreader either. What's
weird is that didn't get to the newsgroup after posting on the
Microsoft site.
I did do the 'Replace permission entries on all child objects' thing
as you suggested. But I can't do the further experiments you suggest
because at present I can't boot to the Windows XP installation where I
had the problem. I'm running now on a new WinXP installation on the
same computer. My post on microsoft.public.windowsxp.help_and_support
dated 8/29/07 5:59 PM EDT has the details of that setup.
I thought I wanted to repair the old installation and go back to using
it. But it's so cluttered with utilities and applications and
mysterious things that start up at startup that it can be painfully
slow, and I'm thinking of killing it off and staying with the new one.
And I don't want to mess up the new one.
Better yet, I might kill the old one, format the new one and do a
clean install. That's because right now the "system drive" is C: and
the "boot drive" is R:. I think I have that straight: the "system
drive" is the one with BOOT.INI and the "boot drive" is the one with
SYSTEM32. Great mnemonics.
I can't blame anybody for the printer drivers. Windows says that both
the manufacturer's driver for the Brother printer, and the Windows 9x
driver that I installed for remote access, are "not signed" and
glitches should be expected. The Brother printer is now attached to a
Win9x system, with the manufacturer's driver, and I just installed a
signed HP driver for it on the new XP system, so everything should be
stable now. I'd rather leave it that way.
On Thu, 30 Aug 2007 09:56:47 -0400, "Paul Baker [MVP, Windows - SDK]"
<pa...@online.rochester.rr.com> wrote:
> Martin,
>
> ...
Paul Baker [MVP, Windows - SDK]
Now that appear to be using a Newsreader with a Comcast server, Microsoft's
server thinks it has an invalid message ID and so refuses any reply I
attempt. So this will appear as a separate thread.
For future reference, the most reliable way is going to be to use a
Newsreader with Microsoft's server, msnews.microsoft.com.
Paul