Cannot install new printer drivers

[Paul Baker [MVP, Windows - SDK]]

Martin,

I was actually looking for Bruce Sanderson's page and couldn't find it. Yes,
I would follow his instructions. It may resolve your problem.

What is the registry key that Process Monitor reported ACCESS DENIED for? If
access was granted shortly before and after on the same key, perhaps
different access was requested. The access requested should be logged. Can
you please email me the Print Monitor log so I can examine that?

The Process Monitor and Cleanspl results both suggest a registry permissions
problem.

Administrators should have Full Control to HKEY_LOCAL_MACHINE\SYSTEM and
that should be inherited by this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows
NT x86\Drivers\Version-3

You can also test permissions by creating a test subkey and test values.

Paul

 

[Guest]

Paul,

Thanks (not). Between what cleanspl could accomplish and what Bruce
Sanderson told me to do (including some things he said I shouldn't have let
cleanspl do) I have no printers at all, no BJ Language monitor, no standard
TCP/IP port, no fax, and I still get access denied from the Add Printer
Wizard.

I stopped a couple of processes that were putting irrelevant stuff in the
Process Monitor. This time, and the time before, Process Monitor showed only
one ACCESS DENIED event, and that was for a file creation, not a registry
value. There are no ACCESS DENIED events from the registry. As I remember,
the registry access that was denied before was for a desired access of
something like Length: 144, for a value that had previously been reported
with length 30.

I have no access problems in the registry as an administrator. I
successfully created and deleted a test subkey and a test value in the
registry key you named.

The whole Process Monitor output, saved in CSV format for the 35 seconds it
took to run the Add Printer Wizard, is nearly 5MB. I don't think you want
that posted here. A short segment, from the creation of the ...3\New folder
to ACCESS DENIED for a file creation in that folder, is posted below. I
stopped capturing events as soon as I could after I saw the failure message
from the wizard, and the log ended at 9:16:23.5789621 AM, about 0.6 seconds
after the ACCESS DENIED, so if there's any smoking gun, that would be it.

Let me know if you have any other ideas. If not, I hope System Restore and
my full registry export can bring back the printers I had.

"Sequence","Time of Day","Process
Name","PID","Operation","Path","Result","Detail"
"45412","9:16:22.9890210
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New","NAME
NOT FOUND","Desired Access: Read Attributes, Disposition: Open, Options: Open
Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete,
AllocationSize: n/a, Impersonating: MARTIN\Martin"
"45413","9:16:22.9904913
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New","SUCCESS","Desired
Access: Read Data/List Directory, Synchronize, Disposition: Create, Options:
Directory, Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, Write,
AllocationSize: 0, OpenResult: Created"
"45414","9:16:22.9923549
AM","spoolsv.exe","1516","CloseFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New","SUCCESS",""
"45416","9:16:22.9937308
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\4282640","SUCCESS","Desired
Access: Read Data/List Directory, Synchronize, Disposition: Open, Options:
Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write,
AllocationSize: n/a, Impersonating: MARTIN\Martin, OpenResult: Opened"
"45417","9:16:22.9947868
AM","spoolsv.exe","1516","QueryDirectory","C:\WINDOWS\system32\spool\drivers\w32x86\4282640\UNIDRV.DLL","SUCCESS","Filter: UNIDRV.DLL, 1: UNIDRV.DLL"
"45418","9:16:22.9958308
AM","spoolsv.exe","1516","CloseFile","C:\WINDOWS\system32\spool\drivers\w32x86\4282640","SUCCESS",""
"45420","9:16:22.9970586
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3","SUCCESS","Desired
Access: Read Data/List Directory, Synchronize, Disposition: Open, Options:
Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write,
AllocationSize: n/a, Impersonating: MARTIN\Martin, OpenResult: Opened"
"45421","9:16:22.9981098
AM","spoolsv.exe","1516","QueryDirectory","C:\WINDOWS\system32\spool\drivers\w32x86\3\UNIDRV.DLL","NO SUCH FILE","Filter: UNIDRV.DLL"
"45422","9:16:22.9991385
AM","spoolsv.exe","1516","CloseFile","C:\WINDOWS\system32\spool\drivers\w32x86\3","SUCCESS",""
"45424","9:16:23.0007049
AM","spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New\UNIDRV.DLL","ACCESS
DENIED","Desired Access: Generic Write, Read Attributes, Disposition:
OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert,
Non-Directory File, Attributes: A, ShareMode: None, AllocationSize: 0,
Impersonating: MARTIN\Martin"

 

[Paul Baker [MVP, Windows - SDK]]

Martin,

This log entry should explain your problem:

"spoolsv.exe","1516","CreateFile","C:\WINDOWS\system32\spool\drivers\w32x86\3\New\UNIDRV.DLL","ACCESS
DENIED","Desired Access: Generic Write, Read Attributes, Disposition:

I know you've already looked at the permissions of
C:\windows\system32\spool\drivers\w32x86\3, but I think you need to look
again.

At the Command Prompt, type this:
cacls C:\windows\system32\spool\drivers\w32x86\3 > C:\test.txt

You will then have a test.txt file in the root of your C:\ drive that
details the permissions that you can post here.

Do you have any files or folders within your w32x86\3 folderv or it empty?
If so, which files and folders do you have?

Paul

 

[Paul Baker [MVP, Windows - SDK]]

Martin,

It's been almost a week since I wrote this, and you seemed pretty desparate
now that I persuaded you to delete all your third party print spooler
components, so I am suprised that I did not yet see a reply. Is everything
okay over there?

Paul

 

[Martin B. Brilliant]

Paul,

You missed my last three posts. I was posting on the Microsoft
communities newsgroups website, and they showed up there. But I just
looked in the newsgroup (microsoft.public.windowsxp.print_fax) with a
real newsreader (Free Agent), and they aren't there. Your message
(shown below) appeared in both the website and the newsgroup.

So there's a lot of catching up to do. In brief, I solved the printer
problem, and then got myself in worse trouble.

On 8/26/2007 9:46 AM PST I posted:

---------------------------------------
Sorry about the delay. For some reason I did not get email notice of
your reply.

I just tried CACLS. The results are interesting. Could you please
explain how this works? How I can write in a directory but the System,
impersonating me, can't?

For the ...\3 folder I got just the name of the directory, nothing
else:

C:\windows\system32\spool\drivers\w32x86\3

That's all she wrote!

For the parent directory I got a lot more:

C:\windows\system32\spool\drivers\w32x86 Everyone:R
EveryoneOI)(CI)(IO)(special access

GENERIC_READ
GENERIC_EXECUTE

BUILTIN\Users:R
BUILTIN\UsersOI)(CI)(IO)(special access


GENERIC_READ

GENERIC_EXECUTE

BUILTIN\Administrators:F
BUILTIN\AdministratorsOI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEMOI)(CI)(IO)F
CREATOR OWNEROI)(CI)(IO)F

So, in C:\WINDOWS\system32\spool\drivers\w32x86, I entered

cacls 3 /e /p BUILTIN\Administrators:F

and now I can install printers just the way I used to!

I have no fax, but I hope removing fax and reinstalling it in
Add/Remove Windows Components will work now (it didn't work before).
----------------------------------

I did, in fact, get the fax working again.

On 8/28/2007 12:51 AM PST I posted:

---------------------------------------
I found the answer to the question I just asked.

Subfolder "3" must have had a NULL ACL, that is, no ACL, which means
access is granted to everybody. When subfolder "New" was created in
"3" it first got an empty ACL, and then it inherited all its parent's
ACEs, that is, none. An empty ACL, unlike a NULL ACL, denies access to
everybody. Therefore an attempt to create a file in "New" resulted in
ACCESS DENIED.

I could delete printers because subfolder "3" had a NULL ACL. I could
not install printers because that required creating files in a
subfolder of "3", snf all subfolders of "3" had empty ACLs. That
answers my previous question about "what kind of access control is
this?"

The next question is, how did subfolder "3" lose its ACL?

I was installing and removing printers. I installed a local shared
printer, I installed an additional driver for Win9x on that printer, I
connected to it from another computer on my home network, and then I
removed the printer. Then I could not install any more printers. What
part of this deleted the ACL?

By the way, I went into Safe Mode and arranged for "3" (and all its
siblings) to inherit permissions from its parent, instead of the
stopgap ACE I originally put in.
-------------------------------------------

Then on 8/28/2007 6:15 PM PST I was once again frantic:

Help! I can't boot Windows. I can't start anything except Recovery
Console. I must have done something wrong in ACLview. I did notice
that there were no permissions one way or the other for the Windows
folder. Now any attempt at a normal boot stops with a cyan screen with
nothing but a working mouse cursor on it. No response to
CTRL-ALT-DELETE either.

I know this is the wrong discussion group for this problem. What's the
right one?
-------------------------

I later posted a query on microsoft.public.windowsxp.help_and_support
on 8/29/2007 5:59 PM (that must be EDT) with the title "Win XP Home
boots to the wrong copy - change systemroot?" That post tells where I
stand now.

Martin,

It's been almost a week since I wrote this, and you seemed pretty desparate
now that I persuaded you to delete all your third party print spooler
components, so I am suprised that I did not yet see a reply. Is everything
okay over there?

Paul

Marty
Martin B. Brilliant at home in Holmdel, NJ

 

[Paul Baker [MVP, Windows - SDK]]

Martin,

That's weird that I missed your posts. I am using a newsreader (NNTP).

The w32x86 permissions are exactly the same as mine and look appropriate, so
I think they are correct.

There are some things I do not understand about the access to the 3 folder.
I will post to microsoft.public.windowsxp.print_fax, if you are interested
in following up on that.

In order to reset permissions correctly, I would recommend doing the
following:
- Right-click on C:\windows\system\spool\drivers and click Properties (be
careful to get exactly the right path).
- On the Security page, choose Advanced.
- Check the 'Replace permission entries on all child objects with entries
shown here that apply to child objects' check box and click OK.

To answer your question about how the 2 folder lost its DACL, I suppose you
would have to follow the same steps again one by one to see which one caused
it. After each step, you can use CACLS to check the DACL. For finer control,
you can use Process Monitor. Too bad you cannot use auditing, as you have
Home not Professional. I do think it might be worthwhile doing this, as an
understanding of what caused it will help ensure it does not happen
unexpectedly again to you or to anyone else who might write this. If we can
pinpoint the error, we may even be able to complain to the software vendor
so their shoddy software development can be exposed. I am a software
developer myself, and I cannot stand shoddy work that software vendors get
away with simply because they can.

Paul

 

[Paul Baker [MVP, Windows - SDK]]

I meant that I will post to microsoft.public.platformsdk.security, and I
did, using the subject "NULL DACL versis Empty DACL and Owner implcit
access".

It is a Managed Newsgroup and I am an MSDN Subscriber. Therefore, even if
noone else has an answer, Microsoft should.

Paul

 

[Martin B. Brilliant]

Paul, if you're using a newsreader, that explains why you missed my
posts, because I couldn't see them with my newsreader either. What's
weird is that didn't get to the newsgroup after posting on the
Microsoft site.

I did do the 'Replace permission entries on all child objects' thing
as you suggested. But I can't do the further experiments you suggest
because at present I can't boot to the Windows XP installation where I
had the problem. I'm running now on a new WinXP installation on the
same computer. My post on microsoft.public.windowsxp.help_and_support
dated 8/29/07 5:59 PM EDT has the details of that setup.

I thought I wanted to repair the old installation and go back to using
it. But it's so cluttered with utilities and applications and
mysterious things that start up at startup that it can be painfully
slow, and I'm thinking of killing it off and staying with the new one.
And I don't want to mess up the new one.

Better yet, I might kill the old one, format the new one and do a
clean install. That's because right now the "system drive" is C: and
the "boot drive" is R:. I think I have that straight: the "system
drive" is the one with BOOT.INI and the "boot drive" is the one with
SYSTEM32. Great mnemonics.

I can't blame anybody for the printer drivers. Windows says that both
the manufacturer's driver for the Brother printer, and the Windows 9x
driver that I installed for remote access, are "not signed" and
glitches should be expected. The Brother printer is now attached to a
Win9x system, with the manufacturer's driver, and I just installed a
signed HP driver for it on the new XP system, so everything should be
stable now. I'd rather leave it that way.

Martin,

That's weird that I missed your posts. I am using a newsreader (NNTP).

The w32x86 permissions are exactly the same as mine and look appropriate, so
I think they are correct.

There are some things I do not understand about the access to the 3 folder.
I will post to microsoft.public.windowsxp.print_fax, if you are interested
in following up on that.

In order to reset permissions correctly, I would recommend doing the
following:
- Right-click on C:\windows\system\spool\drivers and click Properties (be
careful to get exactly the right path).
- On the Security page, choose Advanced.
- Check the 'Replace permission entries on all child objects with entries
shown here that apply to child objects' check box and click OK.

To answer your question about how the 2 folder lost its DACL, I suppose you
would have to follow the same steps again one by one to see which one caused
it. After each step, you can use CACLS to check the DACL. For finer control,
you can use Process Monitor. Too bad you cannot use auditing, as you have
Home not Professional. I do think it might be worthwhile doing this, as an
understanding of what caused it will help ensure it does not happen
unexpectedly again to you or to anyone else who might write this. If we can
pinpoint the error, we may even be able to complain to the software vendor
so their shoddy software development can be exposed. I am a software
developer myself, and I cannot stand shoddy work that software vendors get
away with simply because they can.

Paul
...

Marty
Martin B. Brilliant at home in Holmdel, NJ