Windows Update - "You must be an Administrator..." Error

[Don Holmes]

I have a Gateway 600YGR running Win2K Pro Version 5.0 (build 2195: Service Pack 4).

For roughly the last two or three months (it appears) the automatic (and manual, web based) Windows Updates have been failing. I did notice one or two that worked over the last few months but I believe they were drivers only. When I run the web update from v4.windowsupdate.microsoft.com the downloads work however the installations fail. The message on the resulting "failed to install" webpage is "No Updates Were Installed" and there are no error codes whatsoever. When I try to do the updates manually or one by one they all return the error message that "You do not have permission to update Windows 2000. Please contact your system administrator." I am the system administrator and have even made myself a domain administrator to try to fix this problem...

To the best of my knowledge and research there were no security policies/authorities changed since this last worked. Using secpol.msc (Local Policies-> User Rights Assignment) I verified that Administrators (and even my own user account and local machine Administrator) had the authority to:

a.. Back up files and directories
b.. Manage auditing and security log
c.. Modify firmware environment values
d.. Restore files and directories
e.. Take ownership of files or other objects
It doesn't matter if I login as the Network Administrator, Local Administrator, or Domain Administrator - same behavior...

I've completely removed the WUTemp directory and have forced recreation of the WindowsUpdate\V4 directory as well. I do not have a firewall running on the machine and the network firewall protects dozens of other machines on which Windows Update works fine... Downloads of the update files are received fine and security permissions on them are as expected (meaning I have full control of them). I've turned off all real-time file protection in Symantec AV just in case there was something strange there but still no change...

I've search high and low for anything on Microsoft's site and the web in general for ANYTHING on the message that "You do not have permission to update Windows 2000" and while I have found a few for XP, I've found nothing for Win2K. Just in case, I verified all of the dll registrations, MS root certificate, etc as suggested there to no avail.

When I attempt to run the "repair Windows 2000" feature using the original CD, (by clicking on the Install Windows 2000 link), I receive the infamous message "You must be an administrator to run this application". Again, I'm about as much of an Administrator (authority-wise) as one can be... Note that when using the "Install Add-On Components" link from the Win2K Pro CD - I can install/remove components using the Windows Components Wizard apparently without any issues... (at least none that Windows complains about where I can see it...)

I sure could use a fresh perspective on this one as it has stumped me completely... I'll include excerpts from the WindowsUpdate.log file as well as the iuhist.xml file below... At the bottom I include an excerpt from the KB839645.log file (one that is failing and representative of all that are failing) and it has references in it to Update.exe issuing an error code of 0xf004 and indicates something about failing to enable SE_SECURITY_PRIVILEGE but for the life of me I can't tell why... Thoughts ...



Below is an excerpt of the WindowsUpdate.log file for this last attempt via website:

2004-07-28 09:22:57 16:22:57 Success IUCTL Starting

2004-07-28 09:22:57 16:22:57 Success IUCTL Downloaded iuident.cab from http://windowsupdate.microsoft.com/v4/ to C:\Program Files\WindowsUpdate\V4

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuengine.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuctl.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUENGINE Starting

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:23:00 16:23:00 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:01 16:23:01 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:02 16:23:02 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:07 16:23:07 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:08 16:23:08 Success IUENGINE Determining machine configuration

2004-07-28 09:23:09 16:23:09 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/consumerdrivers/getmanifest.asp

2004-07-28 09:23:51 16:23:51 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:52 16:23:52 Success IUENGINE Asynchronous Download started

2004-07-28 09:23:52 16:23:52 Success IUENGINE Download destination root folder is: C:\WUTemp

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_67a0bec57f33208902e15d3ae1968f9.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Local path C:\WUTemp\com_microsoft.840315_W2K_SP5_WinSE_95927_Express\Windows2000-KB840315-x86-ENU-express.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_2f310dd9e91121cb09b4de620d7ae33.EXE

....

2004-07-28 09:24:00 16:24:00 Success IUENGINE Local path C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express\Windows2000-KB839645-x86-ENU-express.exe

2004-07-28 09:24:01 16:24:01 Success IUENGINE See iuhist.xml for details: Download finished

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install started

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install completed startup

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installing SOFTWARE item from publisher com_microsoft

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installer Command Type: EXE

....

2004-07-28 09:24:21 16:24:21 Error IUENGINE See iuhist.xml for details: Install finished (Error 0x8007F004)



Below is an excerpt of the iuhist.xml file for this last attempt via website:

<?xml version="1.0" ?>

- <items xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:21">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.839645_w2k_sp5_winse_96133_express." name="839645_W2K_SP5_WinSE_96133_Express">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for Windows 2000 (KB839645)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=30585" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />

</itemStatus>

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:19">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.directx_839643_w2k_9_0." name="DirectX_839643_W2K_9_0">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for DirectX 9.0 (KB839643)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=27992" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.DirectX_839643_W2K_9_0</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />



Below is an excerpt of the KB839645.log file for this last attempt via website:

0.170: ================================================================================

0.170: 2004/07/28 09:24:21.116 (local)

0.170: c:\2a9f1fb20ffb27eb1352e2\update\update.exe (version 5.4.15.0)

0.170: Failed To Enable SE_RESTORE_PRIVILEGE

0.170: Setup encountered an error: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: Update.exe extended error code = 0xf004

 

[Steven L Umbach]

The error message references " 0.170: Failed To Enable SE_RESTORE_PRIVILEGE " and you said you verified that administrators had that right. I would verify that the administrators group was in the "effective" settings for that user right also if you have not done such. Sometimes using secedit to restore default defined security settings has helped in situations where an administrator has been denied access. The link below describes how to do this and I would start off by appending /areas user_rights to the command to reset just user rights to start. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
I have a Gateway 600YGR running Win2K Pro Version 5.0 (build 2195: Service Pack 4).

For roughly the last two or three months (it appears) the automatic (and manual, web based) Windows Updates have been failing. I did notice one or two that worked over the last few months but I believe they were drivers only. When I run the web update from v4.windowsupdate.microsoft.com the downloads work however the installations fail. The message on the resulting "failed to install" webpage is "No Updates Were Installed" and there are no error codes whatsoever. When I try to do the updates manually or one by one they all return the error message that "You do not have permission to update Windows 2000. Please contact your system administrator." I am the system administrator and have even made myself a domain administrator to try to fix this problem...

To the best of my knowledge and research there were no security policies/authorities changed since this last worked. Using secpol.msc (Local Policies-> User Rights Assignment) I verified that Administrators (and even my own user account and local machine Administrator) had the authority to:

a.. Back up files and directories
b.. Manage auditing and security log
c.. Modify firmware environment values
d.. Restore files and directories
e.. Take ownership of files or other objects
It doesn't matter if I login as the Network Administrator, Local Administrator, or Domain Administrator - same behavior...

I've completely removed the WUTemp directory and have forced recreation of the WindowsUpdate\V4 directory as well. I do not have a firewall running on the machine and the network firewall protects dozens of other machines on which Windows Update works fine... Downloads of the update files are received fine and security permissions on them are as expected (meaning I have full control of them). I've turned off all real-time file protection in Symantec AV just in case there was something strange there but still no change...

I've search high and low for anything on Microsoft's site and the web in general for ANYTHING on the message that "You do not have permission to update Windows 2000" and while I have found a few for XP, I've found nothing for Win2K. Just in case, I verified all of the dll registrations, MS root certificate, etc as suggested there to no avail.

When I attempt to run the "repair Windows 2000" feature using the original CD, (by clicking on the Install Windows 2000 link), I receive the infamous message "You must be an administrator to run this application". Again, I'm about as much of an Administrator (authority-wise) as one can be... Note that when using the "Install Add-On Components" link from the Win2K Pro CD - I can install/remove components using the Windows Components Wizard apparently without any issues... (at least none that Windows complains about where I can see it...)

I sure could use a fresh perspective on this one as it has stumped me completely... I'll include excerpts from the WindowsUpdate.log file as well as the iuhist.xml file below... At the bottom I include an excerpt from the KB839645.log file (one that is failing and representative of all that are failing) and it has references in it to Update.exe issuing an error code of 0xf004 and indicates something about failing to enable SE_SECURITY_PRIVILEGE but for the life of me I can't tell why... Thoughts ...



Below is an excerpt of the WindowsUpdate.log file for this last attempt via website:

2004-07-28 09:22:57 16:22:57 Success IUCTL Starting

2004-07-28 09:22:57 16:22:57 Success IUCTL Downloaded iuident.cab from http://windowsupdate.microsoft.com/v4/ to C:\Program Files\WindowsUpdate\V4

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuengine.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuctl.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUENGINE Starting

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:23:00 16:23:00 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:01 16:23:01 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:02 16:23:02 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:07 16:23:07 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:08 16:23:08 Success IUENGINE Determining machine configuration

2004-07-28 09:23:09 16:23:09 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/consumerdrivers/getmanifest.asp

2004-07-28 09:23:51 16:23:51 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:52 16:23:52 Success IUENGINE Asynchronous Download started

2004-07-28 09:23:52 16:23:52 Success IUENGINE Download destination root folder is: C:\WUTemp

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_67a0bec57f33208902e15d3ae1968f9.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Local path C:\WUTemp\com_microsoft.840315_W2K_SP5_WinSE_95927_Express\Windows2000-KB840315-x86-ENU-express.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_2f310dd9e91121cb09b4de620d7ae33.EXE

...

2004-07-28 09:24:00 16:24:00 Success IUENGINE Local path C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express\Windows2000-KB839645-x86-ENU-express.exe

2004-07-28 09:24:01 16:24:01 Success IUENGINE See iuhist.xml for details: Download finished

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install started

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install completed startup

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installing SOFTWARE item from publisher com_microsoft

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installer Command Type: EXE

...

2004-07-28 09:24:21 16:24:21 Error IUENGINE See iuhist.xml for details: Install finished (Error 0x8007F004)



Below is an excerpt of the iuhist.xml file for this last attempt via website:

<?xml version="1.0" ?>

- <items xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:21">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.839645_w2k_sp5_winse_96133_express." name="839645_W2K_SP5_WinSE_96133_Express">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for Windows 2000 (KB839645)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=30585" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />

</itemStatus>

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:19">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.directx_839643_w2k_9_0." name="DirectX_839643_W2K_9_0">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for DirectX 9.0 (KB839643)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=27992" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.DirectX_839643_W2K_9_0</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />



Below is an excerpt of the KB839645.log file for this last attempt via website:

0.170: ================================================================================

0.170: 2004/07/28 09:24:21.116 (local)

0.170: c:\2a9f1fb20ffb27eb1352e2\update\update.exe (version 5.4.15.0)

0.170: Failed To Enable SE_RESTORE_PRIVILEGE

0.170: Setup encountered an error: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: Update.exe extended error code = 0xf004

 

[Don Holmes]

Hello Steve - thanks for the reply. Very interesting. My results are just about as interesting too...

I'm not sure exactly which accounts are being reconfigured but after I followed the suggested changes I checked the log and a number of S-1-5-xxxxxxx user accounts had various "privilege" settings removed and added. Following that neither my own user account (member of Administrators and Domain Administrators) nor the local Administrator account could make the Windows Updates work however the network Administrator account was successful - once, and for most of the updates. It left one undone and despite several retries even that account didn't work. I thought it odd that the"resetting" of the various privileges to their default settings would only allow the network admin to do this - and then to only allow it for one "shot". So - I ran secedit again the exact same way I did before and low and behold I was then able to do the one remaining update as the network administrator (but not as the local admin nor under my own user login)... I checked the secedit configuration utilities log file again and as suspected it had MORE changes, again. Much fewer than before but still more than a handful and all but two are replicas of actions taken in the first go around... Either the changes were being "undone" by the updates or a restart or something, or they really weren't being made in the first place... Still don't know.

So - at least for the moment I'm up to date on the Windows Updates but I don't know if I really fixed something permanently or not...

Also, I haven't been able to determine which user accounts were being reconfigured yet because I haven't mapped the S-1-5-xxx numbers to anything. Would you know how to do this by chance?

Thanks again,

Don

--

The error message references " 0.170: Failed To Enable SE_RESTORE_PRIVILEGE " and you said you verified that administrators had that right. I would verify that the administrators group was in the "effective" settings for that user right also if you have not done such. Sometimes using secedit to restore default defined security settings has helped in situations where an administrator has been denied access. The link below describes how to do this and I would start off by appending /areas user_rights to the command to reset just user rights to start. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
I have a Gateway 600YGR running Win2K Pro Version 5.0 (build 2195: Service Pack 4).

For roughly the last two or three months (it appears) the automatic (and manual, web based) Windows Updates have been failing. I did notice one or two that worked over the last few months but I believe they were drivers only. When I run the web update from v4.windowsupdate.microsoft.com the downloads work however the installations fail. The message on the resulting "failed to install" webpage is "No Updates Were Installed" and there are no error codes whatsoever. When I try to do the updates manually or one by one they all return the error message that "You do not have permission to update Windows 2000. Please contact your system administrator." I am the system administrator and have even made myself a domain administrator to try to fix this problem...

To the best of my knowledge and research there were no security policies/authorities changed since this last worked. Using secpol.msc (Local Policies-> User Rights Assignment) I verified that Administrators (and even my own user account and local machine Administrator) had the authority to:

a.. Back up files and directories
b.. Manage auditing and security log
c.. Modify firmware environment values
d.. Restore files and directories
e.. Take ownership of files or other objects
It doesn't matter if I login as the Network Administrator, Local Administrator, or Domain Administrator - same behavior...

I've completely removed the WUTemp directory and have forced recreation of the WindowsUpdate\V4 directory as well. I do not have a firewall running on the machine and the network firewall protects dozens of other machines on which Windows Update works fine... Downloads of the update files are received fine and security permissions on them are as expected (meaning I have full control of them). I've turned off all real-time file protection in Symantec AV just in case there was something strange there but still no change...

I've search high and low for anything on Microsoft's site and the web in general for ANYTHING on the message that "You do not have permission to update Windows 2000" and while I have found a few for XP, I've found nothing for Win2K. Just in case, I verified all of the dll registrations, MS root certificate, etc as suggested there to no avail.

When I attempt to run the "repair Windows 2000" feature using the original CD, (by clicking on the Install Windows 2000 link), I receive the infamous message "You must be an administrator to run this application". Again, I'm about as much of an Administrator (authority-wise) as one can be... Note that when using the "Install Add-On Components" link from the Win2K Pro CD - I can install/remove components using the Windows Components Wizard apparently without any issues... (at least none that Windows complains about where I can see it...)

I sure could use a fresh perspective on this one as it has stumped me completely... I'll include excerpts from the WindowsUpdate.log file as well as the iuhist.xml file below... At the bottom I include an excerpt from the KB839645.log file (one that is failing and representative of all that are failing) and it has references in it to Update.exe issuing an error code of 0xf004 and indicates something about failing to enable SE_SECURITY_PRIVILEGE but for the life of me I can't tell why... Thoughts ...



Below is an excerpt of the WindowsUpdate.log file for this last attempt via website:

2004-07-28 09:22:57 16:22:57 Success IUCTL Starting

2004-07-28 09:22:57 16:22:57 Success IUCTL Downloaded iuident.cab from http://windowsupdate.microsoft.com/v4/ to C:\Program Files\WindowsUpdate\V4

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuengine.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuctl.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUENGINE Starting

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:23:00 16:23:00 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:01 16:23:01 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:02 16:23:02 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:07 16:23:07 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:08 16:23:08 Success IUENGINE Determining machine configuration

2004-07-28 09:23:09 16:23:09 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/consumerdrivers/getmanifest.asp

2004-07-28 09:23:51 16:23:51 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:52 16:23:52 Success IUENGINE Asynchronous Download started

2004-07-28 09:23:52 16:23:52 Success IUENGINE Download destination root folder is: C:\WUTemp

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_67a0bec57f33208902e15d3ae1968f9.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Local path C:\WUTemp\com_microsoft.840315_W2K_SP5_WinSE_95927_Express\Windows2000-KB840315-x86-ENU-express.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_2f310dd9e91121cb09b4de620d7ae33.EXE

...

2004-07-28 09:24:00 16:24:00 Success IUENGINE Local path C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express\Windows2000-KB839645-x86-ENU-express.exe

2004-07-28 09:24:01 16:24:01 Success IUENGINE See iuhist.xml for details: Download finished

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install started

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install completed startup

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installing SOFTWARE item from publisher com_microsoft

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installer Command Type: EXE

...

2004-07-28 09:24:21 16:24:21 Error IUENGINE See iuhist.xml for details: Install finished (Error 0x8007F004)



Below is an excerpt of the iuhist.xml file for this last attempt via website:

<?xml version="1.0" ?>

- <items xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:21">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.839645_w2k_sp5_winse_96133_express." name="839645_W2K_SP5_WinSE_96133_Express">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for Windows 2000 (KB839645)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=30585" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />

</itemStatus>

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:19">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.directx_839643_w2k_9_0." name="DirectX_839643_W2K_9_0">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for DirectX 9.0 (KB839643)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=27992" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.DirectX_839643_W2K_9_0</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />



Below is an excerpt of the KB839645.log file for this last attempt via website:

0.170: ================================================================================

0.170: 2004/07/28 09:24:21.116 (local)

0.170: c:\2a9f1fb20ffb27eb1352e2\update\update.exe (version 5.4.15.0)

0.170: Failed To Enable SE_RESTORE_PRIVILEGE

0.170: Setup encountered an error: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: Update.exe extended error code = 0xf004

 

[Steven L Umbach]

The sid numbers refer to unresolved users or groups. Possibly a user or group that once existed and has since been deleted. That is common with the power users group on a domain controller, since that group is removed with dcpromo. I don't really know why only the domain admin can make changes. One thought is that there is a higher priority policy configured for user rights such as domain/ou/domain controller level which reconfigure your changes done with secedit upon refresh since secedit works on Local Security Policy so you may want to check out other Group Policies. You can run gpresult on a domain computer and it will show you what GPO's are applying security policy via computer configuration tom that computer. --- Steve
Hello Steve - thanks for the reply. Very interesting. My results are just about as interesting too...

I'm not sure exactly which accounts are being reconfigured but after I followed the suggested changes I checked the log and a number of S-1-5-xxxxxxx user accounts had various "privilege" settings removed and added. Following that neither my own user account (member of Administrators and Domain Administrators) nor the local Administrator account could make the Windows Updates work however the network Administrator account was successful - once, and for most of the updates. It left one undone and despite several retries even that account didn't work. I thought it odd that the"resetting" of the various privileges to their default settings would only allow the network admin to do this - and then to only allow it for one "shot". So - I ran secedit again the exact same way I did before and low and behold I was then able to do the one remaining update as the network administrator (but not as the local admin nor under my own user login)... I checked the secedit configuration utilities log file again and as suspected it had MORE changes, again. Much fewer than before but still more than a handful and all but two are replicas of actions taken in the first go around... Either the changes were being "undone" by the updates or a restart or something, or they really weren't being made in the first place... Still don't know.

So - at least for the moment I'm up to date on the Windows Updates but I don't know if I really fixed something permanently or not...

Also, I haven't been able to determine which user accounts were being reconfigured yet because I haven't mapped the S-1-5-xxx numbers to anything. Would you know how to do this by chance?

Thanks again,

Don

--

The error message references " 0.170: Failed To Enable SE_RESTORE_PRIVILEGE " and you said you verified that administrators had that right. I would verify that the administrators group was in the "effective" settings for that user right also if you have not done such. Sometimes using secedit to restore default defined security settings has helped in situations where an administrator has been denied access. The link below describes how to do this and I would start off by appending /areas user_rights to the command to reset just user rights to start. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;313222
I have a Gateway 600YGR running Win2K Pro Version 5.0 (build 2195: Service Pack 4).

For roughly the last two or three months (it appears) the automatic (and manual, web based) Windows Updates have been failing. I did notice one or two that worked over the last few months but I believe they were drivers only. When I run the web update from v4.windowsupdate.microsoft.com the downloads work however the installations fail. The message on the resulting "failed to install" webpage is "No Updates Were Installed" and there are no error codes whatsoever. When I try to do the updates manually or one by one they all return the error message that "You do not have permission to update Windows 2000. Please contact your system administrator." I am the system administrator and have even made myself a domain administrator to try to fix this problem...

To the best of my knowledge and research there were no security policies/authorities changed since this last worked. Using secpol.msc (Local Policies-> User Rights Assignment) I verified that Administrators (and even my own user account and local machine Administrator) had the authority to:

a.. Back up files and directories
b.. Manage auditing and security log
c.. Modify firmware environment values
d.. Restore files and directories
e.. Take ownership of files or other objects
It doesn't matter if I login as the Network Administrator, Local Administrator, or Domain Administrator - same behavior...

I've completely removed the WUTemp directory and have forced recreation of the WindowsUpdate\V4 directory as well. I do not have a firewall running on the machine and the network firewall protects dozens of other machines on which Windows Update works fine... Downloads of the update files are received fine and security permissions on them are as expected (meaning I have full control of them). I've turned off all real-time file protection in Symantec AV just in case there was something strange there but still no change...

I've search high and low for anything on Microsoft's site and the web in general for ANYTHING on the message that "You do not have permission to update Windows 2000" and while I have found a few for XP, I've found nothing for Win2K. Just in case, I verified all of the dll registrations, MS root certificate, etc as suggested there to no avail.

When I attempt to run the "repair Windows 2000" feature using the original CD, (by clicking on the Install Windows 2000 link), I receive the infamous message "You must be an administrator to run this application". Again, I'm about as much of an Administrator (authority-wise) as one can be... Note that when using the "Install Add-On Components" link from the Win2K Pro CD - I can install/remove components using the Windows Components Wizard apparently without any issues... (at least none that Windows complains about where I can see it...)

I sure could use a fresh perspective on this one as it has stumped me completely... I'll include excerpts from the WindowsUpdate.log file as well as the iuhist.xml file below... At the bottom I include an excerpt from the KB839645.log file (one that is failing and representative of all that are failing) and it has references in it to Update.exe issuing an error code of 0xf004 and indicates something about failing to enable SE_SECURITY_PRIVILEGE but for the life of me I can't tell why... Thoughts ...



Below is an excerpt of the WindowsUpdate.log file for this last attempt via website:

2004-07-28 09:22:57 16:22:57 Success IUCTL Starting

2004-07-28 09:22:57 16:22:57 Success IUCTL Downloaded iuident.cab from http://windowsupdate.microsoft.com/v4/ to C:\Program Files\WindowsUpdate\V4

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuengine.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUCTL Current iuctl.dll version: 5.4.3790.14

2004-07-28 09:22:57 16:22:57 Success IUENGINE Starting

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:22:57 16:22:57 Success IUENGINE Determining machine configuration

2004-07-28 09:23:00 16:23:00 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:01 16:23:01 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:02 16:23:02 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:07 16:23:07 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:08 16:23:08 Success IUENGINE Determining machine configuration

2004-07-28 09:23:09 16:23:09 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/consumerdrivers/getmanifest.asp

2004-07-28 09:23:51 16:23:51 Success IUENGINE Querying software update catalog from https://v4.windowsupdate.microsoft.com/getmanifest.asp

2004-07-28 09:23:52 16:23:52 Success IUENGINE Asynchronous Download started

2004-07-28 09:23:52 16:23:52 Success IUENGINE Download destination root folder is: C:\WUTemp

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_67a0bec57f33208902e15d3ae1968f9.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Local path C:\WUTemp\com_microsoft.840315_W2K_SP5_WinSE_95927_Express\Windows2000-KB840315-x86-ENU-express.exe

2004-07-28 09:23:59 16:23:59 Success IUENGINE Downloaded file http://download.windowsupdate.com/m...U-express_2f310dd9e91121cb09b4de620d7ae33.EXE

...

2004-07-28 09:24:00 16:24:00 Success IUENGINE Local path C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express\Windows2000-KB839645-x86-ENU-express.exe

2004-07-28 09:24:01 16:24:01 Success IUENGINE See iuhist.xml for details: Download finished

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install started

2004-07-28 09:24:01 16:24:01 Success IUENGINE Asynchronous Install completed startup

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installing SOFTWARE item from publisher com_microsoft

2004-07-28 09:24:01 16:24:01 Success IUENGINE Installer Command Type: EXE

...

2004-07-28 09:24:21 16:24:21 Error IUENGINE See iuhist.xml for details: Install finished (Error 0x8007F004)



Below is an excerpt of the iuhist.xml file for this last attempt via website:

<?xml version="1.0" ?>

- <items xmlns="x-schema:http://schemas.windowsupdate.com/iu/resultschema.xml">

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:21">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.839645_w2k_sp5_winse_96133_express." name="839645_W2K_SP5_WinSE_96133_Express">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for Windows 2000 (KB839645)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=30585" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.839645_W2K_SP5_WinSE_96133_Express</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />

</itemStatus>

- <itemStatus xmlns="" timestamp="2004-07-28T09:24:19">

- <identity itemID="win2k.windows2000.ver_platform_win32_nt.5.0.x86.en...2195.4.0.com_microsoft.directx_839643_w2k_9_0." name="DirectX_839643_W2K_9_0">

<publisherName>com_microsoft</publisherName>

<language>en</language>

</identity>

- <description hidden="0">

- <descriptionText>

<title>Security Update for DirectX 9.0 (KB839643)</title>

<eula href="/msdownload/update/v3/static/eula/en/eula.htm" />

<details href="http://go.microsoft.com/fwlink/?LinkId=27992" />

</descriptionText>

</description>

- <platform name="ver_platform_win32_nt">

<processorArchitecture>x86</processorArchitecture>

<version major="5" minor="0" build="2195" servicePackMajor="4" servicePackMinor="0" />

</platform>

<downloadStatus value="COMPLETE" />

<downloadPath>C:\WUTemp\com_microsoft.DirectX_839643_W2K_9_0</downloadPath>

<client>IU_Site</client>

<installStatus value="FAILED" needsReboot="0" errorCode="-2146963452" />



Below is an excerpt of the KB839645.log file for this last attempt via website:

0.170: ================================================================================

0.170: 2004/07/28 09:24:21.116 (local)

0.170: c:\2a9f1fb20ffb27eb1352e2\update\update.exe (version 5.4.15.0)

0.170: Failed To Enable SE_RESTORE_PRIVILEGE

0.170: Setup encountered an error: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: You do not have permission to update Windows 2000.

Please contact your system administrator.

0.170: Update.exe extended error code = 0xf004