Some Microsoft software updates use Update.exe as the Setup program. Update.exe version 220.127.116.11 and later versions require that the user who installs the software update is an administrator with certain user rights. This article lists those user rights requirements.
If a user does not have the required user rights and tries to install a software update package that uses Update.exe, they may receive the following error message:
You do not have permission to update <OS name>. Please contact your system administrator.
If the software update installation was performed in unattended mode by specifying either the /quiet command-line switches, this error message is displayed in the installation log. By default, the installation log is located at %systemroot%/KB######.log, where ###### is the number of the Microsoft Knowledge Base article for the fix that was applied.
To determine whether a software update uses Update.exe as the Setup program for packages released after July 2004, examine the Installer Engine value on the Version tab of the Properties dialog box for the software update package. For packages released before July 2004, you must extract the package contents to determine which installer is used and what version it is.
For additional information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
Description of the new features in the package installer for Windows software updates
The following table lists the user rights required by Update.exe.
| Group Policy Object Display Name | Required by Update.exe | Description |
|---|---|---|
| Back up files and directories | | You must have this user right to perform backup operations. |
| Restore files and directories | | You must have this user right to perform restore operations. This user right lets you set any valid user or group security identifier (SID) as the owner of an object. |
| Manage auditing and security log | | You must have this user right to perform many security-related functions, such as controlling and viewing audit messages. This user right identifies its holder as a security operator. |
| Take ownership of files or other objects | | You must have this user right to take ownership of an object without being granted discretionary access. This user right allows for the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. |
| Shutdown the system | Required | You must have this user right to shut down the computer. Some software updates require that the computer be restarted. If this user right is not available, the software update installation will complete, and the user will have to contact an administrator with that user right to restart the computer, if it is required. |
| Debug programs | Required | You must have this user right to debug a process. Update.exe versions earlier than 18.104.22.168 may require that administrators have this user right to successfully install software updates. |
Hotpatching technology, also known as in-memory patching, is scheduled for delivery with Microsoft Windows Server 2003 Service Pack 1 (SP1) and will be available for some updates. You must have the Debug programs user right to use hotpatching.
For additional information about patch and update management, visit the following Microsoft Web site: http://technet.microsoft.com/en-us/library/cc768045.aspx
For additional information about earlier versions of Update.exe that require administrators to have the Debug programs user right, click the following article number to view the article in the Microsoft Knowledge Base:
Windows Product Updates may stop responding or may use most or all the CPU resources
To determine the missing user right, examine the installation log file. The installation log file contains error messages similar to the following:
2.744: d:\aab949b8ae7e35434dde6b\update\update.exe (version X.X.X.X)
2.744: Failed To Enable SE_SECURITY_PRIVILEGE
2.754: Setup encountered an error: You do not have permission to update OS_name. Please contact your system administrator.
2.764: You do not have permission to update OS_name.
In these messages, OS_name represents the operating system name, SE_SECURITY_PRIVILEGE represents the missing user right, and X.X.X.X represents the version number.
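The log check described above can be scripted. The following PowerShell is an added example, not part of the original article or of Microsoft's tooling: the function name Get-MissingUpdateRight is hypothetical, the sample log lines are constructed, and the SE_*_PRIVILEGE spellings other than SE_SECURITY_PRIVILEGE are assumed to follow the same pattern as the one shown in the article's log excerpt.

```powershell
# Added example: map "Failed To Enable SE_*_PRIVILEGE" lines from an Update.exe
# installation log to the Group Policy display names listed in this article.

# Privilege constant -> Group Policy display name (display names as given in the table).
# Only SE_SECURITY_PRIVILEGE appears in the article's log excerpt; the other
# keys are assumed to use the same SE_<NAME>_PRIVILEGE spelling in the log.
$RightNames = @{
    'SE_BACKUP_PRIVILEGE'         = 'Back up files and directories'
    'SE_RESTORE_PRIVILEGE'        = 'Restore files and directories'
    'SE_SECURITY_PRIVILEGE'       = 'Manage auditing and security log'
    'SE_TAKE_OWNERSHIP_PRIVILEGE' = 'Take ownership of files or other objects'
    'SE_SHUTDOWN_PRIVILEGE'       = 'Shutdown the system'
    'SE_DEBUG_PRIVILEGE'          = 'Debug programs'
}

function Get-MissingUpdateRight {
    # Hypothetical helper: returns one object per privilege that Update.exe failed to enable.
    param([Parameter(Mandatory)][string[]]$LogLine)
    foreach ($line in $LogLine) {
        if ($line -match 'Failed To Enable (SE_[A-Z_]+_PRIVILEGE)') {
            $name = $Matches[1]
            [pscustomobject]@{
                Privilege  = $name
                PolicyName = if ($RightNames.ContainsKey($name)) { $RightNames[$name] } else { '(not in table)' }
                LogLine    = $line.Trim()
            }
        }
    }
}

# Constructed sample input, modeled on the log excerpt in this article.
$sample = @'
2.744: d:\temp\update\update.exe (version X.X.X.X)
2.744: Failed To Enable SE_SECURITY_PRIVILEGE
2.754: Setup encountered an error: You do not have permission to update OS_name. Please contact your system administrator.
'@ -split "`r?`n"

Get-MissingUpdateRight -LogLine $sample | Format-List

# Against real logs (default location pattern from this article):
# Get-ChildItem "$env:SystemRoot\KB*.log" | ForEach-Object {
#     Get-MissingUpdateRight -LogLine (Get-Content $_.FullName)
# }
```

The PolicyName value in the output is the policy to look for under User Rights Assignments when you follow the steps below.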
To view and modify user rights, follow these steps:
- Start the Group Policy Editor in either your local or your domain environment. For more information about how to do this, visit the following Microsoft Web site:
- Under Computer Configuration, click Windows Settings.
- Click Security Settings, click Local Policies, and then click User Rights Assignments.
- To assign the policies listed earlier, right-click the policy, click Properties, and then add the user.
for other considerations.