In the English version of Windows 7 Release Candidate (build 7100) 32-bit Ultimate,
the folder that is created as the root folder of the system drive
is missing entries in its security descriptor. One effect of this problem is that standard
users such as non-administrators cannot perform all operations on subfolders that are created directly under
the root. Therefore, applications that reference folders under the root may not install successfully or may not uninstall successfully. Additionally, operations or applications that reference these folders may fail.
For example, if a folder is created under the root of the
system drive from an elevated command prompt, this folder will not correctly
inherit permissions from the root of the drive. Therefore, some specific
operations, such as deleting the folder, will fail when they are performed from a non-elevated command
prompt. Additionally, the following error message appears when the
Furthermore, the missing security descriptor entries
protect non-admin file operations directly under the root.
This problem occurs because the English version of Windows 7 Release Candidate 32-bit Ultimate incorrectly sets access control lists (ACLs) on the root.
For those customers who are affected by this problem, the fix is available through Windows Update:
A supported hotfix is available from Microsoft. However, this hotfix is intended
to correct only the problem that is described in this article. Apply this
hotfix only to systems that are experiencing this specific problem.
You must have Windows 7 Release Candidate 32-bit Ultimate installed to apply this hotfix.
You do not have to restart the computer after you apply this
Hotfix replacement information
This hotfix does not replace a previously released hotfix.
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone
tab in the Date and Time
item in Control Panel.
|File name||File version||File
The hotfix is released through Windows
The hotfix package
- The problem exists only on x86 versions of the Windows 7 Release Candidate Ultimate. Only an x86 version of the hotfix was created. This hotfix will install only on Windows 7 Release Candidate (build 7100) 32-bit Ultimate. To avoid additional offering complications, the hotfix will install on all
five language versions of the program.
- If you successfully install the hotfix on your computer, an update that references this Microsoft Knowledge Base number (970789) will appear in Add or Remove Programs. You can review the list of updates in Add or Remove Programs to confirm that the hotfix installation was successful.
- You can uninstall this hotfix and then reinstall it. If you uninstall the hotfix, the ACLs do not return to their previous state. That is, the change that this hotfix makes to the ACLs is not reversed when you uninstall the hotfix.
The CleanWin7RCRoot.exe tool
- The CleanWin7RCRoot.exe tool examines the full security descriptor on the root of the system drive that has the "known bad" security
descriptor. The tool replaces an incorrect security descriptor with a correct one. After the security descriptor is replaced, folders that are created under the root folder of the system drive inherit the correct ACLs, and applications install successfully.
- The hotfix does not repair applications that are already
- If you have changed the root security descriptor, the CleanWin7RCRoot.exe tool does not make changes to the ACL. This prevents
potential application compatibility problems.
You cannot apply this hotfix offline. For information about how to apply this change to offline images, see the "Offline instructions" section later in this document.
This issue affects only images that are based on Windows 7 Release Candidate (build 7100) 32-bit Ultimate. To make
sure that this update does not affect your user experience, we recommend that you
take the following actions:
- Back up your current system.
- Start from the DVD.
- Format your partition where you want to install Windows
- After the Windows 7 installation is complete, install this update from
Windows Update before you restore any backups or install
any other software.
If you have already installed the operating system without
formatting your drive, make sure that your settings
are correct. To do this, run the following command from an elevated command prompt:
When you run the command, the following text should appear:
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
If the text that appears differs from this text, and you have not previously made any other expected changes, you must install the hotfix.
If you want to manually apply a fix that replicates the functionality of the hotfix, run the following command from an elevated command prompt:
cacls \ /S:D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)
icacls \ /setintegritylevel (OI)(NP)(IO)H
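Added example (not part of the original article, and not the logic of CleanWin7RCRoot.exe): a small Python decoder for the DACL string passed to cacls above, which also checks whether Users or Authenticated Users can create files in the folder itself. The alias tables cover only the codes in that string, SAMPLE_LOOSE_DACL is a constructed contrast value, and deny ACEs and other trustees are ignored.

```python
import re

# DACL string from the article's "cacls \ /S:..." command.
FIXED_ROOT_DACL = ("D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)"
                   "(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)")
# Constructed sample for contrast; NOT the descriptor that build 7100 shipped with.
SAMPLE_LOOSE_DACL = "D:PAI(A;;FA;;;BA)(A;OICI;0x1301bf;;;AU)"

# Only the SDDL aliases these strings need.
SIDS = {"BA": r"BUILTIN\Administrators", "SY": r"NT AUTHORITY\SYSTEM",
        "BU": r"BUILTIN\Users", "AU": r"NT AUTHORITY\Authenticated Users"}
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "SD": 0x00010000, "FA": 0x001F01FF, "LC": 0x00000004}
# FILE_ADD_FILE (0x2), GENERIC_WRITE or GENERIC_ALL each allow creating a file.
CREATE_FILE_BITS = 0x2 | RIGHTS["GW"] | RIGHTS["GA"]

def parse_mask(text):
    """Turn an SDDL rights field (hex literal or two-letter codes) into a mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("odd-length rights field: %r" % text)
    mask = 0
    for code in re.findall("..", text):
        mask |= RIGHTS[code]  # KeyError for a code outside this subset
    return mask

def parse_dacl(sddl):
    """Return (dacl_flags, aces) for a DACL-only 'D:...' SDDL string."""
    m = re.fullmatch(r"D:((?:P|AI|AR)*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("not a DACL-only SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        ace_type, flags, rights, _obj, _inherit_obj, sid = body.split(";")
        aces.append({"type": ace_type, "flags": re.findall("..", flags),
                     "mask": parse_mask(rights), "trustee": SIDS.get(sid, sid)})
    return re.findall("P|AI|AR", m.group(1)), aces

def standard_user_can_create_files(sddl):
    """True if an allow ACE that applies to the folder itself (no IO flag)
    lets Users or Authenticated Users create files in it."""
    _, aces = parse_dacl(sddl)
    return any(a["type"] == "A" and "IO" not in a["flags"]
               and a["trustee"] in (SIDS["BU"], SIDS["AU"])
               and a["mask"] & CREATE_FILE_BITS for a in aces)
```

In the decoded result, the (A;OICIIO;SDGXGWGR;;;AU) and (A;;LC;;;AU) entries are the ones that icacls lists as (OI)(CI)(IO)(M) and (AD) for Authenticated Users.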
If you have already applied the hotfix that is described in this article, but you have existing
directories or folders that were created off the root folder of the system drive and want to apply the fix to those directories, run the following
command from an elevated command prompt:
Cd <directory that you want to apply changes to>
cacls <directory that you want to apply changes to> /S:D:AI
Do not apply the icacls
command to subdirectories off the
This issue affects only images that are based on Windows 7 Release Candidate (build 7100) 32-bit Ultimate.
The following instructions apply to the technician who modifies images
offline before deployment and before installing applications in the
Mount or apply the target image, and then run the following command
from an elevated command prompt:
cacls <path to root dir on mounted wim> /S:D:PAI(A;;FA;;;BA)(A;OICIIO;GA;;;BA)(A;;FA;;;SY)(A;OICIIO;GA;;;SY)(A;OICI;0x1200a9;;;BU)(A;OICIIO;SDGXGWGR;;;AU)(A;;LC;;;AU)
icacls <path to root drive on mounted wim> /setintegritylevel (OI)(NP)(IO)H
If you have to apply settings to any user-created folders off the
root in the WIM image file, mount or apply the target image, and then
run the following command from an elevated command prompt:
Cd <path to directory in the WIM that you want to apply changes to>
cacls <path to directory in the WIM that you want to apply changes to> /S:D:AI
Do not apply the icacls
command to subdirectories off the
Microsoft has confirmed that this is a problem in the Microsoft products that are listed
in the "Applies to" section.
This hotfix has two distinct elements to it, the
CleanWin7RCRoot.exe details and the package details.
The CleanWin7RCRoot.exe details
This is a scoped fix that tries to resolve the
problem, tries to avoid future application compatibility
problems, and tries not to take on additional risk by trying to merge user-modified
settings. The fix addresses the problem by preventing a standard user or guest
from creating files under the system root. For any computer that has the
problem, the resulting DACL on the system root is the same as the one
that is included in the correct SKUs.
Issues that the hotfix does not address
There are two main issues the hotfix does not address:
- The hotfix changes the default DACL on the system root so that it is the same as it is on a Windows 7 RTM-based computer or on a Windows 7 Release Candidate-based
computer. However, this hotfix does not propagate the changes to subdirectories.
- The hotfix does not try to fix any root security descriptors that have been
modified by the end-user.
The executable file does not support uninstalling. The changes that the hotfix makes are permanent. Even if the package is uninstalled, the changes that CleanWin7RCRoot.exe
makes are not reverted.
The error cases for the tool are errors only when the
executable file identifies the problem but cannot fix the problem. If the
executable file determines that it cannot fix the problem because the ACL is not as expected, even if it is still wrong, the tool will return success.
For more information about ACLs and security descriptors, visit the following
Microsoft MSDN Web sites:
For more information about software update terminology, click the
following article number to view the article in the Microsoft Knowledge Base:
Description of the standard terminology that is used to describe Microsoft software updates