Error when you download updates using Windows Update or Microsoft Update: 8000FFFF

Author Johnny Josefsson on April 19, 2010 | Print | Bookmark
When you trying to update Windows update (so you can proceed with the Service Packe installation) this
error 8000FFFF appears.

Windows Update/Cryptographic Service is run by NETWORK SERVICES. NETWORK SERVICES always requires atleast
'List folder' permission or more on the ROOT of a partition (this folder only). This is normally done
with the Users groups. But on servers you tighten the security and remove everything but SYSTEM and
Administrators.


------------------------[SOLUTION 1]------------------------------

Quick Solution:
---------------
Check the permissions on  the root of C: and ensure that BUILTIN\Users have Read access.



Long Story:
-----------
8000FFFF == E_UNEXPECTED, not very helpful…

Had a client where windows update was continually failing with the error code 8000FFFF.  When looking
in the Windows Update log we’d see errors like this:

WARNING: PTError: 0x80248014 
Handler FATAL: CBS called Error with 0x8000ffff, <— Checked the CBS.log file but that didn’t give any clues. 
Handler FATAL: Error source is 106. 
DnldMgr Error 0x8000ffff occurred while downloading update; notifying dependent calls. 
AU        # WARNING: Download failed, error = 0x8000FFFF 
AU        # WARNING: Download failed, error = 0x8000FFFF 
AU      WARNING: BeginInteractiveInstall failed, error = 0x8024000C 
CltUI   WARNING: AU directive Interactive Progress is exiting due to error 8024000C


And in the event viewer upon each run we’d see these events:

Log Name:      Application 
Source:        ESENT 
Date:          7/2/2008 3:05:16 PM 
Event ID:      491 
Task Category: General 
Level:         Error 
Keywords:      Classic 
User:          N/A 
Computer:      XXXX 
Description: 
Catalog Database (1560) Catalog Database: An attempt to determine the minimum I/O block size for the volume "C:\" containing "C:\Windows\system32\CatRoot2\" failed with system error 5 (0x00000005): "Access is denied. ".  The operation will fail with error -1032 (0xfffffbf8). 

Log Name:      Application 
Source:        Microsoft-Windows-CAPI2 
Date:          7/2/2008 3:05:16 PM 
Event ID:      257 
Task Category: None 
Level:         Error 
Keywords:      Classic 
User:          N/A 
Computer:      XXXX 
Description: 
The Cryptographic Services service failed to initialize the Catalog Database. The ESENT error was: -1032.


After seeing this data I did a stare and compare between my root permissions and his and found that
he’d modified the c:\ permissions on his system:

His machine: 
c:\temp\xcacls c: 
C:\ NT AUTHORITY\SYSTEM:(OI)(CI)F 
    BUILTIN\Administrators:(OI)(CI)F 

Mine: 
C:\>xcacls c:\ 
c:\ BUILTIN\Administrators:F 
    BUILTIN\Administrators:(OI)(CI)(IO)F 
    NT AUTHORITY\SYSTEM:F 
    NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F 
    BUILTIN\Users:(OI)(CI)R <— This is the key one missing that was causing the headache. 
    NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)C 
    NT AUTHORITY\Authenticated Users:(special access:) 
                                     FILE_APPEND_DATA

The Cryptographic Services runs under “Network Service” which would require Users to have read access.
I added BUILTIN\Users with read access to C and all worked again.


------------------------[SOLUTION 2]------------------------------


------------------------[SOLUTION 3]------------------------------


Was this article helpful?

Yes No

Category: Windows, Security, Windows Update, Server 2008 and 2008 R2

Last updated on May 14, 2010 with 5639 views