WDF coinstaller 1.7 fails with "You do not have permission to update Windows XP"

I recently encountered a machine where upgrading from KMDF 1.5 to 1.7 failed at device installation time. The log is below.

The user is absolutely an administrator of the machine. However, the user apparently doesn’t have SE_BACKUP_PRIVILEGE (I don’t know why). This leads to random installation errors (couldn’t install Streets and Trips, got some “error 1722” over and over) in other programs as well.

I had to create another user, make them a member of “Administrators” as well as “Backup Operators”, and then it worked.

[Wdf01007Inst.log]
0.078: ================================================================================
0.078: 2008/05/20 17:25:56.038 (local)
0.078: c:\31e56a437c27eeab24bb\update\update.exe (version 6.3.4.1)
0.094: Failed To Enable SE_BACKUP_PRIVILEGE
0.094: Setup encountered an error: You do not have permission to update Windows XP.
Please contact your system administrator.
0.094: You do not have permission to update Windows XP.
Please contact your system administrator.
0.094: Update.exe extended error code = 0xf004
0.063: ================================================================================

Chris:

Thank you so much for posting this. You solved a really irritating long standing problem (unrelated to KMDF) for me.

Thanks,

mm

MM wrote:

> Thank you so much for posting this. You solved a really irritating long
> standing problem (unrelated to KMDF) for me.

Was it the inability to disable system restore? Because I couldn’t do that either.

I wrote:

> [Wdf01007Inst.log]
> 0.078: ======================
> 0.078: 2008/05/20 17:25:56.038 (local)
> 0.078: c:\31e56a437c27eeab24bb\update\update.exe (version 6.3.4.1)
> 0.094: Failed To Enable SE_BACKUP_PRIVILEGE
> 0.094: Setup encountered an error: You do not have permission to update Windows XP.

Okay, so, … any comment from the powers-that-be? Is this to be expected?

Not expected, but not exactly a surprise either. We use the same update process used for QFEs and Service Packs, and I’m not surprised to find out that it wants backup privilege to backup previous files. What is most surprising is that it tries to enable the privilege for our stuff, but perhaps it needs it to update some global catalog stuff.

I’m glad there was at least a nice clear error message about it :). Thanks for the warning - I don’t think we can do anything about it for WDF 1.7, but maybe there’s a trick we can use for the next release to remove this requirement.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, May 22, 2008 7:32 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WDF coinstaller 1.7 fails with “You do not have permission to update Windows XP”

I wrote:

> [Wdf01007Inst.log]
> 0.078: ======================
> 0.078: 2008/05/20 17:25:56.038 (local)
> 0.078: c:\31e56a437c27eeab24bb\update\update.exe (version 6.3.4.1)
> 0.094: Failed To Enable SE_BACKUP_PRIVILEGE
> 0.094: Setup encountered an error: You do not have permission to update Windows XP.

Okay, so, … any comment from the powers-that-be? Is this to be expected?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Peter Wieland wrote:

> Not expected, but not exactly a surprise either. We use the same
> update process used for QFEs and Service Packs, and I’m not
> surprised to find out that it wants backup privilege to backup previous
> files.

As a workaround, would it be possible (assuming the user is Administrator) in the driver installer executable to add oneself to the Backup Operators group on the fly before preinstalling/updating drivers? Would this work / rough sketch of the code?

At 17:38 22/05/2008, xxxxx@gmail.com wrote:

>Peter Wieland wrote:
>
> > Not expected, but not exactly a surprise either. We use the same
> > update process used for QFEs and Service Packs, and I’m not
> > surprised to find out that it wants backup privilege to backup previous
> > files.
>
>As a workaround, would it be possible (assuming the user is
>Administrator) in the driver installer executable to add oneself to
>the Backup Operators group on the fly before preinstalling/updating
>drivers? Would this work / rough sketch of the code?

If you’re administrator then it would be easier to just have your
installer give itself SeBackupPrivilege, it’s trivial to
do. Check out sample code for AdjustTokenPrivileges();

Mark.

You cannot add privileges with AdjustTokenPrivileges. You can only enable
privileges that are already in the token.
Adding oneself to the Backup Operators group will also not work unless you
log off and back on.

Bill Wandel

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com]
On Behalf Of Mark S. Edwards
Sent: Thursday, May 22, 2008 12:47 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WDF coinstaller 1.7 fails with “You do not have
permission to update Windows XP”

At 17:38 22/05/2008, xxxxx@gmail.com wrote:

Peter Wieland wrote:

> Not expected, but not exactly a surprise either. We use the same
> update process used for QFEs and Service Packs, and I’m not
> surprised to find out that it wants backup privilege to backup
> previous files.

As a workaround, would it be possible (assuming the user is
Administrator) in the driver installer executable to add oneself to the
Backup Operators group on the fly before preinstalling/updating
drivers? Would this work / rough sketch of the code?

If you’re administrator then it would be easier to just have your installer
give itself SeBackupPrivilege, it’s trivial to do. Check out sample code for
AdjustTokenPrivileges();

Mark.


I don’t think having an installer take it upon itself to change the user’s permissions is really a great idea. You need to add an extra layer to the installer to make sure that when it crashes the system’s security settings are restored … it won’t be pretty and you’ll still get stymied when you find a machine where Administrator doesn’t have the privilege that allows one to assign privileges to accounts.

If you have your own installer UI then you could check for this privilege if the install fails and notify the user. We have to be “ui-less” in the coinstaller so that’s unfortunately not an option for us.

-p

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Thursday, May 22, 2008 9:38 AM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] WDF coinstaller 1.7 fails with “You do not have permission to update Windows XP”

Peter Wieland wrote:

> Not expected, but not exactly a surprise either. We use the same
> update process used for QFEs and Service Packs, and I’m not
> surprised to find out that it wants backup privilege to backup previous
> files.

As a workaround, would it be possible (assuming the user is Administrator) in the driver installer executable to add oneself to the Backup Operators group on the fly before preinstalling/updating drivers? Would this work / rough sketch of the code?


I agree that you can’t add a privilege if it’s not already in the
token, but as Administrator the backup privilege is in the token, it
is merely disabled and needs its attributes changed to
SE_PRIVILEGE_ENABLED. I do this for code that needs to process snapshots.

Mark.

At 18:30 22/05/2008, you wrote:

You cannot add privileges with AdjustTokenPrivileges. You can only enable
privileges that are already in the token.
Adding oneself to the Backup Operators group will also not work unless you
log off and back on.

Bill Wandel

The original error message says the privilege can’t be enabled:

0.094: Failed To Enable SE_BACKUP_PRIVILEGE

So it probably wasn’t in the token. I’m not sure why. Maybe the domain
administrator disabled it for users in the administrators group.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark
S. Edwards
Sent: Thursday, May 22, 2008 8:05 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] WDF coinstaller 1.7 fails with “You do
not have permission to update Windows XP”

I agree that you can’t add a privilege if it’s not already in the
token, but as Administrator the backup privilege is in the token, it
is merely disabled and needs its attributes changed to
SE_PRIVILEGE_ENABLED. I do this for code that needs to
process snapshots.

Mark.
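
The distinction argued over in the messages above (a privilege that is in the token but disabled, versus one that is not in the token at all) can be checked directly when an install fails. The PowerShell below is an added example, not code from the thread or from WDF; the function names are hypothetical, the sample rows are constructed, and it assumes English-language `whoami /priv` output.

```powershell
# Added example, not code from the thread. Function names are hypothetical.

function Get-TokenPrivilegeState {
    param(
        [string]$Name = 'SeBackupPrivilege',
        # Lines in "whoami /priv /fo csv /nh" layout; defaults to the live token.
        [string[]]$WhoamiCsv = (whoami /priv /fo csv /nh)
    )
    $row = $WhoamiCsv |
        ConvertFrom-Csv -Header 'Privilege', 'Description', 'State' |
        Where-Object { $_.Privilege -eq $Name } |
        Select-Object -First 1
    if (-not $row) { return 'Absent' }            # not in the token at all
    # Assumption: English-language Windows, where the column reads Enabled/Disabled.
    if ($row.State -eq 'Enabled') { return 'Enabled' }
    return 'PresentDisabled'                      # in the token, switched off
}

function Get-BackupPrivilegeAdvice {
    param([string]$State)
    switch ($State) {
        'Enabled'         { 'Privilege is already enabled in this token.' }
        'PresentDisabled' { 'Privilege is in the token but disabled; the process can enable it with AdjustTokenPrivileges.' }
        'Absent'          { 'Privilege is not in the token; AdjustTokenPrivileges cannot add it. Report it to the user so the administrator can review the rights assignment.' }
        default           { throw "Unknown state: $State" }
    }
}

# Constructed sample rows (not captured from a real machine).
$sampleDisabled = @(
    '"SeBackupPrivilege","Back up files and directories","Disabled"',
    '"SeShutdownPrivilege","Shut down the system","Disabled"'
)
$sampleAbsent = @(
    '"SeShutdownPrivilege","Shut down the system","Disabled"',
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
)

foreach ($sample in $sampleDisabled, $sampleAbsent) {
    $state = Get-TokenPrivilegeState -WhoamiCsv $sample
    '{0}: {1}' -f $state, (Get-BackupPrivilegeAdvice -State $state)
}

# Live check of the token of the current PowerShell process.
$live = Get-TokenPrivilegeState
'Current token: {0}: {1}' -f $live, (Get-BackupPrivilegeAdvice -State $live)
```

Run the live check from the same kind of session that launches the installer, since the result describes the token of the process that runs it.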

I believe playing with user privileges and groups is a really bad idea.
User privileges are admin decisions and it isn’t the installer’s job to change
them even if it has enough rights to do it. It should notify the user, who
should ask her administrator why the necessary privilege was disabled;
there might be a very good reason for it.

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Peter Wieland
Sent: Thursday, May 22, 2008 7:51 PM
To: Windows System Software Devs Interest List
Subject: RE: RE:[ntdev] WDF coinstaller 1.7 fails with “You
do not have permission to update Windows XP”

I don’t think having an installer take it upon itself to
change the user’s permissions is really a great idea. You
need to add an extra layer to the installer to make sure that
when it crashes the system’s security settings are restored
… it won’t be pretty and you’ll still get stymied when you
find a machine where Administrator doesn’t have the privilege
that allows one to assign privileges to accounts.

If you have your own installer UI then you could check for
this privilege if the install fails and notify the user. We
have to be “ui-less” in the coinstaller so that’s
unfortunately not an option for us.

-p

Michal Vodicka wrote:

> I believe playing with user privileges and groups is a really bad
> idea. User privileges are admin decisions and it isn’t the installer’s
> job to change them even if it has enough rights to do it.

Ok, so why should KMDF drivers be put at a disadvantage in this situation? Administrator can normally do a device installation of even an unsigned WDM driver.

> It should notify the user, who should ask her administrator why
> the necessary privilege was disabled; there might be a very
> good reason for it.

Maybe the domain admins didn’t want their entire installed WDF driver base being changed by upgrading the WDF version systemwide.

> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
> xxxxx@gmail.com
> Sent: Thursday, May 22, 2008 11:01 PM
> To: Windows System Software Devs Interest List
> Subject: RE:[ntdev] WDF coinstaller 1.7 fails with “You do
> not have permission to update Windows XP”
>
> Ok, so why should KMDF drivers be put at a disadvantage in
> this situation? Administrator can normally do a device
> installation of even an unsigned WDM driver.

I don’t say there isn’t a problem. I just say the proposed solution is
wrong (was a network administrator in one of my previous lives :).

> Maybe the domain admins didn’t want their entire installed
> WDF driver base being changed by upgrading the WDF version
> systemwide.

Maybe they wouldn’t do it if WDF drivers were statically linked :wink:

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

Peter, personally, I loved that error message. It’s all I need to address a problem that had been irritating me for months, and
seems to be affecting a lot of other installations as well, and I’ve never seen it referenced anywhere else.

OT:

We must have really, really beat the hell out of whatever name the ‘static linking’ thread happened to go by, because it doesn’t
seem to be restarting here, which is a good thing, but still surprising. I don’t recall the name of the thread, but I do recall it was the
one that made me consider the reality that in many cases on ntdev, if you removed the names and dates to protect the innocent, the
only person who posted something off topic on a wildly out of control thread is the person who started it, because it seems that
everyone had something else in mind, so obvious that it didn’t even need to be said. Also, I spent a little time pondering why I can’t
ever recall this happening on either ntfsd or windbg. In the case of the latter, I think that it is largely explained by the fact
that unfortunately far too few (relatively speaking, based on who posts) participate in it, but it would seem like there are enough
people on ntfsd to get this sort of dynamic going. Maybe fs people are just better behaved, or maybe it’s because it’s probably the
hardest stuff out there, so they don’t have quite as much free time as the rest of us.

Cheers,

mm
