Q255987: Service Pack Requires Logon with Local Administrative Rights
Article: Q255987
Product(s): Microsoft Windows NT
Version(s): winnt:4.0 SP4,4.0 SP5,4.0 SP6,4.0 SP6a
Operating System(s):
Keyword(s): kbenv kberrmsg kbsetup
Last Modified: 08-AUG-2001
-------------------------------------------------------------------------------
The information in this article applies to:
- Microsoft Windows NT Server versions 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
- Microsoft Windows NT Server, Enterprise Edition versions 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
- Microsoft Windows NT Workstation versions 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
-------------------------------------------------------------------------------
SYMPTOMS
========
The design of the Windows NT 4.0 Service Pack update process requires an
additional logon with local administrative credentials after Update.exe has
restarted the computer.
If a non-administrative user logs on directly after the Service Pack Setup
process is run, two Application events are logged for ProtectedStorage:
ProtectedStorage error: 5; OpenSCManager failed.
ProtectedStorage error: 203; Install Service failed.
These events are logged at every logon until a local administrator logs on.
CAUSE
=====
Local administrative permission are necessary to successfully process and delete
all registry values under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
RunOnce values are processed with the current login credentials. A typical user
does not have sufficient permissions to successfully process the "4. 'Install
pstores.exe'='pstores.exe -install'" RunOnce entry, causing both of the events
listed above to be logged.
Also, a typical user by default has "Everyone=read" permission on the RunOnce
key, so the entries cannot be deleted.
Other Microsoft and third-party Setup procedures may be affected in a similar way
if they use the RunOnce or RunOnceEx keys to complete the Setup process during
next logon.
WORKAROUND
==========
Use either of the following methods:
- Have a user with local administrative rights log on to the computer.
- Use an administrative AutoAdminLogon and optionally disable the Mouclass and
Kbdclass driver to prevent user interruption.
This method involves certain issues. The password of the local administrator
is stored as plain text in the registry (plus the corresponding script file),
and a problem with disabled drivers can lead to an inaccessible system.
Furthermore, be aware of the information on the following article in the
Microsoft Knowledge Base:
Q159969 AutoLogon Fails If DontDisplayLastUserName Is Also Enabled
Because of these issues, Microsoft recommends using the first method.
Additional query words:
======================================================================
Keywords : kbenv kberrmsg kbsetup
Technology : kbWinNTsearch kbWinNTWsearch kbWinNTW400search kbWinNT400search kbWinNTW400sp5 kbWinNTW400sp4 kbWinNTSsearch kbWinNTSEntSearch kbWinNTSEnt400sp6 kbWinNTSEnt400sp5 kbWinNTSEnt400sp4 kbWinNTS400sp6 kbWinNTS400sp5 kbWinNTS400sp4 kbWinNTS400search kbWinNTW400sp6 kbWinNTSEnt400SP6a kbWinNTW400SP6a
Version : winnt:4.0 SP4,4.0 SP5,4.0 SP6,4.0 SP6a
Issue type : kbprb
=============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.