VSE Engineering and Microsoft have thoroughly investigated this issue.
The Access Protection feature of VirusScan Enterprise includes a registry filter driver that monitors registry Application programming interface (API) calls. The VSE filter performs an Access Check on the attempt by DISM.exe to delete a registry value. The security design of the Microsoft code denies the Access check. Note that the VSE code does not block the check, it simply defers to the operating system to ensure the process has sufficient privileges to perform the delete operation. When it does not, Windows returns ACCESS DENIED and the VSE filter returns the same.
DISM.exe would normally have the ability to delete the target registry value. It fails because the registry API security design prevents DISM.exe from passing its credentials when it makes the call to delete the registry value. Thus, when the VSE filter driver sees the request, it does not know what the credentials are, so it defers to the operating system, which then returns the ACCESS DENIED message. The VSE registry filter enforces the Access Check to avoid exploiting a vulnerability. In this case, the issue occurs with a VSE filter driver, but it could also happen with other third-party filters.
