DISM.exe generates an Error: 5 or Access Denied when VSE 8.8 Access Protection is enabled
Technical Articles ID:   KB76867
Last Modified:  6/30/2016


Environment

McAfee VirusScan Enterprise (VSE) 8.8 (with or without a patch)
Microsoft Windows Assessment and Deployment Kit (WADK) 8
Microsoft Deployment Image Servicing and Management (DISM)
Microsoft Deployment Toolkit (MDT) 2012
 

Summary

This article assists customers who encounter the issue described in the following Microsoft TechNet post:

http://social.technet.microsoft.com/Forums/en-US/mdt/thread/fbbc45f7-9d21-4e29-a154-c85486bef856

Problem

When an administrator tries to build a boot ISO image using either MDT or ImageX, the system displays an error when DISM.exe is used to add packages:

Processing 1 of 1 - Adding package WinPE-HTA-Package~31bf3856ad364e35~x86~~6.2.9200.16384
An error occurred - WinPE-HTA-Package Error: 0x80070005

Error: 5

Access is denied

System Change

Installed or upgraded to VSE 8.8 or installed a patch for VSE 8.8.

Cause

VSE Engineering and Microsoft have thoroughly investigated this issue.

The Access Protection feature of VirusScan Enterprise includes a registry filter driver that monitors registry application programming interface (API) calls. The VSE filter performs an Access Check on the attempt by DISM.exe to delete a registry value. The security design of the Microsoft code denies the Access Check. Note that the VSE code does not block the check; it simply defers to the operating system to ensure that the process has sufficient privileges to perform the delete operation. When the process does not, Windows returns ACCESS DENIED and the VSE filter returns the same.

DISM.exe would normally have the ability to delete the target registry value. It fails because the registry API security design prevents DISM.exe from passing its credentials when it makes the call to delete the registry value. Thus, when the VSE filter driver sees the request, it does not know what the credentials are, so it defers to the operating system, which then returns the ACCESS DENIED message. The VSE registry filter enforces the Access Check to prevent exploitation of a vulnerability. In this case, the issue occurs with a VSE filter driver, but it could also happen with other third-party filters.

Solution

Microsoft is unable to address the two known issues in the registry API because of the complexity of the change and its ramifications for the operating system.

A workaround, developed with Microsoft, was implemented in VSE 8.8 patch 5.
