VSE Engineering and Microsoft have thoroughly investigated the issue.
The Access Protection feature of VSE includes a registry filter driver that monitors registry Application Programming Interface (API) calls. The VSE filter performs an
Access Check on the attempt by
DISM.exe to delete a registry value. The security design of the Microsoft code denies the Access check. The VSE code does not block the check, it simply defers to the operating system to make sure that the process has sufficient permissions to perform the delete operation. When it does not, Windows returns
ACCESS DENIED and the VSE filter returns the same.
Typically,
DISM.exe can delete the target registry value. It fails because the registry API security design prevents DISM.exe from passing its credentials when it makes the call to delete the registry value. So, when the VSE filter driver sees the request, it does not know the credentials. It defers to the operating system, which then returns the ACCESS DENIED message. The VSE registry filter enforces the
Access Check to avoid exploiting a vulnerability. In this case, the issue occurs with a VSE filter driver, but it could also happen with other third-party filters.
