Case of The ICACLS /RESET Destruction

Someone advised me that their Windows 10 machine had become extremely unstable. Edge would open for a second and then immediately close, and they frequently received the message “The Recycle Bin on C:\ is corrupted. Do you want to empty the Recycle Bin for this drive?”


Application event log errors included the following:

Log Name:      Application
Source:        Application Error
Date:          27/04/2017 5:58:02 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DESKTOP-RCS3NTQ
Description:
Faulting application name: MicrosoftEdge.exe, version: 11.0.15063.0, time stamp: 0x58ccbc85
Faulting module name: EMODEL.dll, version: 11.0.15063.0, time stamp: 0x00d0adc7
Exception code: 0xc0000409
Fault offset: 0x00000000000ea8ec
Faulting process id: 0x16dc
Faulting application start time: 0x01d2bf2bfec2d16d
Faulting application path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Faulting module path: C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\EMODEL.dll
Report Id: ee61e1dc-0cf7-4f78-aab5-b261ad5f966c
Faulting package full name: Microsoft.MicrosoftEdge_40.15063.0.0_neutral__8wekyb3d8bbwe
Faulting package-relative application ID: MicrosoftEdge

Log Name:      Application
Source:        Microsoft-Windows-Immersive-Shell
Date:          27/04/2017 5:58:05 PM
Event ID:      5973
Task Category: (5973)
Level:         Error
Keywords:     
User:          DESKTOP-RCS3NTQ\chentiangemalc
Computer:      DESKTOP-RCS3NTQ
Description:
Activation of app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge failed with error: The app didn’t start. See the Microsoft-Windows-TWinUI/Operational log for additional information.

In Windows Event Viewer, under Applications and Services Logs –> Microsoft –> Apps, we find the Microsoft-Windows-TWinUI/Operational event log, which had the following errors:

Log Name:      Microsoft-Windows-TWinUI/Operational
Source:        Microsoft-Windows-Immersive-Shell
Date:          27/04/2017 5:58:05 PM
Event ID:      5990
Task Category: (5961)
Level:         Error
Keywords:     
User:          DESKTOP-RCS3NTQ\chentiangemalc
Computer:      DESKTOP-RCS3NTQ
Description:
Activation via contract helper of the app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge for the Windows.Launch contract failed with Server execution failed.

Log Name:      Microsoft-Windows-TWinUI/Operational
Source:        Microsoft-Windows-Immersive-Shell
Date:          27/04/2017 5:58:05 PM
Event ID:      5961
Task Category: (5961)
Level:         Error
Keywords:     
User:          DESKTOP-RCS3NTQ\chentiangemalc
Computer:      DESKTOP-RCS3NTQ
Description:
Activation of the app Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge for the Windows.Launch contract failed with error: The app didn’t start..

If in Event Viewer we select View –> Show Analytic and Debug Logs and enable the Microsoft-Windows-TWinUI/Diagnostic log, we get this event:

Log Name:      Microsoft-Windows-TWinUI/Diagnostic
Source:        Microsoft-Windows-Immersive-Shell
Date:          27/04/2017 6:21:23 PM
Event ID:      5965
Task Category: (5965)
Level:         Information
Keywords:     
User:          DESKTOP-RCS3NTQ\chentiangemalc
Computer:      DESKTOP-RCS3NTQ
Description:
The description for Event ID 5965 from source Microsoft-Windows-Immersive-Shell cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

AppId: Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
ContractId: Windows.Launch
HRESULT: 2148007941

The message id for the desired message could not be found

Decoding the HRESULT using the method shown here, the equivalent Windows error message works out to “Access Denied”.

Enabling user-mode crash dumps with the registry keys described here results in an Edge crash dump file with the following stack:

0:007> kn
# Child-SP          RetAddr           Call Site
00 000000b4`a8efc8d8 00007ff9`6ea95ba1 ntdll!NtWaitForMultipleObjects+0x14
01 000000b4`a8efc8e0 00007ff9`6ea94e31 ntdll!WerpWaitForCrashReporting+0x6d
02 000000b4`a8efc940 00007ff9`6ea94867 ntdll!RtlReportExceptionHelper+0x269
03 000000b4`a8efceb0 00007ff9`60a21068 ntdll!RtlReportException+0x77
04 000000b4`a8efcf30 00007ff9`60a21312 MrmCoreR!Microsoft::Resources::FatalExceptionFilter+0x14
05 000000b4`a8efcf60 00007ff9`6eb26bd6 MrmCoreR!`Microsoft::Resources::ReportFatalException_MachineIssue_PathNotFound'::`1'::filt$0+0xe
06 000000b4`a8efcf90 00007ff9`6eb3ab9d ntdll!_C_specific_handler+0x96
07 000000b4`a8efd000 00007ff9`6ead9913 ntdll!RtlpExecuteHandlerForException+0xd
08 000000b4`a8efd030 00007ff9`6eadb629 ntdll!RtlDispatchException+0x373
09 000000b4`a8efd730 00007ff9`6b923c58 ntdll!RtlRaiseException+0x2d9
0a 000000b4`a8efdf90 00007ff9`60a212fc KERNELBASE!RaiseException+0x68
0b 000000b4`a8efe070 00007ff9`60a21130 MrmCoreR!Microsoft::Resources::ReportFatalException_MachineIssue_PathNotFound+0x34
0c 000000b4`a8efe0b0 00007ff9`609e6ac4 MrmCoreR!Microsoft::Resources::HandleFatalError+0xa4
0d 000000b4`a8efe0e0 00007ff9`609a0947 MrmCoreR!Microsoft::Resources::MetroAppClientProfile::GetMergeFolders+0x3e6e4
0e 000000b4`a8efe380 00007ff9`609a088e MrmCoreR!Microsoft::Resources::UnifiedResourceView::GetMergeFolderFromProfile+0x7f
0f 000000b4`a8efe3f0 00007ff9`609a234b MrmCoreR!Microsoft::Resources::UnifiedResourceView::GetAutoMergeSystemFolder+0x3e
10 000000b4`a8efe420 00007ff9`609a1e28 MrmCoreR!Microsoft::Resources::UnifiedResourceView::UnifiedViewFileInfo::AttemptAutoMerge+0x1a3
11 000000b4`a8efe7e0 00007ff9`609a0f10 MrmCoreR!Microsoft::Resources::UnifiedResourceView::UnifiedViewFileInfo::New+0xfc
12 000000b4`a8efe850 00007ff9`6099f561 MrmCoreR!Microsoft::Resources::UnifiedResourceView::LoadPriFiles+0x1d4
13 000000b4`a8efe920 00007ff9`6099f7da MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::LoadPriFiles+0xb5
14 000000b4`a8efe9c0 00007ff9`6099fa85 MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::LoadPriFile+0xba
15 000000b4`a8efeaa0 00007ff9`6099fc17 MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::InitializeWithProfile+0x149
16 000000b4`a8efeb50 00007ff9`609d9a20 MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::InitializeForCurrentApplication+0x2f
17 000000b4`a8efeb80 00007ff9`609a90a1 MrmCoreR!Microsoft::Resources::Runtime::CResourceManagerInternal::s_GetPackageDefaultResourceManagerInternal+0xd4
18 000000b4`a8efee10 00007ff9`609cee74 MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceManagerFactory::get_Current+0x111
19 000000b4`a8efee90 00007ff9`609ced46 MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceContextFactory::s_GetSingletonResourceManager+0x70
1a 000000b4`a8efeed0 00007ff9`609cf152 MrmCoreR!Windows::ApplicationModel::Resources::Core::CResourceContextFactory::GetForViewIndependentUse+0x36
1b 000000b4`a8efef20 00007ff9`609cf080 MrmCoreR!Windows::ApplicationModel::Resources::CResourceLoaderFactory::GetForViewIndependentUseWithName+0x92
1c 000000b4`a8efefa0 00007ff9`3d132e57 MrmCoreR!Windows::ApplicationModel::Resources::CResourceLoaderFactory::GetForViewIndependentUse+0x60
1d 000000b4`a8eff000 00007ff9`3d1099a7 eView!Windows::ApplicationModel::Resources::ResourceLoader::GetForViewIndependentUse+0x7b
1e 000000b4`a8eff070 00007ff9`3d10a8d5 eView!?InitializePlaceholderText@?Q__IAddressEditBoxViewModelPublicNonVirtuals@ViewModel@SpModel@@AddressEditBoxViewModel@23@UE$AAAXXZ+0x37
1f 000000b4`a8eff110 00007ff9`3d11e38a eView!SpModel::ViewModel::AddressEditBoxViewModel::AddressEditBoxViewModel+0x4d9
20 000000b4`a8eff1e0 00007ff9`3d11e68f eView!?get@?QAddressEditBox@__IBrowserViewModelPublicNonVirtuals@ViewModel@SpModel@@1BrowserViewModel@34@UE$AAAPE$AAVAddressEditBoxViewModel@34@XZ+0x9a
21 000000b4`a8eff220 00007ff9`3d11e7cd eView!SpModel::ViewModel::BrowserViewModel::Initialize+0x1d7
22 000000b4`a8eff270 00007ff9`3d163e4b eView!SpModel::ViewModel::BrowserViewModel::BrowserViewModel+0xd1
23 000000b4`a8eff2c0 00007ff9`3d164009 eView!?CreateInstance@?Q__IBrowserViewModelFactory@ViewModel@SpModel@@__BrowserViewModelActivationFactory@23@UE$AAAPE$AAVBrowserViewModel@23@W4FormFactor@3@I@Z+0x3b
24 000000b4`a8eff300 00007ff6`230ec7b0 eView!?__abi_SpModel_ViewModel___IBrowserViewModelFactory____abi___CreateInstance__1@?Q__IBrowserViewModelFactory@ViewModel@SpModel@@__BrowserViewModelActivationFactory@23@UE$AAAJW4FormFactor@3@IPEAPE$AAVBrowserViewModel@23@@Z+0x29
25 000000b4`a8eff340 00007ff6`2304b523 MicrosoftEdge!SpModel::ViewModel::BrowserViewModel::BrowserViewModel+0x88
26 000000b4`a8eff3c0 00007ff6`230eea9f MicrosoftEdge!SpartanXAML::App::App+0x6af
27 000000b4`a8eff5a0 00007ff6`230ed801 MicrosoftEdge!Platform::Details::__abi_FunctorCapture<<lambda_6b8fdf901351a57c212d2bb8baed4a63>,void,Windows::UI::Xaml::ApplicationInitializationCallbackParams ^ __ptr64>::Invoke+0x8f
28 000000b4`a8eff610 00007ff9`5fa9ee61 MicrosoftEdge!?__abi_Windows_UI_Xaml_ApplicationInitializationCallback___abi_IDelegate____abi_Invoke@?Q__abi_IDelegate@ApplicationInitializationCallback@Xaml@UI@Windows@@2345@UE$AAAJPE$AAVApplicationInitializationCallbackParams@345@@Z+0x31
29 000000b4`a8eff650 00007ff9`5fa9eb7c Windows_UI_Xaml!DirectUI::FrameworkApplication::MainASTAInitialize+0xa9 [d:\rs1\onecoreuap\windows\dxaml\xcp\dxaml\lib\frameworkapplication_partial.cpp @ 563]
2a 000000b4`a8eff690 00007ff9`69970495 Windows_UI_Xaml!DirectUI::FrameworkView::Initialize+0x6c [d:\rs1\onecoreuap\windows\dxaml\xcp\dxaml\lib\frameworkview_partial.cpp @ 53]
2b 000000b4`a8eff6d0 00007ff9`699be3a1 twinapi_appcore!Windows::ApplicationModel::Core::CoreApplicationView::CreateAndInitializeFrameworkView+0xa5
2c 000000b4`a8eff700 00007ff9`6bd45b62 twinapi_appcore!Microsoft::WRL::ComPtr<Windows::UI::Core::ICoreDispatcher>::operator=+0xed1
2d 000000b4`a8eff750 00007ff9`6e878364 SHCore!Microsoft::WRL::Details::RuntimeClass<Microsoft::WRL::Details::InterfaceList<CRandomAccessStreamBase,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IRandomAccessStreamWithContentType,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IContentTypeProvider,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<3>,Microsoft::WRL::CloakedIid<IRandomAccessStreamMode>,Microsoft::WRL::CloakedIid<IRandomAccessStreamFileAccessMode>,Microsoft::WRL::CloakedIid<IObjectWithDeferredInvoke>,Microsoft::WRL::CloakedIid<IObjectWithFileHandle>,Microsoft::WRL::CloakedIid<IUnbufferedFileHandleProvider>,Microsoft::WRL::CloakedIid<IRandomAccessStreamPrivate>,Microsoft::WRL::CloakedIid<ITransactedModeOverride>,Microsoft::WRL::CloakedIid<CFTMCrossProcServer>,Microsoft::WRL::Details::Nil>,Microsoft::WRL::Details::Nil> > > >,Microsoft::WRL::RuntimeClassFlags<3>,1,1,0>::~RuntimeClass<Microsoft::WRL::Details::InterfaceList<CRandomAccessStreamBase,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IRandomAccessStreamWithContentType,Microsoft::WRL::Details::InterfaceList<Windows::Storage::Streams::IContentTypeProvider,Microsoft::WRL::Details::InterfaceList<Microsoft::WRL::Implements<Microsoft::WRL::RuntimeClassFlags<3>,Microsoft::WRL::CloakedIid<IRandomAccessStreamMode>,Microsoft::WRL::CloakedIid<IRandomAccessStreamFileAccessMode>,Microsoft::WRL::CloakedIid<IObjectWithDeferredInvoke>,Microsoft::WRL::CloakedIid<IObjectWithFileHandle>,Microsoft::WRL::CloakedIid<IUnbufferedFileHandleProvider>,Microsoft::WRL::CloakedIid<IRandomAccessStreamPrivate>,Microsoft::WRL::CloakedIid<ITransactedModeOverride>,Microsoft::WRL::CloakedIid<CFTMCrossProcServer>,Microsoft::WRL::Details::Nil>,Microsoft::WRL::Details::Nil> > > >,Microsoft::WRL::RuntimeClassFlags<3>,1,1,0>+0x1ea
2e 000000b4`a8eff840 00007ff9`6eaf70d1 kernel32!BaseThreadInitThunk+0x14
2f 000000b4`a8eff870 00000000`00000000 ntdll!RtlUserThreadStart+0x21


Launching ProcMon with a filter to include:

  • Process Name Contains Edge
  • Result is ACCESS DENIED

On the broken machine we find a single ACCESS DENIED, on the path C:\Users\chentiangemalc\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC.


On a working launch of Edge, by contrast, there were many more ACCESS DENIED events.


However, the working machine did succeed on the AC folder.


To check what is different about the permissions, I compared the working and broken machines with the following command:

icacls %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC

Working:

S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
DESKTOP-RTTN04O\chentiangemalc:(I)(OI)(CI)(F)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

Broken:

S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194:(OI)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(I)(M)
NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(IO)(M)
Mandatory Label\Low Mandatory Level:(OI)(CI)(NW)

From this we can see that the user's Full Control entry, present on the working machine, is now missing. On the broken machine, granting the user Full Control on the folder fixes the issue:

icacls %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC /grant %username%:F

Edge now launches without crashing.
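To make the working-versus-broken comparison above mechanical rather than by eye, here is an added Python example (not code from the post): it parses icacls ACE lines, reports which ACEs a suspect listing has lost or gained relative to a known-good one, and checks whether an account still holds Full Control on the folder itself (an inherit-only ACE does not count). It assumes one ACE per line with the path stripped, as the post shows the output, and compares account names without their machine prefix so listings from two machines line up; the two embedded listings are the post's own.

```python
import re
from collections import namedtuple

# One ACE per line: identity, then flag groups, e.g.  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
_ACE_RE = re.compile(r'^\s*(?P<identity>[^:]+?):(?P<flags>(?:\([A-Za-z,]+\))+)\s*$')
_INHERIT = {'I', 'OI', 'CI', 'IO', 'NP'}   # inheritance/propagation flags, not rights
Ace = namedtuple('Ace', 'identity inherited inheritance rights deny')

def account(identity):
    return identity.rsplit('\\', 1)[-1]   # drop machine/domain prefix so two machines compare
def parse_icacls(text):
    """Return the Aces in an icacls listing; path, blank and summary lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = _ACE_RE.match(line)
        if not m:
            continue
        tokens = re.findall(r'\(([^)]+)\)', m.group('flags'))
        inh = frozenset(t for t in tokens if t in _INHERIT)
        rights = frozenset(t for t in tokens if t not in _INHERIT and t != 'DENY')
        aces.append(Ace(m.group('identity').strip(), 'I' in inh, inh - {'I'}, rights, 'DENY' in tokens))
    return aces
def has_full_control(aces, name):
    """True if an Allow ACE for `name` grants (F) on the folder itself, i.e. is not inherit-only."""
    return any(account(a.identity) == name and not a.deny and 'F' in a.rights
               and 'IO' not in a.inheritance for a in aces)

def diff_aces(good, suspect):
    """(lost, gained): ACEs in the good listing missing from the suspect one, and the reverse."""
    key = lambda a: (account(a.identity), a.inherited, a.inheritance, a.rights, a.deny)
    good_keys, suspect_keys = {key(a) for a in good}, {key(a) for a in suspect}
    return ([a for a in good if key(a) not in suspect_keys],
            [a for a in suspect if key(a) not in good_keys])
# The post's two listings of the Edge AC folder: working machine, then the /RESET-damaged one.
WORKING = """\
S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194:(OI)(CI)(F)
NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\\Administrators:(I)(OI)(CI)(F)
DESKTOP-RTTN04O\\chentiangemalc:(I)(OI)(CI)(F)
Mandatory Label\\Low Mandatory Level:(OI)(CI)(NW)
"""
BROKEN = """\
S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194:(OI)(CI)(F)
NT AUTHORITY\\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\\Administrators:(I)(OI)(CI)(F)
BUILTIN\\Users:(I)(OI)(CI)(RX)
NT AUTHORITY\\Authenticated Users:(I)(M)
NT AUTHORITY\\Authenticated Users:(I)(OI)(CI)(IO)(M)
Mandatory Label\\Low Mandatory Level:(OI)(CI)(NW)
"""
```

Running `diff_aces(parse_icacls(WORKING), parse_icacls(BROKEN))` reports the user's (I)(OI)(CI)(F) entry as lost and the inherited BUILTIN\Users and Authenticated Users entries as gained, which is exactly the damage visible in the listings.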

The Recycle Bin issue is caused by the same problem: C:\$Recycle.Bin\<User's SID> has had the user's FULL CONTROL permission removed from it.

What caused the issue in the first place?

Speaking with support staff, we identified that someone had tried to fix an issue by running a command popularly spread across the internets as a magic fix for all types of problems:

C:\>icacls * /T /Q /C /RESET

One can expect this user will have many more issues caused by file permission corruption…

Wondering what the default permissions are for files in Windows? I’ve saved that information here: https://1drv.ms/u/s!AiFhB4fT6aiTgdwAFvFYC7hzeHg4oQ (4.33 MB ZIP file, containing a 150 MB txt file)

About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Microsoft Edge, WinDbg, Windows 10. Bookmark the permalink.
