Patch Scan Failure - Error 5 Access Is Denied

Version 12

    Symptoms


    • Cannot scan a remote machine with Protect
    • Scanning a remote machine in Protect fails with the following error:  Error 5: Access is denied

     

    Resolution

     

    1- Do I have local admin rights for the target machine ?

     

    2- Is the remote registry service running ?

    To test the remote registry connection: From the console machine to the target machine -

    Open Regedit > File > Connect Network Registry , Open one of the hives and ensure you can read the actual Key - what is the result ?

     

    3- Does the local user account have full permissions to the remote registry as local administrator ?

    Open Regedit and go to:

    HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurePipeServerswinreg

     

    4- Reboot both target and console machine - what is the result after a scan ?

     

    5- Can you complete a nslookup IP Address, NETBios Name, FQDN both forward and reverse for target and console. Ensure results are consistent.

     

    6- Is this the only machine you are getting this error ?

     

    7- Do you have credentials assigned to this machine in the machine group ?

     

    8- What credentials are set in the Machine Properties?  Go to the Machine View, right-click on the device and click "Machine Properties".  Verify that the correct credentials are listed there.

     

    9- Try disabling your anti-virus and firewall and seeing if it makes a difference to your error ?  If it does, re-check the port list to ensure all necessary ports are enabled.  Shavlik Protect Inbound and Outbound Port Requirements Explanations

     

    10- Is User Account Control Enabled on the Machine?

    For machines using Windows operating systems that employ the use of User Account Control (this includes Windows Vista or later and Windows Server 2008 or later), you must either:

     

    • Join the machines to a domain and then perform the scan using domain administrator credentials, or
    • If you are not using the built-in Administrator account on the remote machines (and using that account is NOT recommended), you must disable User Account Control (UAC) remote restrictions on the machines. To do this:
      1. Click Start, click Run, type regedit, and then press Enter.
      2. Locate and then click the following registry subkey:

                  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

     

                  If the LocalAccountTokenFilterPolicy registry entry does not exist, follow these steps:

        • On the Edit menu, point to New, and then click DWORD Value.b. Type LocalAccountTokenFilterPolicy and then press Enter.
        • Right-click LocalAccountTokenFilterPolicy and then click OK.
        • In the Value data box, type 1, and then click OK.
        • Exit Registry Editor.

                    For more details on disabling UAC remote restrictions, see http://support.microsoft.com/kb/95101

     


    Additional Information

     

    Be sure to have followed the pre-requisites guidelines :

    http://www.shavlik.com/uploadedFiles/Support/Online_Documentation/Shavlik_Protect_90/administration-guide.pdf

     


    Affected Product(s)

     

    Shavlik Protect 9.x