Written by Mike J McGuireOctober 14, 2013October 5, 2016

Restoring All Lost Hyper-V Permissions. Wipe Them Out… All Of Them.

I love Hyper-V. It’s awesome. Mind you I also love vSphere. To be honest, I think I just love virtualisation. Clearly I still love Star Wars.

I thought the above quote was particularly fitting given the symptoms requiring Hyper-V permissions to be restored occur generally after somebody has just wiped the existing permissions out. All of them in fact.

This issue did get me curious as to what the standard Hyper-V permission requirements are, so that its possible to restore these permissions – particularly after someone has moved the Hyper-V files and the permissions have not been retained. I’ve read quite a few articles on the internet describing how to restore permissions to an individual VM for the purpose of successfully starting the VM, but they stop short at actually repairing the installation. Even after these methods are used to correct an individual VM’s permissions, there are still issues with creating snapshots, even with creating new VMs. I’ve created a script to repair the permissions, and attached the link at the bottom of the article.

The symptoms are generally first noticeable after the files are moved and an attempt is made to start a VM. You quite often see errors such as ‘an attempt to initialize VM saved state failed’, or ‘general access denied error.’ I do love general errors, generic errors, unexpected errors, and of course unspecified errors, they’re so informative. It reminds me of all of those poorly written applications over the years on Windows that have returned an error code of 0, and then matched that code to the Windows system error messages. It’s always fun trying to diagnose an issue when you see ‘General Error 0: The command completed successfully.’ Although on reflection, these applications may not have been poorly written – perhaps the application was expecting a function call to fail, and when that function call inexplicably succeeded, the application felt the need to throw an error message indicating its displeasure with the result. But I digress….

I decided to create a new Hyper-V installation on Windows Server 2012 R2, then create a new VM with a snapshot/checkpoint allowing me to observe and document the default permissions.

I used the CACLS built in command line tool to display the permissions. ICACLS works too, but the display out of CACLS is slightly better.

CACLS V:\ /T

To explain the information coming back from the tool, here’s an example:

BUILTIN\Administrators:(OI)(CI)(ID)F

This line indicates an Access Control Entry (ACE) for the BUILTIN\Administrators group. The OI indicates that the ACE will be inherited by child objects (in this case files). The CI indicates that the ACE will be inherited by child containers (in this case directories). The ID indicates that the ACE was inherited from a parent object. If we had observed IO, that would have indicate that the ACE should only apply to child objects, and not the current object where the ACE exists. Finally, the F indicates the permission set of Full Control. As you’ll see below, some ACEs use a subset of the permissions, and those are listed as special access.

This first set of permissions is the base set without any VMs present. Some of the permissions to the Hyper-V folder have been inherited from the root directory V:\. As you’ll also see, there are some entries for the special Hyper-V security principals (the principals beginning with NT VIRTUAL MACHINE, similar to NT AUTHORITY). Additionally, most of the ACEs below have the ID flag, indicating they are inherited from the parent folder. The permissions are really only explicitly applied on the Hyper-V folder, and the Virtual Hard Disks folder (which in my case is nested under the base Hyper-V folder).

The Base Hyper-V Folder v:\Hyper-V CREATOR OWNER:(OI)(CI)(IO)F <- Explicit Permission (not inherited) NT VIRTUAL MACHINE\Virtual Machines:(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_READ_ATTRIBUTES NT VIRTUAL MACHINE\Virtual Machines:(CI)(IO)(special access:) - GENERIC_READ - FILE_WRITE_DATA - FILE_APPEND_DATA NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F <- Inherited from V:\ BUILTIN\Administrators:(OI)(CI)(ID)F <- Inherited from V:\

The Snapshots/Checkpoints Folder v:\Hyper-V\Snapshots NT AUTHORITY\SYSTEM:(ID)F CREATOR OWNER:(OI)(CI)(IO)(ID)F NT VIRTUAL MACHINE\Virtual Machines:(ID)(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_READ_ATTRIBUTES NT VIRTUAL MACHINE\Virtual Machines:(CI)(IO)(ID)(special access:) - GENERIC_READ - FILE_WRITE_DATA - FILE_APPEND_DATA NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(OI)(CI)(ID)F

v:\Hyper-V\Virtual Hard Disks BUILTIN\Administrators:(ID)F CREATOR OWNER:(OI)(CI)(IO)(ID)F NT VIRTUAL MACHINE\Virtual Machines:(ID)(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_READ_ATTRIBUTES NT VIRTUAL MACHINE\Virtual Machines:(CI)(IO)(ID)(special access:) - GENERIC_READ - FILE_WRITE_DATA - FILE_APPEND_DATA NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F BUILTIN\Administrators:(OI)(CI)(IO)(ID)F

v:\Hyper-V\Virtual Machines CREATOR OWNER:(OI)(CI)(IO)F NT VIRTUAL MACHINE\Virtual Machines:(special access:) <- Explicit Permission- READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_READ_ATTRIBUTES NT VIRTUAL MACHINE\Virtual Machines:(CI)(IO)(special access:) <- Explicit Permission - GENERIC_READ - FILE_WRITE_DATA - FILE_APPEND_DATA NT AUTHORITY\SYSTEM:(ID)F CREATOR OWNER:(OI)(CI)(IO)(ID)F NT VIRTUAL MACHINE\Virtual Machines:(ID)(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_READ_ATTRIBUTES NT VIRTUAL MACHINE\Virtual Machines:(CI)(IO)(ID)(special access:) - GENERIC_READ - FILE_WRITE_DATA - FILE_APPEND_DATA NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(OI)(CI)(ID)F

The most interesting thing we’ve learnt here I believe is the NT VIRTUAL MACHINE\Virtual Machines group’s access to most of those folders. This is the group that needs access to the Virtual Hard Disks folder in order to create a new virtual hard disk, or to access the Virtual Machines folder in order to create new VMs.

This set of permissions below is for a single VM. As you’ll see here, the new VM’s ID is 53EE5757-C20E-41D6-9DE4-C3FE206D987B. Hyper-V actually creates a security principal representing each individual VM. This security principal is not based on the name of the VM, but rather the VM’s internal identifier (e.g. NT VIRTUAL MACHINE\53EE5757-C20E-41D6-9DE4-C3FE206D987B). At present, you can not use the normal file permission graphical properties page to grant these principals access to a file, but you can observe the permissions.

Each VM stores a configuration XML file in the Virtual Machines folder v:\Hyper-V\Virtual Machines\1A981CCB-6452-41E6-B771-2B0D8E69669F.xml NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F

A subfolder exists for each VM v:\Hyper-V\Virtual Machines\1A981CCB-6452-41E6-B771-2B0D8E69669F NT AUTHORITY\SYSTEM:(ID)F CREATOR OWNER:(OI)(CI)(IO)(ID)F NT VIRTUAL MACHINE\Virtual Machines:(ID)(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_READ_ATTRIBUTES NT VIRTUAL MACHINE\Virtual Machines:(CI)(IO)(ID)(special access:) - GENERIC_READ - FILE_WRITE_DATA - FILE_APPEND_DATA NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(OI)(CI)(ID)F

The virtual hard disk for the VM - this file name bears no resemblance to the VM ID v:\Hyper-V\Virtual Hard Disks\TestVM1 - Disk 0.vhdx NT VIRTUAL MACHINE\1A981CCB-6452-41E6-B771-2B0D8E69669F:(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F

The VM’s own security principal has explicit permissions to its virtual hard disk files. Interestingly enough though, the XML file itself is only accessible by NT AUTHORITY\SYSTEM, not the NT VIRTUAL MACHINES\Virtual Machines group. Mind you that file is only used by the Hyper-V Management service I presume to initially load the configuration.

This set of permissions below is for the additional files created for a snapshot/checkpoint. Each snapshot/checkpoint will have its own set of files. The ID of the snapshot/checkpoint is not the same as the ID for the VM. The linkage between them is achieved through the VM’s XML configuration file – it points to the IDs of the snapshots/checkpoints that exist, and they in turn point to the virtual hard disk for that snapshot/checkpoint.

The configuration file for this particular snapshot/checkpoint v:\Hyper-V\Snapshots\53EE5757-C20E-41D6-9DE4-C3FE206D987B.xml NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F

The folder for this particular snapshot/checkpoint v:\Hyper-V\Snapshots\53EE5757-C20E-41D6-9DE4-C3FE206D987B NT AUTHORITY\SYSTEM:(ID)F CREATOR OWNER:(OI)(CI)(IO)(ID)F NT VIRTUAL MACHINE\Virtual Machines:(ID)(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_READ_ATTRIBUTES NT VIRTUAL MACHINE\Virtual Machines:(CI)(IO)(ID)(special access:) - GENERIC_READ - FILE_WRITE_DATA - FILE_APPEND_DATA NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F BUILTIN\Administrators:(OI)(CI)(ID)F

This file contains the difference between the snapshot/checkpoint disk and the original disk v:\Hyper-V\Virtual Hard Disks\TestVM1 - Disk 0_97D1FE92-B60E-4ED3-B584-D24D62866D2B.avhdx NT VIRTUAL MACHINE\1A981CCB-6452-41E6-B771-2B0D8E69669F:(special access:) - READ_CONTROL - SYNCHRONIZE - FILE_GENERIC_READ - FILE_GENERIC_WRITE - FILE_READ_DATA - FILE_WRITE_DATA - FILE_APPEND_DATA - FILE_READ_EA - FILE_WRITE_EA - FILE_READ_ATTRIBUTES - FILE_WRITE_ATTRIBUTES NT VIRTUAL MACHINE\1A981CCB-6452-41E6-B771-2B0D8E69669F:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Administrators:(ID)F

So this is all very interesting I hear you say. Or perhaps I was saying that to myself. Either way, the primary purpose of this entry was to make it easier to restore these permissions in the event of IPL – inexplicable permission loss (I hope that’s not a thing). There are multiple methods to restore access (no doubt more than I have outlined below):

Export the current VMs. Remove the Hyper-V Role. Reboot. Install the Hyper-V Role. Import all of the VMs. It works, its clean, but export/imports are painfully slow and who wants to reinstall Hyper-V.
Use the ICACLS command line tool to restore individual permissions. This works very effectively, however laborious it might be.

The problem with simply putting a few ICACLS commands into a trusty batch file, is that you still need to determine which virtual hard disk belongs to each virtual machine. This is where a more complex script/application can come in handy, as they can read the XML file to determine the appropriate virtual hard disk and snapshot/checkpoint.

The code I have linked below is just a simple .VBS file (Visual Basic Script). It can be executed from the command line on Windows with the cscript executable. In an effort to keep it simple, I’ve simply created the script to generate a batch file with a list of all relevant ICACLS commands, which will correctly associate each virtual hard disk (snapshot/checkpoint or normal) with the appropriate security principal. You simply pass the full path of the Hyper-V folder to the script as a command line argument. It will then generate a batch file in the same folder with all of the appropriate ICACLS commands.

cscript RepairHyperV.Vbs V:\Hyper-V

Yes, I could have made the script super fancy, determining the appropriate Hyper-V path for itself etc, using an XML parser and applying the permissions automatically, but for the purpose of this exercise its just as easy to generate a batch file for the operator, demonstrating the appropriate ICACLS commands.

I’ve tested this on my Windows 2012 R2 Hyper-V server at home after stopping all of the VMs, and purposely removing all of the permissions. The batch file was created, I executed it, and all permissions were back to normal.

The script can be downloaded from here. You’ll need to change the extension back to .Vbs.

Hopefully this helps shed some light on the issue if you have this problem with Hyper-V.

~ Mike

16 thoughts on “Restoring All Lost Hyper-V Permissions. Wipe Them Out… All Of Them.”

bobleith says:

June 1, 2014 at 8:29 AM

Thanks for posting, was pulling my hair out after I replaced a drive and forgot to copy off the permissions with the hyper-v files – saved the day for me.

Reply
Mike J McGuire says:

June 1, 2014 at 11:22 AM

Awesome, glad it helped.

Reply
ypmict says:

June 24, 2014 at 12:08 PM

thank you very much sir… It helped me a lot…. my problem happened after I shared my VM folder, un share the folder also didn’t help.. thanks again…

Reply
Mike J McGuire says:

June 24, 2014 at 12:09 PM

Thanks for the feedback, I’m pleased it helped!

Reply
Lee says:

April 29, 2015 at 1:23 AM

THANK YOU SO MUCH! My permissions were all screwed up after messing with DFS and permissions getting changed. You saved me quite a bit of time!

Reply
Chris Hall says:

July 2, 2015 at 4:11 AM

Great post! I actually ran across this because I was having trouble configuring live migrations using Kerberos and constrained delegation, and finally narrowed the issue down to “bad” folder permissions on the target server.

NOTES:
I also referenced http://blog.tonywall.co/2012/04/how-to-restore-hidden-hyper-v-permissions/ for a quick way to apply the VM-specific permissions to the VM ID-named folders inside Hyper-V\Virtual Machines. These weren’t fixed by your script.

Correction from my environment (Server 2012): the configuration XML files in Hyper-V\Virtual Machines required the VM-specific ID permission entries as well in order to start the VM’s.

An additional issue that wasn’t noted on either post was the lock files inside Hyper-V\Virtual Machines\Locks needing the VM-specific ID permissions as well.

Reply
1. smknight says:
  
  January 24, 2018 at 3:09 PM
  
  Link is broken now, but I found this: https://codechief.wordpress.com/2012/04/13/how-to-restore-hidden-hyper-v-permissions/
  
  Although it is missing “IN” in the commands for some reason, and has curly quotes. Here is a fixed copy-pastable version (change path to virtual hard drive folder in the last line):
  
  FOR /F %I IN (‘DIR /A:D /B’) DO ICACLS %I /GRANT “NT VIRTUAL MACHINE\%I”:(OI)(CI)(F) /T
  FOR /F %I IN (‘DIR /A:D /B’) DO ICACLS %I.XML /GRANT “NT VIRTUAL MACHINE\%I”:(F) /T
  FOR /F %I IN (‘DIR /A:D /B’) DO ICACLS “T:\Hyper-V\HD” /GRANT “NT VIRTUAL MACHINE\%I”:(OI)(CI)(F) /T
  
  Reply
  1. Mike J McGuire says:
    
    January 24, 2018 at 3:31 PM
    
    Thanks, I think the link for the script in this article is still working, let me know if you’ve having issues with it.
Octavian says:

August 31, 2015 at 10:26 PM

Spot on! Thank you so much for posting this, after running the script and batch file, the VMs could start OK.

Reply
Andy says:

August 22, 2016 at 4:44 PM

started this manually, then went on TechNet. followed 2 powershell examples and couldn’t get it to function correctly.
found this. what a super simple approach.. by creating the batch file and running it, I could compare exactly what lines were causing issues. all 5 of my vms are up and running. one suggestion.. make it recursively search the replica folder.. I needed it to restore perms for some replicated vms that had been through a planned failover and were not in the main vm dir but the replica folder buried.. E:\vms\replica\vmnamehere\Hyper-V Replica. all I did was pass that path instead of the main path and it seemed to do the trick.

Reply
Praful says:

November 2, 2016 at 6:18 AM

Hi Mike

Thank you for taking the time to write this clear post. Virtualisation is magic – and I understand your passion about it 🙂

I changed permissions for all my folders – the permissions were far too liberal! This stopped my Hyper V VM working! I ran your script and the subsequently created .BAT file and it solved my problem. Phew!

Many thanks again

Praful

Reply
PeralStix says:

March 25, 2017 at 11:06 PM

i’ve been fighting permission issues with VMs on standalone host after I made the stupid mistake of install HV roles on standalone hosts before adding it to the domain. I’ve been beating my head against the wall trying to figure out the permission structure and REALLY didn’t want to reinstall OS! just ran the script here and the .bat file it generated to fix ACL/permissions on the HyperV folders/files. It seems to have worked! Hopefully it will fix the live migration issues I’ve had …the errors in migrating are so generic only stating “failed at source” but nothing logged in the event viewer to troubleshoot! Hope this works!

Reply
Pingback: Restoring broken Windows 2012 R2 Hyper-V directory permissions | SysadminSpot.com, Sysadmins, Server Administrators and IT Consultants
Willis Ho says:

February 7, 2019 at 7:22 AM

You are a genius – Helped to repair a SQL based VM and it was back to business!!!

Reply
Rusti says:

January 27, 2022 at 12:01 PM

Still helping us in 2022!!! Thanks for your skilled work!

Reply
1. Mike J McGuire says:
  
  January 27, 2022 at 12:46 PM
  
  Brilliant!
  
  Reply