NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)

In case that's not enough, for comparison, running icacls %systemroot%\system32\catroot2 on a healthy server gives this:

C:\Windows\system32\catroot2 NT SERVICE\CryptSvc:(F)
Give the Trusted Installer account full control to the catroot2 folder and its children.

permissions issue accessing a file under the catroot2 folder.

The clue is in the ESENT error's text i.e.

The open file operation will fail with error -1032 (0xfffffbf8).

Text: Catalog Database (416) Catalog Database: An attempt to open the file 'C:\Windows\system32\CatRoot2\\catdb' for read / write access failed with system error 5 (0x00000005): 'Access is denied.

Text: The Cryptographic Services service failed to initialize the Catalog Database.

Looking at the Application log in the event viewer, we saw a number of errors:

Source: CAPI2

I believe the key one was that TrustedInstaller didn't have full access. There were a number of differences between the permissions on that folder on a healthy server vs those on the migrated server. The root cause was permissions to the %SystemRoot%\System32\catroot2 folder. We had this issue on some virtual servers migrated from a 'cloud' provider back to our internal data center.
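The healthy-versus-migrated comparison described above can be done mechanically by diffing saved icacls output from both servers. The following is an added example, not part of the original post: the function names are hypothetical, and the two captures are constructed for illustration from ACE strings quoted in the post, not a reference ACL for catroot2.

```python
import re

# One ACE as icacls prints it: PRINCIPAL:(flag)(flag)...
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([A-Z,]+\))+)$")

def parse_icacls(text, path):
    """Return the set of (principal, flags) pairs icacls listed for one path."""
    aces = set()
    for line in text.splitlines():
        line = line.strip()
        # The first output line is prefixed with the path itself; drop it.
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()
        m = ACE.match(line)
        if m:  # blank lines and the "Successfully processed" summary are skipped
            aces.add((m["who"], m["flags"]))
    return aces

def diff_acls(healthy, suspect, path):
    """Return (ACEs missing on the suspect server, ACEs only on the suspect server)."""
    good, bad = parse_icacls(healthy, path), parse_icacls(suspect, path)
    return sorted(good - bad), sorted(bad - good)

PATH = r"C:\Windows\system32\catroot2"

# Constructed sample captures (assumption: saved output of `icacls <path>`).
HEALTHY = r"""C:\Windows\system32\catroot2 NT SERVICE\CryptSvc:(F)
                             NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""
MIGRATED = r"""C:\Windows\system32\catroot2 NT SERVICE\CryptSvc:(F)
                             BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    missing, extra = diff_acls(HEALTHY, MIGRATED, PATH)
    for who, flags in missing:
        print(f"missing on migrated server: {who}:{flags}")
    for who, flags in extra:
        print(f"only on migrated server:    {who}:{flags}")
```

The comparison is on exact flag strings, so an ACE that is present but with different rights or inheritance shows up in both lists.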