0x80070005 Access Denied: Permissions Policies and Workarounds

Introduction

The Windows error 0x80070005 (“Access is denied”) appears when Windows or an app is blocked from reading, writing, or executing something it needs. It’s most common during Windows Update, Microsoft Store installs, Office activation, COM/DCOM automation, and when files or registry keys have the wrong permissions. Because “Access Denied” can mask both simple user-rights issues and deeper system policy/ACL problems, it’s critical to fix quickly. Left unresolved, it can prevent updates, break app installs, delay security patches, and create instability.

This guide goes beyond generic advice. You’ll get a structured, step-by-step approach to diagnose 0x80070005, fix permissions, reset affected components, and verify the system is stable. You’ll also learn advanced diagnostics (including Event Viewer, Process Monitor, and optional minidump analysis if a BSOD occurs alongside the error), plus prevention tips and when to seek professional help.

Understanding the Error

What 0x80070005 means (in plain language)

• 0x80070005 is an HRESULT that maps to E_ACCESSDENIED. Windows or an application attempted an operation but lacked the required permissions or was explicitly blocked by policy, security software, NTFS/registry ACLs, UAC, AppLocker/WDAC, Controlled Folder Access, or DCOM security settings.
• Think of it as a strict “you don’t have rights to do that” at the system level—not just a file-level read-only message.

Where you’ll see it

• Windows Update: “There were some problems installing updates” with code 0x80070005.
• Microsoft Store: App install/update fails with Access Denied.
• Office/Windows activation or licensing services: Service can’t write to protected keys or folders.
• App installs/uninstalls: MSI or appx operations blocked by ACLs or policy.
• Scripts/services/automation: COM/DCOM activation failure, scheduled tasks, or line-of-business apps running with insufficient rights.
• OneDrive or profile paths: Sync or file operations hit denied access.
• Backups/System Restore: VSS/restore fail due to permissions.

Why it’s critical to fix

• Blocks security updates and app updates.
• Can indicate corrupted permissions or over-restrictive security policies.
• May hide malware interference or damaged system components.

Quick Reference Table

Cause	Symptom	Recommended Fix
Windows Update component corruption or locked folders	Windows Update fails with 0x80070005	Reset Windows Update components (stop services, rename SoftwareDistribution/catroot2, restart services)
Microsoft Store cache/permissions issues	Store apps won’t install/update	Run wsreset; reset/reinstall Store with PowerShell; check WindowsApps/LocalCache
NTFS/registry ACL misconfiguration	Specific files/keys inaccessible	Restore ownership/ACLs with icacls/takeown; adjust registry permissions; use ProcMon to pinpoint
Controlled Folder Access or EDR/AV blocking	App can’t write to protected folders	Allow the app through Ransomware protection; temporarily disable or reconfigure AV/EDR
COM/DCOM security restrictions	Automation/Office/line-of-business apps fail	Adjust DCOM Default/Component permissions via Component Services; align service account rights
Group Policy/AppLocker/WDAC restrictions	App install/launch blocked	Review/adapt policies; check AppLocker/WDAC logs; test without restrictions
Licensing (SPPSVC) or machine keys folder ACL	Windows/Office activation errors	Fix MachineKeys folder permissions; ensure Software Protection service runs
Corrupted system files/component store	Multiple operations fail with access errors	Run SFC and DISM; consider in-place repair upgrade
User profile/OneDrive path permissions	Save/sync errors	Reset ACLs on profile/OneDrive; re-link account
Malware or tampering	Unexpected denies or service failure	Scan with Defender/EDR; remove threats; restore defaults

Common Causes

• Windows Update store corruption:
  • SoftwareDistribution or Catroot2 folders stuck or incorrectly permissioned.
• Microsoft Store cache or app package issues:
  • Corrupt Store cache; damaged appx deployment.
• NTFS permissions or ownership problems:
  • Incorrect ownership/ACL on app folders, profile directories, ProgramData, or temp paths.
• Registry permissions:
  • Keys under HKLM/HKCU blocked; broken inheritance.
• Security policies:
  • Controlled Folder Access, AppLocker/WDAC, Software Restriction Policies, or restrictive UAC settings.
• Third‑party antivirus/EDR:
  • Files or registry operations blocked, often without obvious prompts.
• COM/DCOM configuration:
  • Machine-wide or per-component Launch/Activation/Access permissions deny service or user accounts.
• Licensing/activation:
  • Software Protection (sppsvc) blocked from MachineKeys or tokens folders.
• User profile and OneDrive:
  • Profile folder ACL corruption; OneDrive directory permissions.
• System file/component corruption:
  • Broken servicing stack or component store causing “Access Denied” during servicing.
• Malware/tampering:
  • Malicious policy changes or ACL edits that block updates and installs.

Preliminary Checks

Boot into Safe Mode (Windows 10/11)

• If you can sign in:
  1. Settings > System > Recovery > Advanced startup > Restart now.
  2. Troubleshoot > Advanced options > Startup Settings > Restart.
  3. Press 4 for Safe Mode or 5 for Safe Mode with Networking.
• If Windows won’t boot normally:
  • From the sign-in screen: Hold Shift and click Power > Restart, then follow the path above.
• Command-line alternative (to set a one-time safe boot):
  • Open an elevated command prompt and run:
    bcdedit /set {current} safeboot minimal
  • Revert after troubleshooting:
    bcdedit /deletevalue {current} safeboot

Back up important data

• Copy critical files to an external drive or cloud storage before making major changes.
• Create a Restore Point: Control Panel > System > System Protection > Create.

Run basic health checks

• Check disk (fix errors on reboot):
  chkdsk C: /F
• System file checker:
  sfc /scannow
• Repair component store:
  DISM /Online /Cleanup-Image /RestoreHealth

If SFC/DISM report errors they cannot fix, plan for an in-place repair upgrade after other remedies.

Step-by-Step Troubleshooting

Important: Work from simplest to advanced. Re-test the operation that failed after each step.

1. Identify the context and log the exact error

• Note where 0x80070005 appears (Windows Update, Store, installer, Office activation, etc.).
• Open Event Viewer (eventvwr.msc):
  • Windows Logs > Application and System: Look for Error/Warning around the time of failure.
  • For Windows Update: Applications and Services Logs > Microsoft > Windows > WindowsUpdateClient > Operational.
  • For AppLocker/WDAC: Microsoft > Windows > AppLocker and CodeIntegrity logs.
• Capture event IDs, paths, registry keys, or component names mentioned.

2. Windows Update: Run the built-in troubleshooter

• Settings > System > Troubleshoot > Other troubleshooters > Windows Update > Run.
• Apply suggestions and retry updates.
• If still failing, continue to the reset steps below.

3. Reset Windows Update components
   Run these commands in an elevated Command Prompt:

net stop bits
net stop wuauserv
net stop appidsvc
net stop cryptsvc

rename %systemroot%\SoftwareDistribution SoftwareDistribution.old
rename %systemroot%\System32\catroot2 catroot2.old

net start cryptsvc
net start appidsvc
net start wuauserv
net start bits

• Reboot and try Windows Update again.
• If access denied persists, consider re-registering key Windows Update DLLs (optional) or proceed to SFC/DISM again.

4. Microsoft Store and appx deployments

• Reset Store cache:
  wsreset.exe
• Re-register Store (PowerShell as admin):
  Get-AppxPackage -AllUsers Microsoft.WindowsStore | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppxManifest.xml”}
• For app install issues, also re-register app deployment services:
  PowerShell (admin):
  Get-AppxPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register “$($_.InstallLocation)\AppxManifest.xml”}
• Settings > Apps > Microsoft Store > Advanced options > Reset.
• Check that %LOCALAPPDATA%\Packages and %ProgramFiles%\WindowsApps have not been manually permissioned. Avoid force-changing WindowsApps ACLs; let the system manage them.

5. Check Controlled Folder Access and security software

• Windows Security > Virus & threat protection > Ransomware protection > Manage ransomware protection:
  • If Controlled folder access is On, click “Allow an app through Controlled folder access” and add the failing app/installer, or temporarily turn it Off to test.
• Temporarily disable third-party antivirus/EDR or use a “silent mode.” If uninstalling for testing, use the vendor’s clean-up tool, then test again.

6. Fix NTFS permissions for specific folders
   If Event Viewer or error messages point to a folder path:

• Verify ownership and inheritance (Right-click folder > Properties > Security > Advanced).
• From elevated Command Prompt, carefully reset ACLs on the affected path:

takeown /F “C:\Path\To\Folder” /R /D Y
icacls “C:\Path\To\Folder” /inheritance:e
icacls “C:\Path\To\Folder” /grant “%USERNAME%”:(OI)(CI)M /T

Notes:

• Use these commands only on the specific folder involved. Do not blindly reset system folders like C:\Windows or C:\Program Files.
• For Windows Update: prefer renaming SoftwareDistribution/catroot2 (step 3) rather than ACL changes.

7. Fix registry permissions (only for the implicated keys)

• If Event Viewer references a registry key with Access Denied:
  • regedit > navigate to the key > right-click > Permissions.
  • Ensure Administrators/System have appropriate permissions; restore inheritance if broken.
• Avoid mass registry permission resets. Change only the keys referenced by logs.

8. Office/Windows activation and MachineKeys folder permissions
   Activation often fails if the MachineKeys directory lacks proper ACLs:

• Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
• Ensure permissions:
  • Owner: SYSTEM
  • SYSTEM: Full control
  • Administrators: Full control
• To reset via command line (elevated):

icacls “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys” /inheritance:e
icacls “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys” /grant SYSTEM:(OI)(CI)F /T
icacls “C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys” /grant Administrators:(OI)(CI)F /T

• Make sure the Software Protection service (sppsvc) is Running (services.msc).
• For Office volume activation, also run:
  cscript “C:\Program Files\Microsoft Office\Office16\OSPP.VBS” /dstatus

9. COM/DCOM permissions for automation scenarios
   If a COM server or Office automation fails with 0x80070005:

• Open Component Services (dcomcnfg).
• Component Services > Computers > My Computer > Properties:
  • COM Security tab:
    • Edit Default Launch and Activation Permissions: add the service account/user with Local Launch/Activation (and Remote if needed).
    • Edit Default Access Permissions: add the account with Local Access (and Remote if needed).
• For a specific COM application:
  • Component Services > Computers > My Computer > DCOM Config > [Your Component] > Properties > Security tab:
    • Customize Launch and Activation Permissions and Access Permissions for the account running the app/service.
• Restart the service/app and test.

10. Group Policy, AppLocker, and WDAC

• Generate a Group Policy report to see effective policies:
  gpresult /h “%USERPROFILE%\Desktop\gpresult.html”
• Open the report and review Software Restriction, AppLocker, Device Guard/WDAC, and Windows Update policies.
• Check AppLocker logs:
  • Event Viewer > Applications and Services Logs > Microsoft > Windows > AppLocker (EXE and DLL/MSI and Script/Packaged app).
• If a policy is blocking the operation, temporarily set it to Audit or create an allow rule. For WDAC, test in audit mode if available.

11. User profile and OneDrive folder ACLs

• If saves or sync fail with 0x80070005:
  • Reset ACLs on your profile/OneDrive folders (elevated command prompt):

icacls “%USERPROFILE%” /inheritance:e
icacls “%USERPROFILE%” /grant “%USERNAME%”:(OI)(CI)F /T

• Sign out/in and retry sync.

12. Malware and tampering check

• Run a full scan with Microsoft Defender (or your EDR).
• Use Microsoft Safety Scanner (msert.exe) as a second opinion.
• If malware is found, remove it, re-run SFC/DISM, and recheck permissions.

13. Repair system files and servicing

• If you haven’t already, run:
  sfc /scannow
  DISM /Online /Cleanup-Image /RestoreHealth
• Reboot and test again.

14. Reset local security policy to defaults (last resort on standalone PCs)

• Caution: This resets many security settings to Windows defaults.
  secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose
• Reboot and retest. Re-apply only the policies you truly need.

15. In‑place repair upgrade (keeps apps and files)

• Download the Windows 10/11 ISO or use Media Creation Tool.
• Run setup.exe from within Windows, choose “Keep personal files and apps.”
• This refreshes system files, servicing stack, and many default permissions.

Minidump analysis (only if a BSOD accompanies 0x80070005)
While 0x80070005 is not a BSOD stop code, misconfigured drivers or system corruption can sometimes cause crashes alongside access issues.

• Ensure minidumps are enabled:
  • System Properties > Advanced > Startup and Recovery > Settings:
    • Write debugging information: Small memory dump (256 KB).
    • Dump file: %SystemRoot%\Minidump
• Find dumps: C:\Windows\Minidump
• Quick analysis with BlueScreenView:
  • Download NirSoft BlueScreenView, open the dump, note the driver or module highlighted.
• Deeper analysis with WinDbg (Microsoft Store: WinDbg Preview):
  • File > Open Dump File > !analyze -v
  • Identify the driver/module at fault and update/roll back/remove it accordingly.

Advanced Diagnostics

Use Event Viewer effectively

• Focus on the time of the failure and correlate across:
  • WindowsUpdateClient (update errors)
  • AppXDeployment-Server (Store/appx issues)
  • Service Control Manager (services failing to start)
  • MsiInstaller (installer failures)
  • AppLocker/CodeIntegrity (application control blocks)
• Double-click events to copy the path or registry key that failed.

Trace Access Denied with Process Monitor (ProcMon)

• Download from Microsoft Sysinternals.
• Run as Administrator.
• Filter > Filter…
  • Add: Result is ACCESS DENIED then Include.
  • Optional: Process Name is [your app/installer] then Include.
• Reproduce the problem. Look for the first Access Denied entries.
• The Path column shows the file/registry being blocked. Fix the ACLs or policy for that specific path.
• Tip: A single deny in a parent directory or registry key can cause cascading failures.

Driver Verifier (only if you suspect driver-related instability)

• Run as admin:
  verifier
• Create standard settings > Select all drivers except Microsoft > Finish > reboot.
• Use the PC; if a faulty driver causes BSODs, note the driver name in the crash.
• Important:
  • Driver Verifier stresses drivers; it can cause frequent BSODs if a driver is bad.
  • To turn off:
    verifier /reset
  • If Windows can’t boot, use Safe Mode to reset Verifier.

Audit object access (enterprise/forensics)

• Enable Audit Object Access (Advanced Audit Policy) and set auditing on the target file/registry key to catch which principal is denied.
• Review Security log for Event ID 4656/4663 with Accesses: DENIED.

Post-Fix Checklist

• Confirm the original operation now succeeds (Windows Update completes; app installs; activation works).
• Review Event Viewer: No new Access Denied errors related to the operation.
• Re-run SFC and DISM; both should report no integrity violations.
• If you changed policies (AppLocker/WDAC/Controlled Folder Access), ensure final settings are as strict as needed without blocking legitimate apps.
• Create a fresh Restore Point after successful repair.

When to Seek Professional Help

• Enterprise environment with complex GPO, WDAC/AppLocker, or domain-level changes needed.
• Widespread ACL corruption across system folders and registry hives.
• Persistent update failures after in‑place repair upgrade.
• Repeated activation failures even after MachineKeys and sppsvc checks.
• Suspected malware/EDR conflicts that require expert remediation.
• Critical systems where downtime risk is high and you need guaranteed recovery paths.

Prevention Tips

• Practice “least privilege”:
  • Daily account as Standard User; elevate only when needed.
• Keep Windows and drivers updated:
  • Regular Windows Update; vendor tools for chipset/storage/NIC updates.
• Maintain clean software deployments:
  • Prefer vendor-signed installers; avoid manual permission hacks on system folders.
• Backup regularly:
  • System image + file-level backups; test restore paths.
• Monitor with built-in tools:
  • Event Viewer for recurring Access Denied events.
  • Windows Security health; add apps to Controlled Folder Access allow list as needed.
• Document policy changes:
  • Track AppLocker/WDAC/GPO modifications; review quarterly.
• Avoid “registry cleaners” and generic “permission reset” tools that can break ACL inheritance.

Conclusion

The 0x80070005 “Access Denied” error is usually solvable once you pinpoint what’s being blocked: a folder, registry key, COM component, policy, or security control. Start with built-in troubleshooters, reset Windows Update or Store components if they’re involved, then use Event Viewer and Process Monitor to find the exact path or registry key that’s denied. Repair ACLs carefully, review Controlled Folder Access, AppLocker/WDAC, and antivirus/EDR, and run SFC/DISM to heal system files. When in doubt, an in‑place repair upgrade restores sanity without losing your apps or data. With a methodical approach, most 0x80070005 issues can be fixed quickly and permanently.

FAQ Section

What does 0x80070005 mean in Windows Update?

It means Windows Update lacked permissions to read/write files or registry keys it needs, or a policy/security tool blocked it. Resetting Windows Update components (renaming SoftwareDistribution and catroot2), running SFC/DISM, and checking security policies typically resolves it.

How do I fix 0x80070005 in the Microsoft Store?

Run wsreset, reset the Store app (Settings > Apps > Microsoft Store > Reset), and re-register app packages with PowerShell. Also verify Controlled Folder Access and antivirus are not blocking the installer or the app’s data folders.

Is 0x80070005 a virus?

No, it’s an “Access is denied” error code. However, malware can cause access denials by changing permissions or policies. Run full scans with Microsoft Defender and your EDR to rule out tampering.

Can I just take ownership of Windows folders to fix it?

Avoid broad ownership/ACL changes on system folders like C:\Windows or C:\Program Files. Fix only the specific path reported by logs. Use official resets (e.g., Windows Update reset) instead of mass permission changes.

What if none of the steps work?

Run SFC/DISM again, check ProcMon for Access Denied on a specific path, verify policies (AppLocker/WDAC/GPO), and consider an in‑place repair upgrade. If the issue persists, especially in a domain or with heavy policy use, consult professional support.

You’ve got this—work through the steps, use the logs to guide you, and you’ll get past “Access Denied” 0x80070005 with confidence.