Hyper-V Virtual Machine Failed to Start after Copying VHD

Mark Berry October 8, 2010

On Windows Server 2008 R2 running Hyper-V, I copied a VHD to an external drive using Windows Explorer. After compacting the drive, I copied the VHD back to its original location and tried to start the virtual machine. I got a long message telling me that the virtual machine failed to start due to an access denied error.

The Message

Here are the important bits of the message, along with the corresponding event IDs in the Hyper-V-Worker Admin event log:

‘VM01’ failed to start.

Microsoft Emulated IDE Controller (Instance ID {…}): failed to Power on with Error ‘General access denied error’ (0x80070005). [Event ID 12010]

IDE/ATAPI Account does not have sufficient privilege to open attachment ‘D:\Virtual Machines\VM01\Virtual Hard Disks\DRIVE01.VHD’. Error: ‘General access denied error’ (0x80070005). [Event ID 12290]

‘VM01 failed to start. (Virtual machine ID 6B78D45F5-71DF-4725-B4B2-E651800BE80EF) [Event ID 12030]

Okay, so I understand that it can’t access the VHD file. But what is the “IDE/ATAPI Account”? I see no such account in the list of available users and groups when I try to modify the VHD file’s permissions using the GUI. What I do see, when I examine the permissions of a working VHD, is what looks like a GUID as a user name with Read and Write permissions:

Hyper-V VHD Permissions GUI

Virtual Machine SID

It turns out that the virtual machine’s unique identifier (SID) actually needs direct access to the file. The details are in this Microsoft knowledge base article:

Hyper-V virtual machines may not start, and you receive an error: “‘General access denied error’ (0x80070005)”
http://support.microsoft.com/kb/2249906

Update the Permissions

The solution is to give the SID Full control of the VHD using the command line.

Tip: Rather than type (or mistype) the SID by hand, cut and paste it from the event log message or from the XML file name in the Virtual Machines folder.

The command:

icacls <Path of .vhd file> /grant "NT VIRTUAL MACHINE\<Virtual Machine SID>":F

Note that there is no space before the :F. For example:

icacls "D:\Virtual Machines\VM01\Virtual Hard Disks\DRIVE01.VHD" /grant "NT VIRTUAL MACHINE\6B78D45F5-71DF-4725-B4B2-E651800BE80EF":F

Once that permission has been added, you should be able to start the virtual machine.



5 Comments

  1. Hugo Grimes   |  October 16, 2010 at 4:04 am

    I’ve had similar problems and solved them just by reattaching the disk from the settings of the machine – that makes sure all the permissions are OK :)

  2. Mark Berry   |  October 16, 2010 at 8:20 am

    Thanks Hugo – that sounds like an even simpler solution!

  3. Jeroen Hems   |  March 23, 2011 at 3:46 pm

    It is simpler indeed, but it’s so much cooler to use the old-fashioned command line :)

    I just ran into this, and not only do I now know how to do it the easy way, but I also know a bit more of Hyper-V’s inner workings as well.

    Thanx for the info!

  4. James   |  December 30, 2011 at 9:36 am

    Thanks Hugo, that was an easy fix.

  5. Mark Berry   |  September 26, 2016 at 2:33 pm

    Just hit this again, now under Server 2012 R2 with .vhdx files. I couldn’t re-attach the drives from the UI because I had Saved the state rather than shutting down. “Some settings cannot be modified because the virtual machine was saved when this window was opened.” Command line to the rescue again! And really, it only takes about a minute ;).

Leave a Reply





*