On Windows Server 2008 R2 running Hyper-V, I copied a VHD to an external drive using Windows Explorer. After compacting the drive, I copied the VHD back to its original location and tried to start the virtual machine. I got a long message telling me that the virtual machine failed to start due to an access denied error.
The Message
Here are the important bits of the message, along with the corresponding event IDs in the Hyper-V-Worker Admin event log:
‘VM01’ failed to start.
Microsoft Emulated IDE Controller (Instance ID {…}): failed to Power on with Error ‘General access denied error’ (0x80070005). [Event ID 12010]
IDE/ATAPI Account does not have sufficient privilege to open attachment ‘D:\Virtual Machines\VM01\Virtual Hard Disks\DRIVE01.VHD’. Error: ‘General access denied error’ (0x80070005). [Event ID 12290]
‘VM01 failed to start. (Virtual machine ID 6B78D45F5-71DF-4725-B4B2-E651800BE80EF) [Event ID 12030]
Okay, so I understand that it can’t access the VHD file. But what is the “IDE/ATAPI Account”? I see no such account in the list of available users and groups when I try to modify the VHD file’s permissions using the GUI. What I do see, when I examine the permissions of a working VHD, is what looks like a GUID as a user name with Read and Write permissions:
Virtual Machine SID
It turns out that the virtual machine’s unique identifier (SID) actually needs direct access to the file. The details are in this Microsoft knowledge base article:
Hyper-V virtual machines may not start, and you receive an error: “‘General access denied error’ (0x80070005)”
http://support.microsoft.com/kb/2249906
Update the Permissions
The solution is to give the SID Full control of the VHD using the command line.
Tip: Rather than type (or mistype) the SID by hand, cut and paste it from the event log message or from the XML file name in the Virtual Machines folder.
The command:
icacls <Path of .vhd file> /grant "NT VIRTUAL MACHINE\<Virtual Machine SID>":F
Note that there is no space before the :F. For example:
icacls "D:\Virtual Machines\VM01\Virtual Hard Disks\DRIVE01.VHD" /grant "NT VIRTUAL MACHINE\6B78D45F5-71DF-4725-B4B2-E651800BE80EF":F
Once that permission has been added, you should be able to start the virtual machine.
I’ve had similar problems and solved them just by reattaching the disk from the settings of the machine – that makes sure all the permissions are OK :)
Thanks Hugo – that sounds like an even simpler solution!
It is simpler indeed, but it’s so much cooler to use the old-fashioned command line :)
I just ran into this, and not only do I now know how to do it the easy way, but I also know a bit more of Hyper-V’s inner workings as well.
Thanx for the info!
Thanks Hugo, that was an easy fix.
Just hit this again, now under Server 2012 R2 with .vhdx files. I couldn’t re-attach the drives from the UI because I had Saved the state rather than shutting down. “Some settings cannot be modified because the virtual machine was saved when this window was opened.” Command line to the rescue again! And really, it only takes about a minute ;).
No luck for me;
‘Invalid parameter “NT VIRTUAL MACHINE\”‘
Maxim, did you include the full virtual machine ID, with no space after the backslash, as shown in the example?
icacls "D:\Virtual Machines\VM01\Virtual Hard Disks\DRIVE01.VHD" /grant "NT VIRTUAL MACHINE\6B78D45F5-71DF-4725-B4B2-E651800BE80EF":FIf that doesn’t work, did you try attaching the VHD from the GUI as suggested in Hugo Grimes’ comment above?
Invalid parameter
Muhammad, did you see my comment above on April 4, 2018? If you want to use a command line, there can be no spaces after the “\”.
For an even simpler solution, follow Hugo Grimes’ advice in comment he made October 16, 2010.
despite the permissions I have on the disk, still no luck with Windows 2019, build 17763.1282
c:\Users\Public\Documents\Hyper-V\Virtual hard disks>icacls New.vhdx
New.vhdx S-1-15-3-1024-2268835264-3721307629-241982045-173645152-1490879176-104643441-2915960892-1612460704:(R,W)
NT VIRTUAL MACHINE\096C6956-D093-4E33-AE82-20A715F1E6CC:(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Hyper-V Administrators:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
Successfully processed 1 files; Failed processing 0 files
==================================
I’m getting the error, Permision Denied/Access Denied
PS C:\Users\Administrator> start-vm -Name new
start-vm : ‘New’ failed to start. (Virtual machine ID 096C6956-D093-4E33-AE82-20A715F1E6CC)
At line:1 char:1
+ start-vm -Name new
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (:) [Start-VM], VirtualizationException
+ FullyQualifiedErrorId : AccessDenied,Microsoft.HyperV.PowerShell.Commands.StartVM
@Hussain, that looks like a different error from the one I reported at the top of this post, which specifically mentions access denied on the VHD. Maybe there is more detail in the event log?
With newer versions like 2019, you need also to add the VMid to the ACL’s.
See: https://docs.microsoft.com/en-us/troubleshoot/windows-server/virtualization/hyper-v-virtual-machine-not-start-0x80070005
Try to run the command in a cmd console window, not a powershell one
icacls “TERMINAL SERVER.VHD” /grant “NT VIRTUAL MACHINE\345A9837-8E16-4923-ADEB-ACC871063D18”:(F)
Re-attaching the disk also works.