
Access denied for Sophos related processes

Disclaimer: Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

Microsoft's Process Monitor tool (or other similar tools) reports many access denied messages for Sophos-related processes.

Applies to the following Sophos products and versions:

  • Sophos Endpoint Security and Control

Use Backup and Restore

Restore the computer to a working state. Follow the steps in the Microsoft article https://support.microsoft.com/en-us/windows/backup-and-restore-in-windows-10-352091d2-bb9d-3ea3-ed18-52ef2b88cbef.

Use SubInACL

The script below uses the Microsoft utility SubInACL to grant the Administrators group and the local SYSTEM account full control of three registry hives and of every folder on the system drive (the script's /subdirectories %SystemDrive% lines). It adds the permission; it does not replace the existing ACLs.

Warning:

  • Make a full backup of the computer before using the script.
  • Back up the registry. Corruption of the registry may leave the computer in a non-bootable state, and assistance from Microsoft may be required to correct the issue.
  • The script only adds permissions to the hives and folders listed in it. It does not remove any existing permissions.

  1. Download and install SubInACL.
  2. Create a file named reset.cmd in C:\Program Files\Windows Resource Kits\Tools.
  3. Edit the file reset.cmd with the following content:

    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=administrators=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=administrators=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=administrators=f
    subinacl /subdirectories %SystemDrive% /grant=administrators=f
    subinacl /subkeyreg HKEY_LOCAL_MACHINE /grant=system=f
    subinacl /subkeyreg HKEY_CURRENT_USER /grant=system=f
    subinacl /subkeyreg HKEY_CLASSES_ROOT /grant=system=f
    subinacl /subdirectories %SystemDrive% /grant=system=f
  4. Open Run.
  5. Type the command "C:\Program Files\Windows Resource Kits\Tools\reset.cmd".
  6. Click OK.

The permissions will be reset after a few minutes. Errors will pop up about keys that the script can't change, which is normal behavior. It’s recommended to run the script twice, with a restart in between, before continuing to troubleshoot.
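Before granting full control across whole hives, it helps to find out which keys actually lack the permissions the script adds. The PowerShell below is an added example, not part of the Sophos article or of SubInACL; it assumes HKLM:\SOFTWARE\Sophos as the starting subtree (change it to the keys Process Monitor flagged) and reports every key where BUILTIN\Administrators or NT AUTHORITY\SYSTEM lacks an Allow FullControl entry, or whose DACL cannot be read at all.

```powershell
# Added example (not from the Sophos article): audit a registry subtree for keys where
# Administrators or SYSTEM lack FullControl, i.e. the keys subinacl /grant=...=f would change.
# Run from an elevated PowerShell; the root path below is an assumption.

function Test-KeyGrantsFullControl {
    param(
        [System.Security.AccessControl.RegistrySecurity]$Acl,
        [string]$Identity
    )
    # Explicit and inherited ACEs both count; only an Allow ACE with FullControl satisfies the check.
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Identity -and
            $ace.AccessControlType -eq 'Allow' -and
            $ace.RegistryRights.HasFlag([System.Security.AccessControl.RegistryRights]::FullControl)) {
            return $true
        }
    }
    return $false
}

function Find-KeysMissingFullControl {
    param([string]$Root = 'HKLM:\SOFTWARE\Sophos')   # assumed starting subtree
    $principals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    $results = @()
    # Get-Item adds the root key itself; Get-ChildItem -Recurse walks its subkeys.
    $keys = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction Stop
        } catch {
            # Not being able to read the DACL is itself a finding: record it and move on.
            $results += [pscustomobject]@{ Key = $key.Name; Principal = '(DACL unreadable)'; Detail = $_.Exception.Message }
            continue
        }
        foreach ($p in $principals) {
            if (-not (Test-KeyGrantsFullControl -Acl $acl -Identity $p)) {
                $results += [pscustomobject]@{ Key = $key.Name; Principal = $p; Detail = 'missing FullControl' }
            }
        }
    }
    return $results
}

# Keys listed here are the ones worth fixing; an empty result means the Sophos keys are not the problem.
Find-KeysMissingFullControl | Format-Table -AutoSize
```

The same idea applies to the file side of the script: Get-Acl on the folders under %SystemDrive% that Process Monitor flagged shows whether FileSystemRights FullControl is present before the whole drive is touched.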
