LoadUserProfile returning value 1314 (ERROR_PRIVILEGE_NOT_HELD) RRS feed

  • Question

  • Hi,
        We have an installer here that in one of its custom actions does an ImpersonateUser call to encrypt certain user data.
    The sequence of calls we do for the same is LogonUser(), DuplicateToken(), LoadUserProfile() and then ImpersonateLoggedOnUser(). The code is age old and has been working fine till now on XP, Vista and W2k3 machines. It was tested against Win2k8 machines also and was working all well.

    We now have stumbled onto one machine where in the LoadUserProfile call is failind with a return code of 1314, "A required privilege is not held by the client." I am not able to figure out why this is happening. Could you please help me debug this issue? Any tips on what information or access permissions I should be looking out for?

    Info: I am executing the service as a domain user, but an admin on the system. Info on where to find what permissions/access rights are assigned to a user account and how to modify them would also be very useful.

    PS: I could paste the exact method calls if required.

    Thanks in advance.
    • Edited by SharathP - MSFT Tuesday, June 2, 2009 7:34 PM wrong error code, corrected it
    Tuesday, June 2, 2009 7:33 PM

All replies

  • What sort of custom action is this?  Immediate, or deferred, non-impersonated? (assuming this is an MSI)

    In any case, see MSDN for LoadUserProfile:
    The calling process must have the SE_RESTORE_NAME and SE_BACKUP_NAME privileges. For more information, see Running with Special Privileges.

    My guess is that's the problem.  You can confirm by attaching a debugger to the installation, breaking on LoadUserProfile, and then running Process Explorer (available from microsoft.com for free).  Locate the process in question in Process Explorer, right click, properties, and somewhere in one of these panes you should see a list of privileges the process has.

    Tuesday, June 2, 2009 7:43 PM
  • Hi David,
        Your guess was perfectly right. Giving the SeBackupPrivilege to the MsiServer service, restarting it and trying the install solved the problem.

    So now my question is: Why does it happen on some systems and why not on others? I have a dev machine where in the poduct installs with no hassles. In both cases I am the admin, OS is Win 2K8 and Windows Installer version is 4.5.* . (Info: we build our MSI for schema 300, meaning Windows Installer 3.0, but this means it would  also run on all greater versions.)

    I did check on my local machines (both Vista and Win2k8) and saw that MsiServer does not have these privileges, but the LoadUserProfile call succeeds here and fails on that particular system. We now have one more customer reporting the same issue, with the same error message and the logs revealing LoadUserProfile failing with 1314.

    As per this Windows Installer Blog article, they seem to ve fixed this issue in Windows Installer 4.5, but I dont see it working that way.

    Thanks for the help David.
    Wednesday, June 3, 2009 2:22 PM
  • Have you looked at the stack on the LoadUserProfile call?

    Wednesday, June 3, 2009 8:37 PM