Microsoft KB Archive/910338

= Error message when you visit the Windows Update Web site or the Microsoft Update Web site: "0x800A0046" =

Article ID: 910338

Article Last Modified on 2/7/2006


APPLIES TO


 * Microsoft Update
 * Microsoft Windows Update






SYMPTOMS
When you visit the Microsoft Windows Update Web site or the Microsoft Update Web site, the Web site may appear to stop responding. Additionally, you may receive the following error message:

0x800A0046

One of the following entries may be logged in the %windir%\Windowsupdate.log file:

Date Time    3096    c1c COMAPI  WARNING: Unable to listen to self-update/shutdown event (hr=0X80070005)

Date Time    3096    c1c COMAPI  WARNING: Unable to establish connection to the service. (hr=80070005)



CAUSE
This issue occurs if one or more of the following conditions are true:
 * The DCOM configuration is incorrect.
 * Your user account is a member of the Guests group.
 * The security descriptor in the Automatic Updates service is incorrect.
 * The local security policy is incorrect.



RESOLUTION
To resolve this issue, follow these steps on client computers.

Step 1: Verify DCOM security
 * 1) Click Start, click Run, type Dcomcnfg, and then click OK.
 * 2) Expand Component Services, and then expand Computers.
 * 3) Right-click My Computer, and then click Properties.
 * 4) Click the COM Security tab.
 * 5) Under Access Permissions, click Edit Default.
 * 6) Verify that the following accounts are listed:
 ** On Microsoft Windows XP-based and Microsoft Windows Server 2003-based clients
 ** On Microsoft Windows 2000-based clients
 * 7) If any one of these accounts is missing in the Access Permission box, follow these steps:
 ** a) Click Add, click Advanced, and then click Locations.
 ** b) In the Locations box, click the  , and then click OK.
 ** c) Click Find Now.
 ** d) Press CTRL, click the required account names, and then click OK two times.
 ** e) In the Group or User names box, click an account that you added, click Local Access in the Permissions for  box, and then click to select the check box in the Allow column.
 ** f) Repeat step 7e for all the accounts that you just added, and then click OK.

Step 2: Verify DCOM default properties

 * 1) Click the Default Properties tab.
 * 2) Verify the following configuration:
 ** The Enable Distributed COM on this computer check box is selected.
 ** In the Default Authentication level box, Connect is selected.
 ** In the Default Impersonation level box, Identify is selected.
 * 3) Make any required changes, and then click OK.
 * 4) Restart the computer.

Step 3: Verify that your user account is not a member of the Guests group
Note This step applies only to computers that are running Windows Server 2003, Windows XP Professional, or Windows 2000 and that are not joined to a domain.
 * 1) Click Start, click Settings, and then click Control Panel.
 * 2) Double-click Administrative Tools.
 * 3) Expand Computer Management, and then expand Local Users and Groups.
 * 4) Click Users.
 * 5) In the right pane, double-click the account that you used to log on to the computer.
 * 6) Click the Member Of tab.
 * 7) Click Guests, click Remove, and then click OK.

Step 4: Verify the security descriptor in the Automatic Updates service
On Windows Server 2003-based and Windows XP-based clients
 * 1) Click Start, click Run, type cmd, and then click OK.
 * 2) At the command prompt, type the following command, and then press ENTER to reset the security descriptor:

Sc sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Note In a domain environment, this security setting may be configured by a Group Policy object. If the issue is only temporarily resolved after you type this command, a Group Policy object is probably configured. The domain administrator must modify Group Policy to include the correct security settings.

On Windows 2000-based clients
 * 1) Download the Subinacl utility. To do this, visit the following Microsoft Web site: http://www.microsoft.com/downloads/details.aspx?FamilyID=e8ba3e56-d8fe-4a91-93cf-ed6985e3927b&DisplayLang=en
 * 2) Double-click the downloaded file, and then follow instructions in the Windows Resource Kit Tools Setup Wizard. By default, the Subinacl utility is installed in the following directory: C:\Program Files\Windows Resource Kits\Tools
 * 3) Click Start, click Run, type cmd, and then click OK.
 * 4) At the command prompt, type cd C:\Program Files\Windows Resource Kits\Tools to move to the directory where the Subinacl utility was installed.
 * 5) Type the following command, and then press ENTER:

Subinacl /service wuauserv /sddl=D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)

Note In a domain environment, this security setting may be configured by a Group Policy object. If the issue is only temporarily resolved after you type this command, a Group Policy object is probably configured. The domain administrator must modify Group Policy to include the correct security settings.
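To check whether the descriptor from Step 4 is still in place, for example after a Group Policy refresh, the output of sc sdshow wuauserv can be decoded and compared with the string shown above. The following Python script is an added example, not part of the original article; the function names and the SAMPLE descriptor are constructed for illustration.

```python
import re

# Descriptor the article applies in Step 4 (copied from the page).
EXPECTED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
# Meaning of the two-letter SDDL rights when the object is a service.
RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
          "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
          "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
          "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
# Well-known SID aliases that appear in the descriptors below.
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "WD": "Everyone",
            "AU": "Authenticated Users", "PU": "Power Users"}
# Constructed sample of "sc sdshow wuauserv" output: the AU entry is missing
# and an audit SACL (S:) follows the DACL.
SAMPLE = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
          "(A;;CCLCSWRPWPDTLOCRRC;;;PU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

def parse_dacl(sddl):
    """Return {(ace_type, trustee): set(right codes)} for the D: part only."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl.strip())
    if not m:
        raise ValueError("no DACL found in SDDL string")
    dacl = {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: " + ace)
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if not re.fullmatch(r"(?:[A-Z]{2})*", rights):
            raise ValueError("rights are not two-letter codes: " + rights)
        dacl.setdefault((ace_type, trustee), set()).update(re.findall("..", rights))
    return dacl

def diff_dacl(current, expected=EXPECTED):
    """List (kind, ace_type, trustee, rights) where current differs from expected."""
    cur, exp = parse_dacl(current), parse_dacl(expected)
    findings = []
    for key in sorted(set(cur) | set(exp)):
        name = TRUSTEES.get(key[1], key[1])
        missing = exp.get(key, set()) - cur.get(key, set())
        extra = cur.get(key, set()) - exp.get(key, set())
        for kind, codes in (("missing", missing), ("extra", extra)):
            if codes:
                findings.append((kind, key[0], name,
                                 sorted(RIGHTS.get(c, c) for c in codes)))
    return findings

if __name__ == "__main__":
    for finding in diff_dacl(SAMPLE):
        print(finding)
```

An empty result means the DACL matches the article's string; a "missing" finding that reappears after the command was run is consistent with the Group Policy note above.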

Step 5: Verify the local security policy
Notes
 * This step applies only to Windows Server 2003-based, Windows XP Professional-based, or Windows 2000-based computers.
 * If your user account belongs to a domain, this security setting may be configured by a Group Policy object that is located on the network. Contact the network administrator, or see the following Microsoft Knowledge Base article for more information: 810739 White Paper: Troubleshooting Group Policy in Windows 2000

 * 1) Click Start, click Run, type gpedit.msc, and then click OK.
 * 2) Expand Computer Configuration, expand Windows Settings, expand Security Settings, and then expand Local Policies.
 * 3) Click User Rights Assignment.
 * 4) In the right pane, double-click Impersonate a client after Authentication.
 * 5) Verify that the Service and Administrators accounts are included.
 * 6) If the Service account or the Administrators account is missing, follow these steps to add the account:
 ** a) Click Add User or Group, click Advanced, and then click Locations.
 ** b) In the Locations box, click  , and then click OK.
 ** c) Click Find Now.
 ** d) Press CTRL, click the required account names, and then click OK three times.
 * 7) Restart the computer.

Step 6: Enable user data persistence in Microsoft Internet Explorer

 * 1) Open Internet Explorer.
 * 2) On the Tools menu, click Internet Options.
 * 3) Click the Security tab, and then click Internet.
 * 4) Click Custom Level.
 * 5) In the Settings dialog box, scroll to the Miscellaneous section.
 * 6) Under Userdata persistence, click Enable.
 * 7) Click OK two times.

<div class="references_section">