
Access to the path 'C:\ProgramData\chocolatey\config' is denied (after clean install + restart) #1048

Closed
ohadschn opened this issue Nov 12, 2016 · 57 comments

Comments

@ohadschn

Environment

Win10 64 bit (1607 build 14393.447)
UAC settings: default (notify me only when apps try to make changes to my computer)

What You Are Seeing?

From a non-elevated cmd shell:

C:\> choco install keepass-keepasshttp
This is try 1/3. Retrying after 300 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\config' is denied.
This is try 2/3. Retrying after 400 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\config' is denied.
Maximum tries of 3 reached. Throwing error.
Cannot create directory "C:\ProgramData\chocolatey\config". Error was: ...

This is not surprising seeing as when I try to create that folder manually, I am greeted with an OS admin access confirmation dialog. If I run the same command from an elevated prompt, everything works.

How Did You Get This To Happen? (Steps to Reproduce)

Installed Chocolatey from an elevated PowerShell window, per the recommendation in https://chocolatey.org/docs/installation. Restarted the computer and executed the choco install command above.

Output Log (debug + verbose)

This is try 1/3. Retrying after 300 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\config' is denied.
This is try 2/3. Retrying after 400 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\config' is denied.
Maximum tries of 3 reached. Throwing error.
Cannot create directory "C:\ProgramData\chocolatey\config". Error was:
System.UnauthorizedAccessException: Access to the path 'C:\ProgramData\chocolatey\config' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
   at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
   at chocolatey.infrastructure.filesystem.DotNetFileSystem.<>c__DisplayClass60.<create_directory>b__5f()
   at chocolatey.infrastructure.tolerance.FaultTolerance.<>c__DisplayClass1.<retry>b__0()
   at chocolatey.infrastructure.tolerance.FaultTolerance.retry[T](Int32 numberOfTries, Func`1 function, Int32 waitDurationMilliseconds, Int32 increaseRetryByMilliseconds, Boolean isSilent)
   at chocolatey.infrastructure.filesystem.DotNetFileSystem.create_directory(String directoryPath)
   at chocolatey.infrastructure.filesystem.DotNetFileSystem.create_directory_if_not_exists(String directoryPath, Boolean ignoreError)
Chocolatey had an error occur:
System.UnauthorizedAccessException: Access to the path 'C:\ProgramData\chocolatey\config' is denied.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.Directory.InternalCreateDirectory(String fullPath, String path, Object dirSecurityObj, Boolean checkHost)
   at System.IO.Directory.InternalCreateDirectoryHelper(String path, Boolean checkHost)
   at chocolatey.infrastructure.filesystem.DotNetFileSystem.<>c__DisplayClass60.<create_directory>b__5f()
   at chocolatey.infrastructure.tolerance.FaultTolerance.<>c__DisplayClass1.<retry>b__0()
   at chocolatey.infrastructure.tolerance.FaultTolerance.retry[T](Int32 numberOfTries, Func`1 function, Int32 waitDurationMilliseconds, Int32 increaseRetryByMilliseconds, Boolean isSilent)
   at chocolatey.infrastructure.filesystem.DotNetFileSystem.create_directory(String directoryPath)
   at chocolatey.infrastructure.filesystem.DotNetFileSystem.create_directory_if_not_exists(String directoryPath, Boolean ignoreError)
   at chocolatey.infrastructure.extractors.AssemblyFileExtractor.extract_text_file_from_assembly(IFileSystem fileSystem, IAssembly assembly, String manifestLocation, String filePath, Boolean overwriteExisting)
   at chocolatey.infrastructure.app.builders.ConfigurationBuilder.get_config_file_settings(IFileSystem fileSystem, IXmlService xmlService)
   at chocolatey.infrastructure.app.builders.ConfigurationBuilder.set_up_configuration(IList`1 args, ChocolateyConfiguration config, Container container, ChocolateyLicense license, Action`1 notifyWarnLoggingAction)
   at chocolatey.console.Program.Main(String[] args)
@ferventcoder
Member

@ohadschn Is this one I asked you to split off from a different issue?

@ohadschn
Author

I don't think so, the only other choco discussion I've ever participated in was the tab completion issue..

@ferventcoder
Member

I ask because you installed Chocolatey to the default location, which is locked down to administrators only.

@ohadschn
Author

ohadschn commented Nov 15, 2016

I just did what the installation page said, namely run this from an elevated PS window:
iwr https://chocolatey.org/install.ps1 -UseBasicParsing | iex

Are you saying that this result is expected, and that I should always run choco install from elevated prompts?

@ferventcoder
Member

The result is expected, and if you install to the default install location, you should always run choco from an elevated prompt.

#1054 is set up to handle this messaging.

@ohadschn
Author

Ah, I see. Perhaps that could be mentioned in the installation page as well?

@ferventcoder
Member

I could almost swear it is, maybe not in all of the sections it should be mentioned in.

Right now, mentioned here in number 1 - https://chocolatey.org/install#non-administrative-install
Mentioned in 1 and 2 here - https://chocolatey.org/security#overall

@ferventcoder
Member

But perhaps put some considerations up prior to the install text so that folks will have had at least the opportunity to scroll past it, even if they don't read it the first time.

@ohadschn
Author

ohadschn commented Nov 15, 2016

Apologies, I never reached those sections, and even if I did I'd stop right after the line that said "This option should be a last resort and is considered to be an advanced scenario" :)

It would be nice if this were mentioned in the vanilla basic installation text (you already have two notes there, maybe add a third), just my 2 cents..

@ferventcoder
Member

👍 agreed. That's why a suggestion to mention it sooner.

@ericnewton76

npm install -g doesn't have this issue, requiring running from elevated prompts all the time

Why not adopt their policy?

@ferventcoder
Member

We are looking at something we can do here. Chocolatey doesn't require admin rights outside of the default installation directory (unless the program being installed requires it).

@ericnewton76

My install was just like the OP, where I followed the installation instructions and ran from an elevated prompt.

I believe it installed to its default folder, the ProgramData folder, right? (I find it odd that it does require elevated privileges in the first place when installed there)

Good to know it's being considered

@obfuscurity

I also experienced this just now.

@ferventcoder
Member

So I'm testing this now for using highestAvailable permissions.

@mihaimetal

C:\PROGRAMS\Far3>chocolatey
This is try 1/3. Retrying after 300 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\config' is denied.
This is try 2/3. Retrying after 400 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\config' is denied.
Maximum tries of 3 reached. Throwing error.
Cannot create directory "C:\ProgramData\chocolatey\config". Error was:
System.UnauthorizedAccessException: Access to the path 'C:\ProgramData\chocolatey\config' is denied.

@air

air commented Mar 10, 2017

Same bad experience here. When I follow https://chocolatey.org/install I see how simple it is and I feel great - a one-line install! I expect choco to work in my next cmd shell, and instead it falls on the floor.

A quick fix needed right now: after Installing Chocolatey add this short section:

Running Chocolatey
Since choco is an admin tool, it must be run from an admin shell. If you run from an unelevated shell, you'll see an access denied error.

@ferventcoder
Member

> A quick fix needed right now

I like this. Not a quick fix per se, but that is how Chocolatey works.

@lslayer

lslayer commented Mar 15, 2017

Here is the simplest workaround:
Give full access rights for yourmachine\Users to folder C:\ProgramData\Chocolatey

@hasanzadegan

Hi, this problem seems to be caused by access rights;
give full access to C:\ProgramData\Chocolatey for the current user.

It works.

@air

air commented Mar 25, 2017

> quick fix

If the website was in the repo I'd make a PR now.

@ferventcoder
Member

@air the website does have a repo, but docs are in a different location.

However, I think you are going to see with 0.10.4 this is unnecessary. It won't run by default unless you are running under elevated context. And we've made some changes to how that file gets written.

@Dnnsmoyo

Dnnsmoyo commented Aug 9, 2017

Run cmd as administrator and try again.

@prateekro

Thanks @lslayer Works like a charm on giving full control for the folder for the current user.

@kierun

kierun commented Oct 3, 2017

I followed the install instruction and fell foul of this as well…

@dipnlik

dipnlik commented Dec 29, 2017

Just had this issue. The install page already has an "Additional Considerations" section. This should definitely include something along the lines of @air's suggestion.

@sproleee

You have to run cmd as administrator, so just right click cmd and run as administrator. Run the command again and it should work.

@nikspatel007

I was trying it in PowerShell and running PowerShell as Administrator worked for me.

@samhocevar

I understand how installing packages requires elevated privileges, but this error also pops up with choco search or even choco -h which are, in terms of observable behaviour, harmless read-only operations. This is inconsistent with all the package managers I am familiar with.

@ferventcoder
Member

@samhocevar you only have to run choco as admin one time to get config set. Then you can go back to non-admin for search and other items.

@PiotrGen

I was able to reasonably resolve it.

Apparently chocolatey tries to write data to this location:

C:\ProgramData\chocolatey

I was able to change its security by extending read & execute rights to full control for all users - I am the only user so no security issue. Make sure to check the inherit option box.

PS. Please keep in mind that I was previously trying multiple options which didn't work. I eventually disabled UAC, and still raised my cmd as admin. It didn't work; I changed directory access rights to full control and then the command

choco install minikube --force

was successful. Not sure if all steps are required, I think full control over the chocolatey dir should be enough.

@sharpninja

sharpninja commented Jul 13, 2020 via email

@techwebdev

You need to run Windows PowerShell with admin access

@ericnewton76

I'm with @sharpninja ... like npm, choco should default to a per user installation as --global and add the all users option as --allusers which would then have the appropriate "administrator" warnings and checks

@christianh814

What's strange is that I'm running into this issue as admin

PS C:\ProgramData\chocolatey> whoami 
whoami 
ec2amaz-r8culvn\administrator
PS C:\ProgramData\chocolatey> C:\ProgramData\chocolatey\choco.exe -y install git
C:\ProgramData\chocolatey\choco.exe -y install git
Chocolatey v0.10.15
This is try 1/3. Retrying after 300 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\choco.exe.old' is denied.
This is try 2/3. Retrying after 400 milliseconds.
 Error converted to warning:
 Access to the path 'C:\ProgramData\chocolatey\choco.exe.old' is denied.
Maximum tries of 3 reached. Throwing error.

@codeperfectplus

It may be due to an antivirus issue.

@sankhaz

sankhaz commented May 16, 2021

just Run as administrator

@samhocevar

> just Run as administrator

It makes no sense to require a privileged account for read-only queries to a non-secret database. Things like this encourage bad user habits.

@vexx32
Member

vexx32 commented May 16, 2021

As I understand it, most things in C:\ProgramData require administrative access. Making an exception to that rule may have security concerns associated with it.

@samhocevar

> As I understand it, most things in C:\ProgramData require administrative access. Making an exception to that rule may have security concerns associated with it.

Where does that understanding come from? According to Microsoft, that location is explicitly for applications to store data for standard users, because it does not require elevated permissions.

@vexx32
Member

vexx32 commented May 16, 2021

Guess I must have been thinking of something else / got the wrong impression from somewhere. Thanks for the doc! 💖

@corbob
Member

corbob commented May 17, 2021

If I were to guess, Chocolatey being in ProgramData is a result of the original development putting it in there at a time when normal users could install with Chocolatey. That was deemed (rightly so) a security concern, and in an effort to not break existing installs, the permissions on the folder were adjusted to only allow Administrators to write to it.

If I understand the overall problem being described here, and why admin is needed the first time: Chocolatey is attempting to read the config that doesn't exist. If the config doesn't exist then it will attempt to write the default config in its place. When you're not running as administrator this is a problem.

A potential solution: Perhaps the install.ps1 script could run a choco -v after it's done installing, and that should (in theory) create the config file and eliminate the error when non-admins try to run non-admin commands.

@sharpninja

> > As I understand it, most things in C:\ProgramData require administrative access. Making an exception to that rule may have security concerns associated with it.
>
> Where does that understanding come from? According to Microsoft, that location is explicitly for applications to store data for standard users, because it does not require elevated permissions.

It most certainly requires elevated privileges to write there, but not to read there. Non admin write privileges should only be assumed to be available in the user profile folder and its children.

@nascentt

As this issue was opened 5 years ago, there's a lot of bad and outdated information here. Yet the issue persists.

Firstly, it's important to note that the non-administrative install guide is very outdated, and is essentially useless. It recommends setting the chocolatey install path to C:\programdata. However, this has been the default install location since 0.9.8.24, so the guide is useless.
0.9.8.24 was released Thursday, July 3, 2014 (2 years before this issue was logged) so telling users to follow the non-administrative install guide is very misleading, and it should be removed from the guide.
The only other info it offers is to only install portable software from the repo. This is especially useless to C4B customers with chocolatey-agent that's supposed to solve the issue of using chocolatey as a standard user.

Secondly, there are people suggesting to change the C:\programdata\chocolatey permissions to be modifiable by all users. This is a security risk and allows anyone to modify processes that execute as admin, and will leave people vulnerable to a privilege escalation attack.

Errors writing to C:\programdata\chocolatey are still common to this day using chocolatey as a standard user. This is especially frustrating if you pay for c4b and use chocolatey-agent as a solution to not providing all users administrative privileges.

At current state, Chocolatey can only be reliably used by administrators (unless you plan to only install portablized software), and the only thing in this thread (modifying access rights to C:\programdata\chocolatey) that somewhat helps, is a security risk.
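
One way to check whether the workaround suggested earlier in the thread (granting Users or the current user full control of C:\ProgramData\chocolatey) has been applied on a machine. This is an added example, not part of the thread or of Chocolatey's own code; the function name Get-RiskyChocolateyAce and the list of trusted SIDs are assumptions to adjust for your environment.

```powershell
# Added example: report ACEs that let non-administrative principals modify
# the Chocolatey install directory. Read-only; it changes no permissions.
function Get-RiskyChocolateyAce {
    [CmdletBinding()]
    param(
        # Default location named in the thread; ChocolateyInstall overrides it if set.
        [string]$Path = $(if ($env:ChocolateyInstall) { $env:ChocolateyInstall }
                          else { 'C:\ProgramData\chocolatey' })
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }

    # Assumption: only these well-known principals should hold write access.
    $trusted = @(
        'S-1-5-32-544',   # BUILTIN\Administrators
        'S-1-5-18',       # NT AUTHORITY\SYSTEM
        'S-1-3-0',        # CREATOR OWNER
        'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464' # TrustedInstaller
    )

    # Any one of these rights is enough to plant or replace files in the tree.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Inheritable ACEs may carry raw GENERIC_ALL (0x10000000) or
    # GENERIC_WRITE (0x40000000) bits instead of the specific rights above.
    $mask = [int]$rights -bor 0x50000000

    # Check the root and its immediate subdirectories (config, lib, bin, ...).
    $targets = @(Get-Item -LiteralPath $Path -Force) +
               @(Get-ChildItem -LiteralPath $Path -Directory -Force)

    foreach ($dir in $targets) {
        $acl   = Get-Acl -LiteralPath $dir.FullName
        # Ask for SIDs so the comparison does not depend on localized account names.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        foreach ($rule in $rules) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if ($trusted -contains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $mask) -eq 0) { continue }

            # Resolve the SID to a name for the report; keep the SID if that fails.
            try   { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $rule.IdentityReference.Value }

            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $name
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

$findings = @(Get-RiskyChocolateyAce)
if ($findings.Count -eq 0) { 'No non-administrative write access found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A named administrator account with its own explicit ACE will also be listed, since the check compares SIDs rather than group membership; review each finding before changing any permissions.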

@komiljonovshohjahon

I fixed it just by running my preferred console as Administrator!
Hope this helps.

@pauby
Member

pauby commented Nov 1, 2021

After going through this issue it's clear there are a couple of issues that we look at fixing in the docs:

The original issue has been resolved by running in an administrator context.

@pauby pauby closed this as completed Nov 1, 2021
@nascentt

nascentt commented Nov 6, 2021

I don't really understand why this was closed. Nothing's been fixed.
This error continues to occur with the latest version of chocolatey.

"resolved by running in an administrator context" is not a suitable solution for us C4B customers that pay money to be able to use chocolatey without administrator accounts.

@TheCakeIsNaOH
Member

@nascentt Perhaps I am misunderstanding, but you are talking about running choco in administrative context by a normal user via the background service provided by Chocolatey Agent? And when running in this way, you are getting access denied error?

@steviecoaster
Contributor

steviecoaster commented Nov 8, 2021

You need to run choco as an admin at least once for operations like creating a package to work such that the default templates can be written the first time. After that things like choco new --file will be able to read those templates and not complain.

If you're using choco in the enterprise, we've locked the C:\ProgramData\chocolatey folder down to folks in the administrators group of the machine to have read/write permissions. This is because things like the lib folder (which chocolatey uses to track what packages it is managing), and the .chocolatey folder (which is where things like registry snapshots and remembered arguments for uninstalls/upgrades live) can have bad consequences to the accuracy of what chocolatey thinks is on the machine if anyone could go in and "play" with things and not know what they are doing.

If you have non-administrative users that need to be able to install/upgrade/uninstall software, this is where the Chocolatey Agent comes into play. By installing the chocolatey-agent package from the licensed feed, or your own feed if you have internalized it, non-admin users of a machine will be able to leverage choco without seeing any errors, because we shift the actual invocation of things to an agent user, which is placed into the Administrators group on the machine in which it is installed. You can control using the background service by setting choco feature enable --name='useBackgroundService', and if you want to set the agent to be invoked for all users, even administrators you can explicitly say choco feature disable --name='useBackgroundServiceWithNonAdministratorsOnly'.

Further to this, there is a backgroundServiceAllowedCommands config item with a default value of install,upgrade, such that non-admin users only have the ability to run those two commands, and any other command will result in an error. Note that this is not additive, so when setting this value in the config you must specify each command you wish for non-admin users to be able to run. E.g.: choco config set backgroundServiceAllowedCommands "install,upgrade,uninstall,pin".

In addition to that configuration you also have the ability to limit Uninstalls to only those that a non-admin user has performed themselves. What I mean by this is that if Bob, who is a non-admin in Engineering, uses choco to install the DWGTrueView application from Chocolatey, he has the ability to remove that application via choco. However, if you as the admin installed that application's package on his system, he would not have the ability to remove it, as he is not the one that installed the package.

We take security pretty seriously here at Chocolatey, so hopefully I've explained why you're seeing these errors, and understand the steps to take to mitigate seeing those errors in the enterprise.

@ghost

ghost commented Nov 11, 2021

I had the same issues with PowerShell. I used the CMD with admin rights and was able to install the choco and related tools.

@Ismailharik

I had the same error
the solution is to open cmd as admin

@chocolatey chocolatey locked as resolved and limited conversation to collaborators Sep 27, 2022