Hyper-V General Access Denied

I recently made a change to a VM that I wanted to roll back but I didn’t have a snapshot.  So I turned the VM off, renamed the old vhd, and copied a recent backup from another machine.  When I went to start the VM I was greeted with an access denied and the following event in the Hyper-V event log:

‘Win7Seqx86’: IDE/ATAPI Account does not have sufficient privilege to open attachment ‘H:\VM\Win7Seqx86\Win7Seqx86.vhd’. Error: ‘General access denied error’ (0x80070005). (Virtual machine ID ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3)


Okay, so it’s a permissions issue.  Poking around the permissions on the files revealed that a specific account with Read/Write permissions was missing:

NT VIRTUAL MACHINE\ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3

Uhm, yeah.  Using Windows Explorer I couldn’t get the name to resolve.  The solution in this case is icacls.exe. (Cacls.exe is deprecated, icacls.exe is the successor).  It should be in your system32 directory:

icacls Win7Seqx86.vhd /grant "nt virtual machine\ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3:(r,w)"

Problem solved. The double-quotes are needed so it sees the entire account name as one string parameter.

Obviously the account name is a GUID so it should be unique for each virtual machine.  Copy it from the event log or use icacls to get the exact string:

icacls Win7Seqx86.vhd


NT VIRTUAL MACHINE\ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3:(R,W)
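
The steps above (take the VM ID from the event, check the file's ACL, grant read/write to that one account) as a PowerShell script. This is an added example, not part of the original post; the `$EventMessage` parameter and the regular expression are assumptions, and it only handles drive-letter paths ending in .vhd, .vhdx or .avhd.

```powershell
# Added example (not from the original post). Run elevated on the Hyper-V host.
param(
    # Event text as logged by Hyper-V; the default is the message quoted in the post.
    [string]$EventMessage = "'Win7Seqx86': IDE/ATAPI Account does not have sufficient privilege to open attachment 'H:\VM\Win7Seqx86\Win7Seqx86.vhd'. Error: 'General access denied error' (0x80070005). (Virtual machine ID ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3)"
)

# Assumed pattern: a drive-letter path to the disk, then the VM GUID.
# \W stands in for the quote character so straight and curly quotes both match.
$pattern = 'open attachment\s+\W(?<path>[A-Za-z]:\\.+?\.a?vhdx?)\W.*' +
           'Virtual machine ID\s+(?<id>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})'
$m = [regex]::Match($EventMessage, $pattern, 'IgnoreCase')
if (-not $m.Success) {
    throw 'Event text is not the "sufficient privilege to open attachment" error.'
}

$vhd     = $m.Groups['path'].Value
$account = 'NT VIRTUAL MACHINE\' + $m.Groups['id'].Value.ToUpper()
if (-not (Test-Path -LiteralPath $vhd)) { throw "Disk not found: $vhd" }

# List the current ACL the same way the post does and look for the per-VM account.
$listing = & icacls.exe $vhd
if ($LASTEXITCODE -ne 0) { throw "icacls could not read the ACL on $vhd" }
if ($listing | Select-String -SimpleMatch $account) {
    Write-Output "$account already has an entry on $vhd; nothing changed."
    return
}

# Grant only read/write, and only to this VM's account, as in the post.
# ${account} is braced so PowerShell does not parse "$account:" as a scoped variable.
& icacls.exe $vhd /grant "${account}:(R,W)"
if ($LASTEXITCODE -ne 0) { throw "icacls /grant failed with exit code $LASTEXITCODE" }

# Show the resulting ACL so the new entry can be reviewed.
& icacls.exe $vhd
```

Granting to the single per-VM account keeps the isolation intact; widening the ACL to a broader group would let other VMs' worker processes open the disk.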

Hyper-V uses per-VM accounts for security isolation, much like the Network Service account.

Cheers