I recently made a change to a VM that I wanted to roll back but I didn’t have a snapshot. So I turned the VM off, renamed the old vhd, and copied a recent backup from another machine. When I went to start the VM I was greeted with an access denied and the following event in the Hyper-V event log:
‘Win7Seqx86’: IDE/ATAPI Account does not have sufficient privilege to open attachment ‘H:\VM\Win7Seqx86\Win7Seqx86.vhd’. Error: ‘General access denied error’ (0x80070005). (Virtual machine ID ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3)
Okay, so it’s a permissions issue. Poking around the permissions on the files revealed that a specific account with Read/Write permissions was missing:
NT VIRTUAL MACHINE\ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3
Uhm, yeah. Using Windows Explorer I couldn’t get the name to resolve. The solution in this case is icacls.exe. (Cacls.exe is deprecated, icacls.exe is the successor). It should be in your system32 directory:
icacls Win7Seqx86.vhd /grant "nt virtual machine\ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3:(r,w)"
Problem solved. The double-quotes are needed because the account name contains spaces; without them the shell would split it and icacls would not see the whole account:rights string as one parameter.
The account name is the VM's ID (a GUID), so it is unique to each virtual machine. Copy it from the event log entry, or run icacls with no switches against a VHD that still works (icacls <file>) to see the exact string it prints:
NT VIRTUAL MACHINE\ECA0BD63-76CE-4C5E-96AB-44F0D635CBB3:(R,W)
Hyper-V runs each VM's worker process under a per-VM virtual account, shown as NT VIRTUAL MACHINE\<VM ID>, so a VM can only open files that have been explicitly ACLed to it; the idea is the same as running a service as Network Service instead of as the logged-on user. That account is not a real user in the SAM or in Active Directory, which is why Explorer could not resolve the name. It also explains the failure here: the ACE lived on the old VHD file, and the copied-in replacement never had it.
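The manual steps above (read the VM ID, check the VHD's ACL, grant the per-VM account Read/Write with icacls) as an added PowerShell example; this is not the post's own script. It assumes the Hyper-V PowerShell module (Get-VM, Get-VMHardDiskDrive, Windows 8 / Server 2012 and later, so not the Hyper-V release the post was written against), an elevated prompt, and that the per-VM SID is S-1-5-83-1-<VM GUID as four little-endian 32-bit values>, which is used only to recognise an existing ACE even when the name does not resolve.

```powershell
# Added example, not from the original post. Assumes the Hyper-V PowerShell module
# (Get-VM / Get-VMHardDiskDrive) and an elevated prompt.
param(
    [Parameter(Mandatory)][string]$VMName
)

function Get-VMAccountSid {
    # Assumed derivation: the per-VM virtual account SID is
    # S-1-5-83-1-<VM GUID split into four little-endian 32-bit values>.
    param([Guid]$VMId)
    $bytes = $VMId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    New-Object System.Security.Principal.SecurityIdentifier ("S-1-5-83-1-" + ($parts -join '-'))
}

function Get-AceSid {
    # Normalise an ACE's IdentityReference to a SID so comparison works even when the
    # 'NT VIRTUAL MACHINE\<GUID>' name cannot be resolved (as Explorer failed to do in the post).
    param($Ace)
    $id = $Ace.IdentityReference
    if ($id -is [System.Security.Principal.SecurityIdentifier]) { return $id }
    try { return $id.Translate([System.Security.Principal.SecurityIdentifier]) } catch { return $null }
}

# 1. Resolve the VM ID: this GUID is the one in the event log and in the account name.
$vm      = Get-VM -Name $VMName -ErrorAction Stop
$account = "NT VIRTUAL MACHINE\$($vm.Id)"
$vmSid   = Get-VMAccountSid -VMId $vm.Id
Write-Host "VM '$VMName' runs as $account ($vmSid)"

# 2. For every disk attached to the VM, check whether the per-VM account already has an ACE.
foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
    $path = $disk.Path
    $acl  = Get-Acl -Path $path
    $ace  = $acl.Access | Where-Object { (Get-AceSid $_) -eq $vmSid }
    if ($ace) {
        Write-Host "OK  $path already grants $($ace.FileSystemRights) to $account"
        continue
    }
    # 3. No ACE: grant Read and Write, the same rights the manual icacls command in the post grants.
    Write-Host "FIX $path has no ACE for $account; granting (R,W)"
    & icacls.exe $path /grant "${account}:(R,W)"
    if ($LASTEXITCODE -ne 0) { throw "icacls failed on $path (exit code $LASTEXITCODE)" }
}
```

Run it as `.\Fix-VMDiskAcl.ps1 -VMName Win7Seqx86` (file name is an assumption) after replacing a VHD and before starting the VM. The SID comparison rather than a name comparison is deliberate: the account name only resolves on a host where the Hyper-V LSA plugin is registered, while the SID is stable and is what the ACE actually stores.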