Windows Subsystem for Linux: Error 0x80070005 (Access Denied)

So you’re trying to automate Windows Subsystem for Linux.

(i’m sorry) – it goes without saying that this is super beta software. expect pain and rough edges. if you have alternatives, explore them until this is a more well-cooked shippable thingy.

Maybe things are going well though. You’ve got a script that can execute under a user to actually get it instantiated via

lxrun /install /y

 and it succeeds!

Now you have another problem though. You can’t just log in via SSH or PowerShell Remoting and invoke


… boo! You get returned 0x80070005 unless you’re totally interactive on the local Desktop with a local user.

That’s not cool though, we want to reach these things remotely and invoke things in an automation-friendly way. As it turns out, there are a couple of things preventing you from achieving this. Primarily:

  • Local launch and activation permissions on the Linux Subsystem / LXSS (as it’s referenced internally) DCOM configuration object.
  • Registry permissions which prevent you from modifying the above.

Let’s start with the registry permissions which are required to touch the items of the first bullet.

  1. Open

     as an Administrator

  2. Traverse into:
    2. Right-click on


    3. Open Permissions > Advanced > Change link to modify Owner
      1. Change to “Administrators”, check “Replace owner on subcontainers and objects”
      2. Give “Full Control” to Administrators group
  3. Go back and dig into:
    1. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\
    2. Complete the same steps as above, instead modifying this folder:
      1. {e82567ae-2ea4-4dbc-bc68-8b0a0526d8d5}

Now for the DCOM configuration, open Component Services from the start menu.

  1. Expand into Component Services > Computers > My Computer > DCOM Config, and set list view as shown in the screenshot:
  2. No, this list is not searchable. You can quickly jump down the index if you have fast fingers and can start typing the GUID that corresponds to the AppID we want to change, 

    . Right click and open Properties, at which point you should be able to “Edit” the Launch and Activation Permissions. If these are gray, you need to go back to the earlier steps and ensure you followed them properly. This is what those permissions adjustments allow us to do.

  3. “Add” Administrators to the security ACL table, and select Local Launch and Local Activation for this group. I opted for Administrators rather than a specific user so that scripting this it can be agnostic of any specific user configuration, and also retain some form of secure design by only allowing those who are already in the Administrators group to be able to touch these perms, and also invoke the LXSS components. This is important because there are serious security implications when inside the LXSS environment where most permissions don’t apply and you can break stuff really fast.
  4. Done!


Now that you’ve completed these steps, you should immediately be able to use Windows Subsystem for Linux in places previously not accessible, such as Win32-OpenSSH.

There’s a good chance your edits could be reverted if an update occurs that touches or otherwise lays down new configuration on top of what you previously modified. It’s a good idea to script this and perhaps run it through Ansible or a scheduled task (yuck) periodically. I’ve done some work to discover the PowerShell necessary to modify these ACLs, and will update this post soon or perhaps create a new one when it’s ready.

For now, you can find that bleeding edge hackery in my Gists.



19 thoughts on “Windows Subsystem for Linux: Error 0x80070005 (Access Denied)

  1. Comments welcome on improvement, typos, or wishlist stuff. I’ll either do a write-up on installing and configuring Win32-OpenSSH in an automated way to complete the whole loop next, or on the advanced ACL configuration stuff.

    Also yeah the in-line code is totally broken and looks like dookie. Need a new theme or something.

  2. Tried checking your gists for the Powershell necessary to accomplish the ACL mods but didn’t find it. Mind adding a gist for it?

  3. Hey thanks for posting, having exactly this issue.

    Able to modify the permissions as described.

    Was still receiving the error until realized that the ssh account must also be added to ‘Administrators’ group. 🙂

    Including for anyone else who forgot the most obvious part of this capable workaround.

    Thanks again.

  4. Great post, really helped me out. I wonder if you know a way to automate the install of the new Windows-Store WSL distributions? It doesn’t seem to have a /y switch and I wasn’t able to get past the creation of the user.

  5. I can open BASH now, from the OpenSSH server beta on windows 10.

    However now, instead of 80070005, I get the Bash prompt and no echo when I type. Nothing seems to respond, I have to ‘X’ out of the window.

    1. Is that using the OpenSSH-Win64 project to get sshd, or something else? Just curious if it uses the same tech as what I put together.

      1. Hi,

        I have the same problem as D after applying your fix; bash executes without error, but then it doesn’t respond and I need to Ctrl+C to exit.

        I’m using OpenSSH-Win64 and Debian distro which just released on the MS Store last week.

  6. Been having same error trying to “Launch” new Linux from Store.
    Tried this fix but still same error occurs with launch.
    If I run the Launch as “elevated” I should be able to get around this but was hoping with this fix that wouldn’t be the case anymore.
    Anything else I can try?

    1. Hey Chris,

      The instructions I listed are for what they now call the “legacy” deployment, and not the UWP/Windows Store distributions. I don’t trust windows store apps to be functional 😐

  7. Since your instructions don’t work for installations of Linux from the store, do you know if there’s a way to do a legacy deployment? I tried typing “lxrun /install” and one of the first things it said was “Downloading from the Windows Store…”

    1. The lxrun tool is a little misleading. Downloading from the windows store is normally expected output from this. I was referring to the incompatibility with the new distribution method which is through the UI of the Windows Store app.

Leave a Reply

Your email address will not be published. Required fields are marked *