AdGuardHome Windows edge version [Unknown error: Access is denied. (0x80070005)] #7400

Open
4 tasks done
pekkle-hksar opened this issue Nov 3, 2024 · 45 comments
@pekkle-hksar

pekkle-hksar commented Nov 3, 2024

NOTE: For most relevant workaround see the comment.

Prerequisites

Platform (OS and CPU architecture)

Windows, AMD64 (aka x86_64)

Installation

GitHub releases or script from README

Setup

On one machine

AdGuard Home version

v0.108.0-a.977+1d2026bf

Action

Run "AdGuardHome.exe" in a command prompt with admin rights

Expected result

start AdGuardHome properly

Actual result

Error message shown "Unknown error: Access is denied. (0x80070005)"

Additional information and/or screenshots

It seems the latest edge release on Windows has a problem.
I fell back to the previous version by removing the whole folder and unzipping the previous edge version (Version: v0.108.0-a.975+e529d29e), and AdGuardHome could start properly.

@bestpika

bestpika commented Nov 3, 2024

I discovered that the latest edge version modifies the access rights of the entire folder, which is the main cause of this issue.

This is the permission for a regular folder.
image

These are the folder permissions after the update is complete.
image

@pekkle-hksar
Author

pekkle-hksar commented Nov 3, 2024 via email

@bestpika

bestpika commented Nov 3, 2024

I found that this issue is significantly related to #7314. Moreover, based on the current folder permissions, the service should not be able to start normally after rebooting because the SYSTEM permissions have been removed.

@simpleandstupid

It happened on my device as well.

@EugeneOne1
Member

@pekkle-hksar, hello and apologies for the delayed response. It's definitely related to the issue @bestpika mentioned, and we've already pushed the new edge release that should avoid this behavior. Could you please try updating to it? Note that it indeed changes the permissions of the files in the working directory due to security concerns. I strongly recommend that you back up the directory before updating AdGuard Home.

AFAIK, the problem only appears after an update, so I believe it could be fixed by giving full access rights to AdGuardHome.exe to the Administrators group (the owner). In fact, AdGuard Home expects to be run by an administrator user with its rights, so any other scenario is now considered unsafe.

@bestpika

bestpika commented Nov 7, 2024

@EugeneOne1 The problem still exists, and there is an issue with the permission design.

  1. The SYSTEM should have full permissions.
  2. You should not assign permissions to a specific user, but rather to the Administrators group.

@StoneOfStones

When starting service it now says access denied.
Windows 11

@EugeneOne1
Member

@bestpika, how do you install the AdGuard Home service? Are you using PowerShell running with Administrator privileges? If so, could you please show the result of the following command:

([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

If not, could you please provide a detailed description of the process? Also, which security identifier corresponds to the "SYSTEM"? Is it listed in this resource?

@StoneOfStones, what permissions are assigned to the file AdGuardHome.exe?

@Eyeborgs

Eyeborgs commented Nov 8, 2024

After the update to v0.107.54, I also encountered an access error, and the service could not function. I had to manually add all the accounts according to the standard and uncheck those boxes in each one, as shown in the photo.

image

@StoneOfStones

@StoneOfStones, what permissions are assigned to the file AdGuardHome.exe?

@EugeneOne1 don't know.

I fixed it with:

  1. Renamed the folder to AdGuardHomeOld.
  2. Created a new folder and named it AdGuardHome; it creates the folder with default permissions.
  3. Copied the contents of AdGuardHomeOld to AdGuardHome.
  4. Downloaded version v0.107.53 and extracted the exe to AdGuardHome.
  5. Changed the permissions of the files/folders of AdGuardHome with this instruction, except step 6; if option 7 is not present, click Change permissions.
  6. Started the service as usual and it is now fixed.

I don't want to update to a new version just to break it again.

@c15412

c15412 commented Nov 9, 2024

If not, could you please provide a detailed description of the process? Also, which security identifier corresponds to the "SYSTEM"? Is it listed in this resource?

Services on a Windows system run with SYSTEM permissions, so SYSTEM permissions must be kept.

@pekkle-hksar
Author

@pekkle-hksar, hello and apologies for the delayed response. It's definitely related to the issue @bestpika mentioned, and we've already pushed the new edge release that should avoid this behavior. Could you please try updating to it? Note that it indeed changes the permissions of the files in the working directory due to security concerns. I strongly recommend that you back up the directory before updating AdGuard Home.

AFAIK, the problem only appears after an update, so I believe it could be fixed by giving full access rights to AdGuardHome.exe to the Administrators group (the owner). In fact, AdGuard Home expects to be run by an administrator user with its rights, so any other scenario is now considered unsafe.

Same as others, it's not working... after updating to the new version, access will be denied.
It's because of wrong permission settings of adguardhome.exe and the data folder, too.

@avatartw

avatartw commented Nov 9, 2024

which security identifier corresponds to the "SYSTEM"? Is it listed in this resource?

SECURITY_LOCAL_SYSTEM_RID
String value: S-1-5-18

https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers
SID: S-1-5-18
Display name: System (or LocalSystem)
An identity that's used locally by the operating system and by services that are configured to sign in as LocalSystem. System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token. When a process that's running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.

WELL_KNOWN_SID_TYPE enumeration
WinLocalSystemSid = 22
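
The check that commenters in this thread perform by hand in the Security tab, written as a read-only PowerShell audit; this is an added example, not AdGuard Home's own code and not part of the comment above. It matches on the well-known SIDs S-1-5-18 (SYSTEM) and S-1-5-32-544 (built-in Administrators) so it works on any display language; the path is a placeholder, and it looks only at ACEs that name those two SIDs directly, not at effective access gained through other groups.

```powershell
# Added example (not AdGuard Home code): read-only ACL audit of the working directory.
# $WorkDir is a placeholder; point it at the real install path.
param(
    [string]$WorkDir = 'C:\Path\to\AdGuardHome'
)

# Well-known SIDs do not depend on the Windows display language,
# unlike names such as "SYSTEM" or "Administrators".
$required = [ordered]@{
    'S-1-5-18'     = 'SYSTEM (LocalSystem)'
    'S-1-5-32-544' = 'BUILTIN\Administrators'
}
$sidType     = [System.Security.Principal.SecurityIdentifier]
$fullControl = [int][System.Security.AccessControl.FileSystemRights]::FullControl
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-AclFinding {
    param([string]$Path)

    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    }
    catch {
        # A stripped ACL can deny even reading the security descriptor.
        return [pscustomobject]@{
            Path = $Path; Owner = '?'; Principal = '*'
            Problem = "ACL unreadable: $($_.Exception.Message)"
        }
    }

    $owner = $acl.GetOwner($sidType).Value
    # Explicit and inherited ACEs, identities returned as SIDs. Inherit-only
    # ACEs apply to children, not to this object, so they are skipped.
    $rules = $acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { ([int]$_.PropagationFlags -band $inheritOnly) -eq 0 }

    foreach ($sid in $required.Keys) {
        $mine  = @($rules | Where-Object { $_.IdentityReference.Value -eq $sid })
        $allow = @($mine | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ([int]$_.FileSystemRights -band $fullControl) -eq $fullControl
        })
        $deny  = @($mine | Where-Object { $_.AccessControlType -eq 'Deny' })

        $problem = $null
        if ($deny.Count -gt 0) { $problem = 'Deny ACE present' }
        elseif ($allow.Count -eq 0) { $problem = 'No Full Control ACE' }

        if ($problem) {
            [pscustomobject]@{
                Path = $Path; Owner = $owner
                Principal = $required[$sid]; Problem = $problem
            }
        }
    }
}

# The directory itself plus everything under it, hidden items included.
$items = @(Get-Item -LiteralPath $WorkDir -Force) +
         @(Get-ChildItem -LiteralPath $WorkDir -Recurse -Force)
$items | ForEach-Object { Get-AclFinding -Path $_.FullName } |
    Format-Table -AutoSize -Wrap
```

An empty result means both principals have Full Control on every item; the Owner column shows the owner's SID for each finding.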

@wrt97vedm2bpm5cefa2po4t

I have the same problem. It is really frustrating. 😣

@EugeneOne1
Member

Hello again everyone! Unfortunately we can't reproduce the problem on our test machines. I suspect it's due to differences in the behaviour of different versions of Windows. Could you all please provide some common information:

  • Which version of Windows you are using, e.g. Windows 10 Pro version 22H2 19045.5011 (Windows Feature Experience Pack 1000.19060.1000.0); it's usually located under Start → Settings → System → About.
  • How exactly was AdGuard Home installed as a service? Did you use a custom API (.\AdGuardHome -s install)?
  • What command-line tool are you using and what privileges does it have?

As a temporary workaround for anyone facing this problem, the @Eyeborgs's comment should prevent any further permission issues. It will generate a security warning in the log on every reboot and update, but that's not critical.

@simpleandstupid

Hello again everyone! Unfortunately we can't reproduce the problem on our test machines. I suspect it's due to differences in the behaviour of different versions of Windows. Could you all please provide some common information:

  • Which version of Windows you are using, e.g. Windows 10 Pro version 22H2 19045.5011 (Windows Feature Experience Pack 1000.19060.1000.0); it's usually located under Start → Settings → System → About.
  • How exactly was AdGuard Home installed as a service? Did you use a custom API (.\AdGuardHome -s install)?
  • What command-line tool are you using and what privileges does it have?

As a temporary workaround for anyone facing this problem, the @Eyeborgs's comment should prevent any further permission issues. It will generate a security warning in the log on every reboot and update, but that's not critical.

Edition: Windows 11 Home (Chinese edition)
Version: 24H2
Installed on: 2024/10/31
OS build: 26100.2161
Experience: Windows Feature Experience Pack 1000.26100.32.0

I installed the service using .\AdGuardHome -s install. The command-line tool is PowerShell (Windows Terminal); the behavior is the same whether it is launched directly or with "Run as administrator" (Access is denied.).

@silenceleaf

silenceleaf commented Nov 11, 2024

My OS version is Windows Server 2025. Even in the latest release, after executing AdGuard Home, the folder permission is reset to "none". I guess Server 2025 has the same behavior as Windows 11 24H2.

@88keyz

88keyz commented Nov 11, 2024

My temp workaround is to start AdGuardHome with the following batch file instead of starting it as a Windows service.

Change both instances of C:\Path\to\AdGuardHome to your AGH install path and then save the batch file to your Start-up folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).

It works by adding a short delay after starting the AdGuardHome executable and then resetting the folder permissions to NTFS defaults.

@set @_cmd=1 /*
@echo off
setlocal EnableExtensions
title AdGuardHome

whoami /groups | findstr "S-1-16-12288" >nul && goto :admin
if "%~1"=="RunAsAdmin" goto :error

echo Requesting privileges elevation for managing the AdGuardHome service . . .
cscript /nologo /e:javascript "%~f0" || goto :error
exit /b

:error
echo.
echo Error: Administrator privileges elevation failed,
echo        please manually run this script as administrator.
echo.
goto :end

:admin
pushd "C:\Path\to\AdGuardHome"
AdGuardHome.exe -s start
ping /n 5 /w 10000 localhost >nul
icacls "C:\Path\to\AdGuardHome" /reset /T /C /L
popd
echo.
echo Thank you for using AdGuardHome!

:end
exit /b */

// JScript, restart batch script as administrator
var objShell = WScript.CreateObject('Shell.Application');
var ComSpec = WScript.CreateObject('WScript.Shell').ExpandEnvironmentStrings('%ComSpec%');
objShell.ShellExecute(ComSpec, '/c ""' + WScript.ScriptFullName + '" RunAsAdmin"', '', 'runas', 1);

@pekkle-hksar
Author

pekkle-hksar commented Nov 11, 2024 via email

@micceo

micceo commented Nov 12, 2024

Temporary solution until AdGuard stops mucking around with permissions.
Create a local user account which is not a member of the Administrator group, that is, a normal user. Uncheck that the user needs to change password, and check Password never exp and Can't change password.
Change the login account for the AdGuard service to use this (you get a popup that the account has been granted Login as service).
Change the permission on the folder so that Authenticated Users or Users have Change (not Full).

Edit: This is a nice way of increasing the security too, because AdGuard is no longer running with SYSTEM (lots of permission) instead with normal user permissions.

@THEBOSS619

THEBOSS619 commented Nov 12, 2024

Same problems, same issues for both Edge & Beta. I'm back to using the edge/beta version from before all these permission issues happened. Here's the file, from before the day all these permission issues happened, if anyone is interested.
AdGuardHome.zip

The version in the zip file is this:
image

@ImmortalD

Actually, this is generally not done on Windows. This kind of practice is more suitable for Linux. Therefore, is it possible to disable this permission check on Windows?

@M0n7y5

M0n7y5 commented Nov 15, 2024

This issue currently broke internet connections on all windows machines where I installed AGH as service.
Some workaround would be nice.

@Uj947nXmRqV2nRaWshKtHzTvckUUpD

Uj947nXmRqV2nRaWshKtHzTvckUUpD commented Nov 15, 2024

This issue currently broke internet connections on all windows machines where I installed AGH as service. Some workaround would be nice.

yes.. what a mess.. what i did was to completely remove it and reinstall the latest beta from github. works fine now without having to mess with permissions. you can either backup the yaml config file and restore it or just set it up from scratch which is faster

@junyan-zhang

This issue currently broke internet connections on all windows machines where I installed AGH as service. Some workaround would be nice.

yes.. what a mess.. what i did was to completely remove it and reinstall the latest beta from github. works fine now without having to mess with permissions. you can either backup the yaml config file and restore it or just set it up from scratch which is faster

did you try restart? It will fail to restart I think

@simpleandstupid

This issue currently broke internet connections on all windows machines where I installed AGH as service. Some workaround would be nice.

yes.. what a mess.. what i did was to completely remove it and reinstall the latest beta from github. works fine now without having to mess with permissions. you can either backup the yaml config file and restore it or just set it up from scratch which is faster

did you try restart? It will fail to restart I think

The latest edge version is problematic, but the beta version is normal. What he should mean is that it will be normal after going back to the beta version.

@1aTa

1aTa commented Nov 16, 2024

Beta v0.108.0-b.60 doesn't resolve the issue.

You have to change file and folder permissions every time AGH is restarted to workaround the problem.

@Uj947nXmRqV2nRaWshKtHzTvckUUpD

did you reinstall from scratch? for me only by reinstalling from scratch, worked

@1aTa

1aTa commented Nov 16, 2024

I did yeah, but I used a copy of my existing yaml configuration file.

Are you saying there's something in the configuration which is causing the broken permissions to be applied at startup of the latest beta?

@Uj947nXmRqV2nRaWshKtHzTvckUUpD

the configuration yaml also had missing permissions in my case (as a matter of fact the whole installation folder and its contents have). you may copy paste the yaml content to restore it to your installation after granting yourself access to the file (you should be able to open the yaml file in an editor)

@1aTa

1aTa commented Nov 17, 2024

Yep I did that and the beta behaved in exactly the same way as the stable with the broken file and folder permissions applied at startup.

@M0n7y5

M0n7y5 commented Nov 18, 2024

I can confirm too that latest beta in fact did not fix anything.

@pekkle-hksar
Author

pekkle-hksar commented Nov 18, 2024 via email

@EugeneOne1
Member

EugeneOne1 commented Nov 18, 2024

Hello again everyone! We apologise for not releasing a fix for this issue for a long time and are currently working on it. As far as we can see, the most common problem is the "access denied" error due to insufficient permissions. The main workaround at the moment is to manually reset the permissions via the file properties. For each file in the working directory, do the following:

  • Go to "Properties" → "Security" → "Advanced".
  • If the file is owned by the "Administrator" account, give this account "Full Access". If the file is owned by another account, e.g. "SYSTEM", give it "Full access".
    Note that AdGuard Home uses the permissions of the configuration file to determine whether they should be changed, so if the permissions have changed after startup, it's possible that this particular version of Windows (the Services subsystem) expects a different owner for the file, which should also be changed.

We'd really appreciate any detailed feedback on this workaround. If it works or if the error has changed.

Downgrading to v0.107.53 (v0.108.0-b.58) should help anyway, so those are currently considered stable for Windows users.

@junyan-zhang

Hello again everyone! We apologise for not releasing a fix for this issue for a long time and are currently working on it. As far as we can see, the most common problem is the "access denied" error due to insufficient permissions. The main workaround at the moment is to manually reset the permissions via the file properties. For each file in the working directory, do the following:

  • Go to "Properties" → "Security" → "Advanced".
  • If the file is owned by the "Administrator" account, give this account "Full Access". If the file is owned by another account, e.g. "SYSTEM", give it "Full access".
    Note that AdGuard Home uses the permissions of the configuration file to determine whether they should be changed, so if the permissions have changed after startup, it's possible that this particular version of Windows (the Services subsystem) expects a different owner for the file, which should also be changed.

We'd really appreciate any detailed feedback on this workaround. If it works or if the error has changed.

Does this mean that, until a further fix is issued, it is not recommended to run AdGuard Home as a "Windows Service"?

@EugeneOne1
Member

@junyan-zhang, well, it's indeed true, because the Service subsystem seems to use some opaque permissions logic, as opposed to straightforward PowerShell with Administrator rights.

@Eyeborgs

A stable urgent update is needed that disables permission changes in the Windows system as it was before. However, for those who want changes, an option to add a launch parameter should be included, for example, "./AdGuardHome -s install --privilege"
It's just that the situation is such that I have helped many friends, as I described here: comment, because without assistance, their AdGuardHome would simply stop working as a service, and I consider this a serious matter

@okastl

okastl commented Nov 18, 2024

A stable urgent update is needed that disables permission changes in the Windows system as it was before.

I agree. I don't like the idea of an application changing folder permissions and ownership without my consent.

@xiao-mantou

I am on the stable release, and I got the same issue.

adguard pushed a commit that referenced this issue Nov 22, 2024
Updates #7400.

Squashed commit of the following:

commit f6508d3
Merge: aa71196 d96e65c
Author: Eugene Burkov <[email protected]>
Date:   Fri Nov 22 15:43:27 2024 +0300

    Merge branch 'master' into 7400-disable-perm

commit aa71196
Author: Eugene Burkov <[email protected]>
Date:   Wed Nov 20 16:51:37 2024 +0300

    next: add flag

commit c16b909
Author: Eugene Burkov <[email protected]>
Date:   Wed Nov 20 16:42:47 2024 +0300

    home: fix help

commit 2e096c0
Author: Eugene Burkov <[email protected]>
Date:   Wed Nov 20 16:37:30 2024 +0300

    all: imp code, log changes

commit 3685988
Author: Eugene Burkov <[email protected]>
Date:   Wed Nov 20 16:12:18 2024 +0300

    home: add permcheck option

@EugeneOne1
Member

Hello again everyone. We're still working on a better solution to the original security issue, but we've just released the edge build which adds a command line option to disable the whole permission checking feature. Here is how to use it:

  • Make a backup of the working directory.
  • If you already have AdGuard Home installed as a service, it should be uninstalled:
    .\AdGuardHome -s uninstall
  • Then update the binary to the latest edge. If you're using the edge channel, you can use the command line update:
    .\AdGuardHome --update
  • Re-install AdGuard Home as a service with the `--no-permcheck` option specified:
    .\AdGuardHome -s install --no-permcheck

Any feedback is still welcome. Note that it's not yet in beta channel. We'll release a fixed version as soon as possible.

@Eyeborgs

@EugeneOne1
That's certainly good, but I would prefer that permcheck is not applied by default.
For those who want to use permcheck, they can add the option .\AdGuardHome -s install --permcheck.

@okastl

okastl commented Nov 22, 2024

@EugeneOne1 That's certainly good, but I would prefer that permcheck is not applied by default. For those who want to use permcheck, they can add the option .\AdGuardHome -s install --permcheck.

100% agree

@1aTa

1aTa commented Nov 22, 2024

Also agree with this.

@pekkle-hksar
Author

pekkle-hksar commented Nov 22, 2024 via email

@xiao-mantou

Hello again everyone! We apologise for not releasing a fix for this issue for a long time and are currently working on it. As far as we can see, the most common problem is the "access denied" error due to insufficient permissions. The main workaround at the moment is to manually reset the permissions via the file properties. For each file in the working directory, do the following:

  • Go to "Properties" → "Security" → "Advanced".
  • If the file is owned by the "Administrator" account, give this account "Full Access". If the file is owned by another account, e.g. "SYSTEM", give it "Full access".
    Note that AdGuard Home uses the permissions of the configuration file to determine whether they should be changed, so if the permissions have changed after startup, it's possible that this particular version of Windows (the Services subsystem) expects a different owner for the file, which should also be changed.

We'd really appreciate any detailed feedback on this workaround. If it works or if the error has changed.

Does this mean that, until a further fix is issued, it is not recommended to run AdGuard Home as a "Windows Service"?

Wow, in the stable release, it's happening even when it's not running as a service. I just tried the edge build, seems fine with --no-permcheck.
