If you overwrite or otherwise reset permissions in a Microsoft Hyper-V folder you will lose hidden permissions granted to logical virtual machine accounts named “NT VIRTUAL MACHINE\<VM GUID>”. This will cause all virtual machines to fail when started with access denied messages, even if SYSTEM has full access to the directory structure.
Unlike the special accounts created for other application services such as IIS application pools (e.g. IIS_APPPOOL\<Site Name>” the VM accounts are not configurable in the permissions dialogs, even if you type them in directly without trying to find them. So the only way to restore the permissions is to use a low-level ACL editor command such as ICACLS.
However that can be quite complex because you may have many virtual machines and working directly with GUIDs is difficult. So here are a couple of commands which will automatically enumerate and reset permissions to get your Hyper-V machines able to run again quickly:
- Open a command prompt run as administrator.
- CD “<Hyper-V VM Path>” e.g. CD “C:\Hyper-V\Virtual Machines”
- FOR /F %I (‘DIR /A:D /B’) DO ICACLS %I /GRANT “NT VIRTUAL MACHINE\%I”:(OI)(CI)(F) /T
- FOR /F %I (‘DIR /A:D /B’) DO ICACLS %I.XML /GRANT “NT VIRTUAL MACHINE\%I”:(F) /T
- FOR /F %I (‘DIR /A:D /B’) DO ICACLS “<Virtual Hard Disks Path>” /GRANT “NT VIRTUAL MACHINE\%I”:(OI)(CI)(F) /T
e.g. FOR /F %I (‘DIR /A:D /B’) DO ICACLS “..\Virtual Hard Disks” /GRANT “NT VIRTUAL MACHINE\%I”:(OI)(CI)(F)
- Exit command prompt and start your VMs with the Hyper-V manager.
Although it’s good to see increased security and the use of logical VM identities as with IIS, there needs to be more support in the Hyper-V manager to apply these permissions via the GUI. For the average user it just looks like Hyper-V became unable to run any virtual machines. They also need to be clearly visible and searchable in the standard permissions GUIs of Windows Explorer.