Hyper-V Could Not Initialize – Could Not Create or Access Saved State File

As part of my relaxing holiday, I spent a fair bit of time upgrading the hardware in my lab and installing Windows Server 2012 R2 onto all of my Hyper-V hosts.  I then went through and pruned out some old test VMs and made sure the ones I had left were still relevant.

After I did the upgrade to 2012 R2 and powered on some machines that had been dormant for a few months, actually quite a few months (years in some cases), I got some errors when powering some machines on.

Update 30-4-2014: Added clarification that icacls.exe should be executed in cmd prompt session and not PowerShell.

The KB article “Hyper-V virtual machine may not start, and you receive a ‘General access denied error’ (0x80070005) error message” covers the scenario of missing permissions to .vhd files.  I saw a similar thing but with the .vsv and .bin files.  On a side note, you may or may not see the pre-created .bin file with newer Hyper-V versions.  Back to the issue, what was going on?

The symptoms that I observed were that:

  • The VM would import successfully
  • Powering on would result in an error  – could not create or access saved state file
  • Error 3080 was logged into the Hyper-V Worker event log

An example of the error is shown below:

PS C:\> Start-VM Typhoon

Start-VM : 'Typhoon' could not initialize. (Virtual machine ID 5BEF5A39-069D-4887-8688-8D80A505A88C)
'Typhoon' could not create or access saved state file E:\Configs\Typhoon\Typhoon\Virtual
Machines\5BEF5A39-069D-4887-8688-8D80A505A88C\5BEF5A39-069D-4887-8688-8D80A505A88C.vsv. (Virtual machine ID 5BEF5A39-069D-4887-8688-8D80A505A88C)
You do not have permission to perform the operation. Contact your administrator if you believe you should have permission to perform this operation.
At line:1 char:1
+ Start-VM Typhoon
+ ~~~~~~~~~~~~~~~~
     + CategoryInfo          : PermissionDenied: (Microsoft.HyperV.PowerShell.VMTask:VMTask) [Start-VM], Virtualization
     + FullyQualifiedErrorId : AccessDenied,Microsoft.HyperV.PowerShell.Commands.StartVMCommand

Hyper-V Could Not Create Or Access Saved State File EventID 3080

Fortunately this was quick to fix, along the same line as the aforementioned KB.

Service SID

Before we dive in and correct the issue, one thing worth mentioning is the underlying Windows feature that Hyper-V uses: the per-service security identifier (SID).  Windows Server 2008 introduced the concept of the service SID to further strengthen Windows services and to provide even more granularity when applying permissions.  You can read more about them on the askperf blog.  The service SID for a Hyper-V VM is made up of two parts: the identifier NT VIRTUAL MACHINE and then the GUID of the VM.  For example:

NT VIRTUAL MACHINE\5BEF5A39-069D-4887-8688-8D80A505A88C

This is the security context that is used to access the various files that make up the VM.  The VM Worker Process will leverage this to work with the files.  To see this we can open up Task Manager and, on the Details tab, see the GUID listed in the user name field:

Windows Server 2012 R2 Task Manager Showing Service SID


Granting Permissions To The Service SID

We will use ICacls.exe to add an ACE for the service SID to the .bin and .vsv files.

We need to know the service SID, so take the GUID of the VM and add that to “NT VIRTUAL MACHINE\”.  Note that there is a backslash between the two.  This in essence becomes the user name that will be granted the permissions:

Example:  NT VIRTUAL MACHINE\5BEF5A39-069D-4887-8688-8D80A505A88C

Based off the error message we know that we need to add permissions to the .bin and .vsv files.   The syntax used was:

ICacls.exe 5BEF5A39-069D-4887-8688-8D80A505A88C.bin /grant "NT VIRTUAL MACHINE\5BEF5A39-069D-4887-8688-8D80A505A88C":(F)

ICacls.exe 5BEF5A39-069D-4887-8688-8D80A505A88C.vsv /grant "NT VIRTUAL MACHINE\5BEF5A39-069D-4887-8688-8D80A505A88C":(F)

Note that the above lines will wrap, and that they are a sample.  You will need to adjust to match your GUID, it will be different!  That’s the whole point of a GUID!

If the permissions are correctly set then it will say that each file was successfully processed as per the below:

Granting Permissions To VM Security ID

Once the NTFS permissions have been changed, power on the VM and you should be good to go!

On a parting note, Ben Armstrong has a post detailing the layout of a VM and the purpose of each file.  Well worth subscribing to his RSS feed!



Added 30-4-2014.  Added this section to point out that the above screen captures are in essence cmd prompt windows. 

If you try and run icacls.exe in a PowerShell session then you will probably get this error:

F : The term 'F' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:146
+ … AC970011E8F5":(F)
+                    ~
    + CategoryInfo          : ObjectNotFound: (F:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

icacls Error - The term 'F' is not recognized as the name of a cmdlet, function, script file, or operable program

To illustrate this, let’s fire up a standard PowerShell window, and then change it to a cmd prompt.  “This is PowerShell” is written to the screen to prove that initially this is PowerShell.  We then switch to cmd prompt and use ECHO to write the next message to the screen. 

Differences In PowerShell and CMD Prompt

Note that the prompt indicator changes from  “PS C:\Users>” to “C:\users>”.  To illustrate this the above screenshot has the two prompts highlighted, note the difference….
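
The PowerShell error above occurs because the parser treats the bare (F) as a grouping expression and tries to run F as a command; passing the account and rights as one quoted token avoids that. The following is an added example, not code from the original post: it checks whether the service SID already has an ACE and grants it only where it is missing. The function name Repair-VMServiceSidAce and its parameters are hypothetical, and it assumes an elevated PowerShell session with the Hyper-V module available.

```powershell
# Added example, not the post author's code. Function and parameter names are hypothetical.
# Assumes an elevated PowerShell session with the Hyper-V module available.
function Repair-VMServiceSidAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]   $VMName,
        # Files or folders the VM worker process must reach (.vsv, .bin, or their folder)
        [Parameter(Mandatory)][string[]] $Path
    )

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    # Service SID account name: "NT VIRTUAL MACHINE\" followed by the VM GUID
    $account = 'NT VIRTUAL MACHINE\{0}' -f $vm.VMId.ToString().ToUpper()

    foreach ($item in $Path) {
        if (-not (Test-Path -LiteralPath $item)) {
            Write-Warning "Not found, skipped: $item"
            continue
        }
        # Skip items that already carry an ACE for this VM (assumes the SID resolves
        # to its account name, as it does on the host where the VM is registered)
        $aces = (Get-Acl -LiteralPath $item).Access |
            Where-Object { $_.IdentityReference.Value -eq $account }
        if ($aces) {
            Write-Verbose "ACE already present on $item ($($aces.FileSystemRights -join ', '))"
            continue
        }
        if ($PSCmdlet.ShouldProcess($item, "grant (F) to $account")) {
            # One quoted token, so PowerShell never sees a bare (F) to evaluate.
            # ${account} is braced so the ':' is not read as part of the variable name.
            & icacls.exe $item /grant "${account}:(F)"
            if ($LASTEXITCODE -ne 0) {
                Write-Error "icacls failed on $item (exit code $LASTEXITCODE)"
            }
        }
    }
}

# Constructed usage, reusing the sample VM name and GUID from the post;
# run from the folder that holds the files. -WhatIf only reports what would change.
$guid = '5BEF5A39-069D-4887-8688-8D80A505A88C'
Repair-VMServiceSidAce -VMName 'Typhoon' -Path "$guid.vsv", "$guid.bin" -WhatIf
```

Drop -WhatIf to apply the grant, and add -Verbose to list the files that already had the ACE.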




Comments (22)

  1. Dan says:

    Hi, I am having a problem with the ICacls.exe command you mention. I have grabbed the GUID of my VM and modified the command I run, however the error I get is “The term ‘F’ is not recognized as the name of a cmdlet….”

    After running just “ICacls.exe /?” I see that “F” is an option of the command and should give full access “F – full access”


    Any help would be appreciated
    Great Post!!

  2. Can you paste your full command into here please Dan?


  3. Urs says:

    Hi, We have the same problem now and used the following command:
    PS C:ClusterStorageVolume141PUS03Virtual Machines603992A3-F642-41C6-92CC-343021CFDA50> icacls.exe 603992A3-F642-41C
    6-92CC-343021CFDA50.bin /grant “NT VIRTUAL MACHINE\603992A3-F642-41C6-92CC-343021CFDA50”:(F)

    F : The term ‘F’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:119
    + … 343021CFDA50″:(F)
    + ~
    + CategoryInfo : ObjectNotFound: (F:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

  4. matchedriver404 says:

    thank u’

  5. Also curious why there are a few folks running into this right now.

    What build of Windows is this? 2012 R2 with the update?


  6. Urs says:

    We use Windows 2012 Datacenter
    Our solution was to manually create a new VM and add the existing disks.

  7. Sergio Orellana says:

    Remove the parentheses, just use “:F”

  8. Sergio Orellana says:

    You can also try: http://support.microsoft.com/kb/2927313/en

    None works for me. I am still trying.

  9. Just tried on my 8.1 laptop.

    D:VMsWorkshops2010-HA-1.3CLIENT1Virtual Hard Disks>icacls.exe CLIENT1.vhd /Grant “NT VIRTUAL MACHINE\D94A8659-8C48-4516-B4B9-AC970011E8F5”:(F)

    processed file: CLIENT1.vhd
    Successfully processed 1 files; Failed processing 0 files

    That went through first time.

    I changed to the directory where the file is, and then ran icacls.exe from there so I don’t have to worry about the path.

    This is running in an elevated command prompt.

    What exactly are you doing/running?


  10. Ok – looks like I figured this out. You are running this in a PowerShell session. Run this in a command prompt session.

    If you look closely at the images above, they are not PowerShell sessions. They are cmd prompts. Look very closely at the prompt. That will tell you……

    I’ll add a note to the post on this.


  11. Grateful1 says:

    Rhoderick, thanks so much for taking time to document your finding!

    In the second ICacls.exe line of your Example: NT VIRTUAL MACHINE\5BEF5A39-069D-4887-8688-8D80A505A88C, the file name should be .vsv, just as your subsequent screen shot shows.

  12. oops – thanks for that!

    I’ll go and fix that up.


  13. Ron Prague says:

    Thanks for this, the only oddity that I had was the .bin and .vsv files didn’t exist at all, so I had to run the iCacls.exe command on the directory the files should be created in and everything came up roses.

  14. Ron – was the VM powered off? In 2008 R2 that was always created when the VM was powered on to allow for saved state. Can tweak that in newer versions – Ben has some details here:



  15. Gurpreet Singh says:

    Awesome!!! was really helpful!!

    Gurpreet Singh

  16. Richard W says:

    When I try to grant permissions to the NT Virtual Machine I get an "Invalid Parameter" error relating to the username. Any suggestions please?

  17. Rod Cooper says:

    Tried all this, still got the issue

  18. Some Guy says:

    God bless you! ICACLS must be run from cmd, not from powershell!!! How did i miss that?

    Anyway, great job, Rhoderick. Thx!

  19. Richard Ozenbaugh says:

    I used the script below to update the SID permissions on all my VM files when another admin reset all permissions to the root Virt Machine folder:

    $vms = Get-VM
    foreach ($vm in $vms) {

        $guid = ($vm.VMId.ToString()).ToUpper()
        $name = $vm.Name

        # do the disks first
        $disks = Get-VMHardDiskDrive -VMName $name
        foreach ($disk in $disks) {
            $vhdx = $disk.Path
            dir $vhdx
            # --% stops PowerShell from parsing (F) as an expression
            $cmd = "icacls --% `"$vhdx`" /grant `"NT VIRTUAL MACHINE\$guid`":(F) /T"
            Invoke-Expression $cmd
        }

        # now lets do the GUID named folders and files
        $guidfiles = Get-ChildItem -Path 'D:\Virtual Machines' -Recurse -Filter "$guid*.*"
        foreach ($guidfile in $guidfiles) {
            $path = $guidfile.FullName
            $cmd = "icacls --% `"$path`" /grant `"NT VIRTUAL MACHINE\$guid`":(F) /T"
            Invoke-Expression $cmd
        }
    }

  20. Ryan says:

    very helpful comment by Ron Prague, if the files do not exist, run the command on the folder itself –

    example: ICacls.exe "D:\Hyper-V\Virtual Machines\5BEF5A39-069D-4887-8688-8D80A505A88C" /grant "NT VIRTUAL MACHINE\5BEF5A39-069D-4887-8688-8D80A505A88C":F

  21. Michael Rytoft Hansen says:

    I had the exact same problems. The same message and the 3080 event in the Hyper-V log.
    All virtual machines on a host couldn’t initialize. Tried to run icacls.exe on all vhdx, bin and vsv files for a VM with no luck, the machine could still not initialize.

    I then tried to remove the OS disk from the VM and applied the change, and then immediately added the vhdx (OS disk) file back again and applied the change to the same VM without running icacls.exe on the files.
    And now the VM could start without any issues.

  22. GON5 says:

    Really helpful, thanks. @Ron Prague – I had the same oddity and using *.* inside the directory worked for me.

    This problem happened after deploying one VM from the library to a host. Two VMs appeared in VMM but only one in Hyper-V. VMM couldn’t clear it, so I powered up one in VMM, tried to delete the other ‘ghost’ VM. My thinking was that if the correct one is powered on, VMM couldn’t delete it by mistake. But it powered the VM off then deleted all files. Fortunately, I had taken a copy and when I re-registered it, I think I chose the wrong option for the unique ID. I should have made it a fresh unique ID.