Symptom: Edge failed to start and browse any webpage, it always showed: "That's odd... something stopped working, so this page can't load." The detailed error message was: Unable to create content process", error code was: 0x8027025b. The root cause was: "ALL RESTRICTED APPLICATION PACKAGES" permission was missing on system folder:
C:\Windows\System32 and "S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681" permission was missing on
HKEY_LOCAL_MACHINE\Software. This article will show you how to fix this issue by adding back the right permissions.
From a process monitor log, we can see multiple Edge content processes (MicrosoftEdgeCP.exe) exited right after being launched.
Take one MicrosoftEdgeCP.exe for example. We found that the process exited right after some "ACCESS DENIED" errors on accessing DLL files under
After comparing the file permissions between a working machine and a problematic machine, we can see that "ALL RESTRICTED APPLICATION PACKAGES" was missing on
Add permission for ALL RESTRICTED APPLICATION PACKAGES
ALL RESTRICTED APPLICATION PACKAGES is a special system group that is used for UWP apps and is not allowed to be added through GUI. We should be able to add it by adding the required entry for permissions for S-1-15-2-2 (where S-1-15-2-2 is the SID of the "ALL RESTRICTED APPLICATION PACKAGES" account) manually using security template.
Open MMC, add Snap-in: Security Template. Expand the security template, right click the path and choose New Template.
Give it whatever name you want, in my case: "fix-edge".
Expand fix-edge, right click File System, click Add File..., choose directory C:\Windows\System32, keep default settings and click OK, in next Add Object dialog, keep default settings and click OK.
Right click fix-edge, click Save.
Go to the template path, you should see the configuration file: fix-edge.inf. Edit it in notepad.
In [File Security] section, append the security descriptor with the following text:
(A;;0x1200a9;;;S-1-15-2-2)(A;OICI;0x1200a9;;;S-1-15-2-2), ensure the entry is added within the quotation marks as highlighted below:
Save the file. Add another Snap-in in MMC: Security Configuration and Analysis. Right click it and choose Open Database.
Input fix-edge, click Open, import template: fix-edge.inf.
Right click Security Configuration and Analysis again, choose Configure Computer Now...
Keep default settings for the error log file path and wait until it completes.
Now we can see that the permission for "ALL RESTRICTED APPLICATION PACKAGES" is correctly set on
Fix registry permission for S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681
In my case, Edge still failed to start after adding back the permission for
ALL RESTRICTED APPLICATION PACKAGES. By capturing the process monitor log again, this time Edge content process did not encounter an "ACCESS DENIED" error on loading the DLLs under
C:\Windows\System32, but exited right after "ACCESS DENIED" errors on accessing registry keys under
After comparing the registry key permission on
HKLM\Software, we found that the permission for
S-1-15-3-1024-1065365936-1281604716-3511738428-1654721687-432734479-3232135806-4053264122-3456934681 was missing on the
HKLM\Software of the problematic machine. However, on
HKLM level, we did find the permission was correctly set.
Therefore, we just need go to the Advanced Security Setting page for
HKLM\Software, click the Enable inheritance button and click OK to apply the setting. Wait for a while as it needs some time to apply the permission to all sub keys.
After that, Edge came back to work.