Find out what changes the settings for User Account Control all the time

0

The settings of the UAC get changed by some app/program/process. As a result I can't open Edge, calculator, Windows store or any other Metro style app. If I try to open it I get

xxx can't be opened with the Built-in Administrator account

One time I saw the notification that I have to restart my PC so that the changes of the UAC can take effect. So that was the point where some app/program/process made a change. I found the following (possibly related) entries in the event log:

The computer 'Administrator (built-in)' preference item in the 'Administrator rename and guest account {C2FB86B3-A1FD-494C-CA29-X309579E9ZCE}' Group Policy object did not apply because it failed with error code '0x80070524 The specified account already exists'. This error was suppressed.

Another interesting log is this

The Group Policy settings for the user were processed successfully. New settings from 20 Group Policy objects were detected and applied.

At this time EnableLUA is disabled, but I can open all Metro style apps (Edge, calculator, ...). After a restart this isn't the case anymore. Now the setting EnableLUA is working as expected.

My workaround is to set the UAC to any level, click OK and restart. Then I can open my programs again. Now I want to find out the app/program/process which is responsible for changing the UAC settings.

Working settings:

FilterAdministratorToken: 1
EnableUIADesktopToggle: 0
ConsentPromptBehaviorAdmin: 5
ConsentPromptBehaviorUser: 3
EnableInstallerDetection: 0
ValidateAdminCodeSignatures: 0
EnableSecureUIAPaths: 1
EnableLUA: 1
PromptOnSecureDesktop: 1
EnableVirtualization: 1

Non-working settings:

FilterAdministratorToken: 1
EnableUIADesktopToggle: 0
ConsentPromptBehaviorAdmin: 0
ConsentPromptBehaviorUser: 3
EnableInstallerDetection: 0
ValidateAdminCodeSignatures: 0
EnableSecureUIAPaths: 1
EnableLUA: 0
PromptOnSecureDesktop: 1
EnableVirtualization: 1

testing

Posted 2016-04-08T11:17:16.977

Reputation: 641

1 Have you checked the event log? – Raystafarian – 2016-04-08T11:45:18.833

Not yet. I have now updated my question with some more info. – testing – 2016-04-08T11:58:34.870

It would be very useful if you found the English analog of error messages. – Euri Pinhollow – 2016-05-02T08:30:09.603

@EuriPinhollow: I tried to translate it. See my updated question. – testing – 2016-05-02T08:50:54.677

Group policy sets your UAC level. I guess it's disabled in group policy. UAC level can only be set at PC restart, so the error should only occur when you restart your PC. – SimonS – 2016-05-02T08:54:58.277

@SimonS: Thanks for your info. I also have the assumption that there is a wrong group policy setting. Do you know which one is responsible for this? The error occurs during operation and then I have no Admin rights anymore. My workaround is to set the UAC level and make a restart. What is also interesting is that it only happens sometimes. You don't know when it will happen. – testing – 2016-05-02T08:58:55.013

Answers

1

The error messages of your event log point to a GPO which gets applied and sets your UAC level.

Check your GPO in Computer Configuration\Security Settings\Local Policies\Security Options. Check all the settings which are described in this link: https://technet.microsoft.com/en-us/library/dd835564%28v=ws.10%29.aspx

You can see the default option for each setting on the site; compare this to your GPO. I guess Behavior of the elevation prompt for standard users alias ConsentPromptBehaviorUser is set to "Automatically deny elevation requests", which would only make sense if you're not administrator on your machine.

Or Run all administrators in Admin Approval Mode alias EnableLUA is disabled. This is most of the time the case when you can't open any Windows app like calculator, because since Windows 10, Microsoft wants you to have UAC enabled to use these apps.

Edit: Since we found out that EnableLUA is disabled, we can say that's where your error occurs. Most of the time, the administrator disables UAC because he/she sees it as unnecessary, doesn't want to deploy it to Win7 and Win8.1, or doesn't really know what UAC does (so better disable it, right ;-)?). It's a must-have for Windows 10. So I would create a GPO which targets only Windows 10 PCs with the following WMI Filter: select * from Win32_OperatingSystem where Version like "10.%". Keep in mind that the whole GPO with this Filter only gets deployed to Windows 10.

SimonS

Posted 2016-04-08T11:17:16.977

Reputation: 4 566

ConsentPromptBehaviorUser is set to "Prompt for credentials". EnableLUA is disabled. FilterAdministratorToken is enabled. EnableInstallerDetection is disabled. PromptOnSecureDesktop is enabled. EnableVirtualization is enabled. EnableUIADesktopToggle is disabled. ConsentPromptBehaviorAdmin is "Elevate without prompting". EnableSecureUIAPaths is enabled. ValidateAdminCodeSignatures is disabled. – testing – 2016-05-02T09:50:43.880

When EnableLua is disabled, you can't use Windows Store apps on Windows 10, so that is your problem I think. See my Edit. – SimonS – 2016-05-02T10:13:08.983

Thanks Simon for your help. I'll give the information to my sysadmin. What I find interesting is that there are additional rules, which overwrite the local policies. Currently EnableLUA is disabled, but I can open calculator and so on. So currently I don't have the problem, but it will appear in the future. Is the occurrence of the problem related to the time when the sysadmin does an update to the GPO? Or how could this be possible? – testing – 2016-05-02T11:10:55.493

@testing hmm that's quite impossible :). If you use this command in (elevated) PowerShell: get-itemproperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -name enablelua does it return EnableLua : 0 or EnableLua : 1? Can you use Edge? Group Policy is always stronger than local policies, that's why it gets overwritten. Parts of the Group Policy also get pushed to your machine while you're logged in, not only on startup. – SimonS – 2016-05-02T11:16:45.850

Edge is working fine. Your command returns EnableLUA : 0. As I said earlier, this is only working now. A few days later and this can change anytime. But I have to admit that the problem didn't occur the last days. I can only tell when it happens again. Don't know how this is related to system restarts (which I don't do often) or changes to programs (e.g. I updated to VS2015 Update 2 recently). Perhaps the problem was gone through an update, but I can't say this for sure. I'll have to observe this longer ... – testing – 2016-05-02T11:24:55.530

@testing very strange. I can't tell you why your metro apps work without enableLua. Maybe your sysadmin made a registry hack or something to make it running. If you know the cause, I'd be happy if you could tell me :) – SimonS – 2016-05-02T11:32:10.003

If I know the reason, I'll let you know. Thanks for your help! – testing – 2016-05-02T11:33:49.073
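
One way to approach the question's "which process changes these values", as an added example that is not part of the original thread: the script compares the live UAC values with the "Working settings" list from the question, turns on auditing for writes to the policy key, and reads the resulting 4657 events back from the Security log. The audit rule (Everyone, SetValue, Success) and the English auditpol subcategory name are assumptions of this example; it must run in an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example. Baseline = the "Working settings" list from the question.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$baseline = [ordered]@{
    FilterAdministratorToken    = 1
    EnableUIADesktopToggle      = 0
    ConsentPromptBehaviorAdmin  = 5
    ConsentPromptBehaviorUser   = 3
    EnableInstallerDetection    = 0
    ValidateAdminCodeSignatures = 0
    EnableSecureUIAPaths        = 1
    EnableLUA                   = 1
    PromptOnSecureDesktop       = 1
    EnableVirtualization        = 1
}

# 1. Report every value that currently differs from the baseline.
$current = Get-ItemProperty -Path $key
foreach ($name in $baseline.Keys) {
    if ($current.$name -ne $baseline[$name]) {
        '{0}: expected {1}, found {2}' -f $name, $baseline[$name], $current.$name
    }
}

# 2. One-time setup: audit successful value writes on the key.
#    "Registry" is the subcategory name on an English system (assumption).
auditpol /set /subcategory:"Registry" /success:enable | Out-Null
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$rule = [System.Security.AccessControl.RegistryAuditRule]::new(
    $everyone, 'SetValue', 'None', 'None', 'Success')
$acl = Get-Acl -Path $key -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $key -AclObject $acl

# 3. After the next change: which process and account wrote which UAC value.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_; $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.ObjectName -like '*\Policies\System' -and $baseline.Contains($d.ObjectValueName)) {
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                Value   = $d.ObjectValueName
                New     = $d.NewValue
                Process = $d.ProcessName
                User    = $d.SubjectUserName
            }
        }
    }
```

Step 3 returns nothing until a write happens after step 2 has been applied. If the writer turns out to be Group Policy processing, `gpresult /h report.html` shows which GPO won for each setting.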