Windows 7 UAC elevation problem -- seems to "auto-deny" most application installers?

RedShark

Platform: Windows 7 x64 Ultimate.

I've observed that applications that normally would require UAC elevation don't display it. The application then fails with an error because of insufficient privilege. For example, if I download an installer, and run it on another system, Windows shows the standard UAC prompt asking for permission to run it at elevated privilege. On my system, some setting has become screwed up, and the prompt is not shown. Moreover, it seems to "auto-deny" the request, and the application then fails with a permission error.

Now, if I elevate the application manually, by right-clicking, and selecting "Run as administrator..." it works fine. But on a properly configured system, I don't have to do that -- the application asks itself.

As a specific example, all Firefox updates now fail automatically, because the UAC prompt never appears, and it defaults to "auto-deny." If I download the Firefox installer and run it manually (with admin privileges) it works fine. Other installers are similar -- the problem is not Firefox-specific.

So: what setting could cause this behavior and how do I correct it? Some details:
- I have a standard Windows 7 "full user" account with admin privileges.
- UAC is set to the default option in Control Panel
- It used to work as expected, but some setting has become screwed up.
- I know that a format/reinstall would fix this but I don't want to do that right now.
- Doing things that require UAC elevation, like changing the UAC setting itself, works fine -- the problem largely affects applications designed to auto-elevate when they first run, like installers.
- I could just disable UAC but would rather not.
 
From the run dialog, open secpol.msc. Expand Security Settings, Local Policies and Security Options. On the list to the right, scroll all the way to the bottom and review the User Access Control Policies.

Pay special attention to:
* Detect Application Installations and prompt for elevation
* Only elevate UIAccess applications that are installed in secure locations
* Behavior of the Elevation prompt for standard users
* Behavior of the Elevation prompt for Administrators in Admin Approval Mode
 
Thanks for your prompt response. Here are the settings:
uac.png


This all looks fine to me, unfortunately.

As an experiment, I just downloaded Firefox 20 setup. When I run it normally, it extracts the files immediately without a prompt, and then exits, presumably because of an error. I have to use "Run as administrator" in order for it to run properly. When elevated, the install proceeds fine. With this example, I have a simple repeatable test case.

Do you see anything wrong with these policy settings? Thanks again for your feedback.
 
Sounds to me like some malware screwed up some settings.

If I was seeing behaviour like that, I would just go ahead and wipe the computer.
 
Try disabling UAC then reboot. Run the application by double clicking. Then re-enable it and reboot again.
 
You may also try changing those UAC settings to something else, apply, then change back to the setting they are at now, apply.

While not particularly common, and not with this specific issue, we have had numerous machines where the user could not modify the IE Trusted Sites list.
It's not a GPO.
Look in the local group policies, and everything was set to "Not Configured".
Found the "Site to Zone" setting, set to disabled, apply, change back to Not Configured, apply, and then the user would be able to modify the list.
As if the setting got changed in the registry, but the change didn't get reflected within the local group policy MMC snap-in.
 
Thanks for all the suggestions, when I have some time I'll try them. I could also try safe mode I guess and see if that does anything.

I don't think it's malware. I just ran the latest Spybot with no hits, and I've never seen any other suspicious behavior, network activity etc. It would not surprise me if it was caused by some buggy piece of software though.
 
Do you see anything wrong with these policy settings? Thanks again for your feedback.

The policies look fine.

Have you made any changes to UAC at all? Possibly trying to turn it off and not succeeding?

What type of a user are you? The actual administrator, a user in the Administrators group, a non-administrator?

Is your machine joined to a domain or in a workgroup?
 
No, I've not intentionally changed anything. I've never tried disabling it on this machine. I just set UAC to the "maximum" level:
uac2.png


It did prompt me when I attempted to make that change, so UAC certainly works in some instances. The change also "stuck" in the sense that exiting the UAC configuration window and re-loading it still showed the same selection ("Always notify"). Even with "Always notify" enabled, the Firefox setup doesn't prompt for elevation.

I'm just a normal user in the administrators group I believe -- whatever you get with a standard Windows 7 install. The machine is part of a Workgroup, but not a domain. It's my home machine so I can do whatever I want with it.
 
Here's another troubleshooting result:

I have a backup account on this machine that's also in the administrator group -- it should be "equivalent" to my main one in terms of privileges. That account is as "clean" as possible in the sense that I almost never use it. I've kept it precisely to deal with user profile crap. Well, the prompt does display on that account, so whatever is screwed up is specific to my main account. Hopefully that helps narrow things down.
 
It sounds like something is stopping your machine (profile) from entering secure desktop mode. When you expect the prompt, try alt-tabbing and "looking" for it. See if it's popping up, but maybe not grabbing focus...
 
Shoot, I just screwed around for 20 minutes. I tried:
- Safe mode first. It didn't occur to me that in safe mode, UAC is disabled anyway, so the Firefox installer did not prompt but continued correctly.
- I then disabled all programs that start when my main account logs in and rebooted. This didn't work either, so it seems unlikely to be caused by a piece of running software.

I tried the suggestion of using alt-tab, but the elevation request window never appears anywhere. It's not simply on another monitor or anything -- it does not exist. Argh. I will try the disable/re-enable idea now.

Edited to add:
- I tried disabling UAC via the Windows 7 GUI. Rebooted - ran Firefox setup. Worked fine as expected.
- Re-enabled UAC. Rebooted. Firefox did not prompt for elevation and did not allow me to install.

I disabled all non-Microsoft services as well as all "auto run" crap. So all this was in a very "clean" environment. I'm not sure what else to try at this point other than make a new user account, but if anyone has suggestions I'd be happy to hear them :)
 
I too have the same issue. Some installers prompt for UAC but others just execute and give an error or close in the background due to "access denied".

I've read if the filename has "install" or "update" in the name Windows will heuristically prompt elevate. I've tried changing the filename but it doesn't work.

As an example:
"npp.6.1.3.Installer.exe" will prompt with UAC
"setpoint6.61.15_smart.exe" will not, even if I change the filename to "setpoint6.61.15_smart_Install.exe"


I've sniffed the activity with Process Monitor and the installer runs, but without permission.

I have the same settings as mattacount so Windows should prompt elevate if it detects an installer.

I've never had problems with malware and my system comes up clean.

I can always run as admin. But the annoyance comes with Flash. Every month or so Flash will try to update itself on reboot. But since Windows doesn't prompt elevate on install the installer always fails. It autoruns, so there is no way to "run as admin".
 
FWIW, after all this time, I've still not formatted. I do plan to upgrade to Windows 8.1 within the next six months. Since I originally posted this question, the problem has never gone away. I've just lived with it :p It's quite irritating though as vsny mentioned -- there are several circumstances in which I find this issue particularly irritating.

If anyone new is reading this and has any other suggestions of things to try, I'm all ears.
 
As a searcher of an answer for the same question, I've stumbled upon this question through Google. After doing some investigation with Procmon (SysInternals suite from Microsoft), I've noticed something was blocking me from accessing the temp folder (the one in AppData\Local). After giving myself some permissions, I was able to install software properly again. This time without explicit elevation. I hope this helps; it worked for me at least. Good luck. =)

PS. Even though Windows 7 is specifically mentioned in the topic, I was using Windows 8 Pro.
 
This is great -- I'm nearly certain the problem is now corrected. I applied the fix you suggested. Thanks a lot for your reply!
 
I wanted to write back because I found permissions continued to revert themselves. I would set them, and then repeatedly, at some unclear time, they would be changed without my knowledge. At that point, I would again experience the issues originally described.

Using the built-in Windows "Security Audit" feature, I followed the instructions here:
http://superuser.com/questions/560675/how-to-monitor-folder-permission-changes

These techniques allow me to monitor the folder to see exactly which process is effecting the change in security permissions. Using this, I captured dozens of entries like this:

Permissions on an object were changed.

Code:
Subject:
	Security ID:		<blah>
	Account Name:		<blah>
	Account Domain:		<blah>
	Logon ID:		<blah>

Object:
	Object Server:	Security
	Object Type:	File
	Object Name:	C:\Users\blah\AppData\Local\Temp\... <all files in temp dir>
	Handle ID:	0x3e4

Process:
	Process ID:	0x29d4
	Process Name:	C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat.exe

Permissions Change:
	Original Security Descriptor:	D:AI(A;ID;0x1201df;;;WD)(A;ID;FA;;;S-1-5-21-3481615609-584660373-1832188970-1000)(A;ID;FA;;;BA)
	New Security Descriptor:	D:ARAI(A;ID;FA;;;BA)(A;ID;0x1201df;;;WD)

A quick Google confirmed this behavior:
http://forums.adobe.com/message/5033519

So, Acrobat has a bug that's evidently still unfixed. How irritating. Now I need to figure out how to lock out Acrobat and prevent it from making these changes, heh.
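
Added example, not part of the original post: a Python sketch that parses the two SDDL strings from the audit event above and reports which trustee lost access. The function names are hypothetical, and only the allow ACEs and the `FA`/hex rights forms seen in that event are handled.

```python
import re

# Constructed input: the two descriptors copied from the audit event quoted above.
ORIGINAL = ("D:AI(A;ID;0x1201df;;;WD)"
            "(A;ID;FA;;;S-1-5-21-3481615609-584660373-1832188970-1000)(A;ID;FA;;;BA)")
NEW = "D:ARAI(A;ID;FA;;;BA)(A;ID;0x1201df;;;WD)"

FILE_ALL_ACCESS = 0x1F01FF          # SDDL right "FA"
FILE_EXECUTE = 0x20                 # execute file / traverse directory
RIGHTS = {"FA": FILE_ALL_ACCESS}
ALIASES = {"WD": "Everyone", "BA": "BUILTIN\\Administrators"}

def parse_dacl(sddl):
    """Return {trustee: allowed access mask} for the D: part of an SDDL string."""
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL string")
    allowed = {}
    for ace in re.findall(r"\(([^)]*)\)", m.group(2)):
        # ACE layout: type;flags;rights;object_guid;inherit_guid;trustee
        ace_type, _flags, rights, _obj, _inh, trustee = ace.split(";")[:6]
        if ace_type != "A":         # only allow ACEs occur in this event
            continue
        mask = RIGHTS[rights] if rights in RIGHTS else int(rights, 16)
        name = ALIASES.get(trustee, trustee)
        allowed[name] = allowed.get(name, 0) | mask
    return allowed

def diff_dacl(before, after):
    """List (trustee, 'removed' | 'reduced', lost mask) for every loss of access."""
    findings = []
    for trustee, mask in before.items():
        lost = mask & ~after.get(trustee, 0)
        if lost:
            kind = "removed" if trustee not in after else "reduced"
            findings.append((trustee, kind, hex(lost)))
    return findings

def lacks_execute(dacl, trustee):
    """True when the trustee's allowed mask does not include FILE_EXECUTE."""
    return not (dacl.get(trustee, 0) & FILE_EXECUTE)

if __name__ == "__main__":
    before, after = parse_dacl(ORIGINAL), parse_dacl(NEW)
    for trustee, kind, lost in diff_dacl(before, after):
        print(f"{trustee}: ACE {kind}, lost rights {lost}")
    for trustee in after:
        print(f"{trustee}: execute allowed = {not lacks_execute(after, trustee)}")
```

For the event above it reports that the user's own full-access ACE was removed, leaving Everyone with mask 0x1201df, which does not include FILE_EXECUTE (0x20). The remaining Administrators ACE does not help an unelevated process under Admin Approval Mode, because that group is deny-only in the filtered token.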
 
Nice! The permission issue for me is fixed too. I haven't seen the problem return (I did it ~5 seconds ago) and I haven't run the audit. But I run Acrobat 11 too. So it's probably that Acrobat is the source of the problem.

For me the permissions were set to Admin and "Everyone" and for "everyone" they were not full. Instead of giving "everyone" full permission I added my username to the list with full access and removed "everyone". Mattsaccount - is that what you did too?

Also Mattsaccount - you said you don't get explicit elevation. Don't you get the UAC prompt now? I do.
 
After fixing permissions on the temp folder and dealing with Acrobat, the problems all went away. I now get UAC elevation prompts for software installers just as expected.
 