Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: UAC security question

28 Feb 2014   #1
andrew129260

Windows 10 Pro
 
 
UAC security question

Hello all, I have an interesting issue.

So I prefer to have my uac set to the highest setting: Which is always notify.

I noticed that sometimes when I check the setting, it will be at the default (not off) Level 2, notify when programs make changes to this pc on secure desktop.

So I set it to the highest, click ok and reboot. Its still set to the highest setting and I go on my way. I check it several days(weeks even) later and UAC is on the default setting again.

So I am curious, UAC at the highest setting is supposed to prompt whenever UAC settings are about to be changed, but this is not happening. It does when I initiate it, but not otherwise apparently.

I know what your thinking, and I am absolutely sure its not malware. I don't know if its a older program I have that's doing it or what. Still, it should not be able to.

So questions:

1.) What could be causing this?

2.) Is there a way in group policy I could disable the uac setting screen so it could not be changed? Or lock it down to the always notify option?

I have searched the net and have not found any information on this.

Thank you.

1st image is what I want,

2nd image is what happens after a few weeks.

Event viewer shows nothing.




Attached Thumbnails
UAC security question-uac-i-prefer.png   UAC security question-uac-changes-randomly.png  
My System SpecsSystem Spec
.
28 Feb 2014   #2
Brink

64-bit Windows 10 Pro
 
 

Hello Andrew,

Interesting. Is this all happening in the same user account?

One possibility is a Windows Update resetting it back to default.
My System SpecsSystem Spec
28 Feb 2014   #3
derekimo

Microsoft Community Contributor Award Recipient

 
 

Not sure why it's doing that, maybe this will help with what you want though,

How do I change the behavior of User Account Control by using Group Policy?
My System SpecsSystem Spec
.

28 Feb 2014   #4
andrew129260

Windows 10 Pro
 
 

Quote   Quote: Originally Posted by Brink View Post
Hello Andrew,

Interesting. Is this all happening in the same user account?

One possibility is a Windows Update resetting it back to default.
Yes it is, thanks for the response. My fiance has her standard user account on this machine, I run as admin. I am almost always doing admin things, (which is why I want uac set to the highest since I run as admin all the time.) I have some group policy objects applied to her. But nothing involving uac.

Quote   Quote: Originally Posted by derekimo View Post
Not sure why it's doing that, maybe this will help with what you want though,

How do I change the behavior of User Account Control by using Group Policy?
Thanks derekimo, I saw that but unfortunately it doesn't seem like any of the options there are what I need. It does not seem like there is any way to grey out the entire uac settings box. Or force to the specific always on. There is a force on, but I believe thats for the default setting and I see no way to specify to always notify.

I have the following software running on startup if this helps:

Teamviewer
Panda cloud AV
Malwarebytes pro

Thats it.


I am trying to remember if/when this started occurring. One of the reasons I notice it is because I go into task scheduler and services and management console a lot, so when my uac settings are set to always notify, uac prompts me. At the default it doesn't.

SFC is good.

I am starting to wonder if this started happening after I created her standard account....but at the time same time I thought it was before that.....

The good news is uac is not being turned off, but its just odd.
My System SpecsSystem Spec
28 Feb 2014   #5
King Arthur

Windows 7 Ultimate x64 SP1
 
 

Have you checked the Event Viewer logs to see if Windows is documenting anything regarding the UAC setting changes? Windows is usually good on keeping track of system-wide changes.
My System SpecsSystem Spec
28 Feb 2014   #6
UsernameIssues

W7 Pro SP1 64bit
 
 

This might help to ferret out the offending app...
...or maybe not :-(

Let's start with the standard UAC states (e.g. states that can be set by the UAC slider).

Using the numbers found in the Data column for the registry Value Names of interest, we get the following pattern. (edit: to be clear, I'm not suggesting that people change the UAC levels via the regedit. The screenshots of the registry via regedit were originally intended as info needed to modify the AutoIt script mentioned later on. The script can change the UAC back to some desired level, but it requires admin rights to do that - so that function was removed. The link just below this edit shows how best to change the UAC notification levels.)

User Account Control - UAC - Change Notification Settings


Always Notify is "211"
UAC security question-1-always.png


Default is "511"
UAC security question-2-default.png


Secure Desktop OFF is "510"
UAC security question-3-secure-desktop-off.png


Never Notify is "000"
UAC security question-4-never.png




The UAC slider is a live monitor of some changes, but you probably do not want to leave that open all of the time. Plus, you will not know when the change happened unless you are sitting right there when it changes. This AutoIt script should help with that. The script only reads the registry info. It does not make any changes.



I used regedit to simulate whatever app is making this change to the UAC. Whatever app it is, it should require elevated privileges to be able to write to that area of the registry..

Hopefully, the "Time of change" in the title of the AutoIt message box is self explanatory. Maybe the message box will be all that you need to see to know exactly what app caused the change. If you were away from the computer when the change happened, then the message box should be waiting for you when you get back - even if the computer went to sleep.

If need be, armed with the "Time of change", you can look thru the Windows Event logs and/or you can run LastActivityView - View the latest computer activity in Windows operating system and look back to the events near the "Time of change". (The download link is near the bottom of that webpage.)

I show how to compile the script in the first video, but you do not need to do that. I would suggest putting that AU3 text file directly in the All users startup folder.



You will need to install AutoIt to be able to make use of the text version of the script.

If you don't want to install AutoIt, then use the compiled version that is attached to this post. (Virustotal scan for the compiled version). Two of those hits are because I compressed the EXE with UPX.

You might notice in the first video that the first line of the script mentions an older version of AutoIt. I went ahead and tested the script with the newer version - so I removed that comment line from the script. The compiled version attached to this post was made using the older version of AutoIt for reasons that I'll not bore you with.

I'll understand if you don't want to use the script at all - compiled or as text.


I doubt that it is an infection, but you can never know (source):
Quote:
Nick Harbour's team completed the DEFCON race in just over six hours; the fastest team managed completion in about two-and-a-half-hours. Nick Harbour's team came out on top when the viruses were tested and all 10 of his modified viruses eluded virus detection.


Attached Files
File Type: zip uac monitor.zip (281.2 KB, 9 views)
My System SpecsSystem Spec
28 Feb 2014   #7
Golden
Microsoft MVP

Windows 7 Ult. x64
 
 

Quote   Quote: Originally Posted by Brink View Post
One possibility is a Windows Update resetting it back to default.
I would have said it is Windows Update too.....have you been able to check that?
My System SpecsSystem Spec
28 Feb 2014   #8
andrew129260

Windows 10 Pro
 
 

Wow, thanks to everyone!

I appreciate all the help here, especially user name issues thank you so much! I will start monitoring it with this and will see what happens. Thanks again!
My System SpecsSystem Spec
28 Feb 2014   #9
UsernameIssues

W7 Pro SP1 64bit
 
 

You are welcome.

I just realized that the first four screenshot are not needed in my post above. I originally wrote the script in a way that will set the UAC back to whatever you wanted. Those first 4 screenshots were part of my info on how to edit the script to have it automatically change the UAC back to the desired level.

...then I read where you have a non-admin user on this computer. Having the script set the UAC means that it must run with elevated privileges. So I abandoned that part of the script and stuck with the core function of monitoring.

Let's hope that the script helps to find the offending app. My UAC stays at the highest level without any problem.
My System SpecsSystem Spec
28 Feb 2014   #10
andrew129260

Windows 10 Pro
 
 

Quote   Quote: Originally Posted by UsernameIssues View Post
......Let's hope that the script helps to find the offending app. My UAC stays at the highest level without any problem.

The fact that a program is able to do this without me being notified is what concerns me, it feels like a security hole..

And thanks for the registry info. I am sure others as well as myself enjoyed it.

Quote   Quote: Originally Posted by Golden View Post
Quote   Quote: Originally Posted by Brink View Post
One possibility is a Windows Update resetting it back to default.
I would have said it is Windows Update too.....have you been able to check that?
Yes I have checked, and I have not noticed it happening after that. But that's just it, I am not sure when its happening. Thanks to username issues script, that should hopefully pin the cause of it.
My System SpecsSystem Spec
Reply

 UAC security question




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Security question
Can I please have some advice on this bit of software. Is it good or bad Etc??:tip: many thanks. HitmanPro.Alert CryptoGuard - SurfRight
System Security
Security Question
I am trying to devise a layered security approach for my PC. I wrote in about this a while back but some of the programs were messing with my PC so I uninstalled them. I recently found ZoneAlarm Free Antivirus + Firewall. I currently have Trend Micro Titanium Maximum Security 2013 installed. I like...
System Security
Security question
I am running a Win 7 64 ( updated ) router for firewall, 7 fw, LUA, MSE, Malwrebytes free, Hitman pro free, Sandboxie free delete contents upon closing , and use Chrome for my browser. I only use this computer for surfing, and was wondering how likely it would be to get hacked or infected other...
System Security
Security Question
This question is not actually Win7 related, but there is expert knowledge on this forum. I would really appreciate your input. (It may be Win7 related, because I may have to do a reinstall) Today I received a Yahoo IM from someone I did not know. As I was attempting to have my...
System Security
security question
ive been using windows 7 for a while now. just wana know how to protect my inentity on the net?? every time i go to icq or any chat every one knows wat country im form and wat internet service i use and what os i use . how do i hide my self from ppl like that??? its becomming anoying now.
System Security
Question About Security Software.......
I know this may be a dumb question but ive always wanted to ask this. I mean....can the Kaspersky Password Manager be trusted???? I mean...when you put ALL you sensitive info in there....i mean...wont the people who work for Kaspersky or the people who made the program see all your passwords and...
Software


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 01:59.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App