UAC Locked out machine - @teamviewer !

[rihtt]

Hello guys, So I am in a bit trouble.
I left a windows 7 machine on my job before the weekend in a big deal of hurry, with a teamviewer-portable session active so that I could continue my work frome home...



Current status: teamviewer session active but locked out@UACS dialogbox


http://i63.tinypic.com/otiwis.png

Information and background
The machine is a new out-of-box-state windows7 -x64.
Because outdated IE and such it was no time for installing new browser and transfer programs to it local.
I just plugged in my usb-pendrive that has the Portable Teamviewer - and decided to do the rest from home and have the machine ready monday morning.



1th UAC Dialogs
So today I connected with my business-teamviewer with the credentials to the machine and connected without problem.

Very soon I found out that this has some anyoing UAC popup when I am trying install some applications.
No problem.The default time-out is 2 minutes (hardcoded and not possible to change?)

The remote screen just freezes for two minutes and then comes back, So I figured out the UAC
will be my enemy from now on


2th UAC vs Me
So I searched online and found that you could run the command prompt at the machine and
enter an ADD_REG custom REG DWORD... to disable this UAC popup. But I figured out that not even my command prompt will work because of the very same UAC will not allow me to run it to begin with...


This is the problem in this very now - Current locked out by a UAC settings!
The window will not change, and it looks the same way even when connecting to the same teamviewer ID from another computer.
And it wont time-out after 2 minutes , it probably demands local human action



I am still in a teamviewer session with the machine.

I cant switch side (target machine has to old version)
and teamviewer remote-update doesnt work...
I cant send CTRL-ALT-DEL
I cant send shutdown commands and such.
I have access to other windows-machines in the same LAN.


But I had no such luck yet, using the PsExec from another windows-machine in the network
but it cant access the machine either because of the requirements of that tool


*hidden share has to be enabled \\machine\c$
*printserver has to be enabled



I can however, transfer files with teamviewer! So what do do? Lets figure out some way to make this machine listen to me again!

 

[Barman58]

You need to unlock the UAC to gain access

It should be the simple task of entering the password

If you do not know the password then you need to get someone who does to unlock it for you

The only other way is to visit the site with the password and unlock from there

 

[rihtt]

There was no password

but as you say the only thing that works is a human input at the site local




I just had a college that could exit the pop-up that said "allow changes to computer"...
and send him home 15 minutes ago.



And now I have access again.





But I am still on my one now

...avoid this from happen again.
I created a custom QuickSupport module (teamviewer) and placed in autostart location.
I will also find my old VNC_bat module so i can access by LAN if this happens again.


I also continuted with the permission-problem

I could not set this:

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v 

EnableLUA /t REG_DWORD /d 0 /f

= Access is denied


And I cant go to regedit by GUI because after 2 minutes lock-out it closes.

 

[Barman58]

Only thing I can think of is a Runas by a User that has admin rights

Runas /User Domain/User /Env "C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v"
This should ask for the user password so the domain & user should have admin or higher rights on the remote system

You could even try System as the user

Not done anything like this for a few years so check my syntax

 

[TechnoMage2016]

Rihtt,

It's just because of BS like that, that I disable UAC on every one of my 10 PC's.

On a new install one day, I had a customer ask me, when UAC reared its ugly head, "do I have to put up with that BS every time I want to do something?" I said "NO" and promptly disabled UAC.

I don't know for sure just where it would be required, but for a single owner, home computer, it's only a real PITA! Life with Windows is just so much easier with UAC totally disabled.

You can do that by hand, from your keyboard, when UAC opens up, or by running a little script. I've done both.

Cheers Mate!
TechnoMage

 

[Alejandro85]

Quick and dirty answer. There are two possible solutions that don't compromise security (even more).
Keep TeamViewer "portable" and run it as administrator. This has to be done locally by an human being, not remotely though TeamViewer itself.
Another solution is to use an "installable" edition of TeamViewer that autostarts with your system.
Each one lets to connect like before and also allows to respond to UAC and use elevated programs normally, as you would locally.

Now the long answer, why this happen and why that's the solution?
The problem lies within UAC itself. What you're seeing is a consequence of the protection mechanisms built into Windows, precisely the UAC's component UIPI that manages integrity levels. UIPI, when UAC is enabled, enforces that programs can only communicate with other programs when those have the same or lower "integrity level", but results in "access denied" errors when trying to talk to one with a higher one. And that makes sense, you don't want unelevated programs to tamper elevated ones and subverting them to their purposes, that's one of the greatest security adventages of UAC

How does that relate to TeamViewer? TeamViewer is just one more program that follows the same rules as everything else. To do its job, it interacts with the rest of the system and with other running programs. The relevant bit of info is that, like all other software (non-elevated) it runs at medium integrity level. When an UAC popup appears, the popup itself runs at high integrity level (on the "consent.exe" process), thus making any unelevated program unable to tamper with it, including TeamViewer. While this is a security features, this time it backfires, as TeamViewer begins to fail to communicate, hence it freezes totally until the popup eventually times out and dissapears.
A similar situation appears if you have an already elevated program and try to use it with TeamViewer, the remote desktop will freeze! But this times it'll never go away like an UAC prompt.

So, the solution is to give TeamViewer itself enough privileges to handle those windows, giving it high integrity level does the trick, which is achieved by running as administrator. An extra quirck appears when using a non-portable edition. Those install a service running with system permissions, which have an higher-than-high integrity level, hence it can manipulate the entire system. In those cases, TeamViewer communicates with its service and the service does the job, eliminating the need to elevate the program (at the cost of having a program installed).