“Run As Administrator” Blocked
Posted by William Diaz on July 8, 2012
Just yesterday, while taking a tour of my kid’s Standard User account on one of my Windows 7 systems, I noticed I was unable to right-click a program and elevate it. The following error was returned: “This program is blocked by group policy. For more information, contact your system administrator.”
That was odd because previously (I don’t remember exactly when) I had no trouble elevating processes. Normally, one can open gpedit.msc and modify the security policy that enforces this, setting it back to the default, which allows the “Run as administrator” option from the context menu. The only problem here is that this is Windows 7 Home Premium, which does not ship with group policy management features. Instead, you need to know the registry keys, value types, and values and add or modify them directly.
Luckily, Microsoft put together an Excel worksheet that maps the group policy administrative templates and security settings to where they are stored in the Windows registry. You can find it here: Windows Server 2008 R2 and Windows 7 Group Policy Settings. The setting I was interested in was ConsentPromptBehaviorUser, which lives in HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System.
The default value should be 3. The actual value was set to 0, which denies any request from the standard account to elevate an application. I am almost certain that this DWORD value was changed to 0 by some malware that made its way onto the system. The idea would be that utilities such as Process Explorer, Process Monitor, Autoruns, etc. would be blocked. Additionally, without the ability to run the Windows Task Manager elevated, the user would only be able to view user processes, not examine system processes or services, not stop services, and not launch the Resource Monitor. Also, without the ability to elevate regedit, changes could not be made to the registry to manually clean it. To correct this, you would need to log on to the system with an Admin account and then modify the registry, which by itself is no real challenge. But, when confronted with all the ways malware will try to hijack the OS, this is another barrier that needs to be dealt with before complete removal is achieved.
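As an added example (not part of the original post), the following PowerShell audits the ConsentPromptBehaviorUser value described above and, when it finds the denying value of 0, restores the default of 3. Run it from an elevated session on the Admin account, as the post describes; the function names are my own, and an absent value is treated as "Windows built-in default".

```powershell
# Added example, not from the original post: audit and restore the UAC
# ConsentPromptBehaviorUser setting that blocks "Run as administrator"
# for standard users when set to 0.
$Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$Name    = 'ConsentPromptBehaviorUser'
$Default = 3   # default per the post; 0 denies all elevation requests

function Get-ConsentPromptBehaviorUser {
    # Returns the current DWORD, or $null when the value is absent
    # (Windows then falls back to its built-in default behaviour).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Test-ConsentPromptBehaviorUser {
    # Returns $true when the setting permits elevation, $false when it denies it.
    $current = Get-ConsentPromptBehaviorUser
    if ($null -eq $current) {
        Write-Host "$Name is not set; Windows uses its built-in default."
        return $true
    }
    if ($current -eq 0) {
        Write-Warning "$Name = 0: standard users cannot elevate ('blocked by group policy')."
        return $false
    }
    Write-Host "$Name = $current"
    return $true
}

function Restore-ConsentPromptBehaviorUser {
    # Writes the default back; -WhatIf only reports what would change.
    param([switch]$WhatIf)
    $current = Get-ConsentPromptBehaviorUser
    if ($current -eq $Default) { Write-Host "Already at default ($Default)."; return }
    if ($WhatIf) { Write-Host "Would set $Name to $Default (currently $current)."; return }
    Set-ItemProperty -Path $Path -Name $Name -Value $Default -Type DWord
    Write-Host "Restored $Name to $Default (was $current)."
}

# Audit first; remediate only when the denying value is present.
if (-not (Test-ConsentPromptBehaviorUser)) {
    Restore-ConsentPromptBehaviorUser -WhatIf   # drop -WhatIf to apply the fix
}
```

Because the value lives under HKLM, a standard user can read it but only an administrator can change it, which is why the fix has to be applied from the Admin account.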