What does a UAC admin prompt with no accounts listed mean?

Discussion in 'Windows Vista Security' started by Keith Patrick, Mar 26, 2007.

  1. I've been stuck on this issue all weekend, have calls into MS tech support,
    etc, because basically I'm locked out of any admin tasks. The problem I'm
    having is that the UAC prompt that says I need to enter an admin password to
    continue doesn't actually list any accounts. This happened after I reverted
    my regular account from admin to standard (there still is a built-in
    Administrator account listed in Computer Management).
    So as a result, I can't do any administrator activities (like turning off
    UAC or reinstalling the OS)...and because Vista disables my MS (Natural
    4000) keyboard during startup, I cannot enter Safe Mode, either.

    So I've given up trying to find a way around UAC. Now I'm focusing on
    getting an admin account to show up the UAC list. Anyone know how to do
    this? It does look like the Administrator account is disabled, but why would
    Vista allow this to lock out admins, since it wouldn't allow the last admin
    account to be deleted, but that's what's effectively happened.


    BTW: I've also tried to write a .Net client to impersonate the
    administrator, but when it's worked, it still lists my user as being the
    non-admin, even though it won't show an error.
     
    Keith Patrick, Mar 26, 2007
    #1
    1. Advertisements

  2. Keith

    You need to get into Safe Mode, which should allow you to use the built-in
    admin account, since it is the only admin
    account on the system. Get a standard keyboard, if you don't have one handy,
    buy a cheap one. You can get them for well under ten dollars. Plug it into
    the PS port and try to get into safe mode.

    Once you are in there, create a password for the built-in admin account. I
    would also create another admin account with a password to be used in case
    you need it.
     
    Ronnie Vernon MVP, Mar 26, 2007
    #2
    1. Advertisements

  3. After talking with several people at Microsoft tech support, it means that I
    removed my non-built-in admin via the MMC, which, unlike the User Account
    applet, does not stop you if there are no other active, non-hidden admins.
    Tech support said that it *should* see this and fall back to some admin
    account, but I've got a Media Center Extender account (my 360 requested that
    it be created, and for some reason, it needs to be an administrator) which
    is not available to the Welcome screen but UAC doesn't check for the hidden
    aspect; only the disabled aspect.

    What they're telling me that so far the only answer is to perform a system
    restore, but since I didnt' reboot after this change for 2 weeks, I would
    lose a substantial amount of work.

    So this begs the question: when is MS ever going to update the MMC snap-in?
    If they could do it and have it pushed out on Windows Update in the next few
    hours, that'd be sweeeeellllllllllll.
     
    Keith Patrick, Mar 26, 2007
    #3
  4. Keith Patrick

    Tom Guest

    I have a couple of questions / suggestions.
    (1) Can you use a bootable disk (USB, etc.) to get into the system?
    (2) Do you know which file or files are missing and where they belong? If
    not, can you find out?
    (3) Worst case, do you have a second computer that you can install (add) the
    hard drive as a second one.
    Then you could use the operating system from the other computer to look at
    the contents of the hard drive that has the problems. Then you can fix the
    files or perhaps with a flashdrive you could copy the files (your
    substantial amount of work) to it and then to another computer.
    Tom
     
    Tom, Mar 27, 2007
    #4
  5. It's not any file that's messed up. The issue is twofold: first, MMC allows
    (as it did in XP) you to reduce the number of admins to 1 (the built-in).
    However, in Vista, the admin account is disabled, which leads to a problem
    that didn't show up in XP. While this is something the user is doing, for
    one Windows UI to protect the user while the other does not is an
    inconsistency. I might believe that this is by design except I don't see
    anything outside a filestamp to indicate that the user snap-in has been
    touched since Win2000 whereas the rest of Vista got the "user-friendly"
    treatment.
    The 2nd issue - the bigger one - is that while Safe Mode may normally enable
    the built-in admin account to prevent this from occurring, it will not
    enable it if there is already an enabled admin account - ANY enabled admin
    account - is on the machine. In my case, I have a Media Center Extender
    admin account ("Mcx1") that is enabled but is not visible on the Welcome
    Screen; Safe Mode should disregard this type of account because a user
    cannot interact with it. Add a second check in Safe Mode - that the enabled
    admin account also be visible on the Welcome Screen - the problem should be
    reasonably reversable in contrast to what tech support is saying now. (they
    will not even ship me a Vista DVD in spite of the fact that I purchased it
    from Microsoft Live Marketplace...tech support expects all Vista users to
    have a burnable DVD drive. Seriously, I told the guy no less than 5 times in
    a row that I didn't have a burner, and he'd keep telling me that "we" need
    to burn a DVD. after 3 times of telling him that "we" don't have a burner, I
    started yelling it at the guy. To his credit, he didn't hang up (and they're
    still not worse than the absolute worst - Best Buy), but I was literally at
    hour 6 of tech support calls with Microsoft by that point.
     
    Keith Patrick, Mar 27, 2007
    #5
  6. There's a loophole in the Safe Mode method that was found out while on the
    phone to someone at Microsoft (some escalated level of support who wound up
    solving things). Basically, because I have an Xbox 360, it has a hidden
    admin account on the Vista machine (the 360 is a MC extender). When Safe
    Mode boots up, it sees that there is an enabled admin account on the machine
    and therefore does not enable the built-in Administrator.

    The solutions are basically a reinstall or (because my machine did not have
    any system restore points...not even Vista's initial install) in my case, I
    sent in my SAM file to Microsoft, who were able to remove the MCE admin
    account, I went back into WinRE and replaced my SAM with that one. The only
    downside is that I have to reconnect my 360 to my machine, but that is a
    very trivial downside considering the alternatives.
     
    Keith Patrick, Mar 27, 2007
    #6
  7. On Tue, 27 Mar 2007 02:07:46 -0500, "Keith Patrick"

    Thanks for explaining what I see as a BUG in Vista...
    Looks like a "assed < fully" implimentation bug...
    Ouch. Er... get a DVD writer ;-)

    Now that Vista ships on DVD and DVD writers are ubiquitous and cheap,
    there's only one reason to delay getting a DVD writer (IMO, new PCs
    should ship with DVD writers, period).

    That reason is current DVD writers still ship with Nero Express 6,
    which is STILL not Vista-ready.

    If anyone knows a DVD writer brand (other than Sony) that ships with
    Vista-ready bundleware, doooo let me know pleeease!

    Here's a possible way to get into Safe Mode in Vista... but <ahem" you
    prolly need admin-rights Regedit :-/

    Safe Mode Cmd Only is internally referred to as "Safe Mode Alternate
    Shell". Settings that control Safe Mode reside in...

    HKLM\System\ControlSet???\SafeBoot

    ....or similar (this is from memory, and my memory would fail
    MemTest86). Most of this is protected against casual editing and
    programmatic changes, with one notable exception; the Alternate Shell
    value, which can be set to point to something other than Cmd, or
    invalidated altogether by pointing it to something that doesn't exist.

    If invalidated, then Safe Cmd will boot using Windows Explorer as
    shell, in what appears to be a "system account" context (i.e. files
    written to "desktop" appear in AllUsers desktop).


    Vista has a mOS at least, unlike XP; the Vista DVD (er...) will boot
    into a maintenance command prompt that is akin to (if not exactly
    identical to) WinPE or WinRE.

    The flipside is that XP-based Bart will not see Vista's registry hives
    via RunScanner.

    The downside is that Vista's mOS toolset lacks an equivalent to
    Paraglider's RunScanner plugin for Bart, so you'd have to manually
    load the HD installation's hives to RegEdit to edit them.

    Still - it's worth a try. What a really crappy bug, tho - reminds me
    of "unsupported" (unsupportable) "Previous Version of MS-DOS" in Win95
    SR2, where the system would offer this via the UI, boot into it
    successfully (assuming no MS-DOS vs. FAT32 issues) but then be utterly
    unable to return to Win95 or Win95 DOS mode thereafter.


    Tech Support: The guys who follow the
    'Parade of New Products' with a shovel.
     
    cquirke (MVP Windows shell/user), Mar 27, 2007
    #7
  8. Got it fixed today. It involved emailing my SAM file to someone at Microsoft
    for fixing and then going into WinRE to replace it. Definitely not a
    recommended path for most, but I was in a real bad bind with this issue (had
    a major deadline that this impacted + my machine just so happened to lack
    every single fallback available)
     
    Keith Patrick, Mar 28, 2007
    #8
  9. On Tue, 27 Mar 2007 19:44:51 -0500, "Keith Patrick"
    It's a LOT better than "just" doing a re-install!


    Tech Support: The guys who follow the
    'Parade of New Products' with a shovel.
     
    cquirke (MVP Windows shell/user), Mar 28, 2007
    #9
  10. Sure, but as was explained to me, it's not a general practice of tech
    support to work with a customer to send a machine's SAM file to MS for
    tweaking and then replacing. It's a very isolated case (andmost user
    scenarios would have one of the fallbacks available...the toxic combination
    is: having a Media Center edition of Vista, demoting your user via Computer
    Management instead of Control Panel, buying Vista electronically, owning
    just a DVD reader, having System Restore off (although I don't recall ever
    disabling it on XP and I distinctly remember using it at least twice on XP),
    AND having a Media Center Extender setup on the Vista machine), and swapping
    out the SAM file from WinRE is on par with hacking the local machine
    registry key.

    I'm really hoping I see this show up as a fix in the first SP fix list (IMO,
    Safe Mode needs to ensure that any admin accounts it finds are visible to
    the Welcome screen before deciding not to enable the built-in admin account,
    and also the MMC snap-in needs to be updated to protect the user in the same
    way the control planel applet does)
     
    Keith Patrick, Mar 28, 2007
    #10
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.