Case of the Broken UAC Prompt – Extended Attributes are Inconsistent

One day while happily working away on my liquid cooled Windows Developer Preview beast I came across this error when launching regedit:


Pretty quickly I found every program that tried to elevate to Administrative privileges had this problem. The UAC prompt to click Yes/No appeared very briefly then was rapidly replaced with this error message. Unfortunately this also applied to my beloved ProcMon.

So what to do?

First, to find out to whom the dialog box belonged. Using Process Explorer (http://live.sysinternals.com/ProcExp.exe) and its feature to drag a target over a window to identify the owning process, I found that the message box belonged to cmd.exe when regedit was run from a Command Prompt, or to Explorer.exe when it was launched from Explorer.

As WinDbg doesn't require admin privileges (for user-mode debugging of non-elevated processes) it was my debugging tool of choice. WinDbg is included in the Windows SDK, which is available for free download here: http://www.microsoft.com/download/en/details.aspx?id=8279

I first opened C:\windows\system32\cmd.exe using File -> Open Executable


I wanted to ensure any child processes got debugged as well, so I ran the command

.childdbg 1

I then hit g to make the debugger go. Each time a new process starts you will see a message like

ntdll!RtlUserThreadStart:
000007fb`a5323c64 4883ec48        sub     rsp,48h

You will need to hit g again to continue further. I then launched regedit from my debugged cmd.exe. There are a few possible types of message box in Windows, so to make it easy to find out which one was being used, when the error dialog appeared I hit 'Break' in the debugger and typed

!analyze -v -hang

In the stack trace I found the function that generated the message box, so I set a breakpoint for it:

bp SHELL32!SHSysErrorMessageBox

(don't worry about the "could not resolve" error message here)

and typed

.restart

to restart the process, which showed me the following:

<modules loading etc here>

Breakpoint 0 hit
SHELL32!SHSysErrorMessageBox:
000007fb`a342fb60 fff3            push    rbx
0:000> kv <- stack trace, find what functions got called before message box
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000056`e904dfe8 000007fb`a349fe8d : 00000000`0000104c 00000000`0000007f 00000056`e92b74c0 00000000`000000ff : SHELL32!SHSysErrorMessageBox
00000056`e904dff0 000007fb`a33d216e : 00000056`e927fea0 00000000`00230e74 00000000`000000ff 00000000`00000000 : SHELL32!_ExecErrorMsgBox+0x23d
00000056`e904f0b0 000007fb`a32ee389 : 00000056`e904f1f0 00000056`e904f1f0 00000000`00000000 00000000`00000000 : SHELL32!CShellExecute::_DoExecute+0x33f
00000056`e904f130 000007fb`a32ee29d : 00000056`e927fea0 00000000`00008140 00000000`00000000 00000056`e904f1f0 : SHELL32!CShellExecute::ExecuteNormal+0x95
00000056`e904f160 000007fb`a32ee214 : 00000056`e904f1f0 000007fb`a37743e0 00000056`e904f1f0 00000056`e904f080 : SHELL32!ShellExecuteNormal+0x4d
00000056`e904f190 000007fb`99322faa : 00000000`00000000 00000000`00000000 00000000`00000000 00000056`e904f080 : SHELL32!ShellExecuteExW+0x54
00000056`e904f1c0 000007f6`ca0e5429 : 00000056`e9277b30 00000056`e927a300 00000056`e92755f0 000007f6`ca12d360 : fsutilext!ShellExecuteWorker+0x7e
00000056`e904f270 000007f6`ca0e5a3b : 00000056`e927bd50 00000000`00000000 00000056`e9261820 00000056`e92755f0 : cmd!ExecPgm+0x5b0
00000056`e904f530 000007f6`ca0e8158 : 00000000`00000000 00000056`e9261820 00000000`00000000 00000056`e9261820 : cmd!ECWork+0xd7
00000056`e904f790 000007f6`ca0e1306 : 00000000`0000de5c 00000056`e9261820 00000000`00000000 000007f6`ca0e16a1 : cmd!FindFixAndRun+0x54e
00000056`e904fc30 000007f6`ca10beb0 : 00000056`e9261820 000007f6`ca113890 00000056`e9261820 00000000`000000ff : cmd!Dispatch+0xab
00000056`e904fce0 000007f6`ca0f3a68 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!_chkstk+0x50c6
00000056`e904fd40 000007fb`a2f23cdc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!Handler+0x291
00000056`e904fd80 000007fb`a5323c85 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x18
00000056`e904fdb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
0:000> !gle <- get last error
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\oca.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\winxp\triage.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\user.ini, error 2
LastErrorValue: (Win32) 0x7f (127) - The specified procedure could not be found.
LastStatusValue: (NTSTATUS) 0xc0000139 - {Entry Point Not Found}  The procedure entry point %hs could not be located in the dynamic link library %hs.

While this was all well and interesting, some important information was missing: primarily, nothing from consent.exe. Unfortunately there was no way I was going to be able to debug that as a standard user, because I was not admin... D'oh!

So I restarted the PC and pressed F8 to enter safe mode. I then logged in with a local administrator account and, as safe mode is free of UAC prompts, could happily set User Account Control Settings to Never Notify.

Warning! Using this setting is not recommended and will increase risk of nasty software doing bad things to your PC.

Restarting back into regular Windows I could now launch programs as admin. I launched a command prompt as Admin and reset UAC back to the previous setting.


I then went back to my comfort zone of ProcMon (http://live.sysinternals.com/ProcMon.exe).

I set a filter to include the following processes:

  • cmd.exe
  • consent.exe
  • regedit.exe

I also set a filter on Operation is Load Image, as I wanted to look for 3rd party code being loaded.


Sure enough, we find some perfect suspects: 3rd party codecs were being loaded. These codecs had been installed a few days before by the open source program Audacity and the separately downloaded LAME MP3 Encoder Pack.


I then brought out the tool that must not be left at home. Ever. AutoRuns (http://live.sysinternals.com/AutoRuns.exe). AutoRuns can disable/enable pretty much any location from which code can start within Windows: drivers, services, codecs, etc., it has it all. You can also analyse offline systems, such as a mounted WIM or an unbootable partition, from within Windows PE.

I disabled all codecs at first, then enabled them one by one to find the culprit. I found two caused the issue:

  • msacm.avis
  • msacm.lameacm

Disabling these and UAC was back in all its glory.
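As an added example (not code from the original post), here is the same hunt for 3rd party codecs done from PowerShell instead of bisecting them one by one in AutoRuns' Codecs tab. It reads the Drivers32 registry keys where ACM/VCM codecs such as msacm.lameacm are registered, resolves each codec file, and reports entries whose file is missing, unsigned, or signed by someone other than Microsoft. The msacm/vidc name filter and the System32/SysWOW64 fallback for bare file names are the example's own assumptions.

```powershell
# Added example, not from the original post: audit ACM (audio) and VCM (video)
# codecs registered in Drivers32, the key AutoRuns' Codecs tab reads, and flag
# entries that are missing or not signed by Microsoft. Needs no admin rights.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'   # 32-bit codecs on x64
)

function Resolve-CodecPath {
    param([string]$Value, [bool]$Wow64)
    # Drivers32 values are usually bare file names (e.g. "lameacm.acm") that the
    # loader finds in System32 (64-bit) or SysWOW64 (32-bit view), or a full path.
    if ([System.IO.Path]::IsPathRooted($Value)) { return $Value }
    $dir = if ($Wow64) { "$env:SystemRoot\SysWOW64" } else { "$env:SystemRoot\System32" }
    return Join-Path $dir $Value
}

$report = foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $wow64 = $key -like '*Wow6432Node*'
    $item  = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        # Only codec registrations: msacm.* (audio) and vidc.* (video). Assumption.
        if ($name -notmatch '^(msacm|vidc)\.') { continue }
        $file = Resolve-CodecPath -Value ([string]$item.GetValue($name)) -Wow64 $wow64
        if (-not (Test-Path $file)) {
            [pscustomobject]@{ Entry = $name; File = $file; Status = 'MISSING'; Signer = '' }
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $file
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $status = if ($sig.Status -ne 'Valid') { $sig.Status.ToString() }
                  elseif ($signer -notmatch 'O=Microsoft Corporation') { 'THIRD-PARTY' }
                  else { 'Microsoft' }
        [pscustomobject]@{ Entry = $name; File = $file; Status = $status; Signer = $signer }
    }
}

# Third-party and missing entries sort to the top; those are the ones to try
# disabling first (AutoRuns does this by clearing the Drivers32 value).
$report | Sort-Object Status -Descending | Format-Table -AutoSize
```

Two caveats when reading the output: on older PowerShell versions, Microsoft's own catalog-signed codecs in System32 can show as NotSigned rather than Valid, so the interesting rows are the ones with a non-Microsoft signer or a file living outside System32/SysWOW64; and a codec that passes this check can still be the one consent.exe trips over, so the signer report narrows the bisection rather than replacing it.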

But why is Windows loading codecs for the UAC consent dialog?

The codecs are loaded because consent.exe plays a sound effect, which requires a codec to decode the audio file.

In fact I found I can also re-enable all my codecs and disable Windows Sounds, and the UAC prompt will still work. Peace at last.
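As an added example (not from the original post), the narrower version of this fix that the comment thread below describes, silencing only the "Windows User Account Control" sound rather than all Windows sounds, done from PowerShell with a backup so it can be reverted. The registry names WindowsUAC and .Current under HKCU\AppEvents are what the example assumes the event is registered as; it prints the event label first so you can confirm the right event before anything is changed.

```powershell
# Added example, not from the original post. Silences only the UAC prompt sound
# for the current user by blanking the per-user sound assignment, and restores it.
# Assumption: the UAC sound event is registered under HKCU\AppEvents as "WindowsUAC".

$labelKey   = 'HKCU:\AppEvents\EventLabels\WindowsUAC'
$currentKey = 'HKCU:\AppEvents\Schemes\Apps\.Default\WindowsUAC\.Current'
$backupFile = Join-Path $env:USERPROFILE 'uac-sound-backup.txt'

function Get-UacSound {
    # Returns the .wav currently assigned to the UAC event; '' means "(None)".
    if (-not (Test-Path $currentKey)) { throw "Key not found: $currentKey" }
    return [string](Get-ItemProperty -Path $currentKey).'(default)'
}

function Disable-UacSound {
    # Show the human-readable label so the operator can confirm the right event.
    $label = (Get-ItemProperty -Path $labelKey -ErrorAction Stop).'(default)'
    Write-Host "Event label: $label"
    $old = Get-UacSound
    if ($old -eq '') { Write-Host 'UAC sound is already (None); nothing to do.'; return }
    Set-Content -Path $backupFile -Value $old -NoNewline
    # An empty default value is what the Sound control panel writes for "(None)".
    Set-ItemProperty -Path $currentKey -Name '(default)' -Value ''
    Write-Host "UAC sound disabled; previous value '$old' saved to $backupFile"
}

function Restore-UacSound {
    if (-not (Test-Path $backupFile)) { throw "No backup found at $backupFile" }
    $old = Get-Content -Path $backupFile -Raw
    Set-ItemProperty -Path $currentKey -Name '(default)' -Value $old
    Write-Host "UAC sound restored to '$old'"
}

Disable-UacSound
```

Because the change lives under HKCU it needs no elevation, which matters here since elevation is exactly what is broken; run Restore-UacSound once the offending codec has been removed or updated, so the codec fix rather than the silenced sound is what you rely on going forward.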


About Malcolm McCaffery

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.
This entry was posted in Debugging, ProcMon, SysInternals, Windows 8.

28 Responses to Case of the Broken UAC Prompt – Extended Attributes are Inconsistent

  1. siegfre says:

    Thank you, this was extremely helpful. I was having this same issue on the consumer preview.

  2. angeloogle says:

    omg same issue here on Windows 7 x86. Thanks!

  3. Spanko says:

    Totally saved me – upgraded to Win8 and was about to boot into safe mode to nerf UAC. Turning off sounds – very clever.

  4. Slam says:

    Thank you. Have got the same issue after upgrade from Windows 7 to Windows 8 RTM :(

  5. ranmas says:

    no need to disable all sounds, just the windows user account control sound is all that you need to disable and everything will be good.

  6. Chris H says:

Hi there, I have no idea how to do this, is there a possibility for a YouTube video maybe? Thanks a lot. I can't run ANY programs and it's really frustrating..

    • Yeah, I may start doing some videos. But as I am usually here showing the technical details of how to identify the cause of a problem... it may be easier if you jump straight to turning off the Windows sound notification for the UAC prompt. This can be done by hitting Windows key+E -> In the Computer section select "Control Panel" -> In the Control Panel search bar (top right) type 'Sound' -> select "Change system sounds" -> select "Windows User Account Control" and change the sound to (None), then click OK.

  7. J Dov says:

    Thanks, this helped a lot. I was in AutoRuns disabling some stuff when it said I needed to run as administrator and could not, so I didn't know WTH, but after reading this I just turned off UAC, then I could use AutoRuns again to fix everything, so thanks a lot.

  8. Eichenschildt says:

    Thanks very much from Germany.
    You made my day.

  9. Hrulik says:

    Man, you saved my life, thank you!

  10. Qualcuno says:

    Sir, you're a lifesaver. It's incredible that it is enough to disable the sound assigned to the UAC event.

  11. James Southward says:

    Thank you!!! No other post on this subject has anything remotely useful (SFC or System Restore or reinstall the OS are all they suggest). Now to identify which codec is the problem....

  12. Satya says:

    Thank you, this was extremely helpful.

  13. dnagent009 says:

    You’ve saved my day! I thought it was some viruses

  14. Bert says:

    Thanks, had the same problem

  15. Allan says:

    Has worked for me – Thanks

  16. Peter says:

    Thanks, you saved my day!! Microsoft and Bandicam did not bother much about...

  17. rvox says:

    THIS is why I love the internet. Shared knowledge and help from each other. The only way is up! Thank you!

  18. Came in handy, thanks. My only suggestion would be to put the solution at the top, for Googlers like myself. That said, I loved the step-by-step, and I’ll be coming back later to try this myself. :-)

  19. fruitlai says:

    Having a problem when opening WinDbg (the extended attributes are inconsistent). This is a new laptop. Anyone can help =( ?

  20. Aybe says:

    Thanks a lot !

  21. ramees says:

    you are brilliant and thanks

  22. Mateo says:

    This error message popped up for me recently and I too have noticed nothing with administrative privileges will work (I have Windows 7). I have tried disabling the sound, both for the UAC specifically as well as all sounds, but neither have resolved the issue. Any other suggestions? Or did I do something wrong?
