Case of the Broken UAC Prompt – Extended Attributes are Inconsistent

One day while happily working away on my liquid cooled Windows Developer Preview beast I came across this error when launching regedit:

[Image: the error message dialog]

Pretty quickly I found every program that tried to elevate to Administrative privileges had this problem. The UAC prompt to click Yes/No appeared very briefly then was rapidly replaced with this error message. Unfortunately this also applied to my beloved ProcMon.

So what to do?

First, to find out to whom the dialog box belonged. Using Process Explorer (http://live.sysinternals.com/ProcExp.exe) and its feature to drag a target over a window to identify the owning process, I found out the message box belonged to cmd.exe if run from Command Prompt, or Explorer.exe if launched from Explorer.

As WinDbg doesn’t require admin privilege (for limited user mode debugging of non-elevated processes) it was my debugging tool of choice. WinDbg is included in Windows SDK, which is available for free download here http://www.microsoft.com/download/en/details.aspx?id=8279

I first opened C:\windows\system32\cmd.exe using File –> Open Executable


I wanted to ensure any child processes got debugged as well, so I ran the command

.childdbg 1

I then hit g to make the debugger go. Each time a new process starts you will see a message like

ntdll!RtlUserThreadStart:
000007fb`a5323c64 4883ec48        sub     rsp,48h

You will need to hit g again to continue further. I then launched regedit from my debugged cmd.exe. Now there are a few potential types of message boxes in Windows, so to make it easy to find out which one was being used, when I got the error message dialog box I hit ‘Break’ on the debugger and typed

!analyze -v -hang

In the stack trace I found the function that generated the message box, so I set a breakpoint for it:

bp SHELL32!SHSysErrorMessageBox

(don’t worry about the “could not resolve” error message here)

and typed

.restart

on my process, which showed me the following:

<modules loading etc here>

Breakpoint 0 hit
SHELL32!SHSysErrorMessageBox:
000007fb`a342fb60 fff3            push    rbx
0:000> kv <- stack trace, find what functions got called before message box
Child-SP          RetAddr           : Args to Child                                                           : Call Site
00000056`e904dfe8 000007fb`a349fe8d : 00000000`0000104c 00000000`0000007f 00000056`e92b74c0 00000000`000000ff : SHELL32!SHSysErrorMessageBox
00000056`e904dff0 000007fb`a33d216e : 00000056`e927fea0 00000000`00230e74 00000000`000000ff 00000000`00000000 : SHELL32!_ExecErrorMsgBox+0x23d
00000056`e904f0b0 000007fb`a32ee389 : 00000056`e904f1f0 00000056`e904f1f0 00000000`00000000 00000000`00000000 : SHELL32!CShellExecute::_DoExecute+0x33f
00000056`e904f130 000007fb`a32ee29d : 00000056`e927fea0 00000000`00008140 00000000`00000000 00000056`e904f1f0 : SHELL32!CShellExecute::ExecuteNormal+0x95
00000056`e904f160 000007fb`a32ee214 : 00000056`e904f1f0 000007fb`a37743e0 00000056`e904f1f0 00000056`e904f080 : SHELL32!ShellExecuteNormal+0x4d
00000056`e904f190 000007fb`99322faa : 00000000`00000000 00000000`00000000 00000000`00000000 00000056`e904f080 : SHELL32!ShellExecuteExW+0x54
00000056`e904f1c0 000007f6`ca0e5429 : 00000056`e9277b30 00000056`e927a300 00000056`e92755f0 000007f6`ca12d360 : fsutilext!ShellExecuteWorker+0x7e
00000056`e904f270 000007f6`ca0e5a3b : 00000056`e927bd50 00000000`00000000 00000056`e9261820 00000056`e92755f0 : cmd!ExecPgm+0x5b0
00000056`e904f530 000007f6`ca0e8158 : 00000000`00000000 00000056`e9261820 00000000`00000000 00000056`e9261820 : cmd!ECWork+0xd7
00000056`e904f790 000007f6`ca0e1306 : 00000000`0000de5c 00000056`e9261820 00000000`00000000 000007f6`ca0e16a1 : cmd!FindFixAndRun+0x54e
00000056`e904fc30 000007f6`ca10beb0 : 00000056`e9261820 000007f6`ca113890 00000056`e9261820 00000000`000000ff : cmd!Dispatch+0xab
00000056`e904fce0 000007f6`ca0f3a68 : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!_chkstk+0x50c6
00000056`e904fd40 000007fb`a2f23cdc : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : cmd!Handler+0x291
00000056`e904fd80 000007fb`a5323c85 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x18
00000056`e904fdb0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x1d
0:000> !gle <- get last error
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\oca.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\winxp\triage.ini, error 2
TRIAGER: Could not open triage file : C:\Program Files (x86)\Windows Kits\8.0\Debuggers\x64\triage\user.ini, error 2
LastErrorValue: (Win32) 0x7f (127) – The specified procedure could not be found.
LastStatusValue: (NTSTATUS) 0xc0000139 – {Entry Point Not Found}  The procedure entry point %hs could not be located in the dynamic link library %hs.

While this was all well and interesting, there was some important information missing: primarily, nothing from consent.exe. Unfortunately there was no way I was going to be able to debug that as a standard user because I was not admin…D’oh!

So I restarted the PC and pressed F8 to enter safe mode. I then logged in with a local administrator account and, as safe mode is free of UAC prompts, could happily set User Account Control Settings to Never Notify.

Warning! Using this setting is not recommended and will increase risk of nasty software doing bad things to your PC.

Restarting back into regular Windows I could now launch programs as admin. I launched a command prompt as Admin and reset UAC back to the previous setting.


I then went back to my comfort zone of ProcMon (http://live.sysinternals.com/ProcMon.exe)

I set a filter to include the following processes:

  • cmd.exe
  • consent.exe
  • regedit.exe

I also set a filter on Operation is Load Image as I wanted to look for 3rd party code being loaded.


Sure enough, we find some perfect suspects. 3rd party codecs were being loaded. These codecs had been installed a few days before from an open source program, Audacity, and the separate download, Lame MP3 Encoder Pack.


I then brought out the tool that must not be left at home. Ever. AutoRuns (http://live.sysinternals.com/AutoRuns.exe). AutoRuns can disable/enable pretty much any possible location for code to start up within Windows: drivers, services, codecs, etc. It has it all. You can also analyse offline systems such as a mounted WIM, or an unbootable partition from within Windows PE.

I disabled all codecs at first, then enabled one-by-one to find the culprit. I found two caused the issue:

  • msacm.avis
  • msacm.lameacm

Disabling these and UAC was back in all its glory.

But why is Windows loading codecs for the UAC consent dialog?

The codecs are loaded because consent.exe plays a sound effect, which required a codec to decode the audio file.

In fact I found I can also re-enable all my codecs and disable Windows Sounds, and UAC prompt will still work. Peace at last.
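
The codec hunt above can also be done from a script. The following is an added example, not part of the original post: it lists the audio/video codec entries (such as msacm.avis and msacm.lameacm) and the publisher of each DLL. It assumes the entries are registered under the Drivers32 registry key, which the post does not name, and that bare file names resolve against the system directory; Resolve-CodecPath is a helper name made up for this example.

```powershell
# Added example: inventory ACM/VFW codec registrations (msacm.*, vidc.*) and their publishers.
# Assumption: entries live under Drivers32; bare file names resolve against the system directory.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32'
)

function Resolve-CodecPath {
    param([string]$Value, [bool]$Wow64)
    $expanded = [Environment]::ExpandEnvironmentVariables($Value)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    $sysDir = if ($Wow64) { 'SysWOW64' } else { 'System32' }
    return (Join-Path (Join-Path $env:SystemRoot $sysDir) $expanded)
}

$results = foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }   # WOW6432Node is absent on 32-bit Windows
    $wow64 = $key -like '*WOW6432Node*'
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notmatch '^(msacm|vidc)\.') { continue }
        $path    = Resolve-CodecPath -Value ([string]$p.Value) -Wow64 $wow64
        $company = $null
        $sig     = 'FileMissing'
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            # Older PowerShell versions can report catalog-signed Windows files as NotSigned.
            $sig = [string](Get-AuthenticodeSignature -FilePath $path).Status
        }
        [pscustomobject]@{
            Entry      = $p.Name
            Bitness    = if ($wow64) { '32-bit' } else { '64-bit' }
            File       = $path
            Company    = $company
            Signature  = $sig
            # Heuristic only: CompanyName is self-declared version metadata, not proof of origin.
            ThirdParty = ($company -notmatch 'Microsoft')
        }
    }
}

# Third-party entries sort to the top; these are the candidates to disable one by one.
$results | Sort-Object ThirdParty, Entry -Descending | Format-Table -AutoSize
```

Reading HKLM needs no elevation, so this runs as a standard user even while the UAC prompt is broken.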


About chentiangemalc

specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

39 Responses to Case of the Broken UAC Prompt – Extended Attributes are Inconsistent

  1. siegfre says:

    Thank you, this was extremely helpful. I was having this same issue on the consumer preview.

  2. angeloogle says:

    omg same issue here on Windows 7 x86. Thanks!

  3. Spanko says:

    Totally saved me – upgraded to Win8 and was about to boot into safe mode to nerf UAC. Turning off sounds – very clever.

  4. Slam says:

    Thank you. Have got the same issue after upgrade from Windows 7 to Windows 8 RTM :(

  5. ranmas says:

    no need to disable all sounds, just the windows user account control sound is all that you need to disable and everything will be good.

  6. Chris H says:

    Hi there I have no idea how to do this, is there a possibility for a youtube video maybe? thanks a lot. I can’t run ANY programs and its really frustrating..

    • yeah i may start doing some videos. but as I am usually here showing the technical details of how to identify cause of problem … it may be easier if you jump straight to turning off Windows sound notification for UAC prompt. This can be done by hitting Windows key+E -> In the computer section select “Control Panel” -> In control panel search bar (top right) type ‘Sound’ -> select “Change system sounds” -> select “Windows User Account Control” and change the sound to (none) then click OK

  7. J Dov says:

    Thanks, this helped a lot. I was in autorun disabling some stuff when it said I needed to run as administrator and could not, so I didn’t know wth, but after reading this I just turned off UAC, then I could use autorun again to fix everything, so thanks a lot

  8. Eichenschildt says:

    Thanks very much from Germany.
    You made my day.

  9. Hrulik says:

    Man, you saved my life, thank you!

  10. Qualcuno says:

    Sir, you’re a lifesaver. It’s incredible that is enough to disable the sound assigned to the UAC event.

  11. James Southward says:

    Thank You!!! No other post on this subject has anything remotely useful (SFC or System Restore or ReInstall OS are all they suggest) Now to identify which codec is the problem….

  12. Satya says:

    Thank you, this was extremely helpful.

  13. dnagent009 says:

    You’ve saved my day! I thought it was some viruses

  14. Bert says:

    Thanks, had the same problem

  15. Allan says:

    Has worked for me – Thanks

  16. Peter says:

    Thanks , you saved my day !! Microsoft and bandicam did not bother much about…

  17. rvox says:

    THIS is why i love the internet. Shared knowledge and help from each other. The only way is up! Thank you!

  18. Came in handy, thanks. My only suggestion would be to put the solution at the top, for Googlers like myself. That said, I loved the step-by-step, and I’ll be coming back later to try this myself. :-)

  19. fruitlai says:

    having problem when open WinDbg (the extended attributes are inconsistent ). this is new laptop. anyone can help =( ?

  20. Aybe says:

    Thanks a lot !

  21. ramees says:

    you are brilliant and thanks

  22. Mateo says:

    This error message popped up for me recently and I too have noticed nothing with administrative privileges will work (I have Windows 7). I have tried disabling the sound, both for the UAC specifically as well as all sounds, but neither have resolved the issue. Any other suggestions? Or did I do something wrong?

  23. regexaurus says:

    In my case, it was a matter of unchecking “Windows Logon Security” in HP ProtectTools Administrative Console (Applications > Settings). This was HP ProtectTools Security Manager 6.08.1017 on a ProBook 5330m. Unchecking that precludes use of the fingerprint reader to sign on or at a UAC prompt, at least via ProtectTools.
    During troubleshooting, I found it helpful that I could be signed on as a normal user, open a command prompt, and use ‘runas /user:%computername%\administrator cmd’ to open a new command prompt as a local administrator and bypass UAC. From this elevated command prompt, I could kick off ProcMon, AutoRuns, etc, in an administrative context, yet avoid the problematic UAC prompt.

  24. kengchau says:

    Thanks, you saved my life too.

  25. Just upgraded to Windows 10 and the problem is still there

  26. MarkRob says:

    This article was extremely helpful after an upgrade of win 7 to 10. Explorer would constantly crash when accessing files on the drives. Later I noticed the “Extended Attributes are Inconsistent” errors and found this article. It did indeed turn out to be caused by previously installed Codecs which had prior to the Win10 upgrade not caused any errors.
    Thank you so much for the help.

  27. AM says:

    Strangely, I had the same problem as well after doing the upgrade from Windows 7 to Windows 10. But for me it was not these codecs (I have them still installed), but the ‘vstmididrv.dll’ which is part of the BASS MIDI and VST MIDI packages.

  28. AM says:

    Oh, btw: It is not enough to switch off the UAC sound. Other programs may trigger this behaviour, too, when playing sounds. Here it was Directory Opus and FreeFileSync.

  29. Brilliant tip! Thanks for the post.

  30. Joe Blow says:

    You are brilliant! Happened on virtual 2012R2 Server running ShoreTel. Someone must have installed Audacity on the server at some point… Bad bad!

  31. AntonK says:

    Thanks for sharing the guidelines! Nice approach! :)
    Unfortunately it didn’t work in my case (Windows 7 64-bit SP1): I had the error “The extended attributes are inconsistent” popping up for every ordinary (standard) user when he/she gets own privileges elevated. And luckily no such error occurs for the Administrator.
    Disabling the sound of UAC notification (both for ordinary user, and for Administrator) has no effect.

    • AntonK says:

      I’ve finally fixed the issue on my PC! The problem was caused by a recently installed software, so I sorted them by date and uninstalled the ones I don’t need any longer, here they are:
      1) Point Cloud Library pre-build binaries
      2) OpenNI (was installed as a part of PCL)
      3) PrimeSense drivers for OpenNI (I guess, this could be the cause)
      BTW digging through Process Monitor was useless in my case – there were no suspects there.
      So the approach is: hunt for the recently installed software and pray it would clean up its remnants :)
