A Windows 7 "WTF?" problem - anybody know what causes this?

[40hz]

I've just run into this problem with the second client in about the last 4 months. I was wondering if anybody knows what might be causing this:

Symptoms:

This is an issue with permissions.

Without warning, the default user with administrative elevation rights is suddenly no longer able to install anything - or run most programs - EXCEPT using the "Run as Administrator" option under Windows 7 Pro.

Additional info:

a) The system has been checked for both malware and rootkits, and has been reported  as being 'clean' after using multiple anti-malware/spyware scanners in both normal and safe mode bootups.

b) The system has been checked and does not have the infamous KB2823324 installed

c) The user profile does not appear to be corrupted

d) The user profile is flagged as an Administrator

e) The machine is current with all Windows critical updates

f) No new apps or app updates have been recently installed

g) Completely disabling UAC is not an acceptable option

Possible smoking gun:

Both affected machines were runing AVG AntiVirus 2013 - although so is every other machine in both client offices. No other machines experienced the symptoms either of the problem machines were experiencing.

Current workaround:

Going back a restore point (or two) has fixed the problem in both cases

---------------------------------



That's about it. No weirdness I can spot - other than this problem - which starts happening without warning. I'm fairly certain it involves some issue with the user profile although I wasn't able to diagnose anything wrong with the profiles on either machine. Just plain weird.

So...anybody know what might be causing this?

[Stoic Joker]

Is user account domain or LM admin?

Are Application Policies being used?

IIRC there is an auto elevate install option in GP but I do not recall where it is. Have you run an RSOP to see if anything (in LM policy) looked hinkey?

I've never used/recommended AVG - actually have a shoot on sight policy - and have never run across this issue (Just an observation).

[Curt]

I had the same problem a couple of months ago. Not understanding why, I "solved" it by removing the last two installed programs AND updating my security program's installation files - and didn't think about it again, until now.

However, I have another "WTF" problem, which I imagine began right after an automatic update from Microsoft in the middle of May, causing unstable USB Charger and mouse performances (which is odd, because the charger is only handling the wireless keyboard, not the wired mouse). Can the beginning of your reported problem maybe be dated to an automatic update?

/64-bits Windows 7 Home Premium

[40hz]

Can the beginning of your reported problem maybe be dated to an automatic update?

-Curt (June 07, 2013, 04:45 PM)

Possible, with AVG being the most likely culprit. Will have to check that out.

Is user account domain or LM admin?

-Stoic Joker (June 07, 2013, 01:46 PM)

It's LM for both. These guys use an open source NAS box without a domain for filesharing.

Are Application Policies being used?

AFAIK they're using Windows policy vanilla defaults since the only person who does have enough systems knowledge to even know what a policy is said she hasn't touched anything.

IIRC there is an auto elevate install option in GP but I do not recall where it is. Have you run an RSOP to see if anything (in LM policy) looked hinkey?

Good call! Will need to try that.

I've never used/recommended AVG - actually have a shoot on sight policy - and have never run across this issue (Just an observation).

I have used AVG. And I too have a shoot on sight policy regarding it.

Ditto for most of the other "all-in-one plus snazzy-interface" security suites. My experiences with them consistently rams home the message: Less is More. I still prefer the old warhorse "do one thing well" AV utilities - and I've currently standardized on Bitdefender as my AV recommendation for all my clients.
 

[worstje]

You may want to try running Process Monitor as an Administrator on one of the affected boxes, and then reproduce the issue. (Of course, that is assuming that the Event Log doesn't have a more helpful message than you have already shared with us.)