Mugsy

Extraordinary Member
Joined
Feb 18, 2009
Messages
56
While this question has been asked before, I have yet to find a solution that I can actually use.

A virus (Lord only knows how I got it), downgraded all my Privileges even though I'm set as Administrator. In order to fix my computer, I first need to reset all Privileges back to their defaults.

The first "solution" said to install "subinacl.msi", and then run a cmd batch that calls subinacl.exe. Problem here is that "subinacl.msi" attempts to install to the System32 folder... which I naturally no longer have permission to access. Catch-22.

The second "solution" said to use "Takeown" to retake ownership of specific files & folders. But I don't have "Permission" to run "Takeown" either from the CLI.

The third "solution" says to create the "hidden" Administrator account via "net user administrator /active:yes", but (you guessed it), I don't have "permission" to do that either.

Anyone else know how to get my permissions back?
 


I will assume you have tried to do a repair install of Win 7 and it will not allow that either? You do not get UAC prompts or anything when you try to access certain files?

You also cannot type cmd in the Start Run menu, then hit CTRL+Shift+Enter to run the command prompt as admin?
 


Thanks for the reply.

The virus took out all of my Restore points and downgraded all my Permissions so I can't make any changes.

When I tried to do a repair from the DVD, the only options are "Startup Repair", which finds nothing wrong because 7 "starts up" just fine; "System Restore", which it can't do because all my Restore points were deleted; and Recover from an Image, which I didn't make because I only installed 7 a few days ago and was still configuring/installing/tweaking. When I tried to reinstall Windows on top of the existing install (like you could do in XP), the system just makes a few minor changes and then tells you to reboot and insert the CD from the Desktop. But when I do, the CD refuses to boot because "autorun.dll is either missing or corrupt" (it's neither.)

I CAN access the Run command, both from the Start menu AND via keyboard (Logo+R). The virus "hid" it, but changing the Start Menu Properties brought it right back. I can't access anything in the Windows folder from the Desktop, but I CAN run RegEdit from the Recovery Console off the DVD (one of the few things MS got right after XP.)

I tried to "Takeown" of RegEdit from the RC so "ComboFix" could access it from the desktop, but I "didn't have permission." I tried the "subinacl.exe" fix from the RC (after extracting the MSI file from XP), but the RC couldn't run it. I WAS able to execute "net user administrator /active:yes" from the RC, but when I rebooted, no Admin account had been added.

I'm hoping I can access/change Permissions from the Recovery Console, but I don't know the command. Any ideas?
 


Last edited:
Do you know what virus it is?

I believe if you accidentally delete the only administrator account on your system, you are destined for a re-install. I know of no way to get around the security in Win 7. In your case it seems a virus has done this for you, but the results seem to be the same, unless you know of something left over from your Admin rights.

Does your user still show it is an admin?
 


I was thinking, and if the virus messed with the registry, you might be able to get back by using the F8 key during boot and select "Last Known Good Configuration". This replaces the current registry with an older version--maybe.

Been doing some reading and it seems to mention you cannot delete all of the administrator accounts. If that is true and your account now shows as a standard user, perhaps the virus installed itself as an administrator.

Since I am not sure what you can or cannot run, it is hard for me to suggest anything.

Have you messed with the UAC settings?
 


If you can access the RUN, try typing netplwiz, then the Advanced tab and Advanced again. Select Users and (if it is there!) Administrator. Enable the account, log off and see if you have the Admin logon.
Also, see if you are able to create another account, through the Control Panel - User Accounts. That may well have all the normal privileges returned.
 


Last edited:
Do you know what virus it is?

I believe if you accidentally delete the only administrator account on your system, you are destined for a re-install. I know of no way to get around the security in Win 7. In your case it seems a virus has done this for you, but the results seem to be the same, unless you know of something left over from your Admin rights.

Does your user still show it is an admin?
No clue what virus it is/was or what program carried it. I had Avira Free installed at the time, which totally missed it; I also scanned my computer using the online versions of NOD32 and BitDefender, which found nothing; and this morning scanned my Win7 drive from XP using Avast, which found nothing pertinent. So I have no idea what virus or the source.

The most likely culprit: I was searching for an alternative TV Viewing program other than the included "Win Media Center" that will open a specific channel at a particular time (the most WMC can do is silent record on schedule.) Those were the only non-commercial programs I installed before this happened, from what I *thought* were trustworthy download sites. And Avira never detected anything. :(

My profile still lists me as "Administrator", yet when I try to change my privileges, everything is greyed out.
 


I was thinking, and if the virus messed with the registry, you might be able to get back by using the F8 key during boot and select "Last Known Good Configuration".
This won't solve the problem because "Last Known Good Configuration" only works when Windows won't start. Windows is starting just fine and I can do everything a person with only the most basic privileges can do.

Since I am not sure what you can or cannot run, it is hard for me to suggest anything.

Have you messed with the UAC settings?
As I noted above, I can't run RegEdit from the desktop, but I CAN run it from the Recovery Console (boot 7 from DVD). So I'm hoping that I can restore my Privileges the same way.
 


This won't solve the problem because "Last Known Good Configuration" only works when Windows won't start. Windows is starting just fine and I can do everything a person with only the most basic privileges can do.


As I noted above, I can't run RegEdit from the desktop, but I CAN run it from the Recovery Console (boot 7 from DVD). So I'm hoping that I can restore my Privileges the same way.
Last Known replaces the current registry with an older one. But once you log off and back on, I believe it resets the Old to what was the current.

You can run Regedit from the WinRE, but it will not load or allow access to the areas to change permissions, or at least that's what it looks like. Even so, using the F8 key or a Repair CD allows you to enter a password. Not sure exactly what difference it makes, but it might allow more access.

If you are still Administrator, can you open the user panel? (lusrmgr.msc)?

If you can't get into the Windows Directory, you might think about changing the ownership and then giving yourself permissions. But before you do that, maybe seeing what permissions you have currently would help show the problem.

So, right click on the Windows Folder and select properties-security. I show Administrators have "Special Permissions", which on the Advanced Tab, Effective permissions show everything checked except Full Control, Delete Subfolders and files, Change Permissions, and Take Ownership. The TrustedInstaller should be the current owner and have Special permissions with everything checked in Effective Permissions. To get Trusted Installer listed, you may need to use

NT SERVICE\TrustedInstaller

as a name to get it recognized.

If you take this one level up and look at the Windows 7 install (C: ) it should show the System and Administrators as having full control, Authenticated Users-special, and Users Read & Execute, List folder contents, and Read.

If the virus was able to basically lock you out of your system, I am not aware of how that might have happened, unless it was able to take you out of a group or change permissions on everything at once.
 

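The permission walk Saltgrass describes (owner and Allow/Deny entries on C:\Windows and on the C: root, with NT SERVICE\TrustedInstaller as the expected owner) can be done in one read-only pass rather than through the Properties dialog. The script below is an added example and is not code from this thread or from Microsoft; it assumes Windows PowerShell 3.0 or later and encodes only the expectations stated in the post above (the "at least Modify" threshold for Administrators is my reading of "everything except Full Control, Delete Subfolders and files, Change Permissions, and Take Ownership"). It changes nothing; it reports which of the described defaults no longer hold.

```powershell
# Added example: read-only ACL audit of C:\ and C:\Windows against the defaults
# described in the post above. Assumes Windows PowerShell 3.0+. Makes no changes.

function Get-AclSummary {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $rules = foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Identity = $ace.IdentityReference.Value   # e.g. BUILTIN\Administrators
            Type     = $ace.AccessControlType         # Allow or Deny
            Rights   = $ace.FileSystemRights
        }
    }
    [pscustomobject]@{ Path = $Path; Owner = $acl.Owner; Rules = $rules }
}

function Test-HasRight {
    # True if some Allow entry for $Identity grants every bit in $Right.
    param($Rules, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Right)
    $allow = $Rules | Where-Object { $_.Identity -eq $Identity -and $_.Type -eq 'Allow' }
    foreach ($r in $allow) {
        if (($r.Rights -band $Right) -eq $Right) { return $true }
    }
    return $false
}

function Test-SystemDriveDefaults {
    $findings = @()

    # C:\Windows: owner TrustedInstaller with Full Control; Administrators at least Modify.
    $win = Get-AclSummary 'C:\Windows'
    if ($win.Owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "C:\Windows owner is '$($win.Owner)', expected NT SERVICE\TrustedInstaller"
    }
    if (-not (Test-HasRight $win.Rules 'NT SERVICE\TrustedInstaller' 'FullControl')) {
        $findings += 'NT SERVICE\TrustedInstaller lacks Full Control on C:\Windows'
    }
    if (-not (Test-HasRight $win.Rules 'BUILTIN\Administrators' 'Modify')) {
        $findings += 'BUILTIN\Administrators lack Modify on C:\Windows (the symptom reported in this thread)'
    }
    $deny = $win.Rules | Where-Object { $_.Type -eq 'Deny' }
    foreach ($d in $deny) {
        $findings += "Deny entry on C:\Windows for $($d.Identity): $($d.Rights)"
    }

    # C:\ root: SYSTEM and Administrators Full Control; Users Read & Execute.
    $root = Get-AclSummary 'C:\'
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        if (-not (Test-HasRight $root.Rules $id 'FullControl')) {
            $findings += "$id lacks Full Control on C:\"
        }
    }
    if (-not (Test-HasRight $root.Rules 'BUILTIN\Users' 'ReadAndExecute')) {
        $findings += 'BUILTIN\Users lack Read & Execute on C:\'
    }

    if ($findings.Count -eq 0) { 'No deviations from the described defaults.' } else { $findings }
}

# Usage: dump the raw entries, then the findings list.
Get-AclSummary 'C:\Windows' | Select-Object -ExpandProperty Rules | Format-Table -AutoSize
Test-SystemDriveDefaults
```

Reading the security descriptor only needs READ_CONTROL, which Users normally have, so the audit works even from the downgraded account the OP describes; repairing ownership and permissions is a separate, elevated step that this script deliberately does not perform.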

If you are still Administrator, can you open the user panel? (lusrmgr.msc)?
Thanks for the reply.

When I run "lusrmgr.msc", it tells me "this snapin may not be used with this version of Windows". I'm using x64 Home.

If you can't get into the Windows Directory, you might think about changing the ownership and then giving yourself permissions. But before you do that, maybe seeing what permissions you have currently would help show the problem.
As you might expect, I don't have "Permission" to "change ownership". If I did, I don't think I'd be having this problem. :)

I can Open "C:\Windows" (and all other folders) just fine. I just can't run anything in it... even notepad.

The Permissions on the Windows folder shows that Creator Owner, System, and Administrators (in my name) all have *nothing* checked (on either side) except "Special permissions", where "Allow" is checked.

Under Users (in my name), "Read & Execute", "List Contents" and "Read" are the only things checked (Allow).

The last, "Trusted Installer", only has "list contents" checked.

In all the above cases, NOTHING is checked in the "Deny" column.

The TrustedInstaller should be the current owner and have Special permissions with everything checked in Effective Permissions. To get Trusted Installer listed, you may need to use

NT SERVICE\TrustedInstaller

as a name to get it recognized.

If you take this one level up and look at the Windows 7 install (C: ) it should show the System and Administrators as having full control, Authenticated Users-special, and Users Read & Execute, List folder contents, and Read.
I'm not sure what to do with: "NT SERVICE\TrustedInstaller". Is that a command?

You are correct as to what permissions the C: root directory shows.

If the virus was able to basically lock you out of your system, I am not aware of how that might have happened, unless it was able to take you out of a group or change permissions on everything at once.
The $64 question. I *thought* Win7 was supposed to stop things like this from happening. Even allowing a *program* to ACCESS the Windows directory, and alter... let alone delete... all your System Restore points is something that no modern OS should ever permit.
 


Windows 7 does a pretty good job, but some things come up. For a while, not sure if it is still the case, if you dual booted XP, it would remove all the Win 7 restore points.

But an installer or some other type of malware is not supposed to be able to hurt your system unless you click on something to give it permission. And many people do not even look at what they click on.

Maybe someone will come along that might have a better idea of what you can do, good luck and copy whatever you can of your data to another location in case you have to reinstall.

Did you see the news about the facebook hack where the user allows the hacker full control of their facebook account?
 


Were you able to apply anything from my post?
Hi Dave,

Re: Saltgrass's observations: My Win7 and XP installations were installed on two completely different physical drives, so neither deleted anything from the other. XP was installed previously and the Win7 installer recognized it and created a boot menu to support it.

After a lot of snooping around inside my directories, I noticed a folder named: "free offers from Freeze.com" in my "Program Files (x86)" directory. That's the first evidence I've found this was a virus, though I still don't know what app tracked it in.

I spent another hour last night running every app inside the System32 folder from the Recovery Console's Command Prompt (hoping to find SOMETHING that would let me change my permissions). I can run "RegEdit" and "Notepad" this way even though they won't run from the desktop, but "explorer.exe" won't run from the Console (giving me some weird error), which is the usual way I'd edit my privileges.

No app led to editing privileges. Worse, both the user manager app and "msconfig.exe" told me "I didn't have permission" for one thing or another. THAT is when I realized my search was futile. I see now I have no choice but to reformat and reinstall Win7 from scratch <grumble>. Even if I found an app to change permissions, it is unlikely to let me. Apparently, the damage is permanent.

So right now I'm documenting my configuration, copying data folders, and preparing to start all over. What an enormous pain. :(

I did learn a few things from this:

1) Avira is total crap. To miss a trojan THIS severe is inexcusable.

2) NEVER use an account with Admin privileges as your primary account with Win7. You can "run as Admin" when needed to install apps that need it, but you need to have an untouched Admin account above your user account that has the power to fix problems like this (there were ways around this in XP, making it unnecessary. Not so in 7.)

Thanks for the feedback. At least this disaster struck only days into my first installation.
 


Last edited:
More research, and possibly a solution using the WinRE environment. This procedure enables the System Admin account so you can reinstate your admin privileges. It assumes that account has not been previously enabled and is still not password protected. If you see an Administrator account when you log on, the virus may have already enabled it and taken control. If this is the case and you cannot log in using it now, possibly you could follow this procedure and try turning it off, then back on; perhaps that would remove the password.

Anyway, I have tried it through the WinRE using a repair CD and the Install DVD. It did turn on my Administrator, so hopefully it will work for you also. If you have questions about the procedure, post back.

Built-in Administrator - Enable from WinRE - Windows 7 Forums Method II

Good luck and let us know. There is already another poster with your problem.
 


Last edited:
Solution
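The procedure above hinges on the state of the built-in Administrator account (RID 500): whether it is already enabled, and whether its password was set recently by someone other than you. The same thread also raises whether the logged-on user is still really an administrator, and whether an unexpected account has been added to the Administrators group. The script below is an added example, not code from this thread or the linked forum post; it assumes Windows PowerShell 3.0 or later and uses the WinNT ADSI provider (available on Windows 7) rather than Get-LocalUser. It is read-only and reports state only.

```powershell
# Added example: read-only audit of the built-in Administrator account, the
# current user's token, and Administrators group membership. Assumes Windows
# PowerShell 3.0+ and the WinNT ADSI provider. Makes no changes.

function Get-CurrentUserAdminState {
    # Group membership and an elevated token are different things under UAC:
    # a profile can say "Administrator" while every process runs with a filtered token.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminsSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    [pscustomobject]@{
        User             = $identity.Name
        InAdministrators = [bool]($identity.Groups -contains $adminsSid)
        TokenIsElevated  = $principal.IsInRole(
            [System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-BuiltinAdministratorState {
    # Find the account whose SID ends in -500 regardless of its display name.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $sidBytes = $child.InvokeGet('objectSid')
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        if ($sid.Value -notmatch '-500$') { continue }
        $flags = [int]$child.InvokeGet('UserFlags')
        return [pscustomobject]@{
            Name            = [string]$child.InvokeGet('Name')
            Sid             = $sid.Value
            Enabled         = -not [bool]($flags -band 0x0002)   # ADS_UF_ACCOUNTDISABLE
            PasswordNotReqd = [bool]($flags -band 0x0020)        # ADS_UF_PASSWD_NOTREQD
            # Seconds since the password was last set; a fresh value on an account
            # you never enabled is the "virus may have taken control" case above.
            PasswordAgeDays = [math]::Floor([int]$child.InvokeGet('PasswordAge') / 86400)
        }
    }
}

function Get-LocalAdministratorsMembers {
    # Enumerate members of the local Administrators group via ADSI.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    foreach ($m in @($group.Invoke('Members'))) {
        $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
    }
}

# Usage: print all three views, then the points worth acting on.
Get-CurrentUserAdminState
$builtin = Get-BuiltinAdministratorState
$builtin
$members = Get-LocalAdministratorsMembers
"Administrators group members: $($members -join ', ')"
if ($builtin.Enabled) {
    'Built-in Administrator is ENABLED. If you did not enable it, treat that as a finding.'
}
```

PasswordNotReqd only reports the "password not required" flag; it does not tell you whether the password is actually blank, which is why the procedure above is the way to find out whether the account is still usable from WinRE.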
Follow-up:

In the end, I ended up having to reformat & reinstall. :(

I *wish* I knew the program that tracked in the virus. At this point, I can only guess.

At the time of the infection, I was looking for alternative DVR programs that would do the one thing Media Center doesn't: Open the TV to a particular channel on schedule. Very annoying.

Anyway, I tried the following programs. Remember, the programs *themselves* might be okay and the *site* I found them on could have been bad, so take this list with a grain of salt:

nPVR - downloaded off their Wiki page
MediaPortal - Commercial software downloaded off their homepage.
MythTV for Windows - Downloaded off SourceForge via their Wiki link.
ProgDVB - Also commercial software downloaded off their homepage, but never got to work.
dvbdream - Also commercial software downloaded off their homepage, but never got to work.

I also downloaded the K_Lite codec pack (64bit version) the day before off their website.

Everything else I installed was either purchased commercial software, or software I had been running previously under XP, so I haven't a clue how I was infected or where.

In the end though, I switched to using "Avast!" antivirus (free version), and am no longer using an Administrator Level account as my primary account (I created an account called "Admin" for that and use a Standard account for everything, so if disaster strikes, I have access to a higher-level account that can undo the damage.)

MS was so worried about malicious software, that they made it physically impossible to undo the damage should it occur, which clearly is still every bit as capable of happening. Live and learn.
 


Thanks for the info, I will track them one at a time to see if I can stumble on anything.

It is funny you mentioned you are running some programs from XP because when I started searching for info on your situation, most of those posts were about XP having the Admin problem.

Hope things go better in the future.

Edit: If all of the places you remembered are as active as the nPVR one, I will be quite busy for a while! ;)
 


Last edited: