Device Manager Blocked By Administrator

Hello,

I've seen this all over the web, but I can't seem to find a good answer.  This customer's computer is running the Fall Creators Update of Windows 10.  I cannot open Device Manager as it says I am blocked.  The publisher is coming up as unknown.  This is also making it so I cannot install updates.

If I go to the Administrator (Built-In), everything does work.  I have already tried to...

SFC /Scannow.  Some errors could not be repaired, but I analyzed the log and did not see any issues.
DISM /RestoreHealth, no issues.
Created a new user account and made an Administrator, same issue in this new account.
Took the user accounts to Local Limited instead of Admin, then reversed, no luck.

Any suggestions?
20171208_094350.jpg
Scott Thompson, Computer Technician / Owner, Asked:
John, Business Consultant (Owner), Commented:
I do not have this issue on any of my own machines or my client machines.

Since you have completed the DISM command with no results, and the problem is true for any profile, consider a non-destructive Repair Install.

Go to the Media Creation Link

https://www.microsoft.com/en-us/software-download/windows10

Windows 10 is running, so click on the Download button (not Upgrade Button), select Open (Run) but NOT Save. Allow the program to run. Allow drivers to update. Then select Keep Everything.
0
Ramin, Technical Advisor, Commented:
1. Navigate to C:\Windows\system32\
2. Right-click on MMC.exe.
3. Click Properties.
4. Click the checkbox next to Unblock so that a checkmark appears.
5. Click Apply.
0
McKnife Commented:
Your screenshot shows that Windows fails to recognize the digital signature of the files as valid.
That could mean the verification process is buggy or broken, or the file is not the original file.
I'll give you a checksum of my file (Fall Creators Update as well, Win10 x64, 16299.98)
Checksum information
---------------------------
Name: mmc.exe
Size: 1936384 bytes (1 MB)

SHA256: 97FAABAD1D93225121E347462133BB768F3AD7D4B27AC8C232594CC205CA8D3B
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
John,

I did an in-place upgrade with the Media Creation tool.  Believe it or not, the issue still exists!
0
John, Business Consultant (Owner), Commented:
That is strange indeed.

Try driver updates. Use the manufacturer's update tool, or go to their support site. Update BIOS, Chipset and Video drivers.  I am not sure if that will help but ensure all drivers are updated.

Then, if necessary, back everything up and do a fresh install of Windows 10
0

Scott Thompson, Computer Technician / Owner, Author, Commented:
Ramin,  there is no unblock option where you suggested, though I kind of figured there would not be.

McKnife,

I'm new to MD5 checksums, but here's some pictures! :)
mmc1.jpg
mmc2.jpg
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Hey guys,

Here's something interesting in Event Viewer,

Log Name:      Application
Source:        Application Error
Date:          12/8/2017 12:08:52 PM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      DESKTOP-4L3SJML
Description:
Faulting application name: svchost.exe_CryptSvc, version: 10.0.16299.15, time stamp: 0x9c786b9a
Faulting module name: bcryptPrimitives.dll, version: 10.0.16299.98, time stamp: 0x384d71d2
Exception code: 0xc0000006
Fault offset: 0x000000000001723a
Faulting process id: 0x2740
Faulting application start time: 0x01d3704f95748011
Faulting application path: C:\WINDOWS\system32\svchost.exe
Faulting module path: C:\WINDOWS\System32\bcryptPrimitives.dll
Report Id: cfb6462d-c535-4027-8ab8-78eb04caccf3
Faulting package full name:
Faulting package-relative application ID:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-12-08T18:08:52.665419900Z" />
    <EventRecordID>445</EventRecordID>
    <Channel>Application</Channel>
    <Computer>DESKTOP-4L3SJML</Computer>
    <Security />
  </System>
  <EventData>
    <Data>svchost.exe_CryptSvc</Data>
    <Data>10.0.16299.15</Data>
    <Data>9c786b9a</Data>
    <Data>bcryptPrimitives.dll</Data>
    <Data>10.0.16299.98</Data>
    <Data>384d71d2</Data>
    <Data>c0000006</Data>
    <Data>000000000001723a</Data>
    <Data>2740</Data>
    <Data>01d3704f95748011</Data>
    <Data>C:\WINDOWS\system32\svchost.exe</Data>
    <Data>C:\WINDOWS\System32\bcryptPrimitives.dll</Data>
    <Data>cfb6462d-c535-4027-8ab8-78eb04caccf3</Data>
    <Data>
    </Data>
    <Data>
    </Data>
  </EventData>
</Event>
0
John, Business Consultant (Owner), Commented:
Is your drive encrypted?  Those files do not appear to be on my machine.
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
It's not encrypted that I am aware of...  here's the Application error that always follows right after it...

Windows cannot access the file C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1492_for_KB3197954~31bf3856ad364e35~amd64~~10.0.1.5.cat for one of the following reasons: there is a problem with the network connection, the disk that the file is stored on, or the storage drivers installed on this computer; or the disk is missing. Windows closed the program Host Process for Windows Services because of this error.

Program: Host Process for Windows Services
File: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1492_for_KB3197954~31bf3856ad364e35~amd64~~10.0.1.5.cat

The error value is listed in the Additional Data section.
User Action
1. Open the file again. This situation might be a temporary problem that corrects itself when the program runs again.
2. If the file still cannot be accessed and
      - It is on the network, your network administrator should verify that there is not a problem with the network and that the server can be contacted.
      - It is on a removable disk, for example, a floppy disk or CD-ROM, verify that the disk is fully inserted into the computer.
3. Check and repair the file system by running CHKDSK. To run CHKDSK, click Start, click Run, type CMD, and then click OK. At the command prompt, type CHKDSK /F, and then press ENTER.
4. If the problem persists, restore the file from a backup copy.
5. Determine whether other files on the same disk can be opened. If not, the disk might be damaged. If it is a hard disk, contact your administrator or computer hardware vendor for further assistance.

Additional Data
Error value: C0000102
Disk type: 3
0
McKnife Commented:
Disregard the values for mmc.exe, I made a mistake and should have given you the values for devmgmt.msc
To create a checksum of c:\windows\system32\devmgmt.msc on your system, you need to use this PowerShell command:
Get-FileHash C:\Windows\System32\devmgmt.msc

and the result should be (on an unmodified file):

Algorithm       Hash                                                                   Path                                                                          
---------       ----                                                                   ----                                                                          
SHA256          81834650BF3682D8C5ED3ED0222EBDE30E8E117CFC8F2B81E8BC2D45B95158D5       C:\Windows\System32\devmgmt.msc            
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          81834650BF3682D8C5ED3ED0222EBDE30E8E117CFC8F2B81E8BC2D45B95158D5       C:\Windows\System32\devmgmt.msc
0
McKnife Commented:
Ok, so at least the file is original, that is what we know.
Googling your problem, you see some people that have it, but no solution, only workarounds. You should try the aforementioned windows repair process using windows setup.
0
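Added example, not part of any post in this thread: a PowerShell script that gathers in one pass the checks discussed above, namely the SHA256 McKnife posted for devmgmt.msc, the signature state of mmc.exe, and the CryptSvc crash and catalog-file read error from the event log. The function names are hypothetical, and treating unreadable CatRoot catalogs as relevant to the "publisher unknown" prompt is an assumption the thread does not confirm.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell 5.1 prompt.
# Function names are hypothetical; paths and the expected hash are from the posts.

function Get-FileTrustReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256          # known-good value from the same build
    )
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    [pscustomobject]@{
        Path          = $Path
        Sha256        = $hash
        HashMatches   = if ($ExpectedSha256) { $hash -eq $ExpectedSha256 } else { $null }
        SigStatus     = $sig.Status         # e.g. Valid, NotSigned, UnknownError
        SignatureType = $sig.SignatureType  # Authenticode (embedded) or Catalog
        Signer        = $sig.SignerCertificate.Subject
    }
}

function Get-CryptSvcCrash {
    # Event 1000 payload order matches the Event Xml in the thread:
    # [0] application, [3] faulting module, [6] exception code.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'Application Error'; Id = 1000
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -like '*CryptSvc*' } |
        Select-Object TimeCreated,
            @{ n = 'Module';        e = { $_.Properties[3].Value } },
            @{ n = 'ExceptionCode'; e = { $_.Properties[6].Value } }
}

function Find-UnreadableCatalog {
    # Reads every catalog end to end; a disk or file-system fault surfaces as an exception.
    param([string]$CatRoot = (Join-Path $env:windir 'System32\CatRoot'))
    Get-ChildItem -LiteralPath $CatRoot -Recurse -Filter *.cat -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_   # keep the file; inside catch, $_ is the error record
            try   { [void][System.IO.File]::ReadAllBytes($file.FullName) }
            catch { [pscustomobject]@{ Catalog = $file.FullName; Error = $_.Exception.Message } }
        }
}

Get-FileTrustReport -Path "$env:windir\System32\mmc.exe"
Get-FileTrustReport -Path "$env:windir\System32\devmgmt.msc" `
    -ExpectedSha256 '81834650BF3682D8C5ED3ED0222EBDE30E8E117CFC8F2B81E8BC2D45B95158D5'
Get-CryptSvcCrash | Select-Object -First 5
Find-UnreadableCatalog
```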
Scott Thompson, Computer Technician / Owner, Author, Commented:
Ran another SFC /Scannow after DISM came back clean.

Here are the results...

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files but was unable to fix some
of them. Details are included in the CBS.Log windir\Logs\CBS\CBS.log. For
example C:\Windows\Logs\CBS\CBS.log. Note that logging is currently not
supported in offline servicing scenarios.

I don't understand.  With an in-place upgrade using the Media Creation tool, should all of the Windows files have been replaced and verified?
cbs.zip
0
John, Business Consultant (Owner), Commented:
Yes. Most or all files are replaced and the old files end up in Windows.old
0
McKnife Commented:
The in-place upgrade migrates your settings, keeps your files and installed programs but rewrites all Windows system files. It also resets basic OS security settings so in case those are somewhat messed up, they will be good again afterwards. Should be tried, does not hurt.
0
Ramin, Technical Advisor, Commented:
Try SFC /SCANNOW in safe mode.

 Follow this Microsoft Article.
https://support.microsoft.com/en-us/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system

Or try to backup your data and Reset Windows.
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Just a note since there tends to be some confusion.  I have already done an in-place upgrade after John suggested it.  It just seems like suggestions are made to do it again from what I have been reading.

I'm going to do SFC /Scannow in safe mode as suggested.
0
Ramin, Technical Advisor, Commented:
Another Option is to boot your PC with a bootable Windows 10 installation media (DVD / USB) then go to Startup options >> command prompt and run SFC /SCANNOW from there.
0
McKnife Commented:
Oh, you already did... you wrote that before, sorry, I missed that.
Something must be extraordinary about your installation. Is the UAC at defaults?
0
arnold Commented:
The restriction seems to apply to one user, check local group security as admin. Mmc add/remove snap-in

Check whether the settings there..
gpresult /v /scope user

Or computer restricting access to these tools to only one account, administrator.

Create a new admin account, and see whether that account has this issue as well. If not, the issue is potentially a corruption of the profile ...
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Arnold, I have created another profile as Administrator, but no luck.

I did just find something interesting.  I was trying to read the SFC log when I ran into an error.  I think my environment variables are messed up.

PS C:\> %windir%
%windir% : The term '%windir%' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ %windir%
+ ~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (%windir%:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

PS C:\>
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Here's my Variables though, they look intact...

Variables
0
Ramin, Technical Advisor, Commented:
Temporarily uninstall Antivirus software, restart and Test.

Also open a command prompt as Administrator and type:
 net user administrator /active:yes
Hit Enter.
Logoff from current account.
Login with Administrator account.
Create a new User Account as Admin.
logoff from administrator.
login with New account and Test it.
 

Disable Administrator Account:
Open a command prompt as Administrator and type:
 net user administrator /active:no
Hit Enter.
0
arnold Commented:
cd %WINDIR%
it will not auto switch directory if used %WINDIR%
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Yeah, just realized I was doing it in Powershell.  Oops, my bad.  %windir% works correctly.

I DID just find out the customer's son was trying to Mod something for Minecraft before this happened.  Nothing like hindsight!  Maybe something with Java?  Still looking for something to look for though...
0
Adam Leinss, Server Specialist, Commented:
Try turning UAC off and see what happens.  The built-in administrator account "Administrator" does not use or honor UAC.

You can also try capturing a PML log with Process Monitor: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Run it before you do the action, do the restricted action, then stop logging and upload the PML file here and we can take a look.

You might also want to inspect "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" in Regedit and compare this with a known good, working system and see if any values look different.  You can export this tree out as a backup and should do so before making any changes.
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
That's a great idea Adam!

Here's the requested file when trying to open Device Manager from right-clicking the Start Menu.

NOTE:  I compared the registry entries as requested, and the only difference I found was FilterAdministratorToken was in THIS computer, but not mine.  I changed the value from 0 to 1, but it didn't make a difference.

BTW:  Switched it from PML to txt so could upload.
Logfile2.zip
0
Adam Leinss, Server Specialist, Commented:
According to the log: Windows is having problems creating keys in

HKLM\Software\Policies\Microsoft\SystemCertificates\Root
HKLM\Software\Microsoft\SystemCertificates\trust
HKLM\Software\Microsoft\EnterpriseCertificates\TrustedPeople
HKLM\Software\Microsoft\EnterpriseCertificates\Root

HKCU\Software\Policies\Microsoft\SystemCertificates\TrustedPeople.  


HKCU is the current user's profile and HKLM is the machine profile.  I can create keys in these areas (HKLM) just fine on my Win10 PC with REGEDIT.   However, I just ran ProcMon while I went into the device manager and my trace looks exactly the same as yours, so that appears to be fine.

What happens if you run MMC and then add the device manager snap-in?  Does that work?  Did you try turning UAC off to Never notify?
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Okay, I am uploading the Process Monitor file from just trying to open mmc.exe (which I am blocked on)
Logfile2.zip
0
Adam Leinss, Server Specialist, Commented:
Nothing looks out of the ordinary in that trace either.  I suspect he made some changes to the operating system, such as running DisableWindowsTracking and it ended up disabling a service that is needed:

https://www.reddit.com/r/Windows10/comments/5p0fvb/application_blocked_for_your_protection/

Maybe compare the running services on a known good system and the bad system?
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
I don't see anything disabled that shouldn't be... I'll look more tomorrow.

I will let you know that if I run Powershell as admin from the start menu (which does work), then I can open up mmc.exe and devmgmt.msc with no issues.
0
McKnife Commented:
Feedback on UAC, please :-)
 I asked  whether it was at defaults and others wanted to know if turning it off changes anything.
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
This is with UAC Disabled and the computer restarted...

UAC Off
0
McKnife Commented:
That is one answer out of 2. What about UAC being at defaults, how does it behave at defaults?
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
As far as I know, it was on Defaults. 2nd from the top option.  When I started this thread that's the setting it was at.  Just in the last post I moved it to the option at the bottom.  Did that help?
0
McKnife Commented:
Sure, that helps. Ok, the repair installation did not help correcting this weird "Publisher unknown" problem which could be standing behind it all. If I was at your place, I would simply restore my latest working image backup and stop worrying - do you have one?
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Well, backup and reload is always an option, and we may be getting to that point.  It's a home computer for a customer, so I do not have any image backups.  Was there anything else in the Process Monitor that helped?  It's so weird because it's like the account which has Administrator privileges doesn't have administrator privileges.
0
McKnife Commented:
No, nothing in it that helped me. One could suspect that it's some kind of malfunction of a software that tries to protect your computer as in anti-ransomware soft or the usual anti virus junk.
I would rebuild from scratch and sell that guy an external USB drive for image backups - they are done so easily with the internal backup scheduler.
0
Adam Leinss, Server Specialist, Commented:
There's nothing out of the ordinary in the two ProcMon logs you posted.  I ran the same actions on my system, compared the logs and they look very similar.  Even if you somehow fix that error: I don't know that I would trust that system anymore.  I would be of the opinion of backing it up, doing a Windows reset and then restore his files back.  It looks like he has Steam installed, so when you re-install Steam and he logs in, it will restore all of his games.

He may want to invest in a backup solution...take a backup before messing with anything, that way if he screws something up he can do a restore and not get into the same situation.
0
John, Business Consultant (Owner), Commented:
Well, backup and reload is always an option, and we may be getting to that point.  

I think that is what you need to do after all of this, and that is what was suggested earlier on here.
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Okay, I will reload the system and let you know.  Thank you.
0
Scott Thompson, Computer Technician / Owner, Author, Commented:
Hello!  Trying to give credit to everyone.  A "RESET THIS PC" did work.  I was able to keep their data on, but wipe the programs and have Windows reinstall.  So, some program or setting definitely was the cause of it.  No issues since I did that.  I did NOT have to wipe the drive.  Thank you for your assistance!
0
John, Business Consultant (Owner), Commented:
You are very welcome and thank you for the update.
0
Question has a verified solution.
