The system administrator has set policies to prevent this installation - no elevation prompt!

"The system administrator has set policies to prevent this installation"



This has become gradually more frequent on install and uninstall over the last two years or so. It now occurs almost every time.  Win7Pro with Tablet Extensions, fully updated. I am supposedly an admin user...  If I install from a command prompt "as Administrator", or logout and log in as _the_ "real" Administrator, un/installs always work.

I've tried lots of the web "solutions", none helped.

I just compared a failure log with a success (command prompt "as Administrator") log. Quick summary, then details...  Clues welcome!

Loren



In fail log, "MsiRunningElevated" not found.

In both logs:
line 159/161: --> Doesn't seem to be enough...  
MSI (c) (78:E0) [12:04:32:043]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation

In good log:
line 1333:
MSI (s) (88:6C) [12:51:06:262]: MSI_LUA: Credential prompt not required, user is an admin

in fail log:
line 1342:
MSI (s) (60:68) [12:04:59:974]: MSI_LUA: Elevation required to install product, will prompt for credentials

--> but it doesn't prompt, the call fails in 3ms:
MSI (s) (60:68) [12:04:59:977]: MSI_LUA: Credential Request return = 0x80070005
This installation is forbidden by system policy. Contact your system administrator.



Web research:

<http://blogs.msdn.com/b/rflaming/archive/2006/09/30/uac-in-msi-notes-how-do-i-troubleshoot-uac-in-msi-via-the-log.aspx>
-----
The Windows Installer verbose log will contain the following line when the caller to the Windows Installer is already elevated.

    MSI_LUA: Credential prompt not required, user is an admin

The Windows Installer verbose log will contain the following line when the AlwaysInstallElevated policy is set.

    MSI_LUA: No credentials required as all installs will run elevated due to AlwaysInstallElevated policy setting

The Windows Installer verbose log will contain the following line when there was an error returned from the credential dialog service.

    MSI_LUA: Failed to obtain credentials. Error = 0x%X

The Windows Installer verbose log will contain this line when AdminUser is faked.

    MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation

Additionally the log will not have this line

    Property(C): MSIREALADMINDETECTION = 1

The Windows Installer verbose log will contain the following line when prompting for credentials.

    MSI_LUA: Elevation required to install product, will prompt for credentials

The Windows Installer verbose log will contain the following two line the prompt for credentials has been successful.

    MSI_LUA: Credential Request return = 0x0

    MSI_LUA: Elevated credential consent provided. Install will run elevated
-----

<http://blogs.msdn.com/b/rflaming/archive/2006/09/30/778771.aspx>
-----
How can I troubleshoot when the call to a custom action has failed due to lack of access to a machine?

Custom actions vary in their quality and proper handing of errors.  The underlying error the custom action will receive from their Windows API call is 0x80070005 (Access is Denied).  Assuming the custom action has not written errors to the log indicating Access is Denied, the best guess method is to

    Determine the problem occurred in a custom action by searching for Return Value 3 in the verbose log and looking immediately before the error to see of a Custom Action as the source of the error.
    Run the same install from an elevated command prompt and check to see if the same custom action was successful.

Generally this indicates the custom action was the problem.  The body of the document contains the most frequent custom action errors under UAC and their mitigations.
-----
--> no "Return Value 3" in my logs. But we know the request...  





My Raw Data:

The failing log, as Admin user:

MSI6a09e sdformater-fail.LOG, - Fail - line 30:
---
MSI (c) (78:E0) [12:04:32:006]: Machine policy value 'DisableMsi' is 0
MSI (c) (78:E0) [12:04:32:006]: Machine policy value 'AlwaysInstallElevated' is 0
---

line 128:
---
MSI (c) (78:E0) [12:04:32:027]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (78:E0) [12:04:32:027]: User policy value 'AlwaysInstallElevated' is 0
---

line 161: --> Doesn't seem to be enough...  
MSI (c) (78:E0) [12:04:32:043]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation

line 1248:
---
MSI (s) (60:68) [12:04:59:887]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (60:68) [12:04:59:887]: User policy value 'AlwaysInstallElevated' is 0
---

line 1340:
---
MSI (s) (60:68) [12:04:59:974]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (60:68) [12:04:59:974]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (60:68) [12:04:59:974]: MSI_LUA: Elevation required to install product, will prompt for credentials
MSI (s) (60:68) [12:04:59:976]: MSI_LUA: Entering Credential Request. hwnd = 6687058, MsiAction = 0, productname = SDFormatter, version = 4.0.0, language = 1033, manufacturer = SD Association
MSI (s) (60:68) [12:04:59:976]: MSI_LUA:  (continued)... packagepath = C:\windows\Installer\e870db2.msi, packagesource = C:\Users\Loren\AppData\Local\Downloaded Installations\{5D501D62-F028-4C06-A9FF-CB3356EFA62D}\SDFormatter.msi, dwUpdates = 1
MSI (s) (60:68) [12:04:59:976]: MSI_LUA:  (continued)... update 0 = C:\windows\Installer\e870db3.mst
MSI (s) (60:68) [12:04:59:976]: MSI_LUA:  (continued)... update source 0 = C:\Users\Loren\AppData\Local\Downloaded Installations\{5D501D62-F028-4C06-A9FF-CB3356EFA62D}\1033.MST
MSI (s) (60:68) [12:04:59:977]: MSI_LUA: Credential Request return = 0x80070005
This installation is forbidden by system policy. Contact your system administrator.
C:\Users\Loren\AppData\Local\Downloaded Installations\{5D501D62-F028-4C06-A9FF-CB3356EFA62D}\SDFormatter.msi
MSI (s) (60:68) [12:04:59:986]: Attempting to delete file C:\windows\Installer\e870db3.mst
MSI (s) (60:68) [12:04:59:992]: MainEngineThread is returning 1625
MSI (s) (60:80) [12:04:59:994]: Calling SRSetRestorePoint API. dwRestorePtType: 13, dwEventType: 103, llSequenceNumber: 1350, szDescription: "".
---


(Started from a command prompt "as Administrator")

MSIf5d0 sdformater-good.LOG - Success - line 125:
---
MSI (c) (7C:7C) [12:50:46:179]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (c) (7C:7C) [12:50:46:179]: User policy value 'AlwaysInstallElevated' is 0
MSI (c) (7C:7C) [12:50:46:179]: Product installation will be elevated because user is admin and product is being installed per-machine.
MSI (c) (7C:7C) [12:50:46:179]: Running product '{179324FF-7B16-4BA8-9836-055CAAEE4F08}' with elevated privileges: Product is assigned.
---

line 159:
---
MSI (c) (7C:7C) [12:50:46:195]: MSI_LUA: Setting AdminUser property to 1 because this is the client or the user has already permitted elevation
MSI (c) (7C:7C) [12:50:46:195]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (c) (7C:7C) [12:50:46:195]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (c) (7C:7C) [12:50:46:195]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
---

line 1333:
MSI (s) (88:6C) [12:51:06:262]: MSI_LUA: Credential prompt not required, user is an admin

line 1343:
---
MSI (s) (88:6C) [12:51:06:270]: Machine policy value 'AlwaysInstallElevated' is 0
MSI (s) (88:6C) [12:51:06:270]: User policy value 'AlwaysInstallElevated' is 0
MSI (s) (88:6C) [12:51:06:270]: Product installation will be elevated because user is admin and product is being installed per-machine.
---

line 1397
---
MSI (s) (88:6C) [12:51:06:322]: MSI_LUA: Setting MsiRunningElevated property to 1 because the install is already running elevated.
MSI (s) (88:6C) [12:51:06:322]: PROPERTY CHANGE: Adding MsiRunningElevated property. Its value is '1'.
MSI (s) (88:6C) [12:51:06:322]: PROPERTY CHANGE: Adding Privileged property. Its value is '1'.
---

line 5404:
---
Property(S): MsiTrueAdminUser = 1
Property(S): AdminUser = 1
---

Hello Loren,

Thank you for visiting Microsoft Community and providing us with the detailed description about the issue.

As per the description, I understand that you are experiencing issue with error message: “The system administrator has set policies to prevent this installation” on the system.

I certainly understand your concern and will try my best to help you.

I would suggest you to refer to the suggestions provided by “Santosh Y” replied on August 7, 2010 in the following Microsoft Community link.

http://answers.microsoft.com/en-us/windows/forum/windows_7-security/error-the-system-administrator-has-set-policies-to/b5350e90-fe4b-4544-8549-20c6a7befb51

Note: Antivirus software can help protect your computer against viruses and other security threats. In most cases, you shouldn't disable your antivirus software. If you have to temporarily disable it to install other software, you should re-enable it as soon as you're done. If you're connected to the Internet or a network while your antivirus software is disabled, your computer is vulnerable to attacks.

I hope this information is helpful.

Please do let us know if you need any further assistance, we will be glad to assist you.

Thank you.

Jayant

 

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Jayant,

I only read through the first page of the thread you pointed to, but I recognized each of the suggestions as one I've already tried - with no success. I obviously know how to work around the problem by logging in as _the_ Administrator (or using an elevated command prompt for installs). I've given up on "shotgunning" supposed fixes from web forums. That's why I spent the time to dig through the logs... 

My problem is not with unintended policies or settings. My problem is that "MSI_LUA: Setting AdminUser property to 1" doesn't seem to mark me as an admin any more, and "MSI_LUA: Elevation required to install product, will prompt for credentials" doesn't prompt me to verify my UAC authorization.

I'm not on a domain where any other admin could set any policies on my machine, and I certainly haven't set any myself. I suspect the problem has been created by one of the hundreds of updates pushed out over the years. I'm hoping someone who understands those mechanisms will recognize there is a problem in Win7, and care enough to provide a specific fix.

So thank you for your effort, but I've already tried all those suggestions.

Loren

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Hi Loren,

Thanks for reply.

I need more information about this issue so that I can assist you better.

1. Which program or application are you trying install?

2. Does it happen with another administrator account?

I would suggest you to sign-out from your current user account, restart your computer and try logging in with different administrator account and check if you are facing the same issue. If you don't have another administrator user account then follow the below steps:

To create new local administrator account.

  1. In the search box type Control Panel.

  2. Click on User Accounts.

  3. Select Make changes to my account in Pc settings.

  4. Next select family and other user present on the left side of the page.

  5. Click on Add someone to this pc option available.

  6. Now select Sign in without a Microsoft account (not recommended).

  7. Next click on Local Account Tab and create a local account and click Finish Tab.

Once the local account is created, click on the local account and select Change account type tab and select Administrator.

Your Local Administrator Account is created now. Sign out from your Microsoft Account and Sign in into your new Local Account.

Try the above step and let us know if it helps. For further assistance feel free to post your queries in Microsoft forums. We will be glad to assist you.

Thanks.

 

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Preeti,

> 1. Which program or application are you trying install?

It seems to be random. Some programs install or uninstall normally. Or maybe some_times_ anything would install normally and other times nothing would. The most recent failure, in the logs above here, was "SDFormatter.msi", a tool from the SD Card Association that formats memory cards Windows can't.

I just tried uninstalling it, and got the prohibited fail. But I uninstalled some other programs with no problems. The ones that worked did not put up the "Windows Installer" dialog, they just disappeared from the list.

> 2. Does it happen with another administrator account?

Good Question! I haven't tried using my other so-called "Admin" account. I found so many things it wasn't allowed to do that I enabled the old-style "Administrator" account - which can always do what I ask it to.

So I just tried the other "Admin" account, which worked fine last time I tried it (back when installs always worked...)  I can't even log into it! When I click its icon I _instantly_ get the message:

The User Profile Service failed the logon.
User profile cannot be loaded.

I logged in as "The Administrator" and created a new "Admin2" account. Can't login there, either - same message.

I fear that after years of "updates" this system is so confused there is no hope of making things work normally. Despite my careful pruning, C:\Windows now takes 24GB of my 64GB SSD. In my more cynical moments I think this is how Microsoft intends to force me to buy a new Windows 10 machine...  

Loren

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

New Installment (sorry) of this saga today. An Adobe Reader update is now failing:

Error 1321. The Installer has insufficient privileges to modify the file C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.

In the MSI log (repetitions deleted):

---

MSI (s) (14:E8) [20:46:20:885]: Verifying accessibility of file: AcroRd32.exe
MSI (s) (14:E8) [20:46:20:886]: Note: 1: 2318 2: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
MSI (s) (14:E8) [20:46:20:886]: Note: 1: 1321 2: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe 3: 5
MSI (c) (C0:F8) [20:46:20:349]: Creating MSIHANDLE (4328) of type 790531 for thread 5112
MSI (c) (C0:F8) [20:46:20:349]: Closing MSIHANDLE (4328) of type 790531 for thread 5112
MSI (c) (C0:F8) [20:46:20:887]: Creating MSIHANDLE (4329) of type 790531 for thread 5112
MSI (c) (C0:F8) [20:46:20:887]: Closing MSIHANDLE (4329) of type 790531 for thread 5112
MSI (s) (14:E8) [20:46:20:888]: Product: Adobe Acrobat Reader DC -- Error 1321.The Installer has insufficient privileges to modify the file C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe.
---

Privileges for that file and all the files it successfully checked look exactly the same to me, and match what Adobe recommends here:
<https://helpx.adobe.com/creative-suite/kb/error-1321-or-1309-install.html>

For both files and folders, System and Administrators show all the options checked, and as an admin I'm allowed to change them. For folders, there is also "Trusted Installer" which shows minimal access, plus "Special Permissions" which seems to expand to all options checked in the Advanced view. But why the difference? And why does the Installer only have Special Permissions for folders, not files? Maybe that is a key to this problem I'm having? If you just look at the non-Advanced view, it looks like the installer has no permission to install things!

I imagine if I logged in as The Administrator, I could install this update. I still can't login as any other user - they all get the "User Profile Service failed the logon" error.

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

 
 

Question Info


Last updated November 23, 2019 Views 2,488 Applies to: