Windows Defender blocks registry editor

Michael

In the past few weeks I began getting a notification in the system tray that
Defender has blocked startup programs. When I right-click on the message
and choose "Run blocked program", it shows that Registry Editor has been
blocked. I used Software Explorer and there are no start-up programs that I
don't recognize, but there are a few that are "Not yet classified".

I don't know if this indicates any problem, but it sure is annoying. Any
ideas as to why this is happening? Thanks.

Vista Home Premium SP1
Windows Defender Version: 1.1.1600.0
Engine Version: 1.1.4306.0
Definition Version: 1.51.73.0
 
Michael

Some additional information. There are two user accounts on this computer.
When I choose to run Registry Editor and select "Details", this is what I see:

"C:\Windows\regedit.exe" \s
C:\Users\User2\AppData\Local\Temp\\UAC_Enable.reg
 
Bill Sanderson

I'm not aware of there being any GUI link to the registry editor in
Windows--can you give a step by step to reach where you find that link?

(I might easily just have never used it, since I'm partial to command-line
stuff anyway)



--
 
Engel

Hi Michael,

From Windows Defender Help:

Using Software Explorer - Understanding Software Explorer details -
Classification

Note: Some programs that ship with the operating system, such as Internet
Explorer or Windows Explorer, can be described as Not yet classified. This
occurs if Windows Defender detects that additional software, such as a
browser add-on or another software utility, is running with the program.

FYI
I run Vista Premium 32-bit on an admin account
NIS 2008
Same numbers like yours through PORTAL
Windows Defender version: 1.1.1600.0 Vista-32 bit SP1
Engine Version: 1.1.4306.0
Definition Version: 1.51.73.0 created on Today at 2:17 AM
-=-
 
Michael

This happens on start-up. Windows Defender tells me that it's blocked a
program. When I right-click on the icon in the system tray, it gives me
the option to run the blocked program. When I do, it shows me that Registry
Editor is the blocked program and gives me the option to run the blocked
program. I did that and selected "Show Details" and found the following
information:

"C:\Windows\regedit.exe" \s
C:\Users\User2\AppData\Local\Temp\\UAC_Enable.reg

I have since used Software Explorer within Defender to disable this item in
the start-up programs, but I'd still like to know what this is.
 
Bill Sanderson

OK - that's clear.

I think we should be able to figure this out without too much trouble.

Here's my guess: Some process--perhaps legitimate software, perhaps not
(but it isn't hiding its tracks, so I tend towards legit) is launching a
process at startup to modify UAC settings by merging a .reg file into the
registry.

It would be good to find two things--1) the startup point that is launching
this process, and 2) the content of the .reg file itself.

I would recommend going to www.silentrunners.org and getting the latest
version of the script there which should compile a list of all startup items
on your system.

You don't need to make the choice that comes early on and adds time to the
process.

Search the results text file in notepad for "regedit" I think, to see where
this is getting launched from.

Can you, while the file is blocked, or before or after, make a copy of the
.reg file specified, and post the content here--It is probably pretty short.

I would do this at a command prompt--some of the subdirectories involved
will be hidden, so don't worry about whether you can see them; just start at
c: and CD your way down. I'm not sure why there's a double back slash just
before the filename, though...

Either the launch point or the contents of the .reg file will probably
reveal what software is trying to make this change at each startup.

I've done a few searches on the .REG filename, and not come to any
conclusions. Are you running Windows Live SkyDrive?



--
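
The contents of a .reg file like the one requested above can be listed offline before anything is merged. This is an added example, not part of the original thread: a small parser for the regedit text format that flags values under the UAC policy key. The sample file content is constructed (the thread never shows the real UAC_Enable.reg), and the function names are hypothetical.

```python
import re

# Key holding the UAC policy values; the names below are standard Windows value names.
UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

def decode_reg(raw):
    """Version 5.00 exports are UTF-16LE with a BOM; REGEDIT4 files are ANSI."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    return raw.decode("cp1252", errors="replace")

def parse_reg(raw):
    """Return (action, key, name, data) for every change the file would make."""
    # Long hex values continue on the next line after a trailing backslash.
    text = decode_reg(raw).replace("\\\r\n", "").replace("\\\n", "")
    changes, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):        # blank line or comment
            continue
        m = re.fullmatch(r"\[(-?)(.+)\]", line)     # [key] or [-key] (delete)
        if m:
            key = m.group(2)
            if m.group(1):
                changes.append(("delete-key", key, None, None))
            continue
        m = re.fullmatch(r'(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)', line)
        if m and key:                               # "name"=data, @=data, "name"=-
            name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
            action = "delete-value" if m.group(2) == "-" else "set"
            changes.append((action, key, name, m.group(2)))
    return changes

def uac_changes(changes):
    """Subset of changes that touch UAC policy values or delete the policy key."""
    return [(a, n, d) for a, k, n, d in changes
            if k.lower() == UAC_KEY and (a == "delete-key" or n.lower() in UAC_VALUES)]

# Constructed sample; NOT the real content of the file named in the thread.
SAMPLE = ("\ufeffWindows Registry Editor Version 5.00\r\n\r\n"
          "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]\r\n"
          "\"EnableLUA\"=dword:00000001\r\n"
          "; constructed comment line\r\n"
          "[HKEY_CURRENT_USER\\Software\\Example]\r\n"
          "\"Blob\"=hex:01,02,\\\r\n  03\r\n").encode("utf-16-le")

if __name__ == "__main__":
    for change in parse_reg(SAMPLE):
        print(change)
    print("UAC-related:", uac_changes(parse_reg(SAMPLE)))
```
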
 
Bill Sanderson

I should have added that you can open the .REG file in notepad and cut and
paste into this thread.



--
 
Gavai

I bet it has something to do with Norton Internet Security because the other
day I had to download a "UAC_tool" file from the Norton Website to update my
AntiVirus Definitions and such. Thereafter whenever I start my computer, I
get the same registry editor message from Windows Defender as you do.
 
UAC_enable.reg

It has to be Norton Internet Security. I have the same thing happening to me after installing something from Norton. Now, just don't know what to do about it. It doesn't come back if you run the registry editor or if you exit out of it..... it is annoying, however, when I start up my computer and that pops up. I have been all over Microsoft's website looking for a "fix" and good luck trying to find anything in that mess! My antivirus doesn't pick anything up either. Any info??
 
