Windows 10: issue prevents certain apps from launching from non-admin accounts
Microsoft confirmed a new issue today that affects users of the Windows 10 operating system: certain apps fail to launch when they are started from a non-admin account.
Windows 10 systems that have the latest optional preview update installed are affected, according to Microsoft.
Note: Optional updates for Windows should be treated as beta releases, which means they should not be installed on most systems. The one exception to the rule is an optional update that fixes a major issue a system is actually experiencing. All changes in an optional update are rolled into the following month's cumulative update anyway.
Here are the details:
- This issue affects Windows 10 systems with KB5043131 installed.
- Affected apps include Quick Assist, Microsoft Teams, and Windows Narrator among others.
- Microsoft started a rollback to resolve the issue on most systems.
Some apps won't launch anymore
The issue affects only apps that launch from a "secure path" and request higher privileges through the uiAccess=true attribute in their application manifest. UIAccess is the flag that lets an app such as Narrator or Quick Assist drive the user interface of other, possibly higher-privileged, windows; Windows honors it only for signed executables that reside in one of the secure paths. The issue occurs only when the user is signed in with regular user privileges, not with admin privileges.
Tip: it may be possible to work around the issue by right-clicking an app and selecting Run as administrator. According to Microsoft's description, administrators may still run into the issue, however.
Microsoft lists four examples for secure paths in Windows 10:
- %ProgramFiles% (including subdirectories)
- %ProgramFiles(x86)% (including subdirectories, on 64-bit versions of Windows)
- %systemroot%\system32
- %systemroot%\syswow64 (for 64-bit versions of Windows)
Any app that launches from one of these directories and makes that request is affected by the issue.
Administrators can confirm the issue with Procmon (Process Monitor): check whether the affected app's process starts with the integrity level Low instead of Medium.
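To find out which apps on a system fall into that category before they fail, the following PowerShell script is added here as an example (it is not from the article or from Microsoft). It reads the embedded RT_MANIFEST resource of every executable under the four secure paths through the documented Win32 resource APIs and reports the ones whose manifest requests uiAccess="true". The function names are this example's own; it assumes the manifest is stored as UTF-8 or ASCII text, which is the common case.

```powershell
# Added example (not from the article or from Microsoft). Lists executables under
# the four secure paths whose embedded manifest requests uiAccess="true", i.e. the
# population of apps the KB5043131 issue can hit. Resource IDs and flags are the
# documented Win32 constants; the function names are this example's own.
Add-Type -Namespace Win32 -Name Res -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr LoadLibraryEx(string path, IntPtr hFile, uint flags);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr FindResource(IntPtr hModule, IntPtr name, IntPtr type);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll")]
public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Get-EmbeddedManifest {
    # Returns the RT_MANIFEST resource (ID 1) of a PE file as text, or $null if there is none.
    param([Parameter(Mandatory)][string]$Path)
    $LOAD_AS_DATAFILE_AND_IMAGE_RESOURCE = 0x22   # LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE
    $h = [Win32.Res]::LoadLibraryEx($Path, [IntPtr]::Zero, $LOAD_AS_DATAFILE_AND_IMAGE_RESOURCE)
    if ($h -eq [IntPtr]::Zero) { return $null }   # not a loadable PE image
    try {
        $res = [Win32.Res]::FindResource($h, [IntPtr]1, [IntPtr]24)   # name 1, type RT_MANIFEST (24)
        if ($res -eq [IntPtr]::Zero) { return $null }
        $size = [int][Win32.Res]::SizeofResource($h, $res)
        $ptr  = [Win32.Res]::LockResource([Win32.Res]::LoadResource($h, $res))
        if ($ptr -eq [IntPtr]::Zero -or $size -eq 0) { return $null }
        $bytes = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, $size)
        # Assumption: the manifest is stored as UTF-8/ASCII text (the common case).
        return [Text.Encoding]::UTF8.GetString($bytes)
    } finally {
        [void][Win32.Res]::FreeLibrary($h)
    }
}

function Test-UiAccessManifest {
    # True when the executable's manifest sets uiAccess="true" (or 'true').
    param([Parameter(Mandatory)][string]$Path)
    $xml = Get-EmbeddedManifest -Path $Path
    if (-not $xml) { return $false }
    return [bool]($xml -match 'uiAccess\s*=\s*["'']true["'']')
}

# The four secure paths listed in the article; ProgramFiles(x86) is absent on 32-bit Windows.
$securePaths = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                 "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { $_ }

foreach ($dir in $securePaths) {
    Get-ChildItem -Path $dir -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        Where-Object { Test-UiAccessManifest -Path $_.FullName } |
        Select-Object -ExpandProperty FullName
}
```

Run it from a regular (non-elevated) PowerShell session; it only reads files, so no elevation is needed. Executables it lists are the ones whose UIAccess request the affected update mishandles; the list is a candidate set, not proof that each of them fails on a given machine.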
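The same check can be scripted instead of read off a Procmon trace. The PowerShell below is an added example (not the article's or Microsoft's own tooling): it queries each running process's token with GetTokenInformation(TokenIntegrityLevel) and flags processes that run at Low integrity while their image sits in one of the secure paths. The class and function names are this example's own; processes that cannot be opened (other users' processes, protected processes) are skipped, and legitimately sandboxed Low-integrity processes will show up too, so treat the output as leads to correlate with the launch failures rather than as a verdict.

```powershell
# Added example (not from the article or from Microsoft). Reports each reachable
# process's token integrity level and flags Low-integrity processes whose image
# lives in a secure path, the symptom the article describes seeing in Procmon.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokenIL {
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError=true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, int len, out int needed);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("advapi32.dll")] static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("kernel32.dll")] static extern bool CloseHandle(IntPtr h);
    const uint TOKEN_QUERY = 0x0008;
    const int TokenIntegrityLevel = 25;   // TOKEN_INFORMATION_CLASS value

    // Returns the mandatory-label RID (0x1000 Low, 0x2000 Medium, 0x3000 High,
    // 0x4000 System), or -1 if the token cannot be queried.
    public static int Get(IntPtr proc) {
        IntPtr tok;
        if (!OpenProcessToken(proc, TOKEN_QUERY, out tok)) return -1;
        IntPtr buf = IntPtr.Zero;
        try {
            int len;
            GetTokenInformation(tok, TokenIntegrityLevel, IntPtr.Zero, 0, out len);  // size probe
            if (len == 0) return -1;
            buf = Marshal.AllocHGlobal(len);
            if (!GetTokenInformation(tok, TokenIntegrityLevel, buf, len, out len)) return -1;
            IntPtr sid = Marshal.ReadIntPtr(buf);   // TOKEN_MANDATORY_LABEL.Label.Sid
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            // The last sub-authority of the label SID is the integrity level RID.
            return Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
        } finally {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            CloseHandle(tok);
        }
    }
}
'@

$levelNames = @{ 0x0000 = 'Untrusted'; 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x2100 = 'MediumPlus'; 0x3000 = 'High'; 0x4000 = 'System' }

# The four secure paths listed in the article; ProgramFiles(x86) is absent on 32-bit Windows.
$securePaths = @($env:ProgramFiles, ${env:ProgramFiles(x86)},
                 "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") | Where-Object { $_ }

function Test-SecurePath {
    # True when $Path is inside one of the secure directories (case-insensitive prefix match).
    param([Parameter(Mandatory)][string]$Path)
    foreach ($dir in $securePaths) {
        if ($Path.StartsWith($dir.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-ProcessIntegrity {
    foreach ($p in Get-Process) {
        # .Handle and .Path throw "Access is denied" for other users' and protected processes; skip those.
        try { $path = $p.Path; $rid = [TokenIL]::Get($p.Handle) } catch { continue }
        if ($rid -lt 0 -or -not $path) { continue }
        $name = if ($levelNames.ContainsKey($rid)) { $levelNames[$rid] } else { '0x{0:X}' -f $rid }
        [pscustomobject]@{
            Pid       = $p.Id
            Name      = $p.ProcessName
            Integrity = $name
            Path      = $path
            # Low integrity for an image in a secure path is the symptom to look for.
            Suspect   = ($rid -eq 0x1000) -and (Test-SecurePath -Path $path)
        }
    }
}

Get-ProcessIntegrity | Where-Object Suspect | Format-Table Pid, Name, Integrity, Path -AutoSize
```

Drop the `Where-Object Suspect` filter to see the integrity level of every reachable process, which is a useful baseline on its own. Run it as the affected non-admin user: an elevated session sees more processes but does not reproduce the condition the issue depends on.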
The fix
Microsoft mitigated the issue using a Known Issue Rollback (KIR), which disables the code in the update that causes the issue. The change is applied automatically to non-managed devices: most consumer devices, and any business device not managed by an IT department, should receive the fix within the next 24 hours.
On managed systems the fix is not applied automatically. Microsoft provides a Group Policy that administrators need to deploy to affected systems to apply the change.
IMO Teams not starting is not a bug, it's a feature.
Cute that they admit their “special”, “protected” folders like those mentioned above are not well implemented.
One workaround is not installing in those folders, which can be witnessed on a daily basis by programs wanting to install in the "AppData" folder of your user profile (try searching that for *.exe some day). Yeah, that "data" folder is being misused on a grand scale to house programs wanting to dodge restrictions.
Specifically to avoid the hassle of UAC and other limitations, for example when running updates or when getting installed.
Lots and lots of programs are using that so people can install stuff without having rights. Often meaning when they should not and are not allowed.
Big plus they also do not need a “service” running to install updates for them with admin privileges.
Big negative: abusing a data folder, installing stuff when not allowed.
As a start, Windows should completely forbid running programs, loading DLLs and all that associated stuff as long as it resides anywhere under the 'AppData' folder, and red-flag placement of things like that in there. Let data be just that, data. Not programs. The 'AppData' folder should not be treated as "Apps".
The other general workaround (for the protected folders) is installing an admin-level background service to override that (a few things like Steam and Firefox do that) to run updates without UAC prompts when installed in those 'programs' folders.
But it is a horrible practice for the sake of convenience, each of them a potential way to escalate privileges.
Strange fact: on Windows, with default settings, any user can make a new folder in the root, even on the boot drive. Yes, it is insane, but it happens.
"Note: Optional updates for Windows should be considered Beta" Then shouldn't they be called "Beta updates" rather than "Optional updates", so users understand that these updates are not production ready?
Completely agree. This aspect would have to be clarified much more in future Windows reviews.