2

Someone or something recently disabled UAC on a critical server and it is now asking for a reboot (which can not happen). Is there an event in the logs that will tell me which account disabled this? And can I re-enable it without rebooting to get rid of the 'reboot' prompt?

Thanks.

eth0
  • Not an answer but... Are you sure about granting admin privileges to lots of people? Inexperienced admins can cause a lot more damage on **critical** (you said that) servers – usr-local-ΕΨΗΕΛΩΝ Nov 27 '12 at 11:57
  • That's a good point. I shouldn't have said critical, as it's not production but it is a shared terminal server in the production environment. By critical I meant, critical that it not be rebooted since it's always in use by many other developers. – eth0 Nov 27 '12 at 20:01

1 Answer

3

Privilege Elevation yields a logon event, so look for the last occurrences of Event ID 4648 (interactive logon) and 4624 (successful logon attempt) in the Security Log.

Otherwise, change the UAC policy back and check what events are generated in the event log, then search for similar events.

Update: If you have large volumes of event log entries to search through, have a go with EventCombMT and search for the above mentioned events. It is a bit old school, but very useful for gathering and sorting event log entries on one or more Windows machines.

Mathias R. Jessen
  • +1 Also, `System Log: Event 104 - XXX log file was cleared` in case they had half a brain. – Chris S Nov 27 '12 at 00:48
  • And Security Log event id 1102 – Mathias R. Jessen Nov 27 '12 at 00:49
  • The problem is, I have about a dozen users RDP'd into this box at once. So I also have a couple dozen security events per minute, it looks like. Even if I knew what time this took place, it would be quite difficult to figure out. – eth0 Nov 27 '12 at 01:47
  • So, basically everybody that is logged into this machine currently matches the event IDs I found, which are triggered in the Security event log by changing the UAC; found by testing with my own account. I probably should have mentioned this is a terminal server. Does this make it impossible to find the information I am looking for? – eth0 Nov 27 '12 at 04:27
  • When you say "disabled UAC", are you referring to changing the settings and policies guarding UAC, or per-user UAC options? – Mathias R. Jessen Nov 27 '12 at 12:31
  • That's a good question. I had a developer come to me because the popup came out of nowhere to reboot the machine since UAC was disabled. So I assume it's a global setting and any user could have done this. Is it actually a per-user option? – eth0 Nov 27 '12 at 19:56
  • Even my old Windows Server 2003 Terminal Server bugs the tightly locked down users for a reboot when updates are applied. They are unable to initiate a reboot, but they get bugged for it. It's possible this still happens as Windows Update is just telling the user that updates are pending or a reboot is pending. Since my users can't reboot the server, I am not worried about them hitting the "apply updates and restart" magic button. – MikeAWood Dec 06 '12 at 01:29
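The log search described in the answer and its comments, as an added PowerShell example that is not part of the original thread: it scopes Security events 4624/4648 to a time window, narrows 4624 to interactive-style logon types so a terminal server full of RDP sessions does not drown the result, and then checks for the log-cleared events 1102 (Security) and 104 (System). The `$Start`/`$End` window and the `EnableLUA` registry value used to show the current UAC state are assumptions of this example, not something the thread states.

```powershell
# Added example (not from the thread): scope the Security log search the answer
# recommends and check whether the trail itself was cleared, as the comments suggest.
# Assumptions: the search window below, and EnableLUA as the registry value holding
# the machine-wide UAC on/off switch (0 = disabled).
param(
    [datetime]$Start = (Get-Date).AddHours(-24),
    [datetime]$End   = (Get-Date)
)

# Current UAC state, so you know whether the change is still in effect.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
"EnableLUA is currently {0}" -f $uac.EnableLUA

# Logon events named in the answer: 4624 (successful logon) and 4648 (logon with explicit credentials).
$logons = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4648; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue

# Flatten each event's EventData into a hashtable, keep only interactive (2) or
# RemoteInteractive (10) 4624s plus every 4648, and summarise per account.
$rows = foreach ($e in $logons) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($e.Id -eq 4624 -and $d.LogonType -notin 2,10) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Subject   = $d.SubjectUserName      # account that initiated the logon (4648) or the logon process (4624)
        Account   = $d.TargetUserName       # account that was logged on / whose credentials were used
        LogonType = $d.LogonType
        Source    = if ($e.Id -eq 4648) { $d.TargetServerName } else { $d.IpAddress }
    }
}
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count,
        @{ n='First'; e={ ($_.Group | Sort-Object Time)[0].Time } },
        @{ n='Last';  e={ ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Log clearing from the comments: Security 1102 or System 104 means someone wiped the evidence.
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=1102; StartTime=$Start } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName='System';   Id=104;  StartTime=$Start } -ErrorAction SilentlyContinue
)
if ($cleared) { $cleared | Select-Object TimeCreated, LogName, Id, Message | Format-List }
else { "No log-cleared events (1102/104) since $Start" }
```

Run it in an elevated PowerShell session on the server; narrow `$Start`/`$End` to the minutes around the reboot prompt first appearing to shrink the per-account table further.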