Fix “This Operation Has Been Cancelled” error when launching applications

One of the nastiest issue with malware is that it isn’t shy to make use of native Windows security mechanisms to wreak havoc. Yesterday I cleaned up virus-infested notebook (took CureIt and SuperAntiSpyware runs) and it was no-brainer to install Microsoft Security Essentials after that…

Except that I was unable to start MSE interface, getting unhelpful “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator” error message.

Symptoms

The error message was displayed when trying to manually launch MSE by either shortcut or executable. Also MSE was not appearing in tray on boot, despite correct entry for that present, active and viewable with Autoruns.

Also MSE service was running just fine in the background, so it wasn’t that interface failed to start because of service absence.

In effect this felt much image file execution hijack, but that part was already cleaned up by SAS and error message seemed security-related, while image debug functionality is development-related.

Tracing

Curiously there were no traces that I could pick up in journals with MyEventViewer or elsewhere. There was also no visible process starting in Process Explorer, so launch was prevented rather than interrupted in some way.

Searching online didn’t help much. Abundant references to this error were mostly covering Internet-related issues with Internet Explorer, Outlook and sometimes simply Explorer.

Search

I was ready to cave in and just dump everything that is going on with Process Monitor, but before that I decided to do complete search of registry with RegScanner for MSE’s executable name. If there was some legit Windows mechanism in use then relevant information was unlikely to be obfuscated.

Solution

Very quickly I got a hit on following registry folder:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun

It had several keys with executable names (all anti-malware related). Deleting these keys and rebooting had immediately resolved the issue and Security Essentials had no trouble functioning.

Later I looked up MS Knowledge Base article Restrict Users from Running Specific Windows Programs that describes in detail how this technique is properly used.

Overall

Malware abusing legit OS features is unfortunately very hard for security software to diagnose and fix automatically. Fortunately since such features are planned to work with system of permissions – information is usually in plain view for administrator account and is relatively easy to find with global searches.

Related Posts

15 Comments

  • Thank you very much for this entry – a customer’s Eset NOD32 anti-virus GUI had this same problem and I’d tried pretty much everything you had, but knew it was something Group Policy or restriction-related. Glad I found you on Google!

  • @Adam Piggott

    You are welcome. :) This is not that often used trick, took me a while to figure it out back then.

  • Just wanted to let you know, I was working with a customer who had this exact error when trying to launch MS Sec Essentials and your fix resolved it perfectly. Thank you very much for posting this.

  • thats guy…i was loosing my head over this!!!! fixed it right up….by the way…for other people…the registery file is under users, not local machine. but thanks again guy

  • Regedit also isn’t working

  • @Sajimonmm

    I’d try copying and renaming regedit.exe or use third party registry utility.

  • Thank you so much! It worked like a charm!

  • Thanks man, you helped me a lot!!!

  • Thank you very much. This really worked!

  • idk how long ago this post was but i have to say THANK YOU!! sooo much, of all the things i know this was not one, and a recent issue I’ve had too, i did the search in the registry for that hive and found it instantly. and just as you described it was full of the exe names for antivirus programs, (in my case eset) i deleted all the keys and restarted and instantly after everything was working like normal. again i have to thank you for this article, it has saved me hours of work.

  • This was exactly what I was looking for. Thanks for your research and write-up. I found out that something had also added all of the AVG executables to the same “do not run” registry key. Still not sure which one, but it’s working right now.

  • I went to my registry:
    Regedit.exe HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Polices\Explore:
    In the explorer folder is:
    Ab (Default) REG_SZ (value not set)
    HideSCAHealth REG_DWORD 0x00000001 (1)
    NoActiveDeskti…. REG_BINARY 00 00 00 00
    NoInstrumentati… REG_SZ 1
    NoSaveSettings REG_DWORD 0x00000000 (0)

    What do I leave in and what do I delete, is there suppose to be something? I’m afraid to erase everything. Appreciate your help.

  • @Diane

    Look for DisallowRun folder inside of Explorer one.

Comments are closed.