One of the nastiest issue with malware is that it isn’t shy to make use of native Windows security mechanisms to wreak havoc. Yesterday I cleaned up virus-infested notebook (took CureIt and SuperAntiSpyware runs) and it was no-brainer to install Microsoft Security Essentials after that…
Except that I was unable to start MSE interface, getting unhelpful “This operation has been cancelled due to restrictions in effect on this computer. Please contact your system administrator” error message.
The error message was displayed when trying to manually launch MSE by either shortcut or executable. Also MSE was not appearing in tray on boot, despite correct entry for that present, active and viewable with Autoruns.
Also MSE service was running just fine in the background, so it wasn’t that interface failed to start because of service absence.
In effect this felt much image file execution hijack, but that part was already cleaned up by SAS and error message seemed security-related, while image debug functionality is development-related.
Curiously there were no traces that I could pick up in journals with MyEventViewer or elsewhere. There was also no visible process starting in Process Explorer, so launch was prevented rather than interrupted in some way.
Searching online didn’t help much. Abundant references to this error were mostly covering Internet-related issues with Internet Explorer, Outlook and sometimes simply Explorer.
I was ready to cave in and just dump everything that is going on with Process Monitor, but before that I decided to do complete search of registry with RegScanner for MSE’s executable name. If there was some legit Windows mechanism in use then relevant information was unlikely to be obfuscated.
Very quickly I got a hit on following registry folder:
It had several keys with executable names (all anti-malware related). Deleting these keys and rebooting had immediately resolved the issue and Security Essentials had no trouble functioning.
Later I looked up MS Knowledge Base article Restrict Users from Running Specific Windows Programs that describes in detail how this technique is properly used.
Malware abusing legit OS features is unfortunately very hard for security software to diagnose and fix automatically. Fortunately since such features are planned to work with system of permissions – information is usually in plain view for administrator account and is relatively easy to find with global searches.