
Title: How can I remove the Win7 message from an exe that has this message appear "Do you want to allow the following program from an unknown publisher to make changes on your computer"?

I receive a message rather like the one in the screenshot (image not reproduced here) when I try to run an EXE.

The EXE is MFTRCRD64.exe

https://github.com/jschicht/MftRcrd

Click green "clone or download", then the blue "download zip"


I tried copying c:\windows\system32\calc.exe to c:\ab, and I tried copying that exe (MFTRCRD64.exe) to c:\ab. calc.exe (calc.exe of course by MS), has no issue. Any program I write and compile has no issue. But this program pops up a message. Loads of programs I get written by others don't pop up the message. For some reason this one pops up this message.

There are no streams attached to the EXE, so I can't see what is causing it. I know Win XP used to pop some security thing up and you could delete a zone identifier stream associated with the file and it was fine. But this is different: it's the UAC giving the message (of course, Win7 has UAC, Win XP doesn't).

But for almost any executable I get from anywhere, I don't get this UAC message. But I do for this MFTRCRD64.EXE file. So it must be something about how the file was produced, and I wonder if I can change it.

C:\ab>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\ab

01/10/2016  12:31 AM    <DIR>          .
01/10/2016  12:31 AM    <DIR>          ..
14/07/2009  02:38 AM           918,528 calc.exe
15/09/2015  09:42 PM         1,099,499 MFTRCRD64.exe
               2 File(s)      2,018,027 bytes
               2 Dir(s)   7,114,272,768 bytes free

C:\ab>calc

C:\ab>MFTRCRD64.exe

C:\ab>streams MFTRCRD64.exe

Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com


C:\ab>

Rik makes an interesting remark, that it may be trying to write to somewhere that it isn't allowed to, where you have to be administrative. And indeed I don't get that box coming up when in an administrative cmd prompt.

"You're running into the "Installer Detection Technology" or IDT from the UAC. It tries to detect if it's dealing with an "installer" and if so, gives you that prompt. Here are two links you can read more about it and check the list for IDT-methods to see if you can solve it. http://answers.microsoft.com/en-us/windows/forum/windows_7-security/uac-message-do-you-want-to-allow-the-following/bea30ad8-9ef8-4897-aab4-841a65f7af71 and http://technet.microsoft.com/en-us/library/cc709628(v=ws.10).aspx "

The answers.microsoft.com link says "This occurs when unknown programs (unsigned) try to write data to protected system folders or registry settings, and UAC is seeking your permission".

The technet link says

- Filename includes keywords like "install," "setup," "update," etc.
- Keywords in the following Versioning Resource fields: Vendor, Company Name, Product Name, File Description, Original Filename, Internal Name, and Export Name.
- Keywords in the side-by-side manifest embedded in the executable.
- Keywords in specific StringTable entries linked in the executable.
- Key attributes in the RC data linked in the executable.
- Targeted sequences of bytes within the executable.

I have included some output from Process Monitor (I understand that has replaced regmon), though I've no idea what registry areas or folder areas it is accessing that might trigger that (if it even would).

http://pastebin.com/raw/A5XC6pEk

I tried writing a C# program to write to an area where you have to be administrative (making a file c:\program files\abc.aaa), http://pastebin.com/raw/4K28DvzK, but I notice that didn't trigger a UAC prompt; that just made an UnauthorizedAccessException.

I also just tried running a 32-bit exe that had "setup" in the filename, and it didn't trigger it.

C:\crp3>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp3

02/10/2016  01:31 PM    <DIR>          .
02/10/2016  01:31 PM    <DIR>          ..
22/02/2014  08:21 PM        12,689,608 a_setup_.exe
15/09/2015  09:42 PM         1,099,499 MFTRCRD64.exe
25/07/2015  01:03 AM            73,216 w.exe
               3 File(s)     13,862,323 bytes
               2 Dir(s)   7,455,793,152 bytes free

C:\crp3>file a_setup_.exe
a_setup_.exe; PE32 executable for MS Windows (GUI) Intel 80386 32-bit

C:\crp3>a_setup_.exe

C:\crp3> :: didn't trigger it
C:\crp3>

Further addition

I accept the answer from Rik and the great contributions from Dan that came in the discussion.

I would note though that when I remove that RequireAdmin line from the top, I get no response in the non-administrative or administrative cmd prompt.

But it's not important. Both rik and dan got the same error response.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\harvey>cd \crp4

C:\crp4>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4

02/10/2016  03:51 PM    <DIR>          .
02/10/2016  03:51 PM    <DIR>          ..
02/10/2016  03:15 PM             1,517 changelog.txt
02/10/2016  03:15 PM             1,114 LICENSE.md
02/10/2016  03:15 PM           163,548 MFTRCRD.au3
02/10/2016  03:51 PM         1,222,656 mftrcrd.exe
02/10/2016  03:15 PM           755,712 mftrcrd2.exe
02/10/2016  03:15 PM           792,064 MFTRCRD64.exe
02/10/2016  03:16 PM         1,222,656 MFTRCRDNEW.exe
02/10/2016  03:15 PM           755,712 MFTRCRD_old.exe
02/10/2016  03:47 PM         1,222,656 MFTRCRD_sci.exe
02/10/2016  03:15 PM                 0 readme.txt
              10 File(s)      6,137,635 bytes
               2 Dir(s)   7,346,610,176 bytes free

C:\crp4>mftrcrd.exe

C:\crp4>mftrcrd64.exe

C:\crp4>notepad.exe MFTRCRD.au3

C:\crp4>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

C:\crp4>
C:\crp4>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

C:\crp4>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

C:\crp4>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

C:\crp4>file mftrcrd.exe
mftrcrd.exe; PE32 executable for MS Windows (GUI) Intel 80386 32-bit

C:\crp4>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

C:\crp4>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4

02/10/2016  03:51 PM    <DIR>          .
02/10/2016  03:51 PM    <DIR>          ..
02/10/2016  03:15 PM             1,517 changelog.txt
02/10/2016  03:15 PM             1,114 LICENSE.md
02/10/2016  03:15 PM           163,548 MFTRCRD.au3
02/10/2016  03:51 PM         1,222,656 mftrcrd.exe
02/10/2016  03:15 PM           755,712 mftrcrd2.exe
02/10/2016  03:15 PM           792,064 MFTRCRD64.exe
02/10/2016  03:16 PM         1,222,656 MFTRCRDNEW.exe
02/10/2016  03:15 PM           755,712 MFTRCRD_old.exe
02/10/2016  03:47 PM         1,222,656 MFTRCRD_sci.exe
02/10/2016  03:15 PM                 0 readme.txt
              10 File(s)      6,137,635 bytes
               2 Dir(s)   7,348,428,800 bytes free

C:\crp4>MFTRCRD_sci C?0x100000 -d indxdump=off 4096 -s

C:\crp4>mftr_old.exe C?0x100000 -d indxdump=off 4096 -s
'mftr_old.exe' is not recognized as an internal or external command,
operable program or batch file.

C:\crp4>mftrcrd_old.exe C?0x100000 -d indxdump=off 4096 -s

C:\crp4>md a

C:\crp4>copy mftrcrd.exe
The file cannot be copied onto itself.
        0 file(s) copied.

C:\crp4>copy mftrcrd.exe a
        1 file(s) copied.

C:\crp4>cd a

C:\crp4\a>del mftrcrd.exe

C:\crp4\a>cd ..

C:\crp4>cd a

C:\crp4\a>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

02/10/2016  04:37 PM    <DIR>          .
02/10/2016  04:37 PM    <DIR>          ..
02/10/2016  04:37 PM    <DIR>          MftRcrd-master
               0 File(s)              0 bytes
               3 Dir(s)   7,346,700,288 bytes free

C:\crp4\a>cd MftRcrd-master

C:\crp4\a\MftRcrd-master>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a\MftRcrd-master

02/10/2016  04:37 PM    <DIR>          .
02/10/2016  04:37 PM    <DIR>          ..
02/10/2016  04:37 PM             1,517 changelog.txt
02/10/2016  04:37 PM             1,114 LICENSE.md
02/10/2016  04:37 PM           163,563 MFTRCRD.au3
02/10/2016  04:37 PM           755,712 MFTRCRD.exe
02/10/2016  04:37 PM           792,064 MFTRCRD64.exe
02/10/2016  04:37 PM                 0 readme.txt
               6 File(s)      1,713,970 bytes
               2 Dir(s)   7,346,700,288 bytes free

C:\crp4\a\MftRcrd-master>move * ..\
C:\crp4\a\MftRcrd-master\changelog.txt
C:\crp4\a\MftRcrd-master\LICENSE.md
C:\crp4\a\MftRcrd-master\MFTRCRD.au3
C:\crp4\a\MftRcrd-master\MFTRCRD.exe
C:\crp4\a\MftRcrd-master\MFTRCRD64.exe
C:\crp4\a\MftRcrd-master\readme.txt
        6 file(s) moved.

C:\crp4\a\MftRcrd-master>cd ..

C:\crp4\a>rmdir /s MftRcrd-master
MftRcrd-master, Are you sure (Y/N)? y

C:\crp4\a>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

02/10/2016  04:37 PM    <DIR>          .
02/10/2016  04:37 PM    <DIR>          ..
02/10/2016  04:37 PM             1,517 changelog.txt
02/10/2016  04:37 PM             1,114 LICENSE.md
02/10/2016  04:37 PM           163,563 MFTRCRD.au3
02/10/2016  04:37 PM           755,712 MFTRCRD.exe
02/10/2016  04:37 PM           792,064 MFTRCRD64.exe
02/10/2016  04:37 PM                 0 readme.txt
               6 File(s)      1,713,970 bytes
               2 Dir(s)   7,346,503,680 bytes free

C:\crp4\a>MFTRCRD.exe

C:\crp4\a>copy MFTRCRD.exe mftrcrd_original.exe
        1 file(s) copied.

C:\crp4\a>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

02/10/2016  04:38 PM    <DIR>          .
02/10/2016  04:38 PM    <DIR>          ..
02/10/2016  04:37 PM             1,517 changelog.txt
02/10/2016  04:37 PM             1,114 LICENSE.md
02/10/2016  04:37 PM           163,563 MFTRCRD.au3
02/10/2016  04:37 PM           755,712 MFTRCRD.exe
02/10/2016  04:37 PM           792,064 MFTRCRD64.exe
02/10/2016  04:37 PM           755,712 mftrcrd_original.exe
02/10/2016  04:37 PM                 0 readme.txt
               7 File(s)      2,469,682 bytes
               2 Dir(s)   7,345,741,824 bytes free

C:\crp4\a>"\Program Files (x86)\AutoIt3\SciTE\SciTE.exe"

C:\crp4\a>del mftrcrd.exe

C:\crp4\a>dir mftrcrd.exe
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

File Not Found

C:\crp4\a>:: opened  mftrcrd.au3, done tools..compile
C:\crp4\a>
C:\crp4\a>dir
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

02/10/2016  04:40 PM    <DIR>          .
02/10/2016  04:40 PM    <DIR>          ..
02/10/2016  04:37 PM             1,517 changelog.txt
02/10/2016  04:37 PM             1,114 LICENSE.md
02/10/2016  04:37 PM           163,563 MFTRCRD.au3
02/10/2016  04:40 PM         1,222,656 MFTRCRD.exe
02/10/2016  04:37 PM           792,064 MFTRCRD64.exe
02/10/2016  04:37 PM           755,712 mftrcrd_original.exe
02/10/2016  04:37 PM                 0 readme.txt
               7 File(s)      2,936,626 bytes
               2 Dir(s)   7,345,045,504 bytes free

C:\crp4\a>>MFTRCRD C?0x100000 -d indxdump=off 4096 -s
'C?0x100000' is not recognized as an internal or external command,
operable program or batch file.

C:\crp4\a>MFTRCRD C?0x100000 -d indxdump=off 4096 -s
Access is denied.

C:\crp4\a>head -n 1 mftrcrd.au3
#RequireAdmin

C:\crp4\a>notepad.exe MFTRCRD.au3

C:\crp4\a>:: removed that line
C:\crp4\a>del mftrcrd.exe

C:\crp4\a>dir mftrcrd.exe
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

02/10/2016  04:40 PM         1,222,656 MFTRCRD.exe
               1 File(s)      1,222,656 bytes
               0 Dir(s)   7,345,041,408 bytes free

C:\crp4\a>del mftrcrd.exe
C:\crp4\a\MFTRCRD.exe
Access is denied.

C:\crp4\a>dir mftrcrd.exe
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

File Not Found

C:\crp4\a>:: tools..compile
C:\crp4\a>dir mftrcrd.exe
 Volume in drive C has no label.
 Volume Serial Number is B411-D580

 Directory of C:\crp4\a

02/10/2016  04:43 PM         1,222,656 MFTRCRD.exe
               1 File(s)      1,222,656 bytes
               0 Dir(s)   7,345,041,408 bytes free

C:\crp4\a>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

C:\crp4\a>

Added:

removing that #RequireAdmin line and doing `"C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe" /in MFTRCRD.au3 /console` both as Rik suggested, and I reproduce what Rik gets.
  • 1
    Click the "change when these notifications appear" link. The notification appears because your security settings are set to make them appear on unsigned executables
    – Ramhound
    Commented Oct 1, 2016 at 6:04
    @Ramhound.. any alternative ways, e.g. is it possible to sign the executable? And why is it that if I write a C or csc file and compile it then I get an exe that runs without that message coming up? I doubt for example that gcc signs executables.
    – barlop
    Commented Oct 1, 2016 at 6:49
  • Yeah; it's possible to sign the executable
    – Ramhound
    Commented Oct 1, 2016 at 6:52
    @Ramhound, and you haven't addressed the second part of the comment: "why is it that if I write a C or csc file and compile it then I get an exe that runs without that message coming up? I doubt for example that gcc signs executables, as gcc is a Linux-based compiler ported to Windows". I have for example Tiny C Compiler; I don't know for sure but doubt it's signing executables, yet executables created by it don't pop that message up.
    – barlop
    Commented Oct 1, 2016 at 6:57
  • 1
    Not sure if you got the answers already (in those deleted links)... but you're running into the "Installer Detection Technology" or IDT from the UAC. It tries to detect if it's dealing with an "installer" and if so, gives you that prompt. Here are two links you can read more about it and check the list for IDT-methods to see if you can solve it. answers.microsoft.com/en-us/windows/forum/windows_7-security/… and technet.microsoft.com/en-us/library/cc709628(v=ws.10).aspx
    – Rik
    Commented Oct 1, 2016 at 21:38

1 Answer


OK, to wrap up this question with an answer after some diagnosing in the discussion, here is a summary.

MFTRCRD64.exe is an advanced (compiled) AutoIt3 script which accesses the hard disk directly. The first line in the .au3 script (see the download) is #RequireAdmin, so the resulting .exe will require elevation, resulting in the given prompt.

The following question would be whether the script could run without elevation (without the #RequireAdmin line). After compiling it as a console exe (which is necessary, otherwise there is no console output), the error message in user mode is Error in function CreateFile for: \\.\C:.

That's because the script/exe tries to access the physical disk. CreateFile('\\.\C') will return a handle which you can use in other API calls to gain direct disk access. However, direct physical disk access is only allowed if the caller has administrative privileges. See the CreateFile() documentation. Hence the need for the #RequireAdmin line and the subsequent UAC prompt.

Output from user-console (not elevated):

C:\Users\Rik\Downloads\MftRcrd-master\MftRcrd-master>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

Starting MFTRCRD by Joakim Schicht
Version 1.0.0.38

Target offset is: 0x0000000000100000

Filesystem on C: is NTFS
Error in function CreateFile for: \\.\C:

and when elevated:

C:\Users\Rik\Downloads\MftRcrd-master\MftRcrd-master>MFTRCRD C?0x100000 -d indxdump=off 4096 -s

Starting MFTRCRD by Joakim Schicht
Version 1.0.0.38

Target offset is: 0x0000000000100000

Filesystem on C: is NTFS
BytesPerSector:  512
SectorsPerCluster:  8
ReservedSectors:  0
SectorsPerTrack:  63
NumberOfHeads:  255
HiddenSectors:  1028160
TotalSectors:  486442304
LogicalClusterNumberforthefileMFT:  31285383
LogicalClusterNumberforthefileMFTMirr:  874
MFT Record Size: 1024

Found record is not valid:
0000    4d 41 4d 04 a0 dd 00 00  a5 a8 b6 9a 99 b8 aa a9   MAM.............
0010    99 a7 aa aa 99 b7 aa aa  a9 b7 aa aa a9 b7 9a a9   ................
0020    99 97 aa 9a 98 c7 ba bb  89 97 99 99 99 a8 99 8a   ................
etc.
  • Thanks. Can you include a copy/paste of your command console where you get that error of Error in function CreateFile for: \\.\C:. showing the command as well as the output
    – barlop
    Commented Oct 2, 2016 at 15:21
  • I see also, as you mentioned in discussion, CreateFile is a WinAPI function winapi.freetechsecrets.com/win32/WIN32CreateFile.htm and as mentioned, for creating or opening files. And it's CreateFile(...) not on a regular file but on that raw partition, that requires elevation.
    – barlop
    Commented Oct 2, 2016 at 15:24
  • Done... and yes... while CreateFile() can also be used to open normal files, when used with \\.\PHYSICALDRIVE you open a physical handle to the disk.
    – Rik
    Commented Oct 2, 2016 at 15:30
  • Another thing worth noting is that this command line you used MFTRCRD C?0x100000 -d indxdump=off 4096 -s came from the .au3 file
    – barlop
    Commented Oct 2, 2016 at 15:54
  • 1
    @barlop yes, my initial comment that it was the IDT in this case was incorrect. You can see that in the fact that removing #RequireAdmin doesn't trigger the new .exe. But the fact remains that IDT is a mysterious beast which can trigger the same message and the rules of triggering are not that clear (due to obvious reasons). But not the cause here.
    – Rik
    Commented Oct 11, 2016 at 5:49
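The thread lists two different reasons an unsigned executable can produce this prompt: the IDT heuristics quoted from the Technet page in the question (filename keywords, manifest keywords, version resources), and, in the answer, an explicit administrator requirement that the program itself carries (here AutoIt's #RequireAdmin, because CreateFile on \\.\C: needs administrative privileges). The script below is an added example written for this page; it is not code from the Super User thread or from the MftRcrd project. It does an offline triage of an .exe for two of those signals: the requestedExecutionLevel in the side-by-side manifest embedded in the PE, and the "install"/"setup"/"update" filename keywords. Assumptions not taken from the page: the embedded manifest is UTF-8 XML, so a regex over the raw file bytes finds it without walking the RT_MANIFEST resource tree; the sample blobs and file names in the block are constructed, and the real MFTRCRD64.exe's manifest was not examined.

```python
"""Offline triage of a Windows executable for two documented sources of a UAC prompt.

Added example, not code from the thread or the MftRcrd project. It checks:
  1. the requestedExecutionLevel in the manifest embedded in the PE
     (an explicit "requireAdministrator" always produces the prompt);
  2. the installer keywords from the Technet IDT list in the file name,
     which are only a heuristic: the thread shows a_setup_.exe not prompting.
Assumptions (not from the page): the manifest is UTF-8 XML found by a regex over
the raw bytes; the sample blobs below are constructed, not real executables.
"""
import re
import struct
import sys

INSTALLER_KEYWORDS = ("install", "setup", "update")

# Matches <requestedExecutionLevel level="..."> inside the manifest XML.
_MANIFEST_LEVEL = re.compile(
    rb'<requestedExecutionLevel\b[^>]*\blevel\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE,
)


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def manifest_execution_level(data: bytes):
    """Return the manifest's requestedExecutionLevel value, or None if absent."""
    m = _MANIFEST_LEVEL.search(data)
    return m.group(1).decode("ascii", "replace") if m else None


def filename_keywords(name: str) -> list:
    """IDT-style installer keywords present in the file name (heuristic only)."""
    lower = name.lower()
    return [k for k in INSTALLER_KEYWORDS if k in lower]


def triage(name: str, data: bytes) -> dict:
    """Summarise why this executable might (or might not) raise a UAC prompt."""
    level = manifest_execution_level(data)
    return {
        "pe": is_pe(data),
        "manifest_level": level,
        # An explicit manifest request is deterministic; keyword hits are not.
        "explicit_elevation": level == "requireAdministrator",
        "idt_keyword_hits": filename_keywords(name),
    }


def triage_path(path: str) -> dict:
    """Read an executable from disk and triage it (file name taken from the path)."""
    with open(path, "rb") as f:
        data = f.read()
    return triage(path.replace("\\", "/").rsplit("/", 1)[-1], data)


def _fake_pe(manifest_xml: bytes) -> bytes:
    """Constructed sample: 'MZ' header, e_lfanew=0x40, 'PE\\0\\0', then a manifest."""
    header = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\0\0" + b"\0" * 0x20 + manifest_xml


def _manifest(level: str) -> bytes:
    """Constructed minimal manifest XML carrying the given execution level."""
    return (b'<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
            b"<trustInfo><security><requestedPrivileges>"
            b'<requestedExecutionLevel level="' + level.encode() + b'" uiAccess="false"/>'
            b"</requestedPrivileges></security></trustInfo></assembly>")


# Constructed samples (file names are made up, not the thread's real binaries).
SAMPLE_REQUIRE_ADMIN = _fake_pe(_manifest("requireAdministrator"))
SAMPLE_AS_INVOKER = _fake_pe(_manifest("asInvoker"))
SAMPLE_NO_MANIFEST = _fake_pe(b"")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(triage_path(sys.argv[1]))
    else:
        for name, blob in (("constructed_admin.exe", SAMPLE_REQUIRE_ADMIN),
                           ("a_setup_.exe", SAMPLE_AS_INVOKER),
                           ("plain.exe", SAMPLE_NO_MANIFEST)):
            print(name, triage(name, blob))
```

Run it with a path to an .exe to triage a real file, or with no arguments to see the three constructed cases. A `requireAdministrator` result explains the prompt on its own; a keyword hit with `asInvoker` only says the IDT heuristics could apply, which the thread's a_setup_.exe experiment shows they often do not. An executable that requests elevation at runtime, as the AutoIt script here does, can pass both checks and still prompt, so a clean result is not a guarantee.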
