Advice Request Windows 8.1 bug? Parental control on Administrator

[Windows_Security]

A friend running windows 8.1 Home on his laptop, which had not updated to 10 because all the fuzz about Microsoft tracking users, had his laptop bricked by one of his kids. So he asked me to help him out.

I use parental control on my Asus Tramsformer running Windows 8.1, together with ValidateAdminSignatures enabled, (which blocks elevation of unsigned programs and can be the reason why UAC prompt is delayed). So I decided that I would put parental control on their PC also.

Just out of (old XP) habit, I set up a PC, then create a new user, make this new user admin and delete the account on which I used to install Windows to remove unsecure Creator/Owner write access in Windows directories (in Windows 10 these user write access holes are closed).

I kept it a vanilla Win 8.1 setup with Windows Defender, Smartscreen enabled, only with UAC tweak to disable elevation of unsigned. I explained him to use two registry files, in case he needed to install unsigned software (he uses only mainstream software, which is all signed). Added EMET for his Windows Office and told him to use Firefox with Silverlight only for watching Televison (I blocked all other IP's in Firewall for Firefox).

I had tested parental control and was offered a cup of coffee. When I came back I made my friends user ID admin (which was the local user I tested parental control on) and removed the admin user which I had used to set up his PC. I had totally forgotten to remove the parental control on his (now admin) account.

To my surprise I had a Local Administrator with Parental control. Off course I created a new Admin without parental control and setup standard local users for his kids with parental control.

Parental control on local Admin account in windows 8.1 BUG?
I was able to replicate this on my Asus Transformer. Since this is IMO a bug, I don't know whether this survices a windows update. See picture with Parental control ("Ouderlijk toezicht" in Dutch) on local Admin.

ValidateAdminSignatures UAC-tweak
Two regfiles which I use to switch on/off blocking elevation of unsigned software. When block is on, it is still possible to run unsigned programs. Unsigned programs are not allowed to elevate (e.g. install in Program Files). When unsigned tries to get admin rights you get an error ("no referral was returned from the server"). Save those text files as regfile from notepad when you want to use this security trick also.

 

[Windows_Security]

I will keep this on my Asus Transformer for a while to see whether this survives OS updates. On my desktop I am setting up a prototype for a website of a customer, so I am not going to try this in VM to check whether it works for Windows 10 Home also(parental control was changed a bit from 8.1 to 10).

 

[Deleted member 178]

The account should survive the update, not so sure about the ValidateAdminSignatures trick , since some MS' exe may not be signed.

 

[Windows_Security]

The account should survive the update, not so sure about the ValidateAdminSignatures trick , since some MS' exe may not be signed.

UAC tweak works perfectly, i have this on since 2010 on Vista, Windows 7 and 10. Only once Microsoft managed to corrupt their internal signatures after an Windows update (forgot which). Simple restore solved the problem. When Microsoft released a new update it went without problems, so this is a well tested tweak.

Parental control allows all executables in Windows folders, so I am not afraid of "direct" updates, only some updates are extracted from Temp and I don't know what parental control will do with those "new" executables. On second thought: updates in standard users work okay with parental control enabled, so why would being an Admin in stead of Standard user cause troubles?

Thanks for replaying, would you mind sharing why you think it will be ok?

 

[Deleted member 178]

i think it should be ok.

My baseline is quite similar than you (one admin account, one SUA) , same UAC tweak , and some other registry (like asking psw in admin account) or Chrome tweaks. i will disable ValidateAdminSignatures just for precaution.

 

[Windows_Security]

I added SRP Basic User through registry hack, because Parental Control should be some sort of SRP for exe's only, some observations:

1. Parental control has its own process (WPCMon), which seemed to spike to 25% CPU on the weak Asus Transformer CPU when Windows did auto updates. At restart (when updates succeeded), these spikes were gone and PCMon dropped to near zero.
2. When installing software (run as admin, bypassing SRP Basic User), Parental control does not give a peep (seems to conform to SRP enforcement, making it plausible that Parental Control is derived from SRP).
3. After software installing, the new software was blocked by Parental Control, which can be bypassed when answering yes to the question whether the parent is near and enter password (a UAC pop up) to allow this new executable.

After disabling Parental Control for this Admin account, I could not switch it on again, so it was probably a bug in Windows 8.1 (in Windows 10 setup of Parental Control is differently)

 

[Ink]

(in Windows 10 setup of Parental Control is differently)

How differently?

 

[Windows_Security]

You need a outlook account. It is nicely explained by Paul Thurrott