How can I find using Event Viewer a UAC prompt that a user clicked?

Greetings.

I need to know how to find (by all or any method) within the Event Viewer the log of a user clicking a UAC security prompt, and if possible, the information about what process initiated the UAC prompt and what reaction occurred from the user clicking Yes in that prompt.

I know the day and range of minutes the UAC prompt occurred, but there is so much data to sort within that 5-minute range. It would help to know the Event ID or Task Category of such an action, or how to write the filter to show only UAC prompts being initiated / authenticated by a user.

I believe the system security may have been compromised by this action and I need to pin down what process was responsible for installing, changing or otherwise altering the system by this user click.

Or if Event Viewer is not the best place to get verbose information about this occurrence, what should I be using instead?

Thank you.

July 9th, 2015 8:18pm

You could by all accounts check the installed programs for the one that was installed during that timeframe.

If that yields no results, then most likely it was malicious, and virtually any virus/malware scan will reveal the culprit.

July 9th, 2015 8:24pm

Thanks for your suggestions.

It was shortly after the system booted, and the user didn't have time to initiate any installs themselves. I was looking over his shoulder as he clicked Yes in the UAC prompt. I asked him what that was and he replied:

"I don't know. I get those all the time."

He's no longer allowed to touch Administrative accounts, so at least that problem is solved. I've gone through the filters pertaining to security and "UAC" in the filters and I'm not getting anything. It would be typical to discover that UAC prompts wouldn't be logged under UAC or UAC-FileVirtualization. Thanks Windows..

But seriously again, this is bugging me. An updated Avast scan isn't returning malicious activity but the system is not acting right and I'd really like to pin down what was in that UAC prompt.


  • Edited by pingray 6 hours 39 minutes ago typo
July 9th, 2015 8:45pm


Hi,

Please refer to this thread to enable the UAC audit:

http://stackoverflow.com/questions/8134195/which-events-are-triggered-on-a-uac-prompt

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

July 10th, 2015 4:31am
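
Added example (not part of the original thread, and not code from any poster): once process-creation auditing is on, as the reply above suggests, the Security log records Event ID 4688 for each new process, including the UAC consent UI (consent.exe) and the token elevation type of whatever was launched. The time window below is a placeholder, and the query only returns data if auditing was already enabled when the prompt appeared.

```powershell
# Added example. Assumes "Audit Process Creation" was already enabled, e.g.:
#   auditpol /set /subcategory:"Process Creation" /success:enable
# Run from an elevated PowerShell session; reading the Security log requires it.

# Placeholder window: replace with the day and minutes the prompt was seen.
$start = Get-Date '2015-07-09 20:00:00'
$end   = $start.AddMinutes(5)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688            # "A new process has been created"
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue  # suppress the error raised when nothing matches

$rows = foreach ($e in $events) {
    # Read fields by name from the event XML; field positions vary by Windows version.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $data['SubjectUserName']
        Process    = $data['NewProcessName']
        NewPid     = $data['NewProcessId']      # hex string
        CreatorPid = $data['ProcessId']         # hex string, PID of the creating process
        Elevation  = $data['TokenElevationType']
        CmdLine    = $data['CommandLine']       # empty unless command-line auditing is on
    }
}

# consent.exe is the UAC consent UI. TokenElevationType values:
#   %%1936 = full token (no split token), %%1937 = elevated token, %%1938 = limited token
$rows |
    Where-Object { $_.Process -like '*\consent.exe' -or $_.Elevation -eq '%%1937' } |
    Sort-Object Time |
    Format-Table Time, User, Process, NewPid, CreatorPid, Elevation -AutoSize
```

A consent.exe row followed within seconds by a %%1937 row is the pattern to look for: the second row names the executable that received the elevated token after the prompt was accepted.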


If they get them all the time, and on startup, then it is most likely something running as admin in Autoruns. I get that frequently with some AV applications, ODD Firmware monitors, and printer management software.
July 10th, 2015 3:20pm

This topic is archived. No further replies will be accepted.
