[IN PROGRESS] check my administrative privileges on newly installed Windows 10

Great!

Moving on.

1. FRST fix

Please do the following to run a FRST fix.

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system.
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy". No need to paste anything anywhere.
Code:
Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{07CA83F0-DF06-4E67-89DD-E80924A49512}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{0827D883-485C-4D62-BA2C-A332DBF3D4B0}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\InprocServer32 -> C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{1F80F4F0-5D28-40D3-A252-4D3662D5E4BA}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{20894375-46AE-46E2-BAFD-CB38975CDCE6}\InprocServer32 -> C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /cci /client=Personal => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{3A308EFE-656D-46BB-9963-0A41C0D6BCA2}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{47E6DCAF-41F8-441C-BD0E-A50D5FE6C4D1}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\Microsoft.SharePoint.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{544c4c52-de0b-4d14-9510-21745381d5ca}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /autoplay => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /cci => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{7AE67172-9863-42B1-8750-2B85084FD8E8}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{7AFDFDDB-F914-11E4-8377-6C3BE50D980C}\InprocServer32 -> C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /cci /client=Personal => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{82CA8DE3-01AD-4CEA-9D75-BE4C51810A9E}\InprocServer32 -> C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileSyncShell64.dll => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{917E8742-AA3B-7318-FA12-10485FB322A2}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\Microsoft.SharePoint.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{A3CA1CF4-5F3E-4AC0-91B9-0D3716E1EAC3}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /cci /client=Personal => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /cci /client=Personal => No File
CustomCLSID: HKU\S-1-5-21-1458773745-2623423197-5585779-1001_Classes\CLSID\{F37369D9-1C22-40A0-A997-0B4D5F7B6637}\localserver32 -> "C:\Users\Manuela\AppData\Local\Microsoft\OneDrive\25.035.0223.0003\FileCoAuth.exe" => No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
HKU\S-1-5-21-1458773745-2623423197-5585779-500\...\Run: [OneDrive] => "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background (No File)
HKU\S-1-5-21-1458773745-2623423197-5585779-500\...\RunOnce: [Delete Cached Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" (No File)
HKU\S-1-5-21-1458773745-2623423197-5585779-500\...\RunOnce: [Delete Cached Standalone Update Binary] => C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\Administrator\AppData\Local\Microsoft\OneDrive\StandaloneUpdater\OneDriveSetup.exe" (No File)
GroupPolicy: Restriction ? <==== ATTENTION
Policies: C:\ProgramData\NTUSER.pol: Restriction <==== ATTENTION
Task: {B13CE803-B693-4C22-BEE0-775BC11E488F} - System32\Tasks\OneDrive Reporting Task-S-1-5-21-1458773745-2623423197-5585779-500 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  /reporting (No File) <==== ATTENTION
Task: {6C17F01C-EF47-4825-9836-C84D42FB0999} - System32\Tasks\OneDrive Standalone Update Task-S-1-5-21-1458773745-2623423197-5585779-500 => %localappdata%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe  (No File) <==== ATTENTION
S4 uhssvc; "C:\Program Files\Microsoft Update Health Tools\uhssvc.exe" [X]
2025-03-23 22:40 - 2025-03-23 22:40 - 000000000 ____D C:\Users\Manuela\AppData\LocalLow\IObit
2025-03-23 22:39 - 2025-03-29 20:39 - 000000000 ____D C:\Users\Manuela\AppData\Roaming\IObit
Powershell: wevtutil el | Foreach-Object {wevtutil cl "$_"}
CMD: DISM /Online /Cleanup-Image /RestoreHealth
CMD: SFC /scannow
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.


2. Run Malwarebytes (scan only)
  • Download Malwarebytes and save it to your Desktop.
  • Once downloaded, close all programs and windows on your computer.
  • Double-click on the icon on your desktop named MBSetup.exe. This will start the installation of MBAM onto your computer.
  • Follow the instructions to install the program.
  • When finished, double click the program's icon created on your Desktop.
  • Click the little gear in the menu at the left (Settings) and when it opens, click the General tab. Under the title Windows Security Center, make sure the option is disabled.
  • Click the Scan and Detections tab and under the Scan options title, enable Scan for rootkits option. Do not change any other option.
  • Return to the Dashboard and choose Scan.
  • When finished, you will see the Threat Scan Summary window open.
  • If threats are not found, click View Report and proceed to the last two steps below.
  • If threats are found, make sure that all threats are not selected, close the program and proceed to the next steps below.
    • Open Malwarebytes again, click on the Scanner, and then on the Reports tab.
    • Find the report with the most recent date and double click on it.
    • Click on Export and then Copy to Clipboard.
    • Paste its content here, in your next reply.


3. Run AdwCleaner (scan only)

Download AdwCleaner and save it to your desktop.
  • Double click AdwCleaner.exe to run it.
  • Click the Scan Now button.
  • Once the scan completes, AdwCleaner shows you all detected PUPs and adware. DO NOT check anything found, and click Next.
  • If any preinstalled software was detected on your device, a message notifies you that your action is requested. DO NOT check anything, and click Cancel to continue.
  • Click the Log Files tab.
  • Double click on the latest scan log (scan logs have a [S0*] suffix, where * is replaced by a number; the latest scan will have the largest number).
  • A Notepad file will open containing the results of the removal.
  • Please post the contents of the file in your next reply.
Note: Click Skip Basic Repair if you are asked to.




In your next reply, please post:
  1. The fixlog.txt
  2. The AdwCleaner[S0*].txt
  3. The Malwarebytes report
  4. Feedback: How is the computer running? Any questions/issues/concerns?

P.S. It is late for me here now (UTC +2), so I'll be back to you tomorrow, my time.
 
Thank you for your help.
All the scans are clear.
How is the computer running? Any questions/issues/concerns?
yes, it's running fine, but a couple of nights ago I must have created a further Administrator account, while I was trying to acquire most privileges under my name. (My concern)
And I definitely need to understand better all those accounts in W10 and under UTENTE (see screenshot in attachment), where I now have 2.
Cannot get rid of that Administrator Guest...aarrgh!
Rather than writing out the solution, it's here: https://thegeekpage.com/gain-full-access-permissions-to-c-drive/ Should be the same for 10.
 

Hello.

Your logs are clean, as I claimed from the beginning.

As to the account profiles in your system, everything seems to be normal.

Administrator > The built-in Administrator account, disabled
DefaultAccount > A built-in local account, disabled
Guest > A guest account in your computer, with limited privileges, disabled
Manuela > Your personal account, with administrator's privileges
WDAGUtilityAccount > Part of Application Guard, beginning with Windows 10, version 1709, disabled

Remove the built-in accounts? Why! They are system accounts!

And why do you want to gain more privileges under your name? The operating system handles everything as it should be, and it's wrong and dangerous to mess up with these things.

Is there a specific task you would like to do, and you can't?


===============================


EDIT

Just noticed you didn't run the FRST fix I provided in my previous post. Please, read carefully the instructions and attach the requested fixlog.txt.
 
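The account list in the post above can be verified on the machine itself. The following PowerShell is an added example written for this page, not the helper's code or anything from the thread; it assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Get-LocalUser, Get-LocalGroupMember) that ship with Windows 10, and the function name Get-LocalAccountReport is the example's own. It maps each local account to its well-known relative identifier (RID 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount) and flags any built-in account that is enabled, which is the one situation worth asking about.

```powershell
# Added example (not from the Sysnative thread): inventory local accounts and
# flag the built-in ones by well-known RID, so a reader can confirm that
# Administrator / Guest / DefaultAccount / WDAGUtilityAccount are present and
# disabled, as the helper's list describes. Read-only: nothing is changed.
# Requires Windows 10 / the Microsoft.PowerShell.LocalAccounts module.

# Well-known RIDs of built-in local accounts (last component of the SID).
$builtInRid = @{
    500 = 'Built-in Administrator (expected: disabled)'
    501 = 'Built-in Guest (expected: disabled)'
    503 = 'DefaultAccount, system-managed (expected: disabled)'
    504 = 'WDAGUtilityAccount, Application Guard (expected: disabled)'
}

function Get-LocalAccountReport {
    # Resolve once which SIDs hold local administrator rights. SilentlyContinue
    # avoids aborting on orphaned SIDs that Get-LocalGroupMember cannot resolve.
    $adminSids = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                   ForEach-Object { $_.SID.Value })

    Get-LocalUser | ForEach-Object {
        $rid       = [int]($_.SID.Value.Split('-')[-1])
        $isBuiltIn = $builtInRid.ContainsKey($rid)

        [pscustomobject]@{
            Name    = $_.Name
            RID     = $rid
            Enabled = $_.Enabled
            IsAdmin = $adminSids -contains $_.SID.Value
            Role    = if ($isBuiltIn) { $builtInRid[$rid] } else { 'Personal/local user account' }
            # A built-in account that is enabled is the one thing to review;
            # a disabled built-in account is normal and should be left alone.
            Review  = $isBuiltIn -and $_.Enabled
        }
    }
}

# Usage: run in an elevated PowerShell window.
$report = Get-LocalAccountReport
$report | Format-Table Name, RID, Enabled, IsAdmin, Review, Role -AutoSize

# How many enabled accounts actually hold admin rights? More than the one you
# use day to day means an extra admin account was created somewhere.
$enabledAdmins = @($report | Where-Object { $_.Enabled -and $_.IsAdmin })
"Enabled local administrator accounts: $($enabledAdmins.Count)"
```

The report deliberately does not remove or disable anything: the built-in accounts are expected to exist, and the only useful outcome is knowing whether one of them was accidentally enabled or whether a second enabled administrator account exists.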
Good! Some corrupted files were repaired.

You didn't comment on my questions/remarks above :-) :

Remove the built-in accounts? Why? They are system accounts!

And why do you want to gain more privileges under your name? The operating system handles everything as it should be, and it's wrong and dangerous to mess up with these things.

Is there a specific task you would like to do, and you can't?
 
Well, I wanted to be able to check what was in Windows Defender, but of course we've achieved that by going into safe mode.
And I was unsure about the meaning of all those accounts SID, which you explained.
I'd say that I'm fine with that.

The only thing I'm noticing today it's a blank flash appearing when I open Ms edge.
Surely it's a problem with my Intel graphics driver. I'll have to uninstall it first with DDU (if you agree), and hopefully find the right upgrade. (Not easy because my Asus support intentionally doesn't provide more than 3 drivers for my machine in W10.)
That's the reason why you found IObit Driver Booster on my desktop - I didn't have many other chances, as AHCPI would keep detecting wrong installation, and I kept banging my head on the wall...
 
Let's take everything step by step.

You said:

Well, I wanted to be able to check what was in Windows defender, but of course we've achieved that by going into safe mode.

Can you please explain this further to me? What do you want to check and what you did?
 
Ok,
step by step.
It was my intention getting rid of those quarantined files, as I used to do in W8.1
Apparently in W10 Home edition it's not possible anymore, because it's owned by SYSTEM, and the only way to keep the pc clean is acting in safe mode, as we've seen together.
Something concerning me in the fixlog.txt is this part,
========= wevtutil el | Foreach-Object {wevtutil cl "$_"} =========

wevtutil : Impossibile cancellare il registro Microsoft-Windows-LiveId/Analytic.
In C:\FRST\tmp.ps1:1 car:31
+ wevtutil el | Foreach-Object {wevtutil cl "$_"}
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Impossibile can...iveId/Analytic.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Accesso negato.
wevtutil : Impossibile cancellare il registro Microsoft-Windows-LiveId/Operational.
In C:\FRST\tmp.ps1:1 car:31
+ wevtutil el | Foreach-Object {wevtutil cl "$_"}
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Impossibile can...Id/Operational.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Accesso negato.
wevtutil : Impossibile cancellare il registro Microsoft-Windows-USBVideo/Analytic.
In C:\FRST\tmp.ps1:1 car:31
+ wevtutil el | Foreach-Object {wevtutil cl "$_"}
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Impossibile can...Video/Analytic.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Il nome di istanza inviato non è valido per il provider di dati WMI.

========= End of Powershell: =========


Where it says access denied, impossible to cancel registry, etc.

But if you say that it's still fine, then it's ok, of course.
 
It was my intention getting rid of those quarantined files, as I used to do in W8.1
Apparently in W10 Home edition it's not possible anymore, because it's owned by SYSTEM, and the only way to keep the pc clean is acting in safe mode, as we've seen together.

I guess you are referring to this link Corday posted earlier: Redirecting

This I think can also be applied in Windows 10 too: Manage Quarantined Items and Exclusions in Windows Defender

Look, there are more places "keeping" several types of detections of Windows Defender. There are "hacks" to remove them (bypassing privileges), but only in special cases (e.g. corruptions) and for sure not from regular users.

The command in the fixlist just removed the events related to Windows Defender in the Addition log. The "Access denied" you see there is expected and didn't prevent/cancel the command's purpose.

So, yes, everything is fine, and I can assure you about this. :-)


As to your Intel graphics issue, have you tried this?
Download Intel Drivers and Software
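The "Accesso negato" lines in the fixlog come from the blanket `wevtutil el | Foreach-Object {wevtutil cl "$_"}` loop, which tries to clear every channel, including ones that cannot be cleared from that context. The following PowerShell is an added example for this page, not part of the thread or of FRST; it inspects, without clearing anything, the three channels named in the fixlog (the channel names are taken from the log above; the function name Get-EventLogClearInfo and its -Channels parameter are the example's own) and reports why a clear would be refused: an enabled Analytic or Debug channel cannot be cleared until it is disabled, and other channels are governed by the ACL (SDDL) shown in the output.

```powershell
# Added example (not from the forum thread): read-only inspection of event log
# channels that "wevtutil cl" refused. Uses only Get-WinEvent -ListLog, which
# reads channel configuration; it never clears or modifies a log.
function Get-EventLogClearInfo {
    param(
        # Defaults are the three channels from the fixlog above.
        [string[]]$Channels = @(
            'Microsoft-Windows-LiveId/Analytic',
            'Microsoft-Windows-LiveId/Operational',
            'Microsoft-Windows-USBVideo/Analytic'
        )
    )

    foreach ($name in $Channels) {
        # SilentlyContinue: a channel this account cannot even open yields $null,
        # which is itself the explanation for an "access denied" on clear.
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            [pscustomobject]@{
                LogName = $name; LogType = 'n/a'; IsEnabled = $null; Records = $null; ACL = $null
                Note    = 'Not readable from this account; access denied on clear is expected'
            }
            continue
        }

        $logType = "$($cfg.LogType)"   # enum -> string for the comparison below
        $note = if (($logType -in @('Analytical', 'Debug')) -and $cfg.IsEnabled) {
            'Enabled Analytic/Debug channel: cannot be cleared while enabled'
        } elseif (-not $cfg.RecordCount) {
            'No records: nothing to clear'
        } else {
            'Clearable only if the caller is granted CLEAR by the channel ACL'
        }

        [pscustomobject]@{
            LogName   = $cfg.LogName
            LogType   = $logType
            IsEnabled = $cfg.IsEnabled
            Records   = $cfg.RecordCount
            ACL       = $cfg.SecurityDescriptor   # SDDL string of the channel
            Note      = $note
        }
    }
}

# Usage: run in an elevated PowerShell window; pass -Channels to inspect others.
Get-EventLogClearInfo | Format-List
```

Seeing a handful of protected or Analytic channels refuse a clear is the normal outcome of that loop, which is why the helper calls the errors expected; the script above lets the user confirm that for each channel instead of taking it on faith.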
 
Yes, it all started with microsoft defender, which opened my eyes to the new concept by Microsoft.
Thank you for the "Quarantine link---" btw. I'll study it asap.
And yes, I suppose that items quarantined are stored also in registry items.
Regarding Intel, I've tried the Intel Driver & Support Assistant, which is always stating that it has nothing for my pc.
I will uninstall it again now.
I guess I need to find some other way.
 
I would trust Intel's site for such things rather than any other program.

May I ask for more details about the "flash" appearing when you start Edge? Does this happen only when you open Edge? What about other browsers?
 
Sure.
It actually persists. I can see it clearly when opening Ms Edge.
The other browser I have installed is Brave, and it shows a different behaviour: white lag time window when prompted to open.
I'm puzzled.
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!
