I have a user getting prompted by UAC every few minutes regarding Microsoft .Net Runtime requesting admin credentials. Every time the user clicks No, UAC comes back after a few minutes, shown below:
Nothing in our security stack is flagging as malicious or blocking anything from this user's device. However, I did find some logs that are related to the UAC prompt issue. Shown below is an output of one of the logs:
[0B54:0AD4][2022-11-22T07:08:58]i001: Burn v3.14.0.5722, Windows v10.0 (Build 19044: Service Pack 0), path: C:\Users\User~1\AppData\Local\Temp\{85268AAC-6881-41DB-85FA-9DF8936C33C0}\.cr\DNCR605-KB4054530-x64-AllOS-ENU.exe
[0B54:0AD4][2022-11-22T07:08:58]i000: Initializing string variable 'BUNDLEMONIKER' to value 'Microsoft .NET Runtime - 6.0.9 (x64)'
[0B54:0AD4][2022-11-22T07:08:58]i000: Initializing string variable 'PRODUCT_NAME' to value 'Microsoft .NET Runtime - 6.0.9 (x64)'
[0B54:0AD4][2022-11-22T07:08:58]i000: Initializing string variable 'LINK_PREREQ_PAGE' to value 'https://go.microsoft.com/fwlink/?linkid=846817'
[0B54:0AD4][2022-11-22T07:08:58]i009: Command Line: '-burn.clean.room=C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate\DNCR605-KB4054530-x64-AllOS-ENU.exe -burn.filehandle.attached=556 -burn.filehandle.self=572 /q /norestart'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate\DNCR605-KB4054530-x64-AllOS-ENU.exe'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleOriginalSourceFolder' to value 'C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate\'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleName' to value 'Microsoft .NET Runtime - 6.0.9 (x64)'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleManufacturer' to value 'Microsoft Corporation'
[0B54:2CE4][2022-11-22T07:08:58]i000: Setting numeric variable 'WixStdBALanguageId' to value 1033
[0B54:2CE4][2022-11-22T07:08:58]i000: Setting version variable 'WixBundleFileVersion' to value '6.0.9.31619'
[0B54:0AD4][2022-11-22T07:08:58]i100: Detect begin, 3 packages
[0B54:0AD4][2022-11-22T07:08:58]i101: Detected package: dotnet_runtime_6.0.9_win_x64.msi, state: Absent, cached: None
[0B54:0AD4][2022-11-22T07:08:58]i101: Detected package: dotnet_hostfxr_6.0.9_win_x64.msi, state: Absent, cached: None
[0B54:0AD4][2022-11-22T07:08:58]i101: Detected package: dotnet_host_6.0.9_win_x64.msi, state: Absent, cached: None
[0B54:0AD4][2022-11-22T07:08:58]i052: Condition '((VersionNT > v6.1) OR (VersionNT = v6.1 AND ServicePackLevel >= 1))' evaluates to true.
[0B54:0AD4][2022-11-22T07:08:58]i052: Condition 'VersionNT64' evaluates to true.
[0B54:0AD4][2022-11-22T07:08:58]i199: Detect complete, result: 0x0
[0B54:0AD4][2022-11-22T07:08:58]i200: Plan begin, 3 packages, action: Install
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleRollbackLog_dotnet_runtime_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_000_dotnet_runtime_6.0.9_win_x64.msi_rollback.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog_dotnet_runtime_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_000_dotnet_runtime_6.0.9_win_x64.msi.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleRollbackLog_dotnet_hostfxr_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_001_dotnet_hostfxr_6.0.9_win_x64.msi_rollback.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog_dotnet_hostfxr_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_001_dotnet_hostfxr_6.0.9_win_x64.msi.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleRollbackLog_dotnet_host_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_002_dotnet_host_6.0.9_win_x64.msi_rollback.log'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleLog_dotnet_host_6.0.9_win_x64.msi' to value 'C:\Users\User~1\AppData\Local\Temp\Microsoft_.NET_Runtime_-_6.0.9_(x64)_20221122070858_002_dotnet_host_6.0.9_win_x64.msi.log'
[0B54:0AD4][2022-11-22T07:08:58]i201: Planned package: dotnet_runtime_6.0.9_win_x64.msi, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[0B54:0AD4][2022-11-22T07:08:58]i201: Planned package: dotnet_hostfxr_6.0.9_win_x64.msi, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[0B54:0AD4][2022-11-22T07:08:58]i201: Planned package: dotnet_host_6.0.9_win_x64.msi, state: Absent, default requested: Present, ba requested: Present, execute: Install, rollback: Uninstall, cache: Yes, uncache: No, dependency: Register
[0B54:0AD4][2022-11-22T07:08:58]i299: Plan complete, result: 0x0
[0B54:0AD4][2022-11-22T07:08:58]i300: Apply begin
[0B54:0AD4][2022-11-22T07:08:58]i010: Launching elevated engine process.
From the above, it looks like an auto update task is being attempted. And for it to complete, it needs elevated privileges. However, if the user clicks No, that should be the end of it.
Can anyone help in stopping the UAC constantly prompting?
"C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate" from the log indicates that something on your machine is pushing an update of ASP.NET Core runtime, which is supernatural as that runtime is updated monthly (6.0.11 is the latest) to resolve security vulnerabilities.
Talk to your domain/machine administrators as they are the only resources you should turn to in such cases.
All roads lead to - you need admin permission on the PC to fix this.
As mentioned by Lex, the dotnet update is being called by SupportAssistAgent which is the Dell Support Assistant. Disabling the service or uninstalling the software should stop the prompt.
However - If you're the admin for these users, how are you dealing with hardware (drivers and firmware) updates and Windows updates?
Any reason you (as admin) can't install the dotnet update it's asking for? That would also prevent the prompt from coming back :-)
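The triage both answers perform by eye, reading `WixBundleOriginalSource` in the Burn log to see which program staged the installer that asks for elevation, can be scripted across many logs. This is an added example, not code from any poster or from WiX; the function names and the "folder directly under Temp names the stager" heuristic are assumptions, and the sample input is constructed from lines of the log in the question.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Burn log line layout as seen in the question: [PID:TID][timestamp]i009: message
LINE_RE = re.compile(r"^\[[0-9A-F]+:[0-9A-F]+\]\[([^\]]+)\][a-z](\d{3}): (.*)$")
VAR_RE = re.compile(r"^(?:Setting|Initializing) \w+ variable '([^']+)' to value '?(.*?)'?$")

def summarize_burn_log(text):
    """Extract bundle name, staged installer path, staging folder and elevation request."""
    variables, elevated, first_seen = {}, False, None
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank or non-Burn line
        stamp, _msg_id, msg = line.groups()
        first_seen = first_seen or stamp
        var = VAR_RE.match(msg)
        if var:
            variables[var.group(1)] = var.group(2)
        elif msg.startswith("Launching elevated engine process"):
            elevated = True  # the step that raises the UAC prompt
    source = variables.get("WixBundleOriginalSource", "")
    parts = PureWindowsPath(source).parts
    # Assumption (heuristic): the folder directly under ...\Temp\ names the stager.
    temp_at = next((i for i, p in enumerate(parts) if p.lower() == "temp"), None)
    stager = parts[temp_at + 1] if temp_at is not None and temp_at + 2 < len(parts) else None
    return {"time": first_seen, "bundle": variables.get("WixBundleName"),
            "source": source, "stager": stager, "elevation_requested": elevated}

def repeat_prompters(log_texts):
    """Count elevation requests per (stager, bundle) across several Burn logs."""
    runs = [summarize_burn_log(t) for t in log_texts]
    return Counter((r["stager"], r["bundle"]) for r in runs if r["elevation_requested"])

# Constructed sample: abridged lines from the log in the question, plus a second
# run with a made-up later timestamp to model the repeated prompt.
SAMPLE_RUN = r"""
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\User\AppData\Local\Temp\SupportAssistAgent\AutoUpdate\DNCR605-KB4054530-x64-AllOS-ENU.exe'
[0B54:0AD4][2022-11-22T07:08:58]i000: Setting string variable 'WixBundleName' to value 'Microsoft .NET Runtime - 6.0.9 (x64)'
[0B54:0AD4][2022-11-22T07:08:58]i300: Apply begin
[0B54:0AD4][2022-11-22T07:08:58]i010: Launching elevated engine process.
"""
SAMPLE_RUNS = [SAMPLE_RUN, SAMPLE_RUN.replace("T07:08:58", "T07:13:58")]

if __name__ == "__main__":
    for (stager, bundle), count in repeat_prompters(SAMPLE_RUNS).items():
        print(f"{count} elevation request(s): {bundle} staged by {stager}")
```

On a real machine, feed it the text of the `Microsoft_.NET_Runtime_*.log` files from the user's Temp folder; a high count for one stager points at the service to update, reconfigure or remove.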