"This program is blocked by group policy" why?

[pcguy9441]

To hopefully alleviate system instability I recently downloaded a fresh copy of Win10 on top of the 5 yr old OS on "C" . Works great for the most part. But, now in trying to reinstall just a few needed apps and drivers (virtually all apps survived the reinstall) I get the error below.

Googling this I get from 3 to 5 ways to fix it, none of which work! All the "fixes" assume that somewhere in one of the many ways that Windows allows us to restrict an app install (or run), a group policy has been initiated. NONE have. Nothing is enabled in this regard. Zip nada. I'm trying to reinstall the Epson 550V scanner driver and it won't let me. Had same error with Olympus Studio 2, but enabling the Windows master admin (God) account, it let me install it but still won't with the Epson driver. It's a winzip folder, BTW, so it appears it's Zip it doesn't like. I do not have the app, but that's never stopped me in the past.

Suggestions? Maybe a new bug/gotcha with a fully fresh Win10 with all updates?

 

[User55555555587]

Where did you get this P.C.

Group policy is usually used on school/work P.C.

 

[zebanovich]

This dialog is shown when App Locker blocks a program, for missing digital signature you would get a message something like "A referral was returned from server"

Which Windows edition did you install?
You can share system info with TSG Utility:
TSG System Information Utility (latest version) (techguy.org)

 

[Couriant]

To hopefully to alleviate system instability I recently downloaded a fresh copy of Win10 on top of the 5 yr old OS on "C" . Works great for the most part. But, now in trying to reinstall just a few needed apps and drivers (virtually all apps survived the reinstall) I get the error below.
...

What you describe is not a fresh install. If you have had problems before (as you mentioned here, every month or so), you should always do a fresh install of the OS as the issues you had before may still be on the computer if it's not part of the core Windows files, like with your apps.

 

[pcguy9441]

PC is home made 6 yrs ago. i5 4670k, Asus Z87M Plus, 16gig RAM, no OC 3.8 turbo. Thought I completed that config/profile thing long ago. My 3rd build over 18 yrs.

OS installed last week is version 20H2 build 19042.630.

So your saying an ISO download from Microsoft and install preserving apps and data is NOT a fresh install? I have to wipe out everything for fresh install? With ~30 apps that will take me a week.

I don't knowingly have applocker or group policy enabled. I'm the only person using this PC and it's not a work/business/school system. I went to applocker folder and it's empty. First I've heard of this feature in 20yrs of using Windows. Is it enabled by default with an ISO installed with apps Microsoft doesn't' like. I'd think it would be ok with winzip. Actually it unzips, it's the Epson driver .exe it won't run. Also seems odd that even under the Windows master administrator account it won't run. I assumed that was the super user/do anything account. Always had been for me in the past.

I may just go back to earlier image which seemed stable after an earlier image restore. I was just following the Windows maxim that it's good to do a fresh install every 5-6 yrs just to clear out any cobwebs or dry rot. Or is that an "old wives tale"?

The earlier instability was a frozen cursor (dead mouse) 3-4 seconds after restart/bootup 5-6 times in a row. Was not a bad mouse connection, as booting to Win7 ran just fine proving hardware was ok. This just happened out of the blue, but likely after a middle of the night Windows update.

Thanks for the feedback.

 

[zebanovich]

What edition of Windows was installed prior to this one?
Do you recall modifying group policy or running tweak tools in previous Windows?

 

[pcguy9441]

Naw, not Applocker. I went in there and it's all blank. To create a rule you first have to install the app in question? That's what I can't do. The definition of "catch 22".

By default Windows wants you to white list apps you want to run before you install them. Don't think so, especially since I just learned Applocker dates back to Win7. Have never seen this problem before.

Also, in reading about Applocker, it says it comes default on "enterprise versions of Windows". I have Win10 Pro 64. Is that considered enterprise? Maybe I downloaded the wrong version of Windows.

Good info on Applocker here: https://securityboulevard.com/2020/07/how-to-use-applocker-in-windows-10/

 

[Couriant]

Naw, not Applocker. I went in there and it's all blank. To create a rule you first have to install the app in question? That's what I can't do. The definition of "catch 22".

By default Windows wants you to white list apps you want to run before you install them. Don't think so, especially since I just learned Applocker dates back to Win7. Have never seen this problem before.

Also, in reading about Applocker, it says it comes default on "enterprise versions of Windows". I have Win10 Pro 64. Is that considered enterprise? Maybe I down loaded the wrong version of Windows.

No, Enterprise version is like an upgrade, but only used in a corporate setting. It looks like other people are unsuccessfully able to enable this. I think WIndows 10 pro works with group policies.

To be honest, you would probably save time and headaches by doing a clean install of Windows 10

 

[zebanovich]

Maybe I down loaded the wrong version of Windows.

You didn't say what edition you had before so I don't know.
Anyway it's possible to enable AppLocker (probably even by mistake) but that's not the point, you can quickly verify if applocker is working or not with these steps:

1. Right click on Windows button and select "Windows PowerShell"
Run this command:
Get-Service AppIDSvc

What is the output of this command?

 

[zebanovich]

I have Win10 Pro 64

So you can access GPO, see if you have software restriction policies set in the following location:
Open gpedit.msc as Administrator

Computer Configuration\Windows Settings\Security Settings\Software Restriction Policies

Question:
Into which location is WinZip extractor program installed?
See if it's install location fits into description of:

Computer Configuration\Windows Settings\Security Settings\Security Options
User Account Control: Only elevate UIAccess applications that are installed in secure locations

 

[pcguy9441]

I think I've done all that and nothing enabled. This was just a day's old install, so no time for to screw something up, plus I didn't even know those places/facilities existed. Will take a look at the Powershell idea.

The WinZip location was either desktop or downloads folders, or a new dedicated folder on desktop. Have tried this multiple times/places.

On previous Windows version, don't know, but pretty current. One reason I wanted to do a fresh install is a few wks ago updates hit a wall with an error that seems common from internet searches. Can't find screen shot now but something like "we've encountered a problem and will try again later" then an error number which others were getting too. I waited days with no change and many manual attempts gave same error. I guess in a perverse way this is a good way to turn off Windows updates permanently. They seem to be breaking stuff more often than not.

Thanks.

 

[pcguy9441]

Ok, here's results of running powershell. Is this good, bad or indifferent?
From what I just read "stopped" is what I want to disable AppLocker.

 

[zebanovich]

Hello, it appears either WinZip program is blocked OR compressed archive contains unwanted program that is blocked.

There are multiple options:

IF you have installed WinZip and are using WinZip extractor just fine with other archives then download 7-zip from here:
7-Zip (7-zip.org)

Right click archive that is having this problem and in context menu use 7-zip to extract it, this may result in some error but feel free to ignore it.
Then run the printer driver you wanted to run.

Otherwise if not working please download fresh installer from here:
Zip, Unzip, and Share Files with Winzip Products

Install your instance of WinZip and see if that works.

-------------
IF this doesn't work then follow these steps:

1. Right click on Windows button and select "Windows PowerShell (Admin)"
2. If prompted for password, enter administrator password and click "Yes" to continue
3. Copy all of the code below at once, right click into console to paste and press enter

ni -ItemType Directory $env:SystemDrive\PSLogs | Out-Null
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* |
? DisplayName -like "*WinZip*" | select DisplayName, DisplayVersion, Publisher, InstallLocation |
fl > $env:SystemDrive\PSLogs\winzip.log
Get-ItemProperty HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
? DisplayName -like "*WinZip*" | select DisplayName, DisplayVersion, Publisher, InstallLocation |
fl >> $env:SystemDrive\PSLogs\winzip.log
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun -EA Ignore |
fl > $env:SystemDrive\PSLogs\blocked.log
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\ |
fl  >> $env:SystemDrive\PSLogs\blocked.log

In addition please run non elevated command:
4. Right click on Windows button and select "Windows PowerShell" (NOT Admin)
5. Copy all of the code below at once, right click into console to paste and press enter

Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun -EA Ignore |
fl >> $env:SystemDrive\PSLogs\blocked.log
Compress-Archive -Force -Path $env:SystemDrive\PSLogs -DestinationPath $env:SystemDrive\PSLogs.zip

6. This will create folder named "PSLogs" and zip file named "PSLogs.zip" in your C:\ root drive
7. Attach "PSLogs" zip file to your new reply
8. Feel free to delete "PSLogs" folder and zip file when done

 

[pcguy9441]

Thanks for putting the time into that reply! Whew! Will dig into that after I put up the lights.

I did finally get a driver installed from an Epson CD I forgot I had, BUT label on CD says only good for up to Win7 and Vista. It did go in however, but scanner still not working with Win10, but could be more steps as there are with 7 in Device Manager. Have not had time to pursue yet. Also, when I downloaded the driver from the Epson site, the Win7 and 10 drivers appear the same (same file name) though they are at different places on their site. I mention Win7 since I'm dual boot and want the scanner to work on 7 as plan B, which it now does BTW with the just downloaded driver. But, following same steps in 10, no work. Acts as if scanner is disconnected/unplugged/powered off. This is for after the lights are up. "happy wife = happy life".

Still, if I don't figure out this Group Policy blockage now, it will only bite me in the rear another time. I don't like to sweep problems under the rug.

 

[Couriant]

Scanners typically use a TWAIN driver.. but it looks like Espon does have a driver for WIndows 10.

Try this:


Windows 10 symbol - click left bottom corner of screen

1) Restart computer pressing key SHIFT and follow next menu,
2) Choose option >> Solve problems
3) Solve problems >> Advanced options
4) Advanced options >> Startup settings (fifth box on screen)
5) Startup settings >> Turn off signature verification (fifth option)

Then try installing the driver.