Welcome to our peer-to-peer forums, where owners help owners. Need help now? Visit eSupport here.

English Community

Software and Operating SystemPre-Installed Lenovo Software and Applications
All Forum Topics
Options

5 Posts

02-08-2009

Los Angeles, CA, USA

16 Signins

132 Page Views

  • Posts: 5
  • Registered: ‎02-08-2009
  • Location: Los Angeles, CA, USA
  • Views: 132
  • Message 1 of 7

CSS runs at user log on with UAC, wants to restore keys, requires non-existant user as admin.

2009-02-08, 18:37 PM

I am not sure exactly when this happened, but I am pretty sure it happened after the last system update that I accepted from Lenovo.  Now, every time I log on to Vista (Ultimate, SP1) I get a UAC prompt, then when I accept, I end up with an OK dialog that says:

 

The Client Security system keys need to be restored.  Only the Client Security administrator can perform this operation.  The following user must log onto this computer to continue: Robert-PC\Robert.

 

Though I am "Robert", the X61T I am user has never had "Robert-PC" as a domain name or a computer name.  That looks like some Windows Vista default that I changed a year and a half ago when I installed the OS.

 

I've tried running CSS (8.20.00023.00)  and successfully removed all settings.  I even told it to disable Password Recovery, Enhanced security, etc..  I even reset the TPM chip in the program and in BIOS.  When I reenabled after many reboots, I still get this message every time I log on.

 

Any ideas how I can fix this annoyance?  I just want to discard the keys and start over, but I cannot figure out how.  I suspect even if I complete uninstall, the data will remain and show up again when I reinstall (though I haven't tried this, yet.)

 

Help!

Message Edited by sfwrtr on 02-08-2009 10:40 AM
Reply
Options

3 Posts

03-25-2009

USA

13 Signins

120 Page Views

  • Posts: 3
  • Registered: ‎03-25-2009
  • Location: USA
  • Views: 120
  • Message 2 of 7

Re: CSS runs at user log on with UAC, wants to restore keys, requires non-existant user as admin.

2009-03-27, 0:55 AM

I ended up in the same pickle through a different route.

 

Restored the backup of one ThinkPad (running CSS 8.2) to another trying to save time on setting it up. (Ahem ;) 

 

Much older machines than you have, T43 running XP SP3, but the exact same symptom. 

 

You are correct, removing the software and reinstalling it did not help. I am not sure if all of what I did next was needed, but it did eventually get the darn thing reset and working. (We do income taxes, so the issue with the TPM was a tad more than an annoyance. We bind the whole disk encryption software to the TPM, so the TPM issue had to be resolved.) 

 

The first thing I did was remove the software again, and then manually deleted all files, registry entries, etc. Followed by deliberately installing 8.1, hoping that it might not find any remaining vestiges of the prior 8.2 install. 

 

Of course, it still complained about not being able to restore keys. However, it did not prompt for the user it was looking for.

 

This seemed like it could be progress, so I optimistically ran the CSS wizard again. Which appears to do nothing other than create an .xml file named .xml. 

 

Ever optimistic, (and about ready to test the strength of IBM keyboards) I tried running the advanced reset security settings option one last time, and remarkably, it accepted the current windows password, and viola, all was well. I was able to reestablish user logins bound to the TPM, and then bind the disk encryption to the TPM. 

 

Oddly enough, CSS 8.1 update claims there are no new updates, even though we all know there is an 8.2 out there. I am going to leave well enough alone and leave the new machine at 8.1.

 

If anybody at Lenovo is watching, a simple utility to scrap all the keys and start over would be pretty handy. There seem to be other threads here addressing essentially the same issue. On a planar swap, perhaps one does want the old keys back. But in most cases, especially those where a system is cloned, the last thing one would want is the same keys. (Password files can be moved or recovered without any trouble even though the master TPM keys have changed.)
Reply
Options

13 Posts

04-04-2009

New York

31 Signins

321 Page Views

  • Posts: 13
  • Registered: ‎04-04-2009
  • Location: New York
  • Views: 321
  • Message 3 of 7

Re: CSS runs at user log on with UAC, wants to restore keys, requires non-existant user as admin.

2009-04-10, 2:57 AM
magyar, you seem to be the only person who's gotten anywhere with this issue.  Were you able to recover your encrypted data?
Reply
Options

3 Posts

03-25-2009

USA

13 Signins

120 Page Views

  • Posts: 3
  • Registered: ‎03-25-2009
  • Location: USA
  • Views: 120
  • Message 4 of 7

Re: CSS runs at user log on with UAC, wants to restore keys, requires non-existant user as admin.

2009-04-11, 20:20 PM

Yes, encrypted data was never at risk. Just the ability to properly secure the "new" laptop.

 

Disclaimer: comments here are based solely on observation of run time behavior. We have no knowledge of the actual source programming that results in these behaviors.

 

After a data restore from a rescue and recovery backup, nothing is encrypted. We use PGP whole disk encryption (WDE), but the backup made by rescue and recovery is only encrypted by rescue and recovery encryption, not the PGP WDE. On a restore to a different machine, there end up two issues:

 

The first issue is just getting the system to boot, and there is another thread here about that. The restored system image still has the PGP boot sector changes and tries to load the PGP bootguard module that checks the TPM hardware for a match and then accepts the PGP user passphrase. Since the restored image is no longer PGP encrypted, this of course does not work. The cure for this is to write a new normal master boot record. There are several ways to do this, we simply boot the system with a linux based tools CD (trinity rescue kit) and use the ms-sys utility to write a new MBT. At this point, the restored system boots somewhat normally.

 

Until it hits the second issue, which is client security solution complaining about not being able to restore keys, which is the subject of this thread. We needed to resolve this issue so we could encrypt the "new" machine and again have PGP WDE bind to the hardware chip (TPM). I am not sure exactly what part of uninstalling everything, removing all registry entries and files, etc. did the trick. My suspicion is that it was the decision to use CSS 8.1 instead of 8.2. CSS 8.1 still had a complaint about restoring keys, but it was willing to start over with new keys, never referencing the mythical non-existent user that 8.2 keeps squawking about. Despite the documentation, it would seem to be impossible to recover from a TPM change when using CSS 8.2.

 

After successfully getting 8.1 to set up new TPM keys, we were able to install the WDE encryption using the TPM, and re-encrypt the hard drive. The existing encrypted CSS password file was of course gone, but an import from a CSS export file worked just fine. Oddly enough, fingerprints survived the whole process, at least for windows login. We however ended up deleting them and putting them in again to get the power on fingerprints working properly.

 

Again, sure would be nice if somebody from Lenovo would look into this.

Reply
Options

13 Posts

04-04-2009

New York

31 Signins

321 Page Views

  • Posts: 13
  • Registered: ‎04-04-2009
  • Location: New York
  • Views: 321
  • Message 5 of 7

Re: CSS runs at user log on with UAC, wants to restore keys, requires non-existant user as admin.

2009-04-12, 17:58 PM

OK, it sounds like we are dealing with different problems.  I'm running CSS 7.00.0022.00, and the problem is that the securedrive won't mount.  The computer asks for an 'administrator password' on boot up (but eventually gives up and lets me into XP) and whenever an attempt is made to mount the securedrive.  But the administrator password is not any password I've ever used, and appears to be something generated internally by CSS, and that has somehow gotten lost. And of course, my numerous R&R backups of the secure drive are still encrypted and therefore useless.

 

So I think your solution won't help me recover my secure drive data.  But thanks for your clairification. 
Reply
Options

1 Posts

03-30-2010

Costa Mesa, ca

3 Signins

11 Page Views

  • Posts: 1
  • Registered: ‎03-30-2010
  • Location: Costa Mesa, ca
  • Views: 11
  • Message 6 of 7

Re: CSS runs at user log on with UAC, wants to restore keys, requires non-existant user as admin.

2010-03-30, 21:48 PM

I found a simple fix for this problem. I located Computer\user entry in the registry and changed it to the Domain\Administrator and logged off and then back on. It prompted me for my password and continued to update successfully. The registry key is "HKLM\SOFTWARE\Lenovo\TVT Common\Client Security Solution\AdminUser

Reply
Options

2 Posts

04-14-2010

Northern Virginia

3 Signins

20 Page Views

  • Posts: 2
  • Registered: ‎04-14-2010
  • Location: Northern Virginia
  • Views: 20
  • Message 7 of 7

Re: CSS runs at user log on with UAC, wants to restore keys, requires non-existant user as admin.

2010-04-14, 12:46 PM

Thanks!  I found the same key in a different place:

    HKEY_LOCAL_MACHINE\SOFTWARE\IBM ThinkVantage\AdminUser

 

Reply
Forum Home

Community Guidelines

Please review our Guidelines before posting.

Learn More

Check out current deals!

Go Shop
X

Save

X

Delete

X

No, I don’t want to share ideas Yes, I agree to these terms