This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Non-admin users are still getting a UAC prompt for updates despite Maintenance Service being installed

  • 4 replies
  • 1 has this problem
  • 661 views
  • Last reply by JDub

more options

Running 60.6.1esr (64-bit) on Windows Server 2012 R2, non-admin users are unable to install updates and are getting blocked by the UAC prompt. The Mozilla Maintenance Service is installed and is supposed to handle these updates (app.update.service.enabled=true).

From what I can tell, the update (and logs) are supposed to be in C:\ProgramData\Mozilla (which I can see on my personal non-ESR install), but that folder is not getting created on the problem machine, and the update is downloading to the local user's profile in AppData.

Are there any other options I can look for that would affect the functionality of the Maintenance Service?

Running 60.6.1esr (64-bit) on Windows Server 2012 R2, non-admin users are unable to install updates and are getting blocked by the UAC prompt. The Mozilla Maintenance Service is installed and is supposed to handle these updates (app.update.service.enabled=true). From what I can tell, the update (and logs) are supposed to be in C:\ProgramData\Mozilla (which I can see on my personal non-ESR install), but that folder is not getting created on the problem machine, and the update is downloading to the local user's profile in AppData. Are there any other options I can look for that would affect the functionality of the Maintenance Service?

Chosen solution

One last follow-up for internet posterity. I discovered that the updater was able to successfully use the Maintenance Service on some accounts, but not the original account I was testing on. I believe that my predecessors had done some strange modifications of the ACLs for all services and the SCM in regards to the problem account, which I assume is what is throwing off the updater. Since the user accounts that will actually be running the updater in the wild aren't affected and work as expected, I'm going to count this as good enough for me.

EDIT: Further update in case it helps anyone later... The Mozilla Maintenance Service is getting created with a non-default ACL. Deleting the registry key with this ACL (HKLM\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Security) and rebooting will reset it back to the default, which allowed my problem users to update without getting the UAC prompt.

Read this answer in context 👍 0

All Replies (4)

more options

Did you try to reinstall the Mozilla Maintenance Service as a normal user?

  • maintenanceservice_installer.exe

Also check the update settings in Options/Preferences.

more options

I'm not sure what you mean. Normal users can't install software because they don't have admin privileges.

I have app.update.service.enabled=true in about:config, and "Use a background service to install updates" is checked in about:preferences.

more options

For completeness, I am seeing the same result on both 60.6.1esr and 66.0.3 (.exe and .msi).

I also tried running ProcMon when starting Firefox to see exactly what calls are being made, and at no point is maintenanceservice.exe ever read or executed before the UAC prompt is shown, so it's obvious that Firefox isn't even trying to use it.

more options

Chosen Solution

One last follow-up for internet posterity. I discovered that the updater was able to successfully use the Maintenance Service on some accounts, but not the original account I was testing on. I believe that my predecessors had done some strange modifications of the ACLs for all services and the SCM in regards to the problem account, which I assume is what is throwing off the updater. Since the user accounts that will actually be running the updater in the wild aren't affected and work as expected, I'm going to count this as good enough for me.

EDIT: Further update in case it helps anyone later... The Mozilla Maintenance Service is getting created with a non-default ACL. Deleting the registry key with this ACL (HKLM\SYSTEM\CurrentControlSet\Services\MozillaMaintenance\Security) and rebooting will reset it back to the default, which allowed my problem users to update without getting the UAC prompt.

Modified by JDub