Driver stopped installing (0x80070002)

Hi everyone (first post). Glad such a place exists :slight_smile:

I don’t know much about writing drivers but I was asked to write a driver installer for our driver (NDIS 5.0). I’ve found the famous ProtInstall sample and have modified it extensively creating a simple tool capable of doing an install or uninstall. And it was used often without problems until a few days/weeks ago when suddenly, on some computers, the installation started failing with 0x80070002 (“specified file was not found”). We have not changed anything in the driver/INFs/installer for years… The issue appears to be system-independent (we’ve seen it on Win7x64 and XPx86 with SP3). Has there been any change in Windows that affects this area recently?

I’ve tried uninstalling the driver completely (uninstall + search and destroy via regedit + files) which runs OK. But install is still impossible.

A bit about the driver/structure. It’s an NDIS 5.0 packet filter. It consists of one .SYS file which ‘hosts’ two services - the miniport service (one per network interface) and the filter service (one per machine). Each service has its own INF file based on the DDK passthru sample INFs.
The installer first installs the filter INF and later the miniport INF. Interestingly enough the problem affects only the miniport install (the filter installs OK).

Maybe someone has/had a similar issue?
I’ve tried a few tricks but nothing seems to work…
I could post the setupapi.log file, but I’m afraid it’s in Polish (we currently have that single XP_SP3 machine that has this problem)…

Best regards,
James

Try to post here setupapi anyway. Some people can understand (a little of) Polish :wink: (hello from Ukraine)

One of the things I can also suggest is to make uninstallation and perform search in registry on your driver (inf file names, service names) to see for any traces.

I also had similar issues - mostly related to difxapp which I was able to repro on any OS when doing cyclic install/uninstall sequence.

If you have some time, you can write a dummy test application which will be doing the following steps:

(clean OS)

  1. Install

  2. Reboot

  3. Uninstall

  4. Reboot

  5. Go to (1)

Let it run for a night and see if it breaks. Being able to reproduce the case you can then see what is left in registry or fs and behave accordingly.

Good luck,
V.

OK. Here’s the log:

[SetupAPI Log]
Wersja systemu operacyjnego = 5.1.2600 Dodatek Service Pack 3
Identyfikator platformy = 2 (NT)
Pakiet Service Pack = 3.0
Zestaw = 0x0100
Typ produktu = 1
Architektura = x86
[2011/02/01 13:36:15 2520.18]
#-199 Wykonywanie “C:\Program Files\ArcaBit\abndis\infInstaller.exe” z wiersza polecenia: infInstaller.exe inst
@ 13:36:15.687 #V132 Plik “C:\WINDOWS\INF\certclas.inf” (klucz “certclas.inf”) jest zarejestrowany w wykazie “C:\WINDOWS\system32\CatRoot{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\NT5INF.CAT”.
[2011/02/01 13:36:15 2520.19]
#-199 Wykonywanie “C:\Program Files\ArcaBit\abndis\infInstaller.exe” z wiersza polecenia: infInstaller.exe inst
@ 13:36:15.750 #V005 Otwarto plik PNF dla ?C:\WINDOWS\INF\certclas.inf? (J?zyk = 0415).
[2011/02/01 13:36:15 2520.17 Driver Install]
#-019 Wyszukiwanie identyfikator?w sprz?tu: ms_abndis
#-199 Wykonywanie “C:\Program Files\ArcaBit\abndis\infInstaller.exe” z wiersza polecenia: infInstaller.exe inst
@ 13:36:15.437 #V017 Wyliczanie plik?w ?C:\WINDOWS\inf?.
@ 13:36:15.453 #V392 U?ywanie pami?ci podr?cznej pliku INF “C:\WINDOWS\inf\INFCACHE.1”.
@ 13:36:15.468 #I382 Migracja “abndis.PNF”: plik INF m?g? zosta? zmodyfikowany.
@ 13:36:15.796 #V042 Otwarto plik INF ?C:\WINDOWS\inf\abndis.inf?, utworzono plik PNF (J?zyk = 0415).
@ 13:36:15.812 #I022 Znaleziono ?ms_abndis? w C:\WINDOWS\inf\abndis.inf; Urz?dzenie: ?AbNDIS Driver?; Sterownik: ?AbNDIS Driver?; Dostawca: ?ArcaBit?; Producent: ?ArcaBit?; Nazwa sekcji: ?ABndis.ndi?.
@ 13:36:15.843 #I087 W?ze? sterownika jest niezaufany, zmieniono rang? z 0x00000000 na 0x00008000.
@ 13:36:15.859 #I023 Rzeczywista sekcja instalacyjna: [ABndis.ndi]. Klasyfikacja: 0x00008000. Efektywna data sterownika: 01/01/1601.
@ 13:36:15.890 #I382 Migracja “abndis_m.PNF”: plik INF m?g? zosta? zmodyfikowany.
@ 13:36:15.921 #V042 Otwarto plik INF ?C:\WINDOWS\inf\abndis_m.inf?, utworzono plik PNF (J?zyk = 0415).
@ 13:36:15.953 #V073 Pami?? podr?czna: wykluczanie INF “accessor.inf”.
@ 13:36:15.984 #V073 Pami?? podr?czna: wykluczanie INF “agtinst.inf”.
@ 13:36:16.015 #V073 Pami?? podr?czna: wykluczanie INF “apcompat.inf”.
@ 13:36:16.046 #V073 Pami?? podr?czna: wykluczanie INF “appmig.inf”.
.
.
.
@ 13:36:19.453 #V073 Pami?? podr?czna: wykluczanie INF “wmpocm.inf”.
@ 13:36:19.468 #V073 Pami?? podr?czna: wykluczanie INF “wmtour.inf”.
@ 13:36:19.500 #V073 Pami?? podr?czna: wykluczanie INF “wordpad.inf”.
@ 13:36:19.531 #V073 Pami?? podr?czna: wykluczanie INF “wsh.inf”.
@ 13:36:19.562 #T075 Wyliczanie plik?w: przej?cie katalogu uko?czone.
@ 13:36:19.687 #I393 Zmodyfikowano pami?? podr?czn? pliku INF “C:\WINDOWS\inf\INFCACHE.1”.
@ 13:36:19.718 #V005 Otwarto plik PNF dla ?C:\WINDOWS\inf\oem27.inf? (J?zyk = 0415).
@ 13:36:19.750 #I022 Znaleziono ?ms_abndis? w C:\WINDOWS\inf\oem27.inf; Urz?dzenie: ?AbNDIS Driver?; Sterownik: ?AbNDIS Driver?; Dostawca: ?ArcaBit?; Producent: ?ArcaBit?; Nazwa sekcji: ?ABndis.ndi?.
@ 13:36:19.765 #I087 W?ze? sterownika jest niezaufany, zmieniono rang? z 0x00000000 na 0x00008000.
@ 13:36:19.796 #I023 Rzeczywista sekcja instalacyjna: [ABndis.ndi]. Klasyfikacja: 0x00008000. Efektywna data sterownika: 01/02/2011.
@ 13:36:19.812 #T076 Wyliczanie plik?w: przej?cie pami?ci podr?cznej uko?czone.
@ 13:36:19.843 #I063 Wybrany sterownik jest instalowany z sekcji [ABndis.ndi] w ?c:\windows\inf\oem27.inf?.
@ 13:36:19.859 #I320 Identyfikatorem GUID klasy urz?dzenia pozostaje: {4D36E974-E325-11CE-BFC1-08002BE10318}.
@ 13:36:19.875 #I060 Ustawiono wybrany sterownik.
@ 13:36:19.906 #I058 Wybrano najlepszy zgodny sterownik.
[2011/02/01 13:36:19 2520.20]
#-199 Wykonywanie “C:\Program Files\ArcaBit\abndis\infInstaller.exe” z wiersza polecenia: infInstaller.exe inst
@ 13:36:19.953 #V005 Otwarto plik PNF dla ?c:\windows\inf\oem27.inf? (J?zyk = 0415).
[2011/02/01 13:36:20 2520.23]
#-199 Wykonywanie “C:\Program Files\ArcaBit\abndis\infInstaller.exe” z wiersza polecenia: infInstaller.exe inst
@ 13:36:20.031 #V005 Otwarto plik PNF dla ?C:\WINDOWS\INF\drvindex.inf? (J?zyk = 0415).
[2011/02/01 13:36:19 2520.21]
#-199 Wykonywanie “C:\Program Files\ArcaBit\abndis\infInstaller.exe” z wiersza polecenia: infInstaller.exe inst
@ 13:36:20.000 #V005 Otwarto plik PNF dla ?c:\windows\inf\oem27.inf? (J?zyk = 0415).
@ 13:36:20.062 #V094 Umieszczono w kolejce kopiowanie z sekcji [ABndis.Files.Sys] w “c:\windows\inf\oem27.inf”: “abndis.sys” do “abndis.sys” z flagami 0x00000400, katalog docelowy to “C:\WINDOWS\system32\DRIVERS”.
@ 13:36:20.078 #V095 ?r?d?o w sekcji [sourcedisksfiles] w “c:\windows\inf\oem27.inf”; No?nik=1 Opis=“Arcabit AbNDIS Driver Disk” Tag=“” ?cie?ka=“”.
@ 13:36:20.093 #T185 Oczyszczanie plik?w: weryfikowanie wykaz?w/plik?w INF.
@ 13:36:20.125 #I180 Weryfikowanie pliku “c:\windows\inf\oem27.inf” (klucz “abndis.inf”) wed?ug wykazu “” nie powiod?o si?. B??d 1168: Nie mo?na odnale?? elementu.
@ 13:36:20.140 #I180 Weryfikowanie pliku “c:\windows\inf\oem27.inf” (klucz “abndis.inf”) wed?ug wykazu “” nie powiod?o si?. B??d 1168: Nie mo?na odnale?? elementu.
@ 13:36:20.156 #T186 Oczyszczanie plik?w: zako?czono weryfikowanie wykaz?w/plik?w INF.
@ 13:36:20.187 #W334 Nie mo?na zweryfikowa? wykazu podczas skanowania kolejki plik?w. B??d 1168: Nie mo?na odnale?? elementu.
@ 13:36:20.218 #T181 Instalacja plik?w: weryfikowanie wykaz?w/plik?w INF.
@ 13:36:20.234 #I180 Weryfikowanie pliku “c:\windows\inf\oem27.inf” (klucz “abndis.inf”) wed?ug wykazu “” nie powiod?o si?. B??d 1168: Nie mo?na odnale?? elementu.
@ 13:36:20.265 #I180 Weryfikowanie pliku “c:\windows\inf\oem27.inf” (klucz “abndis.inf”) wed?ug wykazu “” nie powiod?o si?. B??d 1168: Nie mo?na odnale?? elementu.
@ 13:36:20.281 #E360 Zostanie zainstalowany niepodpisany lub podpisany niepoprawnie plik “c:\windows\inf\oem27.inf” dla sterownika “Us?uga sieciowa” (Zasady=Ignoruj). B??d 1168: Nie mo?na odnale?? elementu.
@ 13:36:20.296 #T182 Instalacja plik?w: zako?czono weryfikowanie wykaz?w/plik?w INF.
@ 13:36:20.328 #I167 SPFILENOTIFY_NEEDMEDIA: Tag = ??, Opis = ?Arcabit AbNDIS Driver Disk?, ?cie?ka?r?d?owa = ?C:\Program Files\ArcaBit\abndis?, Plik?r?d?owy = ?abndis.sys?, Znaczniki = 0x00000400.
#-024 Kopiowanie pliku ?C:\Program Files\ArcaBit\abndis\abndis.sys? do ?C:\WINDOWS\system32\DRIVERS\abndis.sys?.
@ 13:36:20.375 #E360 Zostanie zainstalowany niepodpisany lub podpisany niepoprawnie plik “C:\Program Files\ArcaBit\abndis\abndis.sys” dla sterownika “Us?uga sieciowa” (Zasady=Ignoruj). B??d 1168: Nie mo?na odnale?? elementu.
@ 13:36:20.390 #I336 Kopiowanie pliku “C:\Program Files\ArcaBit\abndis\abndis.sys” do “C:\WINDOWS\system32\DRIVERS\abndis.sys” za pomoc? pliku tymczasowego “C:\WINDOWS\system32\DRIVERS\SET27.tmp”.
@ 13:36:20.421 #V250 Zastosowano zabezpieczenia do pliku “C:\WINDOWS\system32\DRIVERS\abndis.sys”.
#-035 Przetwarzanie sekcji Dodaj/Usu? us?ugi [ABndis.ndi.Services].
@ 13:36:20.468 #E280 Dodawanie us?ugi: nie mo?na uzyska? konfiguracji us?ugi “ABndis”. B??d 2: Nie mo?na odnale?? okre?lonego pliku.
@ 13:36:20.500 #E033 B??d 2: Nie mo?na odnale?? okre?lonego pliku.
@ 13:36:20.562 #E275 B??d podczas instalowania us?ug. B??d 2: Nie mo?na odnale?? okre?lonego pliku.

This last part is interesting so I’ll translate:
#-035 Parsing section Add/Remove services [ABndis.ndi.Services].
@ 13:36:20.468 #E280 Adding service: cannot get configuration for service “ABndis”. Error 2: Specified file cannot be found.
@ 13:36:20.500 #E033 Error 2: Specified file cannot be found.
@ 13:36:20.562 #E275 Error during service install. Error 2: Specified file cannot be found.
// end of translation

The uninstallation I mentioned was just what you suggest. I used the tool to uninstall, reboot. Search for anything left on FS/registry, remove it, reboot. What I get should be a “clean” system. But I cannot install after all that anyway…

I will try your suggestion of “endless” install/uninstall cycles and see if it breaks. However other suggestions are more than welcome :slight_smile:

Thanks and regards,
James
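An added example, not part of the original thread: a small parser for the XP-style setupapi.log format posted above. It keys on the language-independent message IDs (`#E…`, `#W…`, `#-…`) rather than the localized text, and ties the installer's HRESULT 0x80070002 back to the log entries carrying the matching Win32 code. The sample lines are constructed from the poster's translation, and the function names are this example's own.

```python
import re

# Constructed sample in the format of the log above (English wording, shortened).
SAMPLE_LOG = """\
[SetupAPI Log]
[2011/02/01 13:36:19 2520.21]
#-199 Executing "infInstaller.exe" with command line: infInstaller.exe inst
@ 13:36:20.281 #E360 An unsigned or incorrectly signed file will be installed (Policy=Ignore). Error 1168: Element not found.
#-035 Parsing section Add/Remove services [ABndis.ndi.Services].
@ 13:36:20.468 #E280 Adding service: cannot get configuration for service "ABndis". Error 2: Specified file cannot be found.
@ 13:36:20.562 #E275 Error during service install. Error 2: Specified file cannot be found.
"""

# "[date time pid.instance optional-title]" opens a section.
SECTION = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (\d+)\.(\d+)(?: (.+))?\]$")
# "@ time #Xnnn text" or "#-nnn text"; X is E, W, I, V or T, "-" marks a context line.
ENTRY = re.compile(r"^(?:@ (\d\d:\d\d:\d\d\.\d{3}) )?#([EWIVT-])(\d{3}) (.*)$")
# "<localized word> <number>: " as in "Error 2: " or the Polish equivalent in the log.
WIN32 = re.compile(r"\S+ (\d+): ")


def win32_from_hresult(hr):
    """Return the Win32 code inside a failure HRESULT with FACILITY_WIN32 (7), else None."""
    if (hr >> 31) & 1 and (hr >> 16) & 0x7FF == 7:
        return hr & 0xFFFF
    return None


def parse_problems(text):
    """Return every error/warning entry with its section and the last context line."""
    section, context, found = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if SECTION.match(line):
            section, context = line, None
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # "[SetupAPI Log]" header, elided lines, blank lines
        stamp, severity, number, message = m.groups()
        if severity == "-":
            context = message  # remember which step the following entries belong to
        elif severity in "EW":
            code = WIN32.search(message)
            found.append({
                "section": section,
                "time": stamp,
                "id": severity + number,
                "win32": int(code.group(1)) if code else None,
                "context": context,
                "message": message,
            })
    return found


def entries_for_hresult(hr, text):
    """Return the log entries whose Win32 code matches the installer's HRESULT."""
    wanted = win32_from_hresult(hr)
    return [e for e in parse_problems(text) if wanted is not None and e["win32"] == wanted]


if __name__ == "__main__":
    for e in entries_for_hresult(0x80070002, SAMPLE_LOG):
        print(e["time"], e["id"], "during:", e["context"])
```
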

> suddenly, on some computers, the installation started failing with 0x80070002 (“specified file was not found”).

This may occur if the admin account under which the setup runs has no access to the file. For example, the file is on the desktop of another user.

Or, a stupid antivirus blocks access while it scans the files.

–pa

I’m afraid it’s neither.
The files (2xINF+SYS) are located in \Program Files.… The installer has an option to either copy them to %WINDIR%\inf and %WINDIR%\system32\drivers or just assume they’re already there. Either way fails during the installation of the second INF file.

Antivirus turned off.

> The files (2xINF+SYS) are located in \Program Files.… The installer has an option to either copy them to %WINDIR%\inf and %WINDIR%\system32\drivers or just assume they’re already there.

Are you using the proper way of installing the driver, i.e. DifX stuff, or your own C/C++ code written the same way as the DEVCON sample? You can also install using devcon.exe

The installer must not do such file copies explicitly, SetupApi must be used for this.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

We’re using our own C++ app. I don’t quite remember what it’s based on exactly, but it uses COM a lot. Where can I find this DEVCON? Maybe I’ll find something useful in it.

We do copies ourselves as the SetupAPI (if I remember correctly) showed a lot of windows during install which we didn’t like. Maybe this is not the right way, but I don’t really know what is…

Thanks a lot & regards,
James

> lot. Where can I find this DEVCON? Maybe I’ll find something useful in it.

In the WDK, both binaries and source.

> We do copies ourselves as the SetupAPI (if I remember correctly) showed a lot of windows during install which we didn’t like

Only 1 window about signature, nothing else.

So, sign the driver package (.cat), or better pass the package via WHQL, and the things will go correctly.

I’m 99% sure that these manual file copies were done incorrectly and introduced the issues.

If you need reliability, then go the approved way.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

On DEVCON:
I’ve found it. I’m learning to use it at the moment. Is there a way to have it output some sort of debugging info?

On WHQL:
I’d love to but somehow the responsible team has not been able to have it signed for a few years now…

Thanks a lot!

James

> I’ve found it. I’m learning to use it at the moment. Is there a way to have it output some sort of debugging info?

setupapi.dev.log

> I’d love to but somehow the responsible team has not been able to have it signed for a few years now…

Then sign it with your own cert and live with 1 yellow box of “Do you trust?” on install.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

This is XP so I don’t have the .dev.log file but I see other setup*.log files which I’ll inspect…

Signing is not my business thus I have no influence on that part. I can only swear and moan…

Thanks a lot for your help, now I have something to “work” with.

Regards,
James

xxxxx@arcabit.com wrote:

> I’m afraid it’s neither.
> The files (2xINF+SYS) are located in \Program Files.… The installer has an option to either copy them to %WINDIR%\inf and %WINDIR%\system32\drivers or just assume they’re already there. Either way fails during the installation of the second INF file.

That is NOT a legitimate installation technique, and has not been
legitimate since Windows 98. Installation applications should never
copy anything directly to %WINDIR%\inf.

The correct technique is to “pre-install” your driver into the driver
store, using a tool like devcon or dpinst, or by calling the
DriverPackagePreinstall API. PnP will take over from there.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Mhm, didn’t know that. So basically we have two problems:

  1. The machines that return 0x80070002 and need fixing
  2. The bad installation technique

#1
I still have not been able to fix this on the single machine we’ve been lucky enough to develop the issue. Using DEVCON I’ve managed to find and remove a few ‘zombie’ devices but still no-go on install. To install I’ve tried both DEVCON (never succeeded) and the ‘Microsoft way’ (described with the DDK sample our driver is based on) which is Control Panel -> Network Adapters -> bla bla (“GUI” technique - not useful for installers but SHOULD work). The INFs are taken directly from the sample with just a few minor modifications (names and descriptions).
I have dropped using my installer.
No idea what to try next…

#2
So, what IS the best technique? By ‘best’ I mean one that is compatible with systems ranging from XP SP3 until Win7x64 and hopefully beyond. I’m a “user mode” developer so all I did was adjusting the DDK sample installation program… That was a while ago and I don’t quite remember why I chose this way. But now is now so I’ll gladly make adjustments!
From what I see there are at least three techniques:
-DEVCON (SetupAPI tool as I’ve learned)
-dpinst (? tool)
-DriverPackagePreinstall API (new to me, I’ll read about it)

Since I want to have this work and done properly I’d like to select the best and hopefully most ‘futuristic’ one. Which do you recommend? Which is likely to last until Windows 8?

BTW:
You’ve used the term ‘driver store’. Is that the ‘place’ all installed drivers are cached? A sample will clarify: I buy a new piece of hardware and put it inside the computer. Windows starts and has no idea what that new thing is so it asks for drivers. I provide. When later I uninstall the drivers (for whatever reasons) and reboot it doesn’t ask for drivers again. It already knows what it is and (I don’t know why/where from) it automatically installs the drivers. The very same drivers I’ve uninstalled for what I know!
Is that how the ‘driver store’ works? That has always been a vexing thing for me…

Regards,
James

> From what I see there are at least three techniques:
> -DEVCON (SetupAPI tool as I’ve learned)
> -dpinst (? tool)
> -DriverPackagePreinstall API (new to me, I’ll read about it)

I think they are the same.

To install a driver for a device using devcon, you must:

devcon dp_add

and then

devcon update

DO NOT USE “devcon install” - this creates a root-enumerated devnode which is not what you need for real PCI or USB hardware.

“devcon dp_add” installs your driver to Driver Store. This asks the signing dialog and copies the INF to \windows\inf. The underlying API is SetupCopyOEMInf.

“devcon update” associates the driver package with the particular devnode, this is the same as “Update Driver” in the Device Manager. The underlying API is UpdateDriverForPlugAndPlayDevices.

Since these APIs are clumsy for use in installer frameworks and scripting, there is also DifX API which is wrapped around them and specially intended for use in installer frameworks and scripts. “dpinst” is IIRC the binary app which calls these DifX APIs. Also IIRC you can ship “dpinst” but not “devcon” with your install package.

Also note that, unlike the Setup APIs, DifX will register your driver as installed software in Control Panel.

> what that new thing is so it asks for drivers. I provide. When later I uninstall the drivers

Driver package cannot be removed (only by manual procedure unsuitable for production use).

You can only delete the devnode, or dissociate the package from it.

So, the driver package is forever, and, if you re-connect the hardware, PnP will automatically associate the driver package with it.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

OK, so both you (Maxim) and Tim recommend this DifX API approach. And dpinst is a binary wrapper around it. I shall explore and devise a completely new installer for our drivers.

However, a question arises. I didn’t write the driver so maybe this is a silly question, but the driver is not for a real piece of hardware. It’s a virtual device. So when I store the driver package in the Driver Store how do I “plug-in” this device? Or will the OS just know? I suppose so but I find it’s better to ask.

BTW, my DEVCON doesn’t have a dp_add function - maybe the DDK one is better/newer? I got it from MSDN which says its release date is 2003…

Still, what about the broken computer(s)? It seems we’ve been using a wrong approach (copying SYS/INF files manually, installing with the wrong API, …), but there must be a way of removing a driver COMPLETELY? I’d like to use the new technique and install it correctly. At the moment the system automatically uses the old (wrongly installed) drivers which might be the cause of the problem…

Best regards,
James

No, sorry. There isn’t. A few people have tried to write such a utility, but it seems that down that path lies only madness.

So, if you have a system onto which you’ve already installed – or tried to install – a version of your driver the only solution is to try the install on a different system. Sorry.

In terms of using devcon, if your driver is a software-only (pseudo) driver, you can just do:

devcon install

as in

devcon install nothing.inf ROOT\OSRNothing

And yes… you want to use the one from the WDK — you need to install the WDK in any case, right? So, just use the right version of the tool.

Peter
OSR

xxxxx@osr.com wrote:

> No, sorry. There isn’t. A few people have tried to write such a utility, but it seems that down that path lies only madness.

You are EXACTLY right. I had a client that insisted on this. So, I
wrote them a nuclear vacuum utility that removes all traces of the
driver. It was not easy. The code to take control of and adjust the
permissions on a registry tree is unbelievably gnarly, and anything but
intuitive.

And, as you have implied, XP gets unstable after it runs. I have the
utility put out an annoyware message saying “You REALLY need to reboot,
and I mean RIGHT NOW!”. Personally, I never run the tool. The standard
uninstall does exactly what I need.

The worst part is the client’s sales staff thinks this is a great
general purpose tool, so they keep handing it out. I’ve had to tell
them many times, “This is ONLY to be used in case of emergency – it’s
not healthy.”


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@arcabit.com wrote:

> OK, so both you (Maxim) and Tim recommend this DifX API approach. And dpinst is a binary wrapper around it. I shall explore and devise a completely new installer for our drivers.
>
> However, a question arises. I didn’t write the driver so maybe this is a silly question, but the driver is not for a real piece of hardware. It’s a virtual device. So when I store the driver package in the Driver Store how do I “plug-in” this device? Or will the OS just know? I suppose so but I find it’s better to ask.

Well, let’s step back a bit. Is this a plug-and-play device, or is this
a legacy device? How do you expect the driver to be started? If it’s
PnP, what does the device ID look like that you match in your INF?
Given that, maybe we need to offer you different advice.

> BTW, my DEVCON doesn’t have a dp_add function - maybe the DDK one is better/newer? I got it from MSDN which says it’s release date is 2003…

Good lord, yes. You have an antique. That’s the Windows Server 2003
DDK, version 3790. You need the Windows 7 WDK, version 7600.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Store how do I “plug-in” this device?

“devcon install”. The underlying APIs are:

SetupDiCreateDeviceInfoList
SetupDiCreateDeviceInfo
SetupDiSetDeviceRegistryProperty for hardware ID
SetupDiCallClassInstaller(DIF_REGISTERDEVICE)

> BTW, my DEVCON doesn’t have a dp_add function - maybe the DDK one is better/newer?

WDK 6001.18002 must be used if you need to still support w2k, the latest Win7 WDK - otherwise.

> SYS/INF files manually, installing with the wrong API, …), but there must be a way of removing a driver COMPLETELY?

Lots of file and registry key deletions.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

“Tim Roberts” wrote in message news:xxxxx@ntdev…

> The worst part is the client’s sales staff thinks this is a great
> general purpose tool, so they keep handing it out.

Doesn’t the experience prove that customers are always right -
so better give them what makes them happy?

Once MS tried to teach users to always click on the “safely remove” widget.
They understood that it won’t happen, desisted and instead improved surprise
removal path.
MS tried to teach users to stop browsing web from admin account.
They understood this is not realistic, and invented something else. And so on.

Regards,
–pa