Hacking Windows TrustedInstaller (GOD MODE)
Вставка
- Опубліковано 5 вер 2024
- jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! jh.live/pwyc
James Forshaw's blog post: www.tiraniddo....
Reddit delirium: / how_does_one_become_tr...
Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricet...
Learn Coding: jh.live/codecr...
WATCH MORE:
Dark Web & Cybercrime Investigations: • Tracking Cybercrime on...
Malware & Hacker Tradecraft: • Malware Analysis & Thr...
📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/discord ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥UA-cam ALGORITHM ➡ Like, Comment, & Subscribe!
James Forshaw's blog: www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html
I love seeing the sentiment for "just run Linux", or "just boot into Safe Mode", or "just attach a recovery USB", etc., but I think in the case of leveraging this for a penetration test, red team engagement, or offensive security work, if it is a remote Windows target (where you can't change the OS or have physical access) you have to live off the land and the constraints of the environment. This process should be valuable when you've got initial access, escalated privileges, and can do further post-exploitation to do damage or set up some sneaky persistence -- you can't as easily make changes, but you can sure as hell run PowerShell code. Just an option and one of many ways to skin a cat :)
Cheers, was checking the comments for the link, wanna check it out myself and get some more context. Maybe pin it to the top (atm its somewhere down your own page)?
Great vid, cheers man.
@@daanmageddon Hmmm, it should be a pinned comment, and is now in the description -- sorry I hadn't had it there earlier! Thanks so much for watching! 💙
Challenge for you, try disabling the delivery optimization service without touching the registry.
(i don't know about windows 11 but its pretty tough on windows 10).
:3 Shalom.
:3 Reddit is thankfully just 200+ million Google Play downloads for how toxic it gets. Cesspool, indeed. I almost entirely avoid using it. A lot of inaccurate info, down voting anything they don't like, getting banned by groups easily, far-left cancer, far-right cancer, etc.
I've bricked my vm windows install 3 times this year since I found this channel, excellent video!!
If you use Linux, it is easier to brick your system! Give it a try lol.
@@vidal9747this is the way
@@vidal9747 its also easier to fix.
@@vidal9747 If your'e bricking anything, then you just dont know wtf youre doing isnt it lol
User: "can I uninstall Edge?"
Windows: "absolutely not."
User: "can I uninstall the Kernal"
Linux: "Let's find out!"
linux, afterward: "Welcome to systemd emergency mode!"
I want to like this fun and interesting content about getting back control of Windows, but at the same time I just see this as a bunch of BS steps to get around something that shouldn't have been in the way in the first place, it's so hard to be unbiased about OSs when Windows is this bad lol
@@bluelindenSystemd? More like grub recovery shell!
@@KCKingcollinIt's incredibly that in old machines, Linux LITERALLY GIVE YOU PERMISSION to destroy the BIOS of the system, that's how powerful it is.
@@SleepTime-Dark That's actually something I didn't know, that's kinda cool, but also sounds dangerous lmao
3:06 what stackoverflow is like now -
Q: "How do I do X"
A: "Why would you do that? dont do that." (if your lucky they give an alternative)
What it should be: "You *can* do that by doing this, but you this is the better way"
The problem is the commenters don't know how to do it themselves. And if they don't know something, no one should do that, right? ; )
gpt for the win | in this case
@@elijahjflowers GPT is only good for surface level stuff,i.e. questions that are already answered somewhere on the internet.
It's basically useless for any questions that aren't in some way already answered.
@@boltez6507 - GPT = a web-scraper mostly from Wikipedia, which you could do yourself in seconds with better focus. lol
That's known as a X Y problem
Redditors are so aggressive about being wrong that it's quite comical.
the single worst thing about reddit is that you get suggestions and advice instead of answers when you come there with a question. I DO NOT ASK HOW BIG IS THE ROOM I SAID "I CAST FIREBALL"
I found Reddit to be an absolutely creepy place. Tried it for a short while…nope, not for me.
Reddit is a hivemind of group think. You made a great decision.
The entirety of the site is like that, everybody thinks they know everything and are aggressive as shit about everything. That's why I stopped using it.
Classic behavior.
Now imagine deleting every single internet application apart from teamviewer and anydesk and calling tech scam call centers.
Amazing idea 😆
That shit would be hilarious
we do a little trolling
THAT HAS TO BE VIDEO, make it happen, i wanna see, im already laughing out loud of the IDEA that they wouldnt find a BROWSER anywhere on windows of all places!
why imagine when you can do?
Reminds me of how on XP you could actually become System, complete with XP startmenu identifying as system.
Windows XP were the golden days of computers... I still have a VM on my PC where Windows XP Professional 64-Bit is installed... I even copy-pasted the Pinball Game into Windows 10 AND IT STILL WORKS despite being soooo goddamn old...
Also, you make great videos, i love them ❤
This to this date can happen if you run explorer.exe as TI or "NT Authority\System"
I think he didn't GUI of notepad.exe on 13:28 because he wasn't running explorer.exe as "NT Authority\System" (He ran privileged command prompt from Sysinternals as System)
I didn't know that :o
Man I *just* came here after watching one of your videos xd
@@HoneypawsModsDE I think they just scrapped it because they couldn't make it run native x64 in time and didn't want to use WoW64 🤔 One beauty of Windows, the backwards compatibility
Great to see you here Eric, I have been loving all your recent videos! 😁
There is a plugin for Process Hacker which allows you to start any process with TrustedInstaller permissions and even run GUI apps like cmd.
PSExec can do it via command line.
@@HEXiT_ triggering a dumb AV program is simply an elevated permission state. Get your plugin from the dev and you can turn AV off and just use MB's who are more than aware of Process Hacker.
Anyone with a modern PC should be using a VM to run Process Hacker on first anyway and if you aren't already then you haven't learnt that lesson yet.
Image your OS into a VM, test and then decide. Only kids run exe's or scripts on their gaming machines.
cmd is the exact opposite of a GUI app. It's descended of MS-DOS and was the equivalent of a Linux shell or...whatever BSD derived thing iFruit computers use. You have limited scripting and access to MS-DOS operating system executables like COPY, DELETE, etc.
Up to Windows 98, in fact, MS-DOS, or that same command prompt, bootstrapped Windows, and there were MS-DOS configuration files for Windows that probably caused a lot of headache for Microsoft, leading to what has been a slow, slow move away from it, starting with XP.
It remains as a useful artifact of the past, but if you use Windows Terminal in Windows today, the default tab will be a Powershell prompt.
Anyway, GUI stands for "Graphical User Interface."
@@NameThievery CMD by default opens as a terminal emulator and a shell. A terminal emulator is a GUI app. CMD is a GUI app.
@@HEXiT_ that could be said of anything. Stuff the fear mongering. Windows is literally spyware
Every single time i watch Jhon Hammond i look at myself and say :
I'm a noob in IT even though i was that strange kid that was obsessed over computers out of curiosity.
I was the only kid who hacked my school and sold wifi passwords for admin privilege at my first year of high-school.
I fixed my first laptop (from a friend) replacement with hardware when i was 11 but yet Jhon Hammond reminds me the learning curve in IT is ENDLESS!
*GOD I LOVE THE ENDLESS LEARNING*
I really enjoyed the way you broke this problem down. Add this to the list of follies that is Windows OS. Once Linux is fully able to boot whatever games I want I will fully drop windows. It’s so annoying to have to jump through so many hoops to delete programs from your own PC.
The fact that this is denied by Microsoft as a vulnerability, instead they call it "normal behavior" raises all kinds of red flags to me.
Not that Windows in itself wasn't one huge backdoor already... for all that matters I cannot check for myself as the OS is proprietary.
Fixing this exploit would probably put a lot of "cheap and easy" backdoors out of service as privileges would work much better.
I will only switch to Linux when le terminal™ is no longer used for everything (even the most basic thing), but that will never happen, which is bad because the only good thing it currently does is shutting down in less than a minute
@@revival_of_the_canned_justiceThat is incorrect, you can do everything without using terminal.
@@revival_of_the_canned_justice have u actually tried linux
Steam's work on Proton has greatly enhanced game compatibility on Linux in the past few years; if you last checked for compatibility before the release of the Steam Deck it may be worth taking another look.
Guess what, recently Windows started harassing me with the win11 update by installing a program called RUXIM, and every time i deleted it windows just installed it back. So i changed the privilige from system to me, and i denied write access for system :d
I actually pulled an uno revers card on the system. " If I can't touch your files, then you can't touch mine"
Yes. Ruximics exe > Properties > Security tab > Advanced > Change Owner (from SYSTEM or TrustedInstaller to your user name) > Apply > Edit permissions > Deny ALL
So... let me get this straight: RUXIM helps keep Windows updated and performing well by scheduling and delivering necessary updates.. Why delet?
It doesn't do that. It pesters you to upgrade to 11. wuauclt.exe along with several other binaries handles system patches.
@@Mario583aaverage reddit comment
Hahaha, this thumbnail aged like fine wine :D
How it was uploaded 8 days ago it doesn’t have time to age
Wait i dont get it
?
In other words, removing bloatware with the equivalent of Linux sudo
fr hahaha
Or delete the windows stuff through a secondary Linux os
I'm pretty sure it could also be used by a malicious software to remove the current antivirus and then install itself as TrustedInstaller to incrust itself into the system... Even better would be to replace the AV by a fake one so it takes more time for the user suspect anything wrong.
You can remove that stuff without such tricks in official ways you know.
@@Alfred-Neuman You don't need TrustedInstaller for that. An administrator can set the AV program without any additional rights. In fact every AV installer does this: register itself as the main antivirus program by setting a simple key in the registry, that is writeable by an admin.
Whoa, this was a great video with some even better enthusiasm!
Thanks for sharing this, I learned several new things and I have some new ideas for setting up security policies around the trusted installer or attempts to a abuse it. 🙏🙏🙏🔥🔥🔥
13:45 Notepad.exe is not a service binary.
"Service binaries are different in the sense that they must “check in” to the service control manager (SCM) and if it doesn’t, it will exit execution."
-specterops, Offensive Lateral Movement
Fixing the family computer when my dad broke it when I was a kid is what started my hacking journey and a lifelong love of computers. Break all the things!
Mine was breaking my dad’s XP install on his laptop by writing batch files and him making me fix it lol
"You have unlocked god mode."
"For more information on this issue..."
Amazing how people on Reddit will just bash you over and over for asking a simple question, on a tech forum nonetheless. Absolutely ridiculous behavior from these people
Do you know a place where poeple are not like that ?
They're fake idiots farming karma. None of them would exist on a real hacking forum.
To be completely fair, the number of people I've seen complaining "hurr durr winblows bad because something broke while i was randomly changing registry values/acls/system files" over the decades suggests there is a huge number of Dunning-Krugers out there who really have no idea what they're doing.
Feel free to run out in the middle of the highway and play in the traffic, but don't expect me to help you.
@@throwaway6478 I'll help you play in the middle of a highway :)
sounds like rtfm neckbeards
I barely use that joke of a website but every time I've had to because there was no other option, 99% of my experience from reddit has been almost exactly what you showed in the video. Armchair redditors answering everything besides the question you're asking and in the most condescending way possible. I unironically have more competent conversations with people on /b/ than anywhere I've been forced to go on reddit.
Great video btw
The reason you're getting the error when setting binpath for the service is because there are certain requirements for executables designed to operate as Windows services, one of which is to respond to queries from the service control manager. Obviously tools that aren't designed this way (like cmd.exe) don't respond and the service control manager thinks "this service is not responding and didn't start correctly." The reason you still see the executable being run is due to a small timeout that the service control manager uses to wait for the service to initialize.
The reason you can't see graphical applications like notepad is because services don't run under the local user session and don't have access to the desktop.
I subbed because I liked your beard. Second, your IT knowledge is somewhat refreshing.
You should be able to run a GUI app, you just need to flag the service to interact with the desktop. It's been a while since I have messed with with, but its an option for launching a service somewhere.
You can not do this past windows xp (early 7). Session 0, can not have window (CreateWindow does not work)
@@stanislavpetkov7408 Yeah I think I wanted to have a gui app run as a service in win10 and was sad after my research
I think I saw a video of enderman just doing that. Gui apps all worked except for explorer.exe if I remember correctly
It was possible in NT4 and 2000, because there the interactive user was on window station session 0. THis is now randomized and so this was intentionally killed.
@@Lofote really? I could have swore I have done it in XP and Win7 back in the day.
It’s seems like every new video John’s hair grows larger and flows further up and to the left maybe one day it will look like Johnny Bravo’s
Last I checked, Johnny Bravo did not have a beard nor a mustache.
Edit: I doubt Mr. Hammond will shave them off.
@@Mario583ameant more the height of his hair
It might also be worthwhile noting that any process run in "Session 0" will always result be in a non-gui context. AFAIK "most" services are run as Session 0 meaning they will never have a GUI to interact with.
Bro has never heard of Advanced Run...
I was on the path to be a programmer, but I got kicked out of computer science in high school for getting caught having full access to the hd, bypassing the name/password.. I didn't keep up with it. I became a musician for the last 25 years and became really good at that, realizing now, If i would have continued my computer programming path, I'd be smart enough to follow all of this video, but now it's over my head.. lol.. The way he talks as if it's obvious to do this and that.. Shake my head and smile, the world is in the hands of people far smarter than I ... :)
That reminds me, but not as technical... I forget how I did it, but late 90s high school computer class, I made the login window on NT 4.0 show up as porn. On all 30 computers in the lab. I was on the shitlist from then on.
@@MattExzy I also guessed a student in another classes password, but they thought I hacked everyone's, so they made an announcement that everyone including the teachers all had to change their passwords... lol I told them the truth but they didn't believe me..
It's not about being smarter, it's about taking the time to learn. Your choice if you do it or not. Sometimes it's harder for intelligent people to learn things because they're not used to hitting barriers/hurdles, so the moment they do they simply stop. Those who are used to struggling often get further because to them hurdles are the norm.
@@roboverholt9959 In college I was not happy that they would not give me privileges on the lab computer I worked on (6 months from my CE) and thought a simple boot locker was sufficient to secure the systems so as a joke I accessed the boot locker and turned on the screen saver function and used "Micheal Angelo at Work !!!" as the bouncing text and came back the next monday to find out they had low level formatted all the internal systems at the school! LOL what a bunch of idiots.
@@LabelsAreMeaningless Its more difficult for more intelligent people to learn things that do not adhere to logic such as languages. When contradictory information just boils down to rote memorization the more intelligent among us will go off on tangents to find out why and how to fix the problem rather than just memorizing and moving on. And when they figure out how to fix the problem they will find out they are running into entrenched established institutional monoliths that will fight them tooth and nail rather than admit any wrong which is the first step to addressing change.
As admin you can take ownership of the folder and then remove "Trusted installer" from the permissions, add yourself as full control and then delete the folder. Alternatively I removed trusted installer as a user from the local account, which breaks all the permissions, you can then take ownership of the whole drive, obviously this is a massive security risk though. This was on the first release of windows 10, this may be harder or impossible now. The other thing this does is prevents the os from doing updates as it no longer has permission to save updates to the staging folder it uses, so if you want an update you need to do it yourself
14:00 notepad isn't showing up because services are started in Session 0, it's a special windows session (like being logged in as another user that would also be a different session), you can even see it in process explorer :)
Windows: "Noooo you can't uninstall critical software it will brick your installation noooo!!!"
Linux: "Hahah rm -rf / go brrrrr"
The only reason anyone would type that is if the FBI came knocking on your doors (that says a lot about you guys, honestly 🤨)
@@revival_of_the_canned_justiceits called a joke bruh 😐 its funny because WE all understand that unlike you apparently
@@surr3ald3sign I know what it does, you fanboy
@@revival_of_the_canned_justice they were talking about what a joke is not rm rf you unfilled water bottle
Great video, very informative! Thanks for sharing your knowledge!
get out
Challenge for you, try disabling the delivery optimization service without touching the registry.
(i don't know about windows 11 but its pretty tough on windows 10).
Also I don't even know why it can't be disabled even after taking ownership of its parent service i.e. the infamous svhost.
So funny, when he deletes "Windows Mail", says we nuke that up, and laughs "it's gone" ! Great video, into the arcanes of Windows, but man it's overcomplicated, not your fault though :)
it's your fault, wasn't it john?
why do i keep seeing these comments?? i dont get it
@@Jxhsxn we know what you did.
@@Jxhsxnidk but based on the user of the username of the commenter, it’s a bot. And for the person who replied to you, probably just a troll
Thank you I downloaded profile pic
i think im ben, not john smith in this tangent man...
That thumbnail was kind of prophetic, it seems 😂
a bored guy at crowd strike followed the tutorial, I suppose
I thought this is today’s video, you actually time travelled!
You can install Take Ownership which lets you take ownership of the file so you can edit or delete it. I used to do that on Windows 7 and 8 when I was using it. You could also unlock God Mode by editing the Windows Explorer file by typing in a registry key. I don't know if that's changed on Windows 10 because I am using Linux now.
you don't need to install anything to take ownership you can do it from windows explorer or the command line already
So MS trying to transform Windows in a smartphone again and locking the admin from his own files. Miss the old days of NT4 where being part of Administrator's group already gave you all this, like Dave Cutler wanted.
THIS IS WHAT WE COME HERE FOR JOHN!! YOU HAVE A PASS TO DO A FULL VIDEO ON A SPONSOR!!
reddit used to be a cool place to get help and meet great people. Today it's complete garbage, highly politicized, and just down right filled with wrong information. I miss old reddit before mods ruined the site.
Or just run NSudo and run the process with TI priv
TrustedInstaller is so called Well-Known Security Principal, it is not visible in the local SAM database and is built-in the OS
Always fun John, thanks!
Absolutely hands down one of the best tutorials I've seen in a long time John you did a fabulous job breaking down this tutorial for everyone whether your new or a seasoned veteran absolutely hit the mark thank you for a great video
There are also the "Network Service" and "Loacl Service" users, I saw that some of my services were running at those "accounts", so what are those?
"SYSTEM" has full admin privileges
"Local Service" has privileges similar to a regular non-admin user
"Network Service" has the same privileges as "Local Service" but it can use the computer's identity. This one is a bit complex:
First off, if there is no central password management server, "Local Service" and "Network Service" are the same. Otherwise...
Assuming...
* You're in a university with an "Active Directory Domain Controller" server that manages the users and passwords for the entire network
* There's a shared network folder Z:\
* You are logged on as user "Steve" on the PC "Library-01"
Then...
* GUI programs on the desktop will access the shared folder as "Steve"
* "Local Service" will try to access the shared folder as a guest with no password
* "Network Service" will access the shared folder as "Library-01$"
Hope this makes sense.
@@haraberu Thanks for the explanation 😛 Even though I didn't understand 50% of it the first time I read it, but I quess these "accounts" just exist because some software requires these special properties to work.
You should be able to launch UI apps from a service (eg TrustedInstaller) when you configure the option 'allow interaction with the desktop' on the service. Windows will then ask you to open a separate user interface which in turn will show the service app on screen.
this thumbnail has not aged well 🤣
Or amazingly well!
what happened? I've been living under a rock.
@@WarLightning042watch his most recent video
Global computer/server outages due to solar winds endpoint security update causing BSOD on all windows machines it was pulled to. Hospitals, airlines and other critical infrastructure affected worldwide
Crowdstrike not solar winds@@bjangles8718
That thumbnail has been really popular the past few days 😅
Meanwhile in Linux the root user is all powerful, and requires none of this weird working around
Yeah, any admin can just do "sudo su" and tad-dam! Full system acess granted, i can even delete Windows protected files mounted on Linux.
@@SleepTime-Dark any way i can use rm -rf to remove depression?
I don’t understand any of this but I find it enjoyable
so it was you
"Complete and unrestricted access to the computer" is not the same as "complete and unrestricted control over the computer."
That "GOD MODE" probably got many people clicking on this video :D
As you can attest! Lol
At 14:00 or so - you need to presumably have to start something that will either act as a service or will do something before the service controller kills it. I thought services had a different entry point than ordinary applications, so I was surprised this approach worked.
Does the SYSTEM and/or TrustedInstaller privilege thing run at the kernel level, or just a very high privilege level outside the kernel?
2nd Question: Are all kernel drivers and other kernel software running *in the ntoskrnl.exe process* OR *outside the ntoskrnl.exe process* in a service or something?
for 1) trusted installer is just a dummy privilege used to own system files (think component store/winsxs and msstore) to prevent malicious modifications and accidental deletions. it isn't a security boundary and is unrelated to the kernel.
ill leave 2 for someone with more expertise regarding the kernel.
Kernel mode drivers run in the same context as the kernel, and on windows, they generally use the native Windows API. But they do not necessarily need to interact with the OS. If they're launched via a UEFI bootstrapper they can technically run entirely platform independent. They can directly interact with hardware through interrupts, PCI lanes, and unvirtualized memory addresses. They don't _have_ to, but they can. Therefore, they're not resident in any specific process unless injected. They do often operate on Windows via svchost as a service, though, since this is a simple way to manage such low-level drivers. This is why the SC command is typically used to launch them. However, note that services and kernel mode drivers are not the same thing! The kernel mode driver has far less restrictive permissions. Therefore, the service needs to be specifically configured to launch such drivers in the proper context.
@@Mavendow Thank you for the VERY detailed explanation of the second question ❤
I didn't know that drivers could be launched via a "UEFI bootstrapper". I thought that the only task for the BIOS/UEFI relating to the OS was to launch the "OS boot instruction code" (or BOOTMGR for the Windows OS), but from what I understood from your speech, there are other capabilities as well such as loading drivers.
@@privatechannel1272 Yes, this is how the LAN and USB works in some modern UEFIs. It would be a hassle to hardcode every individual motherboard's configuration. Drivers basically expose hardware properties to specific memory addresses that other firmware or software can hook, therefore a driver written without proprietary code can technically work in any context. Though, in the case of Windows, DLL/SYS itself is proprietary. More often these will be compiled as SO or shared objects.
@@lordechnobas Thank you for clearing up my ignorance 👍
This brings me back to high school,
I used to screw with settings enough that I was able to access the trusted installer security pass,
Since I was a TI, I had the access to change the permissions for every other file system on my laptop, and every other device on the schools local network,
Good times, good times,
Also, if you just tap the change button in the properties settings, if you are already TI, then you’ll be able to change the highest access to modify those files to the user group and just be able to access TI restricted files and turn them into user accessible files,
Recommendation.. fuck around and find out
Windows is an absolute unfixable disaster.
It's fine for plebs like me.
@@KK-eg3em Until they blue screen you or use the recall feature
;)
I did a lot of this research a few years ago and got stuck where you were at like 12:45. This is awesome, seeing the next steps I could never quite get. Will be removing windows defender from my computer as soon as I get home
well well well
It's a deep subject! 🙃
Linux, Linux and Linux
Parrot OS and Mint are fantastic
Tetris , tetris, and tetris
Too many bugs and insecure asf. all hobby projects. For serious stuff NO. For fun def yes
@@atorik1076 it's fine to be ignorant on the internet, but hopefully not irl.
If Linux were really to be a hobby project, it shouldn't be used as servers by Microsoft itself. RedHat literally exists, that's a hobby project?
@@atorik1076 Hmm, yes, insecure, that's why youtube, the service you are using, handles everything with instances of Linux.
Cool video I always wanted info on Trusted Installer.
I actually used some of this one time. I had installed the SSD from my old laptop as a second drive in my new laptop. I had some large and important media on it so I didn't want to reformat it, because I didn't have enough spare diskspace to copy it to first. So figuring out how to dupe TrustedInstaller entries in the ACL was the only way to make the hard drive look like a normal secondary harddrive.
The reason the service timeout errors occur is that you are running applications and not services, where service executables handle events and ate stateful based on them e.g. start, stop, pause, resume, etc
Great. Had some issues with TI and at the end I forced to reinstall windoes but the path for beging forced to delete my windows was actually educative.
Didn't watch the full video yet, but. If you right click your windows drive, go to security write and read, set your account to full access, you can do what ever you want with your files. hope this helps.
Love watching CMD - powershell users. This is way above my pay grade, but I love peaking behind the curtain.
The more I lean about how Windows wants to control you the more I wish to move to Linux. I think I might do that soon.
why was this so fun to leave on the background
14:21 You would have to enable "Allow service to interact with desktop" in the service configuration..
Here specifically to spite UA-cam not letting you get ad dollars on this. Great content as always. It's a nice break from my web app pentest studies
Penetration testing doesn't matter when you give away the credentials or other valuable information directly in the software. Keep it in mind and keep on keeping on. Best to ya.
@@MrChrisRP I appreciate that got a code injection that allowed me to etc/passed the other night and it made me extatic
I have a legal question:
(Note: using analogy here, no demand for accuracy is required to make the point.)
If "Trusted Installer" is the Windsows OS owned by Microsoft, akin to an OS installed on an electric app-capable vehicle owned by the same vehicle company, the subscription service to make the car's computer work is what makes the vehicle function, the lease or owner has a no-right-to-repair clause because both the vehicle and the OS are proprietary, the same we would expect of a Microsoft computer running Windows, just like Google runs Chromebook.
Ok, so just like we'll never see a truck OS on a jeep vehicle, we won't see Windows on a Chromebook, not without extensive modification and agreement between companies for such, so an agreement-to-modify exists. So....why is Windows operating a Trusted Installer limitation on non-Microsoft computers where it doesn't have authority to compel an owner to operate their computer to OS standards not designed explicitly for it? The OS must match the device for it to function, be it a vehicle or computer, in order for tangible operations to match digital limitations, whereby the digital is limiting the tangible, like how Windows wouldn't be compatible to a Chromebook inherently, the agreement to modify must prevail, with or without license? I say this because purchasing Windows OS is not requiring a Microsoft computer explicitly.
You are, and i mean this as close to literal as possible, comparing apples to oranges here... first off trustedinstaller is not the OS, it is just a brick wall within the windows os designed to keep idiots from bricking their system and has been used to also protect their bloatware. And second do you remember the part of your windows installation where it said something to the effect of "terms and conditions" you are literally agreeing to everything they do, and a chromebook is infact designed to run on the windows os idk what tf you think it runs on, so that part of your "point" literally meant nothing. And to rain on your parade some more, if you own a computer of any kind, odds are microsoft owns some part or all of it bc they own like 90% of all computer technology atp bc they just buy out any competition. Go ahead and look up who owns all those different companies that make the parts in your computer and youll notice, unsuprisingly, that microsoft either owns them or owns a major part of their company and thus more or less owns them anyway. And imma just absolurely rip on you now for that last part "the os must match the device in order for it to function" factually incorrect as the os and the hardware are 2 VASTLY different and incomparable things, the hardware provides the body and the os provides the brain (see THATS how you make an analogy that makes sense in this context btw) the reason vehicles work differently is bc each vehicle company functions ENTIRELY inpdepandant of one another where as consumer use computers are made by many different companies all working together (and still ofc microsoft owning an uncomfortable majority of them bc they are a monopoly) so to attempt to actually answer your question is pointless bc you have a general misunderstanding of even the base concept of software versus hardware and have failed to make a question that makes any form of sense, itd be like if i asked you what your favorite color of the alphebet is, it doesnt make any sense bc thats not even remotely how either of those things work, does that kinda help guide you towards the general idea of what im trying to tell you?
Interesting. This would be much less evasive then constantly taking ownership of termsrv every time you want to edit it for....reasons. Then storing the original permissions and changing it back at the end.
Always something to learn. Great job, John. Thx.
The reason your Notepad didn't show up on your desktop is because you were running it from the "session 0" which does not have a desktop. So it was running, but couldn't display it's GUI.
The way I get rid of ANYTHING I want on windows is to boot from the usb recovery disk offered by windows and then drop to a cmd prompt. I can then dir/delete/move etc anything and that includes hidden and system files as well. A great utility for browsing the windows hard drive from DOS is called Q-Dir and that would be the portable version. Another trick to have complete control of all windows files is to boot up a live Linux system from usb and browse that way with the sudo. In some instances when trying to access the windows hard drive from a Linux boot disk the windows disk will be locked and you cannot work with it. The fix , trick, is to do a restart from windows and when the screen goes blank showing windows is shut down press and hold the computer off button until the computer completely shuts down. Now boot up into your Live Linux and mount the windows hard drive . Using the root option then browse windows and do what you like! I like using a gui interface like Linux when doing operations on windows files because of all the file utilities available. :O)
Fun story: I once had to install a sketchy "run executable as" app to run an antivirus installer as TrustedInstaller because a malware was preventing me from running the antivirus installer normally.
The malware of course didn't have much of a chance after that.
this is much cool. A long time ago I found out about a process hacker addon that allowed me to run stuff with the permissions of trusted installer. It required admin access and had something to do with services. I mainly used it for tampering with old Windows drives with total commander, because my host os refused to let me into the user folders and taking ownership was not ideal. I wanna try making my own automated powershell script now
This brings back the feelings of system privs with the at command on XP
Actually during windows install when you see preparing setting up services youre actually trusted installer for a moment (with mouse and keyboard suspension tho) and oobe where you setup your first account is run as NT authority/system. With right knowledge you can create account as trusted installer during preparation which leads to stealing sid and registering it as normal user. Full control over files despite a lot of bugs and apps not working correctly but a fun experiment to do.
You're actually LocalSystem for the early parts of OOBE, then in Windows 10 and later, it switches to defaultuser0 for the question panels. At no point are you interactively TrustedInstaller.
0:39 you could use iobit unlocker and unlock and delete it
If you hold SHIFT and reset your computer, then select trouble shoot - advanced and select command prompt. You can delete any file you want.
I just deleted windows defender using this simple method
"King Osirus" ->Great Observation and Reporting.
"...for I have become TrustedInstaller, destroyer of Windows."
--Barbara Millicent Roberts-Oppenheimer
yeah I noticed. I WAS expecting a seperate video but this is perfect. Thanks.
Owls need HUGS
@@Margen67 Indeed. :D
Funnily enough I ran into this issue recently - I was trying to create a desktop shortcut to the Realtek control panel. Little did I know the Realtek's exe is stored in WindowsApps folder which is owned by TrustedInstaller. I managed to change the owner to Administrator but it still wouldn't let me look inside WindowsApps folder. So there you go, the absolute state of Windows. Can't even create a desktop shortcut anymore. I also can't create desktop shortcuts to webpages or documents on my Android phone. Amazing.
If I’m not mistaken, the reason why notepad didn’t appear is because services run in a separate desktop/winstation in session 0
Love how the NTAPI undocumented functions website looks like an old school help file!
start a new powershell with admin privileges with: start powershell -v runas -arg "-noexit". After -noexit and inside the quotes you can add a command or a script, and then skip -noexit if you want the admin window to close when the command ends (but you won't see any errors) - doesn't make you NT Authority/System, though
as an admin, you could also inject your payload into a system owned process like lasass or printspooler to get nt system shell without psexec
"It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error." - HAL 9000...
I like how Install-Module worked with the _wrong_ TrustedInstaller configuration
Which implies TrustedInstaller is not exactly responsible for everything related to installing stuff on the system
You can't run interactive shells or gui apps because services run in session 0 which to my knowledge can't be accessed anymore.
I go around TrustedInstaller on systems that are low on disk space, so I can relocate the Windows Update folders to a secondary drive.
The LCU and SoftwareDistribution folders can fill up very quickly and the computer will cease to update. It’s nice to be able to move those around as needed.
Nice Man U Have Clearly Earned My Sub This Is A Game Changer 100% Thank You
The reason why the command fails is because neither cmd nor notepad follow the API required from services. And services are not allowed to use GUI, hence notepad didn't even display, just got killed after timeout.
Thanks John. Very helpful unlike the first top Google results. 😡
TI is absolutely a good thing. (When it comes to keeping stupids from bricking their pc)
But there's no reason you shouldnt be able to be sole arbiter of commands if you want to have that responsibility.
Thats because you can command TI. You can remove whatever you want via Windows Features.
There are ways to do what the end-goal. The way you guys are going about it is silly. Because deleting a folder in system32 or ProgramFiles doesn't get rid of the program,
your getting rid of the system dependent files. The people on reddit are correct, because whatever your trying to accomplish can be done much easier USING the TI
rather than BECOMING the TI. That account is there for a reason.
"You can remove whatever you want via Windows Features." Well no, not everything. I wanted to remove Edge, and that is not an option under Windows Features.
Why not install the windows nt version made to obey EU laws that doesn't have many pre installed programs and stuff by Microsoft?
It's actually all the same installation distribution. During installation just pick one of those EU countries, but select language/keyboard as English (World) or something instead of English (US). You might see "colour" instead of "color" or some other nonsense but it will work just fine.
Liked, commented and subscribed. Nice video, thank you.
Oh I believe there are way more, even higher than what Windows is capable of exposing e.g. Ring 0. I think there are ways to go even higher than that as well.