
I am currently working on a script that does all my hacks to my Windows 10 20H2 OS in one run.

I am using PowerShell 7.0.4 x64 and I want to run the script in Admin pwsh. I found that some registry keys require TrustedInstaller privileges to be changed, and I have found a solution: using psexec -S to start a pwsh process that runs the commands with TrustedInstaller privileges. Unfortunately, I don't know how to pass variables to new processes, or how to make it automatically exit psexec to continue script execution.

I will use this as an example:

$TiSvc=@(
"PrintWorkflowUserSvc"
"RmSvc"
"SCardSvr"
"SecurityHealthService"
"Sense"
"SgrmBroker"
"wscsvc"
)
$TiSvc | %{Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_" -Name Start -Type DWord -Value 4}

Without TrustedInstaller privilege, the command will fail with an access denied error.

Now, to solve this, use psexec to run the command (I have put the SysInternals folder in the path):

$PwSh=(Get-Process -Id $pid).path
PsExec -S $PwSh ???

I want to set the [array] variable $TiSvc in the current session; I don't know how to pass $TiSvc to the new pwsh session and run this command:

$TiSvc | %{Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_" -Name Start -Type DWord -Value 4}

And after the command is executed, exit the new pwsh session and exit psexec to continue script execution.

How can I do that? Any help is appreciated.

Ξένη Γήινος

1 Answer


Put whatever commands you want to run as TrustedInstaller in a text file in the same path as your script file, make sure PsExec.exe is in the Path, then use these commands:

$PwSh=(Get-Process -Id $pid).path
psexec -S $pwsh -file $psscriptroot\tiworker.txt

This runs the commands that need TrustedInstaller privilege in another PowerShell process; that process exits automatically after the execution is completed, allowing the main script execution to continue.

Fixed a minor mistake that caused the PowerShell process to start without TrustedInstaller privilege.

The above method somehow didn't work properly. When I tried it to run these commands:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WinDefend" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdBoot" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdFilter" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdNisDrv" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdNisSvc" -Name "Start" -Type DWord -Value 4

I got the error:

Set-ItemProperty: Attempted to perform an unauthorized operation.

If I use reg add:

ERROR: Access is denied.

However, the commands before them all returned:

The operation completed successfully.

Specifically these commands:

Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender" -Name "ProductStatus" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableAntiSpywareRealtimeProtection" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Scan" -Name "AutomaticallyCleanAfterScan" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Scan" -Name "ScheduleDay" -Type DWord -Value 8
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\UX Configuration" -Name "AllowNonAdminFunctionality" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\UX Configuration" -Name "DisablePrivacyMode" -Type DWord -Value 1

When run as Administrator and not TrustedInstaller, each will return this error:

Set-ItemProperty: Requested registry access is not allowed.

When run using PsExec, this error will not be generated.

But this error:

Set-ItemProperty: Attempted to perform an unauthorized operation.

will still be generated.

I guess this is because PsExec relies on remote stuff and I have disabled "Remote Assistance", "Remote Desktop" and "Remote Registry".

I used NSudoLC.exe and it successfully disabled Windows Defender without errors:

NSudoLC.exe -U:T -P:E $pwsh -file $home\desktop\tisvc.txt

When using NSudo, neither of the errors mentioned above is generated.

Ξένη Γήινος
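The question and the answer above both describe the same activity from the operator's side: a service-installing tool (PsExec -s) or a token-manipulating tool (NSudo -U:T) spawns pwsh, which then writes Start = 4 under HKLM\SYSTEM\CurrentControlSet\Services\<name> and flips values under HKLM\SOFTWARE\Microsoft\Windows Defender. The following is an added example, not code from the question, the answer, PsExec or NSudo, showing how a defender would spot that sequence in endpoint telemetry. The records are constructed here and shaped like System log Event ID 7045 (service installed) and Sysmon Event IDs 1 (process create) and 13 (registry value set); the field names follow those real event types, while every sample value, the $WatchedServices list and the function name Test-TrustedInstallerTamper are assumptions made for this example.

```powershell
# Added example (not from the posts above): offline detection pass over constructed
# sample events. Field names follow System 7045 and Sysmon 1/13; all values, the
# service list and the function name are assumptions for this example.

# Services the posts above disable by writing Start = 4 (SERVICE_DISABLED).
$WatchedServices = @('WinDefend', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc',
                     'SecurityHealthService', 'Sense', 'wscsvc')

function Test-TrustedInstallerTamper {
    # Emits one finding object per suspicious event; benign events produce nothing.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)

    process {
        $reasons = @()
        switch ($Event.EventId) {
            7045 {
                # PsExec -s installs a service named PSEXESVC on the target machine.
                if ($Event.ServiceName -eq 'PSEXESVC' -or $Event.ImagePath -match 'PSEXESVC\.exe$') {
                    $reasons += 'PsExec service (PSEXESVC) installed'
                }
            }
            1 {
                # NSudo's -U:T switch requests a TrustedInstaller token for the child process.
                if ($Event.Image -match '\\NSudo(LC|LG)?\.exe$' -or $Event.CommandLine -match '(^|\s)-U:T(\s|$)') {
                    $reasons += 'NSudo launched with a TrustedInstaller token'
                }
            }
            13 {
                # Any value written under the Defender configuration tree (policy or product key).
                if ($Event.TargetObject -match '^HKLM\\SOFTWARE\\(Policies\\)?Microsoft\\Windows Defender(\\|$)') {
                    $reasons += "Defender setting written: $($Event.TargetObject)"
                }
                # Start = 4 on one of the watched services; Sysmon renders DWORDs as 'DWORD (0x00000004)'.
                foreach ($svc in $WatchedServices) {
                    $startKey = '^HKLM\\SYSTEM\\CurrentControlSet\\Services\\' + [regex]::Escape($svc) + '\\Start$'
                    if ($Event.TargetObject -match $startKey -and $Event.Details -match '0x00000004\)?$') {
                        $reasons += "Service $svc set to Disabled (Start = 4)"
                    }
                }
            }
        }

        if ($reasons.Count -gt 0) {
            # Normalise the actor/image fields, which differ between the two event sources.
            $actor = 'n/a'
            if ($Event.User) { $actor = $Event.User } elseif ($Event.AccountName) { $actor = $Event.AccountName }
            $image = 'n/a'
            if ($Event.Image) { $image = $Event.Image } elseif ($Event.ImagePath) { $image = $Event.ImagePath }

            [pscustomobject]@{
                EventId = $Event.EventId
                Actor   = $actor
                Image   = $image
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample events (not real telemetry). The last two are benign controls.
$SampleEvents = @(
    [pscustomobject]@{ EventId = 7045; ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\PSEXESVC.exe'; AccountName = 'LocalSystem' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Tools\NSudoLC.exe'; CommandLine = 'NSudoLC.exe -U:T -P:E pwsh.exe -file C:\Users\Example\Desktop\tisvc.txt'; User = 'EXAMPLE\admin' }
    [pscustomobject]@{ EventId = 13; Image = 'C:\Program Files\PowerShell\7\pwsh.exe'; User = 'NT AUTHORITY\SYSTEM'; TargetObject = 'HKLM\System\CurrentControlSet\Services\WinDefend\Start'; Details = 'DWORD (0x00000004)' }
    [pscustomobject]@{ EventId = 13; Image = 'C:\Program Files\PowerShell\7\pwsh.exe'; User = 'NT AUTHORITY\SYSTEM'; TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware'; Details = 'DWORD (0x00000001)' }
    [pscustomobject]@{ EventId = 13; Image = 'C:\Windows\System32\svchost.exe'; User = 'NT AUTHORITY\SYSTEM'; TargetObject = 'HKLM\System\CurrentControlSet\Services\Spooler\Start'; Details = 'DWORD (0x00000003)' }
    [pscustomobject]@{ EventId = 1; Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe'; User = 'EXAMPLE\user' }
)

$Findings = $SampleEvents | Test-TrustedInstallerTamper
$Findings | Format-Table -AutoSize
```

On a real host the same function would be fed from Get-WinEvent after projecting the XML event data onto the property names used here; the pattern to look for is the pairing, within a short window, of a PSEXESVC install or an NSudo launch with a Start = 4 write on a Defender service, since the service-install event alone is also produced by legitimate PsExec administration. On the mitigation side, Defender's Tamper Protection is the control that refuses these particular registry writes regardless of the token of the process making them, which is why a SYSTEM or TrustedInstaller shell is not sufficient to change them on a protected machine.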