I am currently working on a script that does all my hacks to my Windows 10 20H2 OS in one run.

I am using PowerShell 7.0.4 x64 and I want to run the script in an Admin pwsh. I found that some registry keys require TrustedInstaller privileges to be changed, and I have found a solution: using psexec -S to start a pwsh process that runs the commands with TrustedInstaller privileges. Unfortunately I don't know how to pass variables to new processes, or how to make psexec exit automatically so that script execution continues.

I will use this as an example:

$TiSvc=@(
"PrintWorkflowUserSvc"
"RmSvc"
"SCardSvr"
"SecurityHealthService"
"Sense"
"SgrmBroker"
"wscsvc"
)
$TiSvc | %{Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_" -Name Start -Type DWord -Value 4}

Without TrustedInstaller privilege, the command will fail with access denied error.

Now, to solve this, use psexec to run the command (I have put the Sysinternals folder in PATH):

$PwSh=(Get-Process -Id $pid).path
PsExec -S $PwSh ???

I want to set the [array] variable $TiSvc in the current session, but I don't know how to pass $TiSvc to the new pwsh session and run this command:

$TiSvc | %{Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$_" -Name Start -Type DWord -Value 4}

And after the command is executed, exit the new pwsh session and exit psexec to continue script execution.

How can I do that? Any help is appreciated.

Ξένη Γήινος
  • You likely need to save the array variable in a file with a standard name, overwritten per array list written to it, and then use `get-content` to read from it in your other session. Wam, bam! – Vomit IT - Chunky Mess Style Jan 24 '21 at 03:37
  • OK, but then, how to automatically exit PsExec to continue script execution? – Ξένη Γήινος Jan 24 '21 at 03:38
  • I'd say set the task that needs the elevated permissions to run as a Task Scheduler task that runs as `SYSTEM` "**whether is logged on or not**", then execute that Task Scheduler job and do NOT use PsExec; the rest is trivial and PowerShell. That's my thought, but I'm trying to play with CentOS8 on WSL a little. Someone with your PowerShell skillset can most certainly figure that out. I'm sure Keith Miller or one of the other PS experts have some methods too. I say it's time to expand your PS and use Task Scheduler, like all the other things I've mentioned. – Vomit IT - Chunky Mess Style Jan 24 '21 at 03:46
  • Here's a link to one of, I'm sure, many with this sort of logic. By making Task Scheduler run the "task" I mean the PowerShell script on the local file system of the Windows machine you are running it on. https://superuser.com/questions/1486939/tasks-on-scheduler-wont-start-with-files-on-onedrive-sharepoint-powershell/1487707#1487707 Run the script with pwsh.exe rather than PowerShell.exe for PS7, I suppose, but use Task Scheduler to work around your issue with the sessions and elevations: execute the script logic that needs elevation as a Task Scheduler job. – Vomit IT - Chunky Mess Style Jan 24 '21 at 03:50
  • As far as "*is not recognized as the name~*"... `1.` Try not to use PS aliases (e.g. `%`) with a 3rd party tool and `2.` make sure a valid array is defined for the iteration of the loop, i.e. `"PrintWorkflowUserSvc","RmSvc","SCardSvr","SecurityHealthService","Sense","SgrmBroker","wscsvc" | ForEach-Object { $_ };` – Vomit IT - Chunky Mess Style Jan 24 '21 at 04:06
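
The two mechanics the question asks about (getting an array from the current session into a second pwsh process, and blocking until that process has exited) can be done without a temp file. The block below is an added example, not code from the question or its comments. It serializes the array as a PowerShell literal, embeds it in the child's script text, hands that text to the child with -EncodedCommand (Base64 of UTF-16LE, so no command-line quoting issues), and then waits for the exit code, once with Start-Process -Wait and once through PsExec. Assumptions: pwsh 7 is the current host and PsExec.exe is on PATH. One caveat that is a fact about PsExec rather than an assumption: `-s` runs the child as LocalSystem, not as TrustedInstaller, so keys whose ACL grants write access only to TrustedInstaller will still be denied; the exit code below reports that.

```powershell
# Added example (not from the original post): pass an array from this session into a second
# pwsh process, run commands there, and block until it exits.
# Assumed: pwsh 7 is the current host; PsExec.exe is on PATH (only the psexec branch needs it).

$TiSvc = @(
    'PrintWorkflowUserSvc'
    'RmSvc'
    'SCardSvr'
)

# 1. Serialize the array as a PowerShell array literal so it can be embedded in the child's text.
#    Single quotes inside a name are doubled so a value cannot break out of the literal.
$arrayLiteral = '@(' + (($TiSvc | ForEach-Object { "'" + ($_ -replace "'", "''") + "'" }) -join ',') + ')'

# 2. The script the child runs. Only $arrayLiteral is expanded here; every other `$ is escaped
#    so the child sees a normal $variable.
$childScript = @"
`$ErrorActionPreference = 'Stop'
`$failed = 0
foreach (`$svc in $arrayLiteral) {
    try {
        Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\`$svc" -Name Start -Type DWord -Value 4
    } catch {
        Write-Error "`${svc}: `$(`$_.Exception.Message)"
        `$failed++
    }
}
exit `$failed   # non-zero exit code = number of services whose Start value could not be changed
"@

# 3. -EncodedCommand expects Base64 of the UTF-16LE command text.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($childScript))

$PwSh = (Get-Process -Id $PID).Path

# 4a. Same account (elevated): Start-Process -Wait blocks until the child exits; -PassThru exposes ExitCode.
$proc = Start-Process -FilePath $PwSh `
    -ArgumentList '-NoProfile', '-NonInteractive', '-EncodedCommand', $encoded -Wait -PassThru
"child exited with code $($proc.ExitCode)"

# 4b. As LocalSystem via PsExec -s. PsExec waits for the child unless -d is given and
#     returns the child's exit code, which PowerShell exposes as $LASTEXITCODE.
& psexec.exe -accepteula -nobanner -s $PwSh -NoProfile -NonInteractive -EncodedCommand $encoded
"psexec returned $LASTEXITCODE"
```

The exit code is the part worth keeping: a child that prints an access-denied error but exits 0 would let the main script continue as if everything had been applied.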

1 Answer


Put whatever commands you want to run as TrustedInstaller in a text file in the same path as your script file, make sure PsExec.exe is in the Path, then use these commands:

$PwSh = (Get-Process -Id $PID).Path
psexec -S $PwSh -File $PSScriptRoot\tiworker.txt

This runs the commands that need TrustedInstaller privilege in another PowerShell process; that process exits automatically after execution completes, allowing the main script to continue.

Fixed a minor mistake that caused the PowerShell process to start without TrustedInstaller privilege.

The above method somehow didn't work properly: when I used it to run these commands:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WinDefend" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdBoot" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdFilter" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdNisDrv" -Name "Start" -Type DWord -Value 4
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\WdNisSvc" -Name "Start" -Type DWord -Value 4

I got the error:

Set-ItemProperty: Attempted to perform an unauthorized operation.

If I use reg add, I get:

ERROR: Access is denied.

However the commands before them all returned:

The operation completed successfully.

Specifically these commands:

Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender" -Name "DisableAntiSpyware" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender" -Name "DisableRoutinelyTakingAction" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender" -Name "ProductStatus" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableAntiSpywareRealtimeProtection" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Real-Time Protection" -Name "DisableRealtimeMonitoring" -Type DWord -Value 1
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Scan" -Name "AutomaticallyCleanAfterScan" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\Scan" -Name "ScheduleDay" -Type DWord -Value 8
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\UX Configuration" -Name "AllowNonAdminFunctionality" -Type DWord -Value 0
Set-ItemProperty -Path "HKLM:\Software\Microsoft\Windows Defender\UX Configuration" -Name "DisablePrivacyMode" -Type DWord -Value 1

When run as Administrator and not TrustedInstaller, each will return this error:

Set-ItemProperty: Requested registry access is not allowed.

When run using PsExec, this error will not be generated.

But this error:

Set-ItemProperty: Attempted to perform an unauthorized operation.

Will still be generated.

I guess this is because PsExec relies on remote stuff and I have disabled "Remote Assistance", "Remote Desktop" and "Remote Registry".

I used NSudoLC.exe and it successfully disabled Windows Defender without errors:

NSudoLC.exe -U:T -P:E $pwsh -file $home\desktop\tisvc.txt

When using NSudo, neither of the errors mentioned above is generated.

Ξένη Γήινος
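
The answer ends with two different error messages and a working NSudoLC command but no way to tell, before or after, why one launcher succeeded where the other failed. The block below is an added example, not code from the answer; it wraps the worker-file approach with the checks a practitioner would want. Before launching, it reads each service key's ACL with Get-Acl to show the owner and which identities hold SetValue (keys that grant SetValue only to NT SERVICE\TrustedInstaller are exactly the ones an Administrator or SYSTEM shell cannot write). After the worker has run, it re-reads the Start values rather than trusting that no error text appeared. Assumptions: the worker file is the caller's own .ps1 (pwsh's -File parameter rejects files without a .ps1 extension, so a .txt worker has to be renamed), NSudoLC.exe is on PATH, and the -Wait switch of NSudo Launcher 8.x is available so that NSudoLC blocks until pwsh exits; NSudo's -U:T (TrustedInstaller) and -P:E (enable all privileges) are the same switches the answer uses.

```powershell
# Added example (not from the original answer): inspect who may write each service key,
# run the caller's worker script with the TrustedInstaller token, then verify the result.
# Assumed: elevated pwsh 7; tiworker.ps1 next to this script; NSudoLC.exe on PATH with -Wait (NSudo 8.x).

$Services = 'WinDefend', 'WdBoot', 'WdFilter', 'WdNisDrv', 'WdNisSvc'
$Desired  = 4   # SERVICE_DISABLED

function Get-ServiceKeyAccess {
    param([Parameter(Mandatory)][string]$Name)
    $path = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $acl  = Get-Acl -Path $path
    # Identities explicitly allowed to write values on this key (FullControl includes SetValue).
    $writers = $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue)
        } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    [pscustomobject]@{
        Service        = $Name
        Owner          = $acl.Owner
        Writers        = $writers -join '; '
        AdminsCanWrite = $writers -contains 'BUILTIN\Administrators'
        Start          = (Get-ItemProperty -Path $path -Name Start).Start
    }
}

function Test-StartValue {
    param([string[]]$Names, [int]$Expected)
    foreach ($n in $Names) {
        $actual = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$n" `
                                    -Name Start -ErrorAction SilentlyContinue).Start
        [pscustomobject]@{ Service = $n; Expected = $Expected; Actual = $actual; Ok = ($actual -eq $Expected) }
    }
}

# Before: a key with AdminsCanWrite = False and Owner = NT SERVICE\TrustedInstaller is one that
# "Attempted to perform an unauthorized operation" refers to; admin or SYSTEM is not enough.
$Services | ForEach-Object { Get-ServiceKeyAccess -Name $_ } | Format-Table -AutoSize

# Run the worker under the TrustedInstaller token and block until pwsh exits.
$PwSh   = (Get-Process -Id $PID).Path
$Worker = Join-Path $PSScriptRoot 'tiworker.ps1'
& NSudoLC.exe -U:T -P:E -Wait $PwSh -NoProfile -NonInteractive -File $Worker

# After: verify each Start value instead of assuming success because no error was printed.
$result = Test-StartValue -Names $Services -Expected $Desired
$result | Format-Table -AutoSize
if ($result.Ok -contains $false) {
    Write-Warning 'Some Start values were not changed; check the Writers column above.'
}
```

Running Get-ServiceKeyAccess first is also the quickest way to separate the two errors the answer reports: "Requested registry access is not allowed" comes from keys where the current token lacks even the rights needed to open the key for writing, while "Attempted to perform an unauthorized operation" comes from a key that opened but whose ACL does not grant SetValue to the caller.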