RunAsTI - TrustedInstaller access rights while keeping HKCU loaded, with explorer support
supports Windows 7 - Windows 10 - Windows 11 release - Windows 11 dev

RunAsTI.reg context menu for folders, exe, msc, bat, cmd, reg - updated 2022.04.07
Code:
Windows Registry Editor Version 5.00
; Context Menu entries to use RunAsTI - lean and mean snippet by AveYo, 2018-2022
; [FEATURES]
; - innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile
; - sets ownership privileges, high priority, and explorer support; get System if TI unavailable
; - accepts special characters in paths for which default run as administrator fails
; - show on the new 11 contextmenu via whitelisted id; plenty other available, f**k needing an app!
; 2022.04.07: PowerShell / Terminal here (if installed, use Terminal as TI, else use PowerShell as TI)

[-HKEY_CLASSES_ROOT\RunAsTI]
[-HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\Directory\background\shell\extract]
; To remove entries, copy paste above into undo_RunAsTI.reg file, then import it

; RunAsTI on .bat
[HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .cmd
[HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .exe
[HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .msc
[HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .ps1
[HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% powershell -nop -c iex((gc -lit '%L')-join[char]10)"

; RunAsTI on .reg
[HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper]
"MUIVerb"="Import as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% regedit /s \"%L\""

; RunAsTI on Folder
[HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper]
"MuiVerb"="Open as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
"AppliesTo"="NOT System.ParsingName:=\"::{645FF040-5081-101B-9F08-00AA002F954E}\""
[HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; Open Terminal or Powershell as trustedinstaller here - can spawn another terminal with: cmd /c $env:wt
[HKEY_CLASSES_ROOT\Directory\background\shell\extract]
"MuiVerb"="PowerShell / Terminal"
"HasLUAShield"=""
"NoWorkingDirectory"=""
"Position"=-
"Position"="Middle"
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\Directory\background\shell\extract\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% cmd /c pushd \"%V\" & start \"RunAsTI\" %%wt%%"

; RunAsTI function
[HKEY_CLASSES_ROOT\RunAsTI]
"10"="function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key=\"Registry::HKU\\$(((whoami /user)-split' ')[-1])\\Volatile Environment\"; $code=@'"
"11"=" $I=[int32]; $M=$I.module.gettype(\"System.Runtime.Interop`Services.Mar`shal\"); $P=$I.module.gettype(\"System.Int`Ptr\"); $S=[string]"
"12"=" $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain.\"DefineDynami`cAssembly\"(1,1).\"DefineDynami`cModule\"(1); $Z=[uintptr]::size "
"13"=" 0..5|% {$D += $DM.\"Defin`eType\"(\"AveYo_$_\",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_].\"MakeByR`efType\"()}"
"14"=" $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)"
"15"=" 0..2|% {$9=$D[0].\"DefinePInvok`eMethod\"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}"
"16"=" $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)"
"17"=" 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\"Defin`eField\"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_].\"Creat`eType\"()}"
"18"=" 0..5|% {nv \"A$_\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0].\"G`etMethod\"($1).invoke(0,$2)}"
"19"=" $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}"
"20"=" if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}"
"21"=" function M ($1,$2,$3) {$M.\"G`etMethod\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \"AllocHG`lobal\" $I $_}"
"22"=" M \"WriteInt`Ptr\" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1"
"23"=" $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \"StructureTo`Ptr\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)"
"24"=" $Run=@($null, \"powershell -win 1 -nop -c iex `$env:R; # $id\", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))"
"25"=" F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process].\"GetM`ember\"('SetPrivilege',42)[0]"
"26"=" 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @(\"$_\",2))}"
"27"=" $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]"
"28"=" function L ($1,$2,$3) {sp 'Registry::HKCR\\AppID\\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0"
"29"=" $b=[Text.Encoding]::Unicode.GetBytes(\"\\Registry\\User\\$1\"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}"
"30"=" function Q {[int](gwmi win32_process -filter 'name=\"explorer.exe\"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}"
"31"=" $env:wt='powershell'; dir \"$env:ProgramFiles\\WindowsApps\\Microsoft.WindowsTerminal*\\wt.exe\" -rec|% {$env:wt='\"'+$_.FullName+'\" \"-d .\"'}"
"32"=" $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))"
"33"=" if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {$9=[Reflection.Assembly]::LoadWithPartialName(\"'$_\")}}"
"34"=" if ($11bug) {$path='^(l)'+$($cmd -replace '([\\+\\^\\%\\~\\(\\)\\[\\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}"
"35"=" L ($key-split'\\\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}"
"36"=" if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}"
"37"=" if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'"
"38"="'@; $V='';'cmd','arg','id','key'|%{$V+=\"`n`$$_='$($(gv $_ -val)-replace\"'\",\"''\")';\"}; sp $key $id $($V,$code) -type 7 -force -ea 0"
"39"=" start powershell -args \"-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R\" -verb runas"
"40"="}; $A=([environment]::commandline-split'-[-]%+ ?',2)[1]-split'\"([^\"]+)\"|([^ ]+)',2|%{$_.Trim(' \"')}; RunAsTI $A[1] $A[2]; # AveYo, 2022.04.07"

2022.01.16: added Open Powershell as trustedinstaller entry on directory background
2022.01.28: workaround for 11 release (22000) hindering explorer as TI; fix 7 args; fix non-breaking typo $path=$path=
2022.04.07: PowerShell / Terminal (if installed, use Terminal as TI, else use PowerShell as TI)

RunAsTI.bat with Send to right-click menu entry to launch files and folders as TI - updated 2022.01.28
Code:
@echo off& title RunAsTI - lean and mean snippet by AveYo, 2018-2022
goto :nfo
[FEATURES]
- innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile
- sets ownership privileges, high priority, and explorer support; get System if TI unavailable
- accepts special characters in paths for which default run as administrator fails
- adds Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer
[USAGE]
- First copy-paste RunAsTI snippet after .bat script content
- Then call it anywhere to launch programs with arguments as TI
call :RunAsTI regedit
call :RunAsTI powershell -noprofile -nologo -noexit -c [environment]::Commandline
call :RunAsTI cmd /k "whoami /all & color e0"
call :RunAsTI "C:\System Volume Information"
- Or just relaunch the script once if not already running as TI:
whoami /user | findstr /i /c:S-1-5-18 >nul || ( call :RunAsTI "%~f0" %* & exit /b )
2022.01.28: workaround for 11 release (22000) hindering explorer as TI; fix 7 args
:nfo

:::::::::::::::::::::::::
:: .bat script content ::
:::::::::::::::::::::::::

:: [optional] add Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer
set "0=%~f0"& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':SendTo\:.*')[1])& goto :SendTo:
$SendTo=[Environment]::GetFolderPath('ApplicationData')+'\Microsoft\Windows\SendTo\RunAsTI.bat'; $enc=[Text.Encoding]::UTF8
if ($env:0 -ne $SendTo) {[IO.File]::WriteAllLines($SendTo, [io.file]::ReadAllLines($env:0,$enc))}
:SendTo:

:: call RunAsTI snippet with default commandline args - if none provided, defaults to opening This PC as TI
call :RunAsTI %*
echo args: %*
::whoami
::timeout /t 7

:: done
exit /b

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: .bat script content end - copy-paste RunAsTI snippet ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

#:RunAsTI snippet to run as TI/System, with innovative HKCU load, ownership privileges, high priority, and explorer support
set ^ #=& set "0=%~f0"& set 1=%*& powershell -c iex(([io.file]::ReadAllText($env:0)-split'#\:RunAsTI .*')[1])& exit /b
function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key="Registry::HKU\$(((whoami /user)-split' ')[-1])\Volatile Environment"; $code=@'
 $I=[int32]; $M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal"); $P=$I.module.gettype("System.Int`Ptr"); $S=[string]
 $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1); $Z=[uintptr]::size
 0..5|% {$D += $DM."Defin`eType"("AveYo_$_",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_]."MakeByR`efType"()}
 $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)
 0..2|% {$9=$D[0]."DefinePInvok`eMethod"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
 $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k]."Defin`eField"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_]."Creat`eType"()}
 0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0]."G`etMethod"($1).invoke(0,$2)}
 $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}
 if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M ($1,$2,$3) {$M."G`etMethod"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M "AllocHG`lobal" $I $_}
 M "WriteInt`Ptr" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1
 $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)
 $Run=@($null, "powershell -win 1 -nop -c iex `$env:R; # $id", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))
 F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process]."GetM`ember"('SetPrivilege',42)[0]
 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @("$_",2))}
 $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]
 function L ($1,$2,$3) {sp 'HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0
 $b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}
 function Q {[int](gwmi win32_process -filter 'name="explorer.exe"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}
 $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))
 if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {[Reflection.Assembly]::LoadWithPartialName("'$_")}}
 if ($11bug) {$path='^(l)'+$($cmd -replace '([\+\^\%\~\(\)\[\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}
 L ($key-split'\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}
 if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}
 if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'
'@; $V='';'cmd','arg','id','key'|%{$V+="`n`$$_='$($(gv $_ -val)-replace"'","''")';"}; sp $key $id $($V,$code) -type 7 -force -ea 0
 start powershell -args "-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R" -verb runas
}; $A=$env:1-split'"([^"]+)"|([^ ]+)',2|%{$_.Trim(' "')}; RunAsTI $A[1] $A[2]; #:RunAsTI lean & mean snippet by AveYo, 2022.01.28

2022.01.28: workaround for 11 release (22000) hindering explorer as TI; fix 7 args; fix non-breaking typo $path=$path=

RunAsTI.ps1 or copy-paste function code in powershell console - updated 2022.01.28
Code:
$host.ui.RawUI.WindowTitle = 'RunAsTI - lean and mean snippet by AveYo, 2018-2022'
<#
[FEATURES]
- innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile
- sets ownership privileges, high priority, and explorer support; get System if TI unavailable
- accepts special characters in paths for which default run as administrator fails
- can copy-paste snippet directly in powershell console then use it manually
[USAGE]
- First copy-paste RunAsTI snippet before .ps1 script content
- Then call it anywhere after to launch programs with arguments as TI
RunAsTI regedit
RunAsTI powershell '-noprofile -nologo -noexit -c [environment]::Commandline'
RunAsTI cmd '/k "whoami /all & color e0"'
RunAsTI "C:\System Volume Information"
- Or just relaunch the script once if not already running as TI:
if (((whoami /user)-split' ')[-1]-ne'S-1-5-18') { RunAsTI powershell "-f $($MyInvocation.MyCommand.Path) $($args[0]) $($args[1..99])"; return }
2022.01.28: workaround for 11 release (22000) hindering explorer as TI
#>

#########################################################
# copy-paste RunAsTI snippet before .ps1 script content #
#########################################################

function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key="Registry::HKU\$(((whoami /user)-split' ')[-1])\Volatile Environment"; $code=@'
 $I=[int32]; $M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal"); $P=$I.module.gettype("System.Int`Ptr"); $S=[string]
 $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1); $Z=[uintptr]::size
 0..5|% {$D += $DM."Defin`eType"("AveYo_$_",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_]."MakeByR`efType"()}
 $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)
 0..2|% {$9=$D[0]."DefinePInvok`eMethod"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
 $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k]."Defin`eField"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_]."Creat`eType"()}
 0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0]."G`etMethod"($1).invoke(0,$2)}
 $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}
 if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M ($1,$2,$3) {$M."G`etMethod"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M "AllocHG`lobal" $I $_}
 M "WriteInt`Ptr" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1
 $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)
 $Run=@($null, "powershell -win 1 -nop -c iex `$env:R; # $id", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))
 F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process]."GetM`ember"('SetPrivilege',42)[0]
 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @("$_",2))}
 $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]
 function L ($1,$2,$3) {sp 'HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0
 $b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}
 function Q {[int](gwmi win32_process -filter 'name="explorer.exe"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}
 $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))
 if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {[Reflection.Assembly]::LoadWithPartialName("'$_")}}
 if ($11bug) {$path='^(l)'+$($cmd -replace '([\+\^\%\~\(\)\[\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}
 L ($key-split'\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}
 if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}
 if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'
'@; $V='';'cmd','arg','id','key'|%{$V+="`n`$$_='$($(gv $_ -val)-replace"'","''")';"}; sp $key $id $($V,$code) -type 7 -force -ea 0
 start powershell -args "-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R" -verb runas
} # lean & mean snippet by AveYo, 2022.01.28

#######################
# .ps1 script content #
#######################

# call RunAsTI snippet with default commandline args - if none provided, defaults to opening This PC as TI
RunAsTI $args[0] $args[1..99]
write-host args: $args
#$(whoami)
#timeout /t 7

# done
return

2022.01.28: workaround for 11 release (22000) hindering explorer as TI; fix 7 args; fix non-breaking typo $path=$path=

Q & A:
Q: what is the deal with the back`quotes?
A: to silence lame powershell keyword-based event-log warnings that include the whole snippet and slow down processing
Q: pretty sure reflection is used, single-letter vars for types, then.. any hints about those magic constants and arrays?
A: $Ai instance of $T type of $D structure of $DF fields; $D[4] StartupInfoEx, $D[3] StartupInfo, $D[2] lpAttribute.. $D[0] for pinvoke definitions; numbers mostly calling flags or premade struct sizes; check microsoft docs ^,^
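The Q&A above says the backticks are there to keep keyword-based PowerShell event-log warnings quiet; from the monitoring side that same trick is a signal in itself. The Python below is added here and is not AveYo's code: it joins backtick-split identifiers in a script block log entry before keyword matching and counts how many such splits there are. The watch-list and the sample script block (a few lines of the snippet above, as the ScriptBlockText of a 4104 event would carry them) are constructed for this example.

```python
import re

# Backtick escapes that Windows PowerShell 5.1 honours inside double-quoted strings.
# `e and `u arrived with PowerShell 6+; the page's snippets target 5.1 (powershell.exe),
# so those two are treated as plain letters here (assumption of this example).
PS51_ESCAPE_LETTERS = set("0abfnrtv")

# Identifiers the page's snippets split with backticks. This watch-list is an
# assumption of this example, not a Microsoft list; extend it to what your monitoring keys on.
WATCH_LIST = (
    "DefinePInvokeMethod", "DefineDynamicAssembly", "DefineDynamicModule",
    "DefineType", "DefineField", "CreateType", "MakeByRefType",
    "GetMethod", "GetMember", "SetPrivilege", "CreateProcess",
    "AllocHGlobal", "WriteIntPtr", "StructureToPtr", "Marshal",
)

# A backtick sitting between two letters: the identifier-splitting pattern the Q&A describes.
# Whether it is a real escape is decided per match against PS51_ESCAPE_LETTERS.
_SPLIT = re.compile(r"(?<=[A-Za-z])`([A-Za-z])")


def normalize(script: str) -> str:
    """Join backtick-split identifiers while leaving genuine escape sequences untouched."""
    return _SPLIT.sub(
        lambda m: m.group(0) if m.group(1) in PS51_ESCAPE_LETTERS else m.group(1),
        script,
    )


def split_identifier_count(script: str) -> int:
    """Count identifier-splitting backticks (a cheap indicator on its own)."""
    return sum(1 for m in _SPLIT.finditer(script) if m.group(1) not in PS51_ESCAPE_LETTERS)


def keywords_in(script: str) -> set:
    """Case-insensitive watch-list hits in the text exactly as given."""
    low = script.lower()
    return {w for w in WATCH_LIST if w.lower() in low}


def scan(script: str) -> dict:
    """Compare a naive keyword scan with the same scan after normalisation."""
    return {
        "raw": keywords_in(script),
        "normalized": keywords_in(normalize(script)),
        "split_identifiers": split_identifier_count(script),
    }


# Constructed sample: lines of the RunAsTI snippet as a 4104 ScriptBlockText field would carry them.
SAMPLE_SCRIPT_BLOCK = r"""$I=[int32]; $M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal"); $P=$I.module.gettype("System.Int`Ptr")
$DM=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1); $Z=[uintptr]::size
0..2|% {$9=$D[0]."DefinePInvok`eMethod"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
function F ($1,$2) {$T[0]."G`etMethod"($1).invoke(0,$2)}
$priv=[diagnostics.process]."GetM`ember"('SetPrivilege',42)[0]"""


if __name__ == "__main__":
    result = scan(SAMPLE_SCRIPT_BLOCK)
    print("raw keyword hits:        ", sorted(result["raw"]))
    print("after normalisation:     ", sorted(result["normalized"]))
    print("split identifiers found: ", result["split_identifiers"])
```

On the sample, the naive scan sees only the two names the snippet leaves intact inside single quotes; after normalisation the reflection and marshalling names surface as well, and the split count is a usable indicator even before any keyword matches.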
Reg_Own - change registry security via scripts supports Windows 7 - Windows 10 - Windows 11 release - Windows 11 dev reg_own.bat snippet showcase - updated 2022.01.15 Code: @echo off& color 07& title reg_own - lean and mean snippet by AveYo, 2018-2022 goto :nfo [FEATURES] - parameters after key are optional; if -owner if ommited, try to preserve existing - enable inherited rights / disable / delete entries with -recurse Inherit / Replace / Delete - add -list to show summary even when regedit fails; no low-level registry functions used - can copy-paste snippet directly in powershell (admin) console then use it manually [USAGE] - First copy-paste reg_own snippet after .bat script content - Then call it anywhere (after elevation) to change registry security: call :reg_own "key" -recurse Replace -user S-1-5-32-545 -owner S-1-1-0 -acc Allow -perm FullControl :nfo ::::::::::::::::::::::::: :: .bat script content :: ::::::::::::::::::::::::: :::: Define TI sid (TrustedInstaller) for /f "tokens=3" %%a in ('sc.exe showsid TrustedInstaller') do set TI=%%a >nul :::: Define USER sid before asking for elevation since it gets replaced for limited accounts if "%USER%"=="" for /f "tokens=2" %%u in ('whoami /user /fo list') do (set USER=%%u) :::: Ask for elevation passing USER and any batch arguments fltmc >nul || (set _=set USER=%USER%^& call "%~f0" %*& powershell -nop -c start cmd -args '/d/x/r',$env:_ -verb runas& exit) ::# lean xp+ color macros by AveYo: %<%:af " hello "%>>% & %<%:cf " w\"or\"ld "%>% for single \ / " use .%|%\ .%|%/ \"%|%\" for /f "delims=:" %%s in ('echo;prompt $h$s$h:^|cmd /d') do set "|=%%s"&set ">>=\..\c nul&set /p s=%%s%%s%%s%%s%%s%%s%%s<nul&popd" set "<=pushd "%public%"&2>nul findstr /c:\ /a" &set ">=%>>%&echo;" &set "|=%|:~0,1%" &set /p s=\<nul>"%public%\c" :: Setup a test key reg delete HKLM\SOFTWARE\REG_OWN /f >nul 2>nul& reg add HKLM\SOFTWARE\REG_OWN\DEL\ME\NOW /f >nul 2>nul & prompt $E >nul %<%:af " Allow FullControl from Administrators "%>>% & 
%<%:f0 " default, just this key "%>% echo;call :reg_own "HKEY_LOCAL_MACHINE\SOFTWARE\REG_OWN" -list call :reg_own "HKEY_LOCAL_MACHINE\SOFTWARE\REG_OWN" -list %<%:8f " Allow READ from Users "%>>% & %<%:f0 " recursive, enable inheritance [no -list to hide output] "%>% echo;call :reg_own "HKLM:\SOFTWARE\REG_OWN\DEL" -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey call :reg_own "HKLM:\SOFTWARE\REG_OWN\DEL" -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey echo; %<%:5f " Allow WriteKey from %%USER%% and set owner to SYSTEM "%>>% & %<%:f0 " just this key "%>% echo;call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -user %%USER%% -owner S-1-5-18 -acc Allow -perm WriteKey -list call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -user %USER% -owner S-1-5-18 -acc Allow -perm WriteKey -list %<%:cf " Deny changes from Everyone and set owner to TrustedInstaller "%>>% & %<%:f0 " recursive, disable inheritance "%>% set nochanges="SetValue,Delete,ChangePermissions,TakeOwnership" echo;call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -recurse Replace -user S-1-1-0 -owner %%TI%% -acc Deny -perm %nochanges% -list call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -recurse Replace -user S-1-1-0 -owner %TI% -acc Deny -perm %nochanges% -list echo; %<%:0e "TO WRITE LOCKED VALUES WHILE TRYING TO PRESERVE EXISTING OWNER AND RIGHTS I RECOMMEND THE FOLLOWING:"%>% echo; %<%:e0 "0. DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD FAIL NOW "%>% echo;reg add "HKLM\SOFTWARE\REG_OWN\DEL" /v somevalue /d somedata /f reg add "HKLM\SOFTWARE\REG_OWN\DEL" /v somevalue /d somedata /f echo; %<%:9e "1. Allow FullControl from Everyone "%>>% & %<%:f0 " recursive, disable inheritance "%>% echo;call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -recurse Replace -user S-1-1-0 -list call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -recurse Replace -user S-1-1-0 -list %<%:e0 "2. 
DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD SUCCEED NOW "%>% echo;reg add "HKLM\SOFTWARE\REG_OWN\DEL" /v somevalue /d somedata /f reg add "HKLM\SOFTWARE\REG_OWN\DEL" /v somevalue /d somedata /f echo; %<%:9e "3. Remove non-inherited rules from Everyone "%>>% & %<%:f0 " recursive, delete "%>% echo;call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -recurse Delete -user S-1-1-0 -list call :reg_own "HKLM\SOFTWARE\REG_OWN\DEL" -recurse Delete -user S-1-1-0 -list :: Delete test key reg delete HKLM\SOFTWARE\REG_OWN /f >nul 2>nul echo; %<%:bf " Done! "%>% choice /c EX1T exit /b :::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: .bat script content end - copy-paste reg_own snippet :: :::::::::::::::::::::::::::::::::::::::::::::::::::::::::: #:reg_own "HKCU\Key" -recurse Inherit / Replace / Delete -user S-1-5-32-545 -owner '' -acc Allow -perm ReadKey set ^ #=&set "0=%~f0"&set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split'#\:reg_own .*')[1]); # --%% %*&exit/b function reg_own { param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list ) $D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ember"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))} $reg=$key-split':?\\',2; $key=$reg-join'\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit'] $own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)} $r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)}; function _own($k,$l) { $t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)} $u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2) 
$c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0]) $c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own "$k\$i" $false}} if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])} $c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list }; iex "reg_own $(([environment]::get_CommandLine()-split'-[-]%+ ?')[1])" #:reg_own lean & mean snippet by AveYo, 2022.01.15 reg_own.ps1 or copy-paste function code in powershell (admin) console - updated 2022.01.15 Code: $host.ui.RawUI.WindowTitle = 'reg_own - lean and mean snippet by AveYo, 2018-2022' <# [FEATURES] - parameters after key are optional; if -owner if ommited, try to preserve existing - enable inherited rights / disable / delete entries with -recurse Inherit / Replace / Delete - add -list to show summary even when regedit fails; no low-level registry functions used - can copy-paste snippet directly in powershell (admin) console then use it manually [USAGE] - First copy-paste reg_own snippet before .ps1 script content - Then call it anywhere (after elevation) to change registry security: reg_own "key" -recurse Replace -user S-1-5-32-545 -owner S-1-1-0 -acc Allow -perm FullControl #> ######################################################### # copy-paste reg_own snippet before .ps1 script content # ######################################################### function reg_own { param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list ) $D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ember"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @("$_",2))} $reg=$key-split':?\\',2; 
$key=$reg-join'\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit']
$own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)}
$r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)}; function _own($k,$l) {
$t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)}
$u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2)
$c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0])
$c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own "$k\$i" $false}}
if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])}
$c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list
} # lean & mean snippet by AveYo, 2022.01.15

#######################
# .ps1 script content #
#######################

## Define TI sid (TrustedInstaller)
$TI = (sc.exe showsid TrustedInstaller)-split': '|?{$_-like'*S-1-*'}

## Define USER sid before asking for elevation since it gets replaced for limited accounts
if ($null -eq $USER) {$USER = ((whoami /user)-split' ')[-1]}

## Ask for elevation passing USER
$admin = fltmc; if ($LASTEXITCODE) {
$arg = "-nop -c `$USER='$USER'; iex((gc '$($MyInvocation.MyCommand.Path-replace'''','''''')')-join'`n')"
start powershell -verb runas -args $arg; exit
}

## Setup a test key
reg delete HKLM\SOFTWARE\REG_OWN /f >$null 2>$null; reg add HKLM\SOFTWARE\REG_OWN\DEL\ME\NOW /f >$null 2>$null; function prompt {}

write-host " Allow FullControl from Administrators " -back 0xa -fore 0xf -nonew
write-host " default, just this key " -back 0xf -fore 0x0
write-host "reg_own 'HKEY_LOCAL_MACHINE\SOFTWARE\REG_OWN' -list"
reg_own 'HKEY_LOCAL_MACHINE\SOFTWARE\REG_OWN' -list

write-host " Allow READ from Users " -back 0x8 -fore 0xf -nonew
write-host " recursive, enable inheritance [no -list to hide output] " -back 0xf -fore 0x0
write-host "reg_own 'HKLM:\SOFTWARE\REG_OWN\DEL' -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey"
reg_own 'HKLM:\SOFTWARE\REG_OWN\DEL' -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey
write-host

write-host " Allow WriteKey from `$USER and set owner to SYSTEM " -back 0xd -fore 0xf -nonew
write-host " just this key " -back 0xf -fore 0x0
write-host "reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -user `$USER -owner S-1-5-18 -acc Allow -perm WriteKey -list"
reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -user $USER -owner S-1-5-18 -acc Allow -perm WriteKey -list

write-host " Deny changes from Everyone and set owner to TrustedInstaller " -back 0xc -fore 0xf -nonew
write-host " recursive, disable inheritance " -back 0xf -fore 0x0
$nochanges = "SetValue,Delete,ChangePermissions,TakeOwnership"
write-host "reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -recurse Replace -user S-1-1-0 -owner `$TI -acc Deny -perm `$nochanges -list"
reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -recurse Replace -user S-1-1-0 -owner $TI -acc Deny -perm $nochanges -list
write-host

write-host "TO WRITE LOCKED VALUES WHILE TRYING TO PRESERVE EXISTING OWNER AND RIGHTS I RECOMMEND THE FOLLOWING:" -back 0x0 -fore 0xe
write-host

write-host "0. DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD FAIL NOW " -back 0xe -fore 0x0
write-host "reg add 'HKLM\SOFTWARE\REG_OWN\DEL' /v somevalue /d somedata /f"
reg add 'HKLM\SOFTWARE\REG_OWN\DEL' /v somevalue /d somedata /f
write-host

write-host "1. Allow FullControl from Everyone " -back 0x9 -fore 0xe -nonew
write-host " recursive, disable inheritance " -back 0xf -fore 0x0
write-host "reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -recurse Replace -user S-1-1-0 -list"
reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -recurse Replace -user S-1-1-0 -list

write-host "2. DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD SUCCEED NOW " -back 0xe -fore 0x0
write-host "reg add 'HKLM\SOFTWARE\REG_OWN\DEL' /v somevalue /d somedata /f"
reg add 'HKLM\SOFTWARE\REG_OWN\DEL' /v somevalue /d somedata /f
write-host

write-host "3. Remove non-inherited rules from Everyone " -back 0x9 -fore 0xe -nonew
write-host " recursive, delete " -back 0xf -fore 0x0
write-host "reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -recurse Delete -user S-1-1-0 -list"
reg_own 'HKLM\SOFTWARE\REG_OWN\DEL' -recurse Delete -user S-1-1-0 -list

## Delete test key
reg delete HKLM\SOFTWARE\REG_OWN /f >$null 2>$null
write-host
write-host " Done! "
choice /c EX1T
return
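Added example, not part of AveYo's snippet: a read-only check that reports what reg_own left on a key (owner, whether inheritance is blocked, and the explicit rules), so each step of the demo above can be verified. It uses only built-in cmdlets and accepts the same path forms the demo passes; the key name is the demo's own test key, which only exists while the demo is running.

```powershell
# Added example (not AveYo's code): summarise owner, inheritance state and explicit rules of a registry key.
# Built-in cmdlets only; path forms match the demo ('HKLM\SOFTWARE\REG_OWN\DEL', 'HKLM:\...', 'HKEY_LOCAL_MACHINE\...').
function Get-RegKeyAclSummary {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse   # walk subkeys too, mirroring reg_own -recurse
    )
    $map = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKCU = 'HKEY_CURRENT_USER'; HKCR = 'HKEY_CLASSES_ROOT'; HKU = 'HKEY_USERS' }
    $hive, $sub = ($Path -replace ':', '') -split '\\', 2
    if ($map.ContainsKey($hive)) { $hive = $map[$hive] }
    $lit = "Registry::$hive\$sub"
    $keys = @(Get-Item -LiteralPath $lit -ErrorAction Stop)
    if ($Recurse) { $keys += @(Get-ChildItem -LiteralPath $lit -Recurse -ErrorAction SilentlyContinue) }
    foreach ($k in $keys) {
        $acl = Get-Acl -LiteralPath "Registry::$($k.Name)"
        # Owner comes back as a name; resolve it to a SID so it can be compared with S-1-5-18, the TI sid, etc.
        try {
            $ownerSid = (New-Object Security.Principal.NTAccount($acl.Owner)).Translate([Security.Principal.SecurityIdentifier]).Value
        } catch { $ownerSid = '?' }
        # Only explicit rules matter here: reg_own adds and removes those; inherited ones come from the parent key
        $explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
        [pscustomobject]@{
            Key                = $k.Name
            Owner              = "$($acl.Owner) [$ownerSid]"
            InheritanceBlocked = $acl.AreAccessRulesProtected
            ExplicitDeny       = @($explicit | Where-Object { $_.AccessControlType -eq 'Deny' }).Count
            ExplicitRules      = ($explicit | ForEach-Object { "$($_.AccessControlType) $($_.IdentityReference): $($_.RegistryRights)" }) -join '; '
        }
    }
}

# The demo deletes its REG_OWN test key at the end, so call this between its steps (or on a key of your own).
# After the "Deny changes from Everyone" step you should see InheritanceBlocked=True, ExplicitDeny=1 on every key
# and TrustedInstaller as owner; after step 3 the Everyone rules are gone again.
Get-RegKeyAclSummary 'HKLM\SOFTWARE\REG_OWN\DEL' -Recurse | Format-List
```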
ToggleDefender - without it re-enabling itself at the worst moment
supports Windows 7 - Windows 10 - Windows 11 release - Windows 11 dev
NO LONGER WORKS WHEN TAMPER PROTECTION IS ON, SEE ANNOUNCEMENT
ToggleDefender.bat or ToggleDefender.ps1 or copy-paste code in powershell console - updated 2022.01.15
Code:
@(set "0=%~f0"^)#) & powershell -win 1 -nop -c iex([io.file]::ReadAllText($env:0)) & exit /b
## Toggle Defender, AveYo 2022.01.15
## changed: comment personal configuration tweaks
sp 'HKCU:\Volatile Environment' 'ToggleDefender' @'
if ($(sc.exe qc windefend) -like '*TOGGLE*') {$TOGGLE=7;$KEEP=6;$A='Enable';$S='OFF'}else{$TOGGLE=6;$KEEP=7;$A='Disable';$S='ON'}
## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)
if ($env:1 -ne 6 -and $env:1 -ne 7) {
$choice=(new-object -ComObject Wscript.Shell).Popup($A + ' Windows Defender?', 0, 'Defender is: ' + $S, 0x1033)
if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$TOGGLE} else {$env:1=$KEEP}
}
## Without the dialog prompt above will toggle automatically
if ($env:1 -ne 6 -and $env:1 -ne 7) { $env:1=$TOGGLE }
## Cascade elevation
$u=0;$w=whoami /groups;if($w-like'*1-5-32-544*'){$u=1};if($w-like'*1-16-12288*'){$u=2};if($w-like'*1-16-16384*'){$u=3}
## Comment to not hide per-user toggle notifications
$notif='HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance'
ni $notif -ea 0|out-null; ri $notif.replace('Settings','Current') -Recurse -Force -ea 0
sp $notif Enabled 0 -Type Dword -Force -ea 0; if ($TOGGLE -eq 7) {rp $notif Enabled -Force -ea 0}
## Comment to not relaunch systray icon
$L="$env:ProgramFiles\Windows Defender\MSASCuiL.exe"; if (!(test-path $L)) {$L='SecurityHealthSystray'}
if ($u -eq 2) {start $L -win 1}
## Reload from volatile registry as needed
$script='-win 1 -nop -c & {$AveYo='+"'`r`r"+' A LIMITED ACCOUNT PROTECTS YOU FROM UAC EXPLOITS '+"`r`r'"+';$env:1='+$env:1
$script+=';$k=@();$k+=gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0;iex($k[0].ToggleDefender)}'
$cmd='powershell '+$script; $env:__COMPAT_LAYER='Installer'
## 0: limited-user: must runas / 1: admin-user non-elevated: must runas [built-in lame uac bpass removed]
if ($u -lt 2) { start powershell -args $script -verb runas -win 1; break }
## 2: admin-user elevated: get ti/system via runasti lean and mean snippet [$window hide:0x0E080600 show:0x0E080610]
if ($u -eq 2) {
$A=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1);$D=@();0..5|%{$D+=$A."Defin`eType"('A'+$_, 1179913,[ValueType])} ;4,5|%{$D+=$D[$_]."MakeByR`efType"()} ;$I=[Int32];$J="Int`Ptr";$P=$I.module.GetType("System.$J"); $F=@(0)
$F+=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$P,$P,$P,$I,$I,$I,$I,$I,$I,$I,$I,[Int16],[Int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
$S=[String]; $9=$D[0]."DefinePInvok`eMethod"('CreateProcess',"kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[6],$D[7]),1,4)
1..5|%{$k=$_;$n=1;$F[$_]|%{$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}};$T=@();0..5|%{$T+=$D[$_]."CreateT`ype"();$Z=[uintptr]::size
nv ('T'+$_)([Activator]::CreateInstance($T[$_]))}; $H=$I.module.GetType("System.Runtime.Interop`Services.Mar`shal");
$WP=$H."GetMeth`od"("Write$J",[type[]]($J,$J)); $HG=$H."GetMeth`od"("AllocHG`lobal",[type[]]'int32'); $v=$HG.invoke($null,$Z)
'TrustedInstaller','lsass'|%{if(!$pn){net1 start $_ 2>&1 >$null;$pn=[Diagnostics.Process]::GetProcessesByName($_)[0];}}
$WP.invoke($null,@($v,$pn.Handle)); $SZ=$H."GetMeth`od"("SizeOf",[type[]]'type'); $T1.f1=131072; $T1.f2=$Z; $T1.f3=$v; $T2.f1=1
$T2.f2=1;$T2.f3=1;$T2.f4=1;$T2.f6=$T1;$T3.f1=$SZ.invoke($null,$T[4]);$T4.f1=$T3;$T4.f2=$HG.invoke($null,$SZ.invoke($null,$T[2]))
$H."GetMeth`od"("StructureTo`Ptr",[type[]]($D[2],$J,'boolean')).invoke($null,@(($T2-as $D[2]),$T4.f2,$false));$window=0x0E080600
$9=$T[0]."GetMeth`od"('CreateProcess').Invoke($null,@($null,$cmd,0,0,0,$window,0,$null,($T4-as $D[4]),($T5-as $D[5]))); break
}
## Cleanup
rp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0
## Create registry paths
$wdp='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
' Security Center\Notifications','\UX Configuration','\MpEngine','\Spynet','\Real-Time Protection' |% {ni ($wdp+$_)-ea 0|out-null}
## Toggle Defender
if ($env:1 -eq 7) {
## enable notifications
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' UILockdown -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' UILockdown -Force -ea 0
## enable shell smartscreen and set to warn
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' ShellSmartScreenLevel 'Warn' -Force -ea 0
## enable store smartscreen and set to warn
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost -ea 0 |% {
sp $_.PSPath 'EnableWebContentEvaluation' 1 -Type Dword -Force -ea 0
sp $_.PSPath 'PreventOverride' 0 -Type Dword -Force -ea 0
}
## enable chredge smartscreen + pua
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenEnabled -ea 0 |% { sp $_.PSPath '(Default)' 1 -Type Dword -Force -ea 0 }
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled -ea 0 |% { sp $_.PSPath '(Default)' 1 -Type Dword -Force -ea 0 }
## enable legacy edge smartscreen
ri 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' -Force -ea 0
## enable av
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableRealtimeMonitoring -Force -ea 0
rp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware -Force -ea 0
sc.exe config windefend depend= RpcSs
net1 start windefend
kill -Force -Name MpCmdRun -ea 0
start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-EnableService' -win 1
} else {
## disable notifications
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration' UILockdown 0 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender Security Center\Notifications' DisableNotifications 1 -Type Dword -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' Notification_Suppress 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender\UX Configuration' UILockdown 0 -Type Dword -Force -ea 0
## disable shell smartscreen and set to warn
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' EnableSmartScreen 0 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' ShellSmartScreenLevel 'Warn' -Force -ea 0
## disable store smartscreen and set to warn
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Windows\CurrentVersion\AppHost -ea 0 |% {
sp $_.PSPath 'EnableWebContentEvaluation' 0 -Type Dword -Force -ea 0
sp $_.PSPath 'PreventOverride' 0 -Type Dword -Force -ea 0
}
## disable chredge smartscreen + pua
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenEnabled -ea 0 |% { sp $_.PSPath '(Default)' 0 -Type Dword -Force -ea 0 }
gp Registry::HKEY_Users\S-1-5-21*\SOFTWARE\Microsoft\Edge\SmartScreenPuaEnabled -ea 0 |% { sp $_.PSPath '(Default)' 0 -Type Dword -Force -ea 0 }
## disable legacy edge smartscreen
sp 'HKLM:\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter' EnabledV9 0 -Type Dword -Force -ea 0
## disable av
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' DisableRealtimeMonitoring 1 -Type Dword -Force
sp 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' DisableAntiSpyware 1 -Type Dword -Force -ea 0
net1 stop windefend
sc.exe config windefend depend= RpcSs-TOGGLE
kill -Name MpCmdRun -Force -ea 0
start ($env:ProgramFiles+'\Windows Defender\MpCmdRun.exe') -Arg '-DisableService' -win 1
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\mpenginedb.db') -Force -ea 0
## Commented = keep scan history
del ($env:ProgramData+'\Microsoft\Windows Defender\Scans\History\Service') -Recurse -Force -ea 0
}
## PERSONAL CONFIGURATION TWEAK - COMMENT OR UNCOMMENT ENTRIES TO TWEAK OR REVERT
#sp $wdp DisableRoutinelyTakingAction 1 -Type Dword -Force -ea 0 ## Auto Actions off
#rp $wdp DisableRoutinelyTakingAction -Force -ea 0 ## Auto Actions ON [default]
#sp ($wdp+'\MpEngine') MpCloudBlockLevel 2 -Type Dword -Force -ea 0 ## Cloud blocking level HIGH
#rp ($wdp+'\MpEngine') MpCloudBlockLevel -Force -ea 0 ## Cloud blocking level low [default]
#sp ($wdp+'\Spynet') SpyNetReporting 2 -Type Dword -Force -ea 0 ## Cloud protection ADVANCED
#rp ($wdp+'\Spynet') SpyNetReporting -Force -ea 0 ## Cloud protection basic [default]
#sp ($wdp+'\Spynet') SubmitSamplesConsent 0 -Type Dword -Force -ea 0 ## Sample Submission ALWAYS-PROMPT
#rp ($wdp+'\Spynet') SubmitSamplesConsent -Force -ea 0 ## Sample Submission automatic [default]
#sp ($wdp+'\Real-Time Protection') RealtimeScanDirection 1 -Type Dword -Force -ea 0 ## Scan incoming file only
#rp ($wdp+'\Real-Time Protection') RealtimeScanDirection -Force -ea 0 ## Scan INCOMING, OUTGOING file [default]
#sp $wdp PUAProtection 1 -Type Dword -Force -ea 0 ## Potential Unwanted Apps on [policy]
#rp $wdp PUAProtection -Force -ea 0 ## Potential Unwanted Apps off [default]
#sp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' PUAProtection 1 -Type Dword -Force -ea 0 ## Potential Unwanted Apps ON [user]
#rp 'HKLM:\SOFTWARE\Microsoft\Windows Defender' PUAProtection -Force -ea 0 ## Potential Unwanted Apps off [default]
$env:1=$null # done!
'@ -Force -ea 0; $k=@();$k+=gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0;iex($k[0].ToggleDefender)
#-_-# hybrid script, can be pasted directly into powershell console
Run as Admin with native shell
any path, commandline arguments, loop guard, minimal i/o - no powershell or vbscript
Code:
:::: Run as Admin with native shell, any path, params, loop guard, minimal i/o, by AveYo
>nul reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%%2\" &call \"%%2\" %%3" &set _= %*
>nul fltmc || if "%f0%" neq "%~f0" ( cd.>"%tmp%\runas.Admin" &start "%~n0" /high "%tmp%\runas.Admin" "%~f0" "%_:"=""%" &exit /b )
initially posted here
If your script already uses powershell stuff, then I still advise elevating via powershell one-liner:
Code:
fltmc >nul || (set Admin=/x /d /c call "%~f0" %* & powershell -nop -c start cmd $env:Admin -verb runas; & exit /b)
Edge_Removal.bat
The harder it gets pushed, the less incentive to see it. Now with OpenWebSearch innovative redirect
Code:
@(set "0=%~f0"^)#) & powershell -nop -c iex([io.file]::ReadAllText($env:0)) & exit /b
#:: double-click to run or just copy-paste into powershell - it's a standalone hybrid script
sp 'HKCU:\Volatile Environment' 'Edge_Removal' @'
$also_remove_webview = 1
$host.ui.RawUI.WindowTitle = 'Edge Removal - AveYo, 2022.10.03'
## targets
$remove_win32 = @("Microsoft Edge","Microsoft Edge Update"); $remove_appx = @("MicrosoftEdge")
if ($also_remove_webview -eq 1) {$remove_win32 += "Microsoft EdgeWebView"; $remove_appx += "Win32WebViewHost"}
## enable admin privileges
$D1=[uri].module.gettype('System.Diagnostics.Process')."GetM`ethods"(42) |where {$_.Name -eq 'SetPrivilege'} #`:no-ev-warn
'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege'|foreach {$D1.Invoke($null, @("$_",2))}
## set useless policies
foreach ($p in 'HKLM\SOFTWARE\Policies','HKLM\SOFTWARE') {
cmd /c "reg add ""$p\Microsoft\EdgeUpdate"" /f /v InstallDefault /d 0 /t reg_dword >nul 2>nul"
cmd /c "reg add ""$p\Microsoft\EdgeUpdate"" /f /v Install{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} /d 0 /t reg_dword >nul 2>nul"
cmd /c "reg add ""$p\Microsoft\EdgeUpdate"" /f /v Install{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5} /d 1 /t reg_dword >nul 2>nul"
cmd /c "reg add ""$p\Microsoft\EdgeUpdate"" /f /v DoNotUpdateToEdgeWithChromium /d 1 /t reg_dword >nul 2>nul"
}
## clear win32 uninstall block
foreach ($hk in 'HKCU','HKLM') {foreach ($wow in '','\Wow6432Node') {foreach ($i in $remove_win32) {
cmd /c "reg delete ""$hk\SOFTWARE${wow}\Microsoft\Windows\CurrentVersion\Uninstall\$i"" /f /v NoRemove >nul 2>nul"
}}}
## find all Edge setup.exe and gather BHO paths
$setup = @(); $bho = @(); $bho += "$env:ProgramData\ie_to_edge_stub.exe"; $bho += "$env:Public\ie_to_edge_stub.exe"
"LocalApplicationData","ProgramFilesX86","ProgramFiles" |foreach {
$setup += dir $($([Environment]::GetFolderPath($_)) + '\Microsoft\Edge*\setup.exe') -rec -ea 0
$bho += dir $($([Environment]::GetFolderPath($_)) + '\Microsoft\Edge*\ie_to_edge_stub.exe') -rec -ea 0
}
## shut edge down
foreach ($p in 'MicrosoftEdgeUpdate','chredge','msedge','edge','msedgewebview2','Widgets') { kill -name $p -force -ea 0 }
## use dedicated C:\Scripts path due to Sigma rules FUD
$DIR = "$env:SystemDrive\Scripts"; $null = mkdir $DIR -ea 0
## export OpenWebSearch innovative redirector
foreach ($b in $bho) { if (test-path $b) { try {copy $b "$DIR\ie_to_edge_stub.exe" -force -ea 0} catch{} } }
## clear appx uninstall block and remove
$provisioned = get-appxprovisionedpackage -online; $appxpackage = get-appxpackage -allusers
$store = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore'; $store_reg = $store.replace(':','')
$users = @('S-1-5-18'); if (test-path $store) {$users += $((dir $store |where {$_ -like '*S-1-5-21*'}).PSChildName)}
foreach ($choice in $remove_appx) { if ('' -eq $choice.Trim()) {continue}
foreach ($appx in $($provisioned |where {$_.PackageName -like "*$choice*"})) {
$PackageFamilyName = ($appxpackage |where {$_.Name -eq $appx.DisplayName}).PackageFamilyName; $PackageFamilyName
cmd /c "reg add ""$store_reg\Deprovisioned\$PackageFamilyName"" /f >nul 2>nul"
cmd /c "dism /online /remove-provisionedappxpackage /packagename:$($appx.PackageName) >nul 2>nul"
#powershell -nop -c remove-appxprovisionedpackage -packagename "'$($appx.PackageName)'" -online 2>&1 >''
}
foreach ($appx in $($appxpackage |where {$_.PackageFullName -like "*$choice*"})) {
$inbox = (gp "$store\InboxApplications\*$($appx.Name)*" Path).PSChildName
$PackageFamilyName = $appx.PackageFamilyName; $PackageFullName = $appx.PackageFullName; $PackageFullName
foreach ($app in $inbox) {cmd /c "reg delete ""$store_reg\InboxApplications\$app"" /f >nul 2>nul" }
cmd /c "reg add ""$store_reg\Deprovisioned\$PackageFamilyName"" /f >nul 2>nul"
foreach ($sid in $users) {cmd /c "reg add ""$store_reg\EndOfLife\$sid\$PackageFullName"" /f >nul 2>nul"}
cmd /c "dism /online /set-nonremovableapppolicy /packagefamily:$PackageFamilyName /nonremovable:0 >nul 2>nul"
powershell -nop -c "remove-appxpackage -package '$PackageFullName' -AllUsers" 2>&1 >''
foreach ($sid in $users) {cmd /c "reg delete ""$store_reg\EndOfLife\$sid\$PackageFullName"" /f >nul 2>nul"}
}
}
## shut edge down, again
foreach ($p in 'MicrosoftEdgeUpdate','chredge','msedge','edge','msedgewebview2','Widgets') { kill -name $p -force -ea 0 }
## brute-run found Edge setup.exe with uninstall args
$purge = '--uninstall --system-level --force-uninstall'
if ($also_remove_webview -eq 1) { foreach ($s in $setup) { try{ start -wait $s -args "--msedgewebview $purge" } catch{} } }
foreach ($s in $setup) { try{ start -wait $s -args "--msedge $purge" } catch{} }
## prevent latest cumulative update (LCU) failing due to non-matching EndOfLife Edge entries
foreach ($i in $remove_appx) {
dir "$store\EndOfLife" -rec -ea 0 |where {$_ -like "*${i}*"} |foreach {cmd /c "reg delete ""$($_.Name)"" /f >nul 2>nul"}
dir "$store\Deleted\EndOfLife" -rec -ea 0 |where {$_ -like "*${i}*"} |foreach {cmd /c "reg delete ""$($_.Name)"" /f >nul 2>nul"}
}
## extra cleanup
$desktop = $([Environment]::GetFolderPath('Desktop')); $appdata = $([Environment]::GetFolderPath('ApplicationData'))
del "$appdata\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Tombstones\Microsoft Edge.lnk" -force -ea 0
del "$appdata\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk" -force -ea 0
del "$desktop\Microsoft Edge.lnk" -force -ea 0
## add OpenWebSearch to redirect microsoft-edge: anti-competitive links to the default browser
$IFEO = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$MSEP = ($env:ProgramFiles,${env:ProgramFiles(x86)})[[Environment]::Is64BitOperatingSystem] + '\Microsoft\Edge\Application'
$MIN = ('--headless','--width 1 --height 1')[([environment]::OSVersion.Version.Build) -gt 25179]
$CMD = "$env:systemroot\system32\conhost.exe $MIN" # AveYo: minimize prompt - see Terminal issue #13914
cmd /c "reg add HKCR\microsoft-edge /f /ve /d URL:microsoft-edge >nul"
cmd /c "reg add HKCR\microsoft-edge /f /v ""URL Protocol"" /d """" >nul"
cmd /c "reg add HKCR\microsoft-edge /f /v NoOpenWith /d """" >nul"
cmd /c "reg add HKCR\microsoft-edge\shell\open\command /f /ve /d ""$DIR\ie_to_edge_stub.exe %1"" >nul"
cmd /c "reg add HKCR\MSEdgeHTM /f /v NoOpenWith /d """" >nul"
cmd /c "reg add HKCR\MSEdgeHTM\shell\open\command /f /ve /d ""$DIR\ie_to_edge_stub.exe %1"" >nul"
cmd /c "reg add ""$IFEO\ie_to_edge_stub.exe"" /f /v UseFilter /d 1 /t reg_dword >nul >nul"
cmd /c "reg add ""$IFEO\ie_to_edge_stub.exe\0"" /f /v FilterFullPath /d ""$DIR\ie_to_edge_stub.exe"" >nul"
cmd /c "reg add ""$IFEO\ie_to_edge_stub.exe\0"" /f /v Debugger /d ""$CMD $DIR\OpenWebSearch.cmd"" >nul"
cmd /c "reg add ""$IFEO\msedge.exe"" /f /v UseFilter /d 1 /t reg_dword >nul"
cmd /c "reg add ""$IFEO\msedge.exe\0"" /f /v FilterFullPath /d ""$MSEP\msedge.exe"" >nul"
cmd /c "reg add ""$IFEO\msedge.exe\0"" /f /v Debugger /d ""$CMD $DIR\OpenWebSearch.cmd"" >nul"
$OpenWebSearch = @$
@title OpenWebSearch Redux & echo off & set ?= open start menu web search, widgets links or help in your chosen browser - by AveYo
for /f %%E in ('"prompt $E$S& for %%e in (1) do rem"') do echo;%%E[2t 2>nul & rem AveYo: minimize prompt
call :reg_var "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" ProgID ProgID
if /i "%ProgID%" equ "MSEdgeHTM" echo;Default browser is set to Edge! Change it or remove OpenWebSearch script. & pause & exit /b
call :reg_var "HKCR\%ProgID%\shell\open\command" "" Browser
set Choice=& for %%. in (%Browser%) do if not defined Choice set "Choice=%%~."
call :reg_var "HKCR\MSEdgeMHT\shell\open\command" "" FallBack
set "Edge=" & for %%. in (%FallBack%) do if not defined Edge set "Edge=%%~."
set "URI=" & set "URL=" & set "NOOP=" & set "PassTrough=%Edge:msedge=edge%"
set "CLI=%CMDCMDLINE:"=``% "
if defined CLI set "CLI=%CLI:*ie_to_edge_stub.exe`` =%"
if defined CLI set "CLI=%CLI:*ie_to_edge_stub.exe =%"
if defined CLI set "CLI=%CLI:*msedge.exe`` =%"
if defined CLI set "CLI=%CLI:*msedge.exe =%"
set "FIX=%CLI:~-1%"
if defined CLI if "%FIX%"==" " set "CLI=%CLI:~0,-1%"
if defined CLI set "RED=%CLI:microsoft-edge=%"
if defined CLI set "URL=%CLI:http=%"
if defined CLI set "ARG=%CLI:``="%"
if "%CLI%" equ "%RED%" (set NOOP=1) else if "%CLI%" equ "%URL%" (set NOOP=1)
if defined NOOP if exist "%PassTrough%" start "" "%PassTrough%" %ARG%
if defined NOOP exit /b
set "URL=%CLI:*microsoft-edge=%"
set "URL=http%URL:*http=%"
set "FIX=%URL:~-2%"
if defined URL if "%FIX%"=="``" set "URL=%URL:~0,-2%"
call :dec_url
start "" "%Choice%" "%URL%"
exit
:reg_var [USAGE] call :reg_var "HKCU\Volatile Environment" value-or-"" variable [extra options]
set {var}=& set {reg}=reg query "%~1" /v %2 /z /se "," /f /e& if %2=="" set {reg}=reg query "%~1" /ve /z /se "," /f /e
for /f "skip=2 tokens=* delims=" %%V in ('%{reg}% %4 %5 %6 %7 %8 %9 2^>nul') do if not defined {var} set "{var}=%%V"
if not defined {var} (set {reg}=& set "%~3="& exit /b) else if %2=="" set "{var}=%{var}:*) =%"& rem AveYo: v3
if not defined {var} (set {reg}=& set "%~3="& exit /b) else set {reg}=& set "%~3=%{var}:*) =%"& set {var}=& exit /b
:dec_url brute url percent decoding by AveYo
set ".=%URL:!=}%"&setlocal enabledelayedexpansion& rem brute url percent decoding
set ".=!.:%%={!" &set ".=!.:{3A=:!" &set ".=!.:{2F=/!" &set ".=!.:{3F=?!" &set ".=!.:{23=#!" &set ".=!.:{5B=[!" &set ".=!.:{5D=]!"
set ".=!.:{40=@!"&set ".=!.:{21=}!" &set ".=!.:{24=$!" &set ".=!.:{26=&!" &set ".=!.:{27='!" &set ".=!.:{28=(!" &set ".=!.:{29=)!"
set ".=!.:{2A=*!"&set ".=!.:{2B=+!" &set ".=!.:{2C=,!" &set ".=!.:{3B=;!" &set ".=!.:{3D==!" &set ".=!.:{25=%%!"&set ".=!.:{20= !"
set ".=!.:{=%%!" &rem set ",=!.:%%=!" & if "!,!" neq "!.!" endlocal& set "URL=%.:}=!%" & call :dec_url
endlocal& set "URL=%.:}=!%" & exit /b
rem done
$@
[io.file]::WriteAllText("$DIR\OpenWebSearch.cmd", $OpenWebSearch) >''
## cleanup
$cleanup = gp 'Registry::HKEY_Users\S-1-5-21*\Volatile*' Edge_Removal -ea 0
if ($cleanup) {rp $cleanup.PSPath Edge_Removal -force -ea 0}
function global:getfirefox {
$ffsetup='https://download.mozilla.org/?product=firefox-latest&os=win'; $firefox="$([Environment]::GetFolderPath('Desktop'))\FirefoxSetup.exe"; Invoke-WebRequest $ffsetup -OutFile $firefox; start $firefox
}
$getfirefox = "$([char]27)[38;2;255;165;0m getfirefox "
write-host -nonew -fore green -back black "`n EDGE REMOVED! NEED ANOTHER BROWSER? ENTER:"; write-host -back black "$getfirefox"
## ask to run script as admin
'@.replace("$@","'@").replace("@$","@'") -force -ea 0;
$A = '-nop -noe -c & {iex((gp ''Registry::HKEY_Users\S-1-5-21*\Volatile*'' Edge_Removal -ea 0)[0].Edge_Removal)}'
start powershell -args $A -verb runas
$_Press_Enter
#:: https://github.com/AveYo/fox/blob/main/Edge_Removal.bat

edit: include the full ChrEdgeFkOff v4 so that redirecting still works after a new build update that adds back Edge
update 2022.06.21:
- fix visual studio not being allowed to install webview2 (the irony..)
update 2022.08.17:
- fix ChrEdgeFkOff.vbs export
update 2022.08.19:
- workaround for PoS Defender ultra-lame False Positive
that means vbs-less, cmd window will briefly flash
- fix ChrEdgeFkOff reg entries so it works out-of-the-box
update 2022.08.20:
- the monster strikes again: cmd window briefly flash - no more
update 2022.08.21:
- open /WS/redirect/ search results directly
- revised dec_url64 snippet for speed
update 2022.08.22:
- switched hybrid script layout
- using only the bare minimum ChrEdgeFkOff
update 2022.08.23: stable
- retired dec_url64
update 2022.10.02:
- extra cleanup; use rebranded OpenWebSearch
update 2022.10.03: Redux
- use C:\Scripts to save the script (due to Sigma rules FUD)
- include OpenWebSearch Redux

OpenWebSearch Redux
innovative redirect microsoft-edge: anti-competitive links to the default browser, even if Edge is uninstalled!
Code:
@(set '(=)||' <# lean and mean cmd / powershell hybrid #> @'
::# OpenWebSearch Redux - open desktop & start menu web search, widgets links or help in your chosen default browser - by AveYo
::# if Edge is already removed, try installing Edge Stable, then remove it via Edge_Removal.bat
@echo off & title OpenWebSearch || AveYo 2022.10.03 yes, this is a rebrand of ChrEdgeFkOff
::# elevate with native shell by AveYo
>nul reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%%2\"& call \"%%2\" %%3"& set _= %*
>nul fltmc|| if "%f0%" neq "%~f0" (cd.>"%temp%\runas.Admin" & start "%~n0" /high "%temp%\runas.Admin" "%~f0" "%_:"=""%" & exit /b)
::# lean xp+ color macros by AveYo: %<%:af " hello "%>>% & %<%:cf " w\"or\"ld "%>% for single \ / " use .%|%\ .%|%/ \"%|%\"
for /f "delims=:" %%s in ('echo;prompt $h$s$h:^|cmd /d') do set "|=%%s"&set ">>=\..\c nul&set /p s=%%s%%s%%s%%s%%s%%s%%s<nul&popd"
set "<=pushd "%appdata%"&2>nul findstr /c:\ /a" &set ">=%>>%&echo;" &set "|=%|:~0,1%" &set /p s=\<nul>"%appdata%\c"
::# use dedicated C:\Scripts path due to Sigma rules FUD
for %%W in ("%SystemDrive%\Scripts") do set DIR=%%~W& mkdir %%W >nul 2>nul
::# toggle when launched without arguments, else jump to arguments: "install" or "remove"
set CLI=%*&(set IFEO=HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options&set MSE=&set BHO=&set ProgID=)
call :reg_var "HKCR\MSEdgeMHT\shell\open\command" "" ProgID
for %%. in (%ProgID%) do if not defined MSE set "MSE=%%~."& set "MSEPath=%%~dp."
set "PF=(x86)" & if "%PROCESSOR_ARCHITECTURE:~-2%" equ "86" if not defined PROCESSOR_ARCHITEW6432 set "PF="
if not defined MSEPath call set "MSEPath=%%ProgramFiles%PF%%%\Microsoft\Edge\Application\"
if not defined MSE set "MSE=%MSEPath%msedge.exe"
if /i "%CLI%"=="" reg query "%IFEO%\ie_to_edge_stub.exe\0" /v Debugger >nul 2>nul && goto remove || goto install
if /i "%~1"=="install" (goto install) else if /i "%~1"=="remove" goto remove
:install
if defined MSEPath for /f "delims=" %%W in ('dir /o:D /b /s "%MSEPath%*ie_to_edge_stub.exe" 2^>nul') do set "BHO=%%~fW"
if not exist "%MSEPath%edge.exe" if exist "%MSE%" mklink /h "%MSEPath%edge.exe" "%MSE%" >nul
for %%W in (ie_to_edge_stub.exe) do if exist "%ProgramData%\%%W" copy /y "%ProgramData%\%%W" "%DIR%\" >nul 2>nul
for %%W in (ie_to_edge_stub.exe) do if exist "%Public%\%%W" copy /y "%Public%\%%W" "%DIR%\" >nul 2>nul
if defined BHO copy /y "%BHO%" "%DIR%\ie_to_edge_stub.exe" >nul 2>nul
call :export OpenWebSearch_cmd > "%DIR%\OpenWebSearch.cmd"
set MIN=--headless& for /f "tokens=6 delims=[]. " %%b in ('ver') do if %%b gtr 25179 set MIN=--width 1 --height 1
set CMD=%systemroot%\system32\conhost.exe %MIN%& rem AveYo: minimize prompt - see Terminal issue #13914
reg add "HKCR\microsoft-edge" /f /ve /d URL:microsoft-edge >nul
reg add "HKCR\microsoft-edge" /f /v "URL Protocol" /d "" >nul
reg add "HKCR\microsoft-edge" /f /v "NoOpenWith" /d "" >nul
reg add "HKCR\microsoft-edge\shell\open\command" /f /ve /d "%DIR%\ie_to_edge_stub.exe %%1" >nul
reg add "HKCR\MSEdgeHTM" /f /v "NoOpenWith" /d "" >nul
reg add "HKCR\MSEdgeHTM\shell\open\command" /f /ve /d "%DIR%\ie_to_edge_stub.exe %%1" >nul
reg add "%IFEO%\ie_to_edge_stub.exe" /f /v UseFilter /d 1 /t reg_dword >nul >nul
reg add "%IFEO%\ie_to_edge_stub.exe\0" /f /v FilterFullPath /d "%DIR%\ie_to_edge_stub.exe" >nul
reg add "%IFEO%\ie_to_edge_stub.exe\0" /f /v Debugger /d "%CMD% %DIR%\OpenWebSearch.cmd" >nul
reg add "%IFEO%\msedge.exe" /f /v UseFilter /d 1 /t reg_dword >nul
reg add "%IFEO%\msedge.exe\0" /f /v FilterFullPath /d "%MSE%" >nul
reg add "%IFEO%\msedge.exe\0" /f /v Debugger /d "%CMD% %DIR%\OpenWebSearch.cmd" >nul
if "%CLI%" neq "" exit /b
echo;& %<%:f0 " OpenWebSearch Redux "%>>% & %<%:2f " INSTALLED "%>>% & %<%:f0 " run again to remove "%>%
timeout /t 7
exit /b
:remove
del /f /q "%DIR%\OpenWebSearch.*" "%MSEPath%edge.exe" "%ProgramData%\ChrEdgeFkOff.*" "%MSEPath%chredge.exe" >nul 2>nul
reg delete HKCR\microsoft-edge /f /v "NoOpenWith" >nul 2>nul
reg add HKCR\microsoft-edge\shell\open\command /f /ve /d "\"%MSE%\" --single-argument %%1" >nul
reg delete HKCR\MSEdgeHTM /f /v "NoOpenWith" >nul 2>nul
reg add HKCR\MSEdgeHTM\shell\open\command /f /ve /d "\"%MSE%\" --single-argument %%1" >nul
reg delete "%IFEO%\ie_to_edge_stub.exe" /f >nul 2>nul
reg delete "%IFEO%\msedge.exe" /f >nul 2>nul
if "%CLI%" neq "" exit /b
echo;& %<%:f0 " OpenWebSearch Redux "%>>% & %<%:df " REMOVED "%>>% & %<%:f0 " run again to install "%>%
timeout /t 7
exit /b
:export: [USAGE] call :export NAME
setlocal enabledelayedexpansion || Prints all text between lines starting with :NAME:[ and :NAME:] - A pure batch snippet by AveYo
set [=&for /f "delims=:" %%s in ('findstr /nbrc:":%~1:\[" /c:":%~1:\]" "%~f0"')do if defined [ (set /a ]=%%s-3)else set /a [=%%s-1
<"%~f0" ((for /l %%i in (0 1 %[%) do set /p =)&for /l %%i in (%[% 1 %]%) do (set txt=&set /p txt=&echo(!txt!)) &endlocal &exit /b
:OpenWebSearch_cmd:[
@title OpenWebSearch Redux & echo off & set ?= open start menu web search, widgets links or help in your chosen browser - by AveYo
for /f %%E in ('"prompt $E$S& for %%e in (1) do rem"') do echo;%%E[2t 2>nul & rem AveYo: minimize prompt
call :reg_var "HKCU\SOFTWARE\Microsoft\Windows\Shell\Associations\UrlAssociations\https\UserChoice" ProgID ProgID
if /i "%ProgID%" equ "MSEdgeHTM" echo;Default browser is set to Edge! Change it or remove OpenWebSearch script. & pause & exit /b
call :reg_var "HKCR\%ProgID%\shell\open\command" "" Browser
set Choice=& for %%. in (%Browser%) do if not defined Choice set "Choice=%%~."
call :reg_var "HKCR\MSEdgeMHT\shell\open\command" "" FallBack
set "Edge=" & for %%. in (%FallBack%) do if not defined Edge set "Edge=%%~."
set "URI=" & set "URL=" & set "NOOP=" & set "PassTrough=%Edge:msedge=edge%"
set "CLI=%CMDCMDLINE:"=``% "
if defined CLI set "CLI=%CLI:*ie_to_edge_stub.exe`` =%"
if defined CLI set "CLI=%CLI:*ie_to_edge_stub.exe =%"
if defined CLI set "CLI=%CLI:*msedge.exe`` =%"
if defined CLI set "CLI=%CLI:*msedge.exe =%"
set "FIX=%CLI:~-1%"
if defined CLI if "%FIX%"==" " set "CLI=%CLI:~0,-1%"
if defined CLI set "RED=%CLI:microsoft-edge=%"
if defined CLI set "URL=%CLI:http=%"
if defined CLI set "ARG=%CLI:``="%"
if "%CLI%" equ "%RED%" (set NOOP=1) else if "%CLI%" equ "%URL%" (set NOOP=1)
if defined NOOP if exist "%PassTrough%" start "" "%PassTrough%" %ARG%
if defined NOOP exit /b
set "URL=%CLI:*microsoft-edge=%"
set "URL=http%URL:*http=%"
set "FIX=%URL:~-2%"
if defined URL if "%FIX%"=="``" set "URL=%URL:~0,-2%"
call :dec_url
start "" "%Choice%" "%URL%"
exit
:reg_var [USAGE] call :reg_var "HKCU\Volatile Environment" value-or-"" variable [extra options]
set {var}=& set {reg}=reg query "%~1" /v %2 /z /se "," /f /e& if %2=="" set {reg}=reg query "%~1" /ve /z /se "," /f /e
for /f "skip=2 tokens=* delims=" %%V in ('%{reg}% %4 %5 %6 %7 %8 %9 2^>nul') do if not defined {var} set "{var}=%%V"
if not defined {var} (set {reg}=& set "%~3="& exit /b) else if %2=="" set "{var}=%{var}:*) =%"& rem AveYo: v3
if not defined {var} (set {reg}=& set "%~3="& exit /b) else set {reg}=& set "%~3=%{var}:*) =%"& set {var}=& exit /b
:dec_url brute url percent decoding by AveYo
set ".=%URL:!=}%"&setlocal enabledelayedexpansion& rem brute url percent decoding
set ".=!.:%%={!" &set ".=!.:{3A=:!" &set ".=!.:{2F=/!" &set ".=!.:{3F=?!" &set ".=!.:{23=#!" &set ".=!.:{5B=[!" &set ".=!.:{5D=]!"
set ".=!.:{40=@!"&set ".=!.:{21=}!" &set ".=!.:{24=$!" &set ".=!.:{26=&!" &set ".=!.:{27='!" &set ".=!.:{28=(!" &set ".=!.:{29=)!"
set ".=!.:{2A=*!"&set ".=!.:{2B=+!" &set ".=!.:{2C=,!" &set ".=!.:{3B=;!" &set ".=!.:{3D==!" &set ".=!.:{25=%%!"&set ".=!.:{20= !"
set ".=!.:{=%%!" &rem set ",=!.:%%=!" & if "!,!" neq "!.!" endlocal& set "URL=%.:}=!%" & call :dec_url
endlocal& set "URL=%.:}=!%" & exit /b
rem done
:OpenWebSearch_cmd:]
'@); $0 = "$env:temp\OpenWebSearch.cmd"; ${(=)||} -split "\r?\n" | out-file $0 -encoding default -force; & $0 # press enter

https://github.com/AveYo/fox/blob/main/OpenWebSearch.cmd
Works in latest 11
Some Settings app links will not open due to MS sneaky hard-coded IFEO escape via sihost.
Once again, a solution that works with Edge fully uninstalled! (if done via Edge_Removal.bat)
If Edge was already uninstalled / not included in the setup media, install Edge Stable, then remove it via Edge_Removal.bat
PS: You can install an addon in your default browser to further redirect bing links to google or whatever
that's why I won't be adding such features to the script
2022.07.17:
- use cmd /c for reg commands to prevent quotes parsing / localization issues
- fix slavic localization issue with reg query
2022.08.17:
- fix ChrEdgeFkOff.vbs export
2022.08.19:
- workaround for PoS Defender ultra-lame False Positive
that means vbs-less, cmd window will briefly flash
Q: why should anyone trust Defender doing a better job with actual malware?!
2022.08.20:
- the monster strikes again: cmd window briefly flash - no more
2022.08.21:
- open /WS/redirect/ search results directly
- revised dec_url64 snippet for speed
2022.08.22:
- address case where the toggle script got used after removal script causing a blank path that is throwing off MSEdgeRedirect
- CLI parse correction
- fix dec_url64 alphabet / instead of _
- fix manually opening edge, again
- fix copy-paste in powershell, again
2022.08.23: V9 stable
- retired dec_url64
2022.10.02: V1 rebranded
- use %Public% directory instead of %Programdata%
- rebranded to OpenWebSearch!
2022.10.03: Redux
- also get BHO from ProgramData if found
- use C:\Scripts to save the script (due to Sigma rules FUD)
- redo workaround Terminal issue #13914 still present in 11 dev builds
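Added example, not part of AveYo's scripts: a read-only inventory of the Image File Execution Options entries and the microsoft-edge: handler that OpenWebSearch installs and removes. The IFEO Debugger value is also a well-known persistence location, so the same listing doubles as a quick audit: anything it reports that you did not put there deserves a look. The IFEO path and value names are the ones used by the script above; the function names are my own.

```powershell
# Added example (not AveYo's code): list IFEO launch redirects, both the plain Debugger form and the
# filtered form OpenWebSearch uses (UseFilter=1 on the image key, FilterFullPath + Debugger on the \0 subkey).
function Get-IfeoRedirects {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($img in Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -LiteralPath $img.PSPath -ErrorAction SilentlyContinue
        # Classic form: Debugger directly on the image key, applies to every launch of that image name
        if ($p.Debugger) {
            [pscustomobject]@{ Image = $img.PSChildName; Scope = 'any path'; FilterFullPath = $null; Debugger = $p.Debugger }
        }
        # Filtered form: only launches whose full path matches FilterFullPath get the Debugger prepended
        if ($p.UseFilter -eq 1) {
            foreach ($f in Get-ChildItem -LiteralPath $img.PSPath -ErrorAction SilentlyContinue) {
                $fp = Get-ItemProperty -LiteralPath $f.PSPath -ErrorAction SilentlyContinue
                if ($fp.Debugger) {
                    [pscustomobject]@{ Image = $img.PSChildName; Scope = "filter $($f.PSChildName)"; FilterFullPath = $fp.FilterFullPath; Debugger = $fp.Debugger }
                }
            }
        }
    }
}

# Companion check: what the microsoft-edge: protocol and the MSEdgeHTM ProgID currently launch.
function Get-EdgeOpenCommands {
    foreach ($cls in 'microsoft-edge', 'MSEdgeHTM') {
        $cmd = (Get-ItemProperty -LiteralPath "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ ProgId = $cls; OpenCommand = $cmd }
    }
}

# With OpenWebSearch installed, expect two filter rows (ie_to_edge_stub.exe and msedge.exe) whose Debugger is
# conhost.exe ... C:\Scripts\OpenWebSearch.cmd and both open commands pointing at C:\Scripts\ie_to_edge_stub.exe;
# after "remove" the IFEO rows are gone and the open commands point back at msedge.exe.
Get-IfeoRedirects | Format-Table -AutoSize -Wrap
Get-EdgeOpenCommands | Format-Table -AutoSize -Wrap
```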
Thank you for posting the script. It helped me write a system script for managing a computer remotely. If anyone is interested, I can post it.
What has happened to @BAU? Why has he not been seen anywhere on MDL for so long? His snippets were very powerful and useful for scripting people.
I am grateful to you for the published script. It helped in writing a system script for remote computer control. If interested, I can post it.
Please use English. I went ahead and translated for you (https://translate.google.com/?hl=en&tab=TT): "I am grateful to you for the script posted. Helped in writing a system script for remote computer control. If interested, I can post"
I am grateful to you for the published script. It helped to write a system script for remote computer management. If interested, I can post it.
I am grateful to you for the published script. It helped in writing a system script for remote computer management. If you are interested, I can post it.
thanks. sure, you can link it or publish it in a new thread for those interested

and an update to ToggleDefender, because ChrEdge is getting on my nerves lately:
now also toggle self-claimed "smartscreen" filter and preset it to warn, and unblock exe since it still blocks downloads despite "smartscreen" being off via yet another policy

+ a tip for those using another browser but keeping chredge around in a semi-portable way:
taskschd.msc - disable the 3 Microsoft Edge * tasks
services.msc - disable the 3 Microsoft Edge * services (elevation + 2 x update)
I don't think these are protected, but if they are, just use the runasti script to open a ti/system explorer, then menu - powershell.. or enter directly in the address bar taskschd.msc or whatever
Don't forget to turn off Edge - Settings - System - Startup boost & Continue running in the background..

ChrEdge is gaining users though. Microsoft's anti-competitive practices are working, just like in the 90's. Does not work on me; even the speed is a lie, as Firefox is way more potato-friendly
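The taskschd.msc / services.msc part of the tip above, scripted as an added example (not AveYo's code, not from the thread). It assumes an elevated Windows PowerShell 5.1+ session on Windows 10/11 with the ScheduledTasks module, matches the Edge tasks and services by name pattern instead of hard-coding them, and reports what it found; the in-browser Startup boost / background setting is not covered.

```powershell
# Added example: disable the Microsoft Edge update/elevation scheduled tasks and services
# so a kept-around ChrEdge no longer runs in the background. Run elevated. Supports -WhatIf.
function Disable-EdgeBackground {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Assumption: task names on current builds start with "MicrosoftEdge" (update core/UA)
        [string]$TaskPattern = 'MicrosoftEdge*',
        # Assumption: display names of the elevation + 2 update services start with "Microsoft Edge"
        [string]$ServicePattern = 'Microsoft Edge*'
    )
    $report = [ordered]@{ Tasks = @(); Services = @() }

    foreach ($task in Get-ScheduledTask -TaskName $TaskPattern -ErrorAction SilentlyContinue) {
        $id = "$($task.TaskPath)$($task.TaskName)"
        if ($PSCmdlet.ShouldProcess($id, 'Disable scheduled task')) {
            try {
                $task | Disable-ScheduledTask -ErrorAction Stop | Out-Null
                $report.Tasks += "$($task.TaskName): Disabled"
            } catch {
                # Access denied here means the task is protected; the thread's RunAsTI route applies
                $report.Tasks += "$($task.TaskName): FAILED ($($_.Exception.Message))"
            }
        }
    }

    foreach ($svc in Get-Service -DisplayName $ServicePattern -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess("$($svc.Name) ($($svc.DisplayName))", 'Stop and disable service')) {
            try {
                if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force -ErrorAction Stop }
                Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
                $report.Services += "$($svc.Name): Disabled"
            } catch {
                $report.Services += "$($svc.Name): FAILED ($($_.Exception.Message))"
            }
        }
    }
    [pscustomobject]$report
}

# Dry run first to see what would be touched, then apply for real
Disable-EdgeBackground -WhatIf
# Disable-EdgeBackground -Verbose
```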
