Similar, if not the exact same way I do. It will be limited to doing whatever the account being impersonated can do. For instance, if we copy the token of a limited account, the spawned process would also be limited. But we will focus on impersonating the service account that runs the aasimov; that is the token with the permissions we'll need (I assume).
There is an alternative solution which is less pretty. I forgot to mention this, but icacls is no longer working on the files. We could rename dmwappushsvc.dll to block access to it.
Be careful: registry edits to HKCU inside this shell are applied to the SYSTEM account, not your personal account. Keep that in mind. NO HKCU.
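A way to check the point made above before touching anything, as an added PowerShell example that is not part of the original thread: print whose token the shell runs under, list the hives loaded under HKEY_USERS, and write to a named user's hive through HKEY_USERS\<SID> instead of HKCU. The user name and key path below are placeholders.

```powershell
# Added example, not from the thread. Shows which hive HKCU points at in the
# current shell and how to target a specific user's hive explicitly.
# Assumption: $targetUser and the Software\Example key are placeholders.

# Whose token is this shell running under? In a SYSTEM shell this prints
# NT AUTHORITY\SYSTEM with SID S-1-5-18, and HKCU resolves to HKU\S-1-5-18.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Running as {0} ({1})" -f $me.Name, $me.User.Value

# Hives currently loaded under HKEY_USERS: one per logged-on user SID, plus
# .DEFAULT and the *_Classes hives. Your own account must be logged on to appear.
Get-ChildItem Registry::HKEY_USERS | Select-Object -ExpandProperty PSChildName

# Resolve the SID of the account whose settings you actually want to change.
$targetUser = "$env:COMPUTERNAME\YourUserName"   # placeholder, replace
$sid = (New-Object System.Security.Principal.NTAccount($targetUser)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Warn if HKCU in this shell would land somewhere other than the target hive.
if ($me.User.Value -ne $sid) {
    Write-Warning "HKCU here is HKU\$($me.User.Value), not HKU\$sid; writing via HKEY_USERS"
}

# Write through HKEY_USERS\<SID> so the edit lands in the intended user's hive
# regardless of which account the shell is running as.
$key = "Registry::HKEY_USERS\$sid\Software\Example"   # placeholder key
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name "Setting" -Value 1 -Type DWord

# Read it back from the same path to confirm where it went.
(Get-ItemProperty -Path $key).Setting
```

The HKEY_USERS path only works for a hive that is currently loaded, which is the case for any user with an active logon session; for an account that is not logged on, the hive would have to be loaded from its NTUSER.DAT first.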
OK, so that means that we are applying changes to the SYSTEM hive of the registry located in System32\config. I just want to make sure of this, because if correct, that means we can apply licensing changes in previous versions of Windows such as Windows XP, i.e. files normally locked down in the registry that cannot be deleted no matter what you do. I guess the next question is: what registry values are modified when you are NT SYSTEM?
As long as you're not modifying any HKCU settings, the registry will function the same, just with higher permissions than admin.
Quick, someone try to edit the WGA settings in Windows XP SP3 then. The ones we couldn't mess with at all. I'm just curious what would happen lol. Also, I attempted to run it under Windows 10 without success, but that hardly matters; it's running well on Windows 8.1.
Not sure about this, but I'll ask anyway. My assumption is you are trying to stop the dmwappushsvc service. If this is the case, I've stopped the service manually using regedit and services.msc. If this is not the case, sorry to have bothered you. Only trying to help.
Yah, he needs TrustedInstaller permissions to stop the service, but jinje's exe only brings it up to SYSTEM permissions. At least, that is my understanding of the situation.
OK, restarting my system now after disabling it to see if it stuck. I did it in a regular administrator account. Edit: system is restarted and it is disabled. Got to do a few more things (retrace steps) before I can say it is done.
Ya, that's not the issue; we are trying to do it without a restart. So that means we need super user privileges for an account that does not exist. That means we need to force a SYSTEM account with all privileges enabled, then create a user from that to make it all stick. We could do it in Windows or hack the install process to give ourselves it. Yes, I actually am tempted to do it.
I did it without a restart. Stopped the service first, and then disabled it. The only reason I'm restarting is to see if anything changes it.
OK, keep in mind I was doing this on a whim while creating an administrator account via sysprep, so I have to make sure it works with a regular account, but after running it through sysprep it is still disabled. So now I'll try it on a regular account and report my findings.
Yes, we can disable it with a registry command then a restart. However, the goal at the moment is to disable it without a reboot.
Apparently the DiagTrack one we can just stop with a "net stop diagtrack" or an "sc stop diagtrack" (net stop is preferred since it will wait for it to finish), but the other one, 'dmwappushsvc', requires some super permissions to stop. An 'sc query' says that it's stoppable. We still don't know much about this dmwappushsvc. I have a hunch it's just the tracking service that monitors exe files and such. I could be wrong. It could be the keylogger. I doubt it. Typically the more robust service would handle the harder duties, such as monitoring every exe file and setting. A keylogger, although annoying to us, is less useful to MS. I still think the keylogger is just an IE plugin.
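The stop-then-disable sequence the thread has been working through (stop first so no reboot is needed, then change the start type so it stays down), as an added PowerShell example that is not code from the thread. It reports the same "stoppable" information `sc query` prints, waits for the stop like `net stop` does, and surfaces an access-denied failure instead of silently carrying on. Run it from an elevated shell. The service name for the WAP push service is assumed to be the registered name `dmwappushservice` (the thread refers to it by its DLL name, dmwappushsvc); adjust it if `sc query` on your build reports a different name.

```powershell
# Added example, not from the thread. Stops a service in place and disables its
# start type, verifying each step. Assumptions: elevated shell; service names
# 'DiagTrack' and 'dmwappushservice' as registered on Windows 8.1 / 10.

function Disable-TrackingService {
    param([Parameter(Mandatory)][string]$Name)

    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$Name is not installed"; return }

    # CanStop is the same flag 'sc query' shows as STOPPABLE / ACCEPTS_STOP.
    "{0}: status={1} canstop={2}" -f $Name, $svc.Status, $svc.CanStop

    if ($svc.Status -ne 'Stopped') {
        try {
            # Stop-Service blocks until the SCM reports Stopped (like net stop);
            # -Force also stops anything that depends on this service.
            Stop-Service -Name $Name -Force -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
        } catch {
            # Access denied here means this token lacks SERVICE_STOP on the object,
            # which is the symptom the thread is hitting on dmwappushsvc.
            Write-Warning ("stop failed for {0}: {1}" -f $Name, $_.Exception.Message)
        }
    }

    # Start type Disabled keeps it down across reboots without needing one now.
    Set-Service -Name $Name -StartupType Disabled

    # Verify against the registry: Start=4 under the service key means Disabled.
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$Name").Start
    "{0}: status={1} Start={2}" -f $Name, (Get-Service -Name $Name).Status, $start
}

Disable-TrackingService -Name 'DiagTrack'
Disable-TrackingService -Name 'dmwappushservice'
```

If the stop step warns with an access-denied error but the start type still changes, the service stays running until the next reboot, which is exactly the state the thread is trying to avoid; the warning makes that visible rather than leaving it to a later `sc query`.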