Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

Discussion in 'Scripting' started by AveYo, May 7, 2021.

  1. geepnozeex

    geepnozeex MDL Junior Member

    Oct 21, 2014
    69
    61
    0
    #81 geepnozeex, Feb 15, 2022
    Last edited: Jun 25, 2022
    del
     
  2. Alexa120

    Alexa120 MDL Novice

    Aug 16, 2020
    32
    6
    0
    Hello. Please, if I may ask: what registry key should be changed or inserted to disable SignatureFallbackOrder: MicrosoftUpdateServer|MMPC, so that it shows zero (0) as you showed? Thank you.

    LowThreatDefaultAction : 0
    MAPSReporting : 0
    ModerateThreatDefaultAction : 0
    PUAProtection : 0
    QuarantinePurgeItemsAfterDelay : 0
    RandomizeScheduleTaskTimes : False
    RealTimeScanDirection : 0
    RemediationScheduleDay : 8
    RemediationScheduleTime : 00:00:00
    ReportingAdditionalActionTimeOut : 0
    ReportingCriticalFailureTimeOut : 0
    ReportingNonCriticalTimeOut : 0
    ScanAvgCPULoadFactor : 5
    ScanOnlyIfIdleEnabled : False
    ScanParameters : 0
    ScanPurgeItemsAfterDelay : 0
    ScanScheduleDay : 8
    ScanScheduleQuickScanTime : 00:00:00
    ScanScheduleTime : 00:00:00
    SevereThreatDefaultAction : 0
    SharedSignaturesPath :
    SignatureAuGracePeriod : 0
    SignatureDefinitionUpdateFileSharesSources :
    SignatureDisableUpdateOnStartupWithoutEngine : True
    SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
    SignatureFirstAuGracePeriod : 0
    SignatureScheduleDay : 8
    SignatureScheduleTime : 00:00:00
    SignatureUpdateCatchupInterval : 0
    SignatureUpdateInterval : 0
    SubmitSamplesConsent : 2
    ThreatIDDefaultAction_Actions :
    ThreatIDDefaultAction_Ids :
    UILockdown : False
    UnknownThreatDefaultAction : 0
    PSComputerName :

    Windows 10 Pro 21H2 19044.1469 x64 License
     
  3. reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates" /v "FallbackOrder" /t REG_SZ /d "Reg Value" /f

    Accepted reg values are as follows: "InternalDefinitionUpdateServer", "MicrosoftUpdateServer", "MMPC", and "FileShares"

    Use any of these reg values.
    [ Impressed & you did a good job ]
    kind regards
    COIN INDIA
     
  4. Alexa120

    Alexa120 MDL Novice

    Aug 16, 2020
    32
    6
    0
    Now everything is as it should be. Thank you for efficiency.


    ==========================================================
    Windows 10 Pro 21H2 19044.1469 x64 License
    ==========================================================
     
  5. Kindly share the reg tweaks you applied to make it same as me for others to get 100% benefits from it :)
     
  6. Alexa120

    Alexa120 MDL Novice

    Aug 16, 2020
    32
    6
    0
    #86 Alexa120, Feb 20, 2022
    Last edited: Feb 20, 2022
    You are welcome!:)

     
  7. #87 Deleted member 1385001, Feb 20, 2022
    Last edited by a moderator: Feb 20, 2022
    Awesome, more than awesome. Thanks & credits go to you | Pleasure remains always mine :)

    Edit: Added WD services to permanently disable WD using your reg tweaks, as if we apply these reg tweaks without disabling WD services they will change automatically after reboot as per WD svcs triggers set by M$ ====>

    Code:
    Windows Registry Editor Version 5.00
    
    [HKLM\SYSTEM\ControlSet001\Services\MsSecFlt]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\ControlSet001\Services\Sense]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\ControlSet001\Services\WdBoot]
    "Start"=dword:00000004
    
    "HKLM\SYSTEM\ControlSet001\Services\WdFilter]
    "Start"=dword:00000004
    
    "HKLM\SYSTEM\ControlSet001\Services\WdNisDrv]
    "Start"=dword:00000004
    
    "HKLM\SYSTEM\ControlSet001\Services\WdNisSvc]
    "Start"=dword:00000004
    
    "HKLM\SYSTEM\ControlSet001\Services\WinDefend]
    "Start"=dword:00000004
    
    "HKLM\SYSTEM\ControlSet001\Services\wscsvc]
    "Start"=dword:00000004
    
    "HKLM\SYSTEM\ControlSet001\Services\SecurityHealthService]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\MsSecFlt]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\Sense]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\WdBoot]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\WdFilter]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\WdNisDrv]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\WinDefend]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\wscsvc]
    "Start"=dword:00000004
    
    [HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
    "Start"=dword:00000004
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
    "PUAProtection"=dword:00000000
    "RandomizeScheduleTaskTimes"=dword:00000000
    "ServiceKeepAlive"=dword:00000000
    "DisableAntiSpyware"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions]
    "DisableAutoExclusions"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine]
    "MpEnablePus"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Quarantine]
    "LocalSettingOverridePurgeItemsAfterDelay"=dword:00000000
    "PurgeItemsAfterDelay"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
    "DisableBehaviorMonitoring"=dword:00000001
    "DisableIOAVProtection"=dword:00000001
    "DisableOnAccessProtection"=dword:00000001
    "DisableRoutinelyTakingAction"=dword:00000001
    "DisableScanOnRealtimeEnable"=dword:00000001
    "DisableScriptScanning"=dword:00000001
    "DisableRawWriteNotification"=dword:00000001
    "DisableRealtimeMonitoring"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Remediation]
    "Scan_ScheduleDay"=dword:00000008
    "Scan_ScheduleTime"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Reporting]
    "AdditionalActionTimeOut"=dword:00000000
    "CriticalFailureTimeOut"=dword:00000000
    "DisableGenericRePorts"=dword:00000001
    "NonCriticalTimeOut"=dword:00000000
    "DisableEnhancedNotifications"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan]
    "AvgCPULoadFactor"=dword:00000005
    "DisableArchiveScanning"=dword:00000001
    "DisableCatchupFullScan"=dword:00000001
    "DisableCatchupQuickScan"=dword:00000001
    "DisableRemovableDriveScanning"=dword:00000001
    "DisableRestorePoint"=dword:00000001
    "DisableScanningMappedNetworkDrivesForFullScan"=dword:00000001
    "DisableScanningNetworkFiles"=dword:00000001
    "PurgeItemsAfterDelay"=dword:00000000
    "ScanOnlyIfIdle"=dword:00000000
    "ScanParameters"=dword:00000000
    "ScheduleDay"=dword:00000008
    "ScheduleTime"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Signature Updates]
    "DisableUpdateOnStartupWithoutEngine"=dword:00000001
    "ScheduleDay"=dword:00000008
    "ScheduleTime"=dword:00000000
    "SignatureUpdateCatchupInterval"=dword:00000000
    "DisableScanOnUpdate"=dword:00000001
    "DisableScheduledSignatureUpdateOnBattery"=dword:00000001
    "RealtimeSignatureDelivery"=dword:00000000
    "UpdateOnStartUp"=dword:00000000
    "FallbackOrder"="0"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen]
    "ConfigureAppInstallControl"="Anywhere"
    "ConfigureAppInstallControlEnabled"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\SpyNet]
    "DisableBlockAtFirstSeen"=dword:00000001
    "LocalSettingOverrideSpynetReporting"=dword:00000000
    "SpyNetReportingLocation"=hex(7):30,00,00,00,00,00
    "SpynetReporting"=dword:00000000
    "SubmitSamplesConsent"=dword:00000002
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\UX Configuration]
    "Notification_Suppress"=dword:00000001
    "UILockdown"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=dword:00000001
    "DisableAntiVirus"=dword:00000001
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features]
    "TamperProtection"=dword:00000004
    "TamperProtectionSource"=dword:00000002
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Signature Updates]
    "DisableDefaultSigs"=dword:00000000
    "FirstAuGracePeriod"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet]
    "SpyNetReporting"=dword:00000000
    "SubmitSamplesConsent"=dword:00000002
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\UX Configuration]
    "DisablePrivacyMode"=dword:00000001
    "Notification_Suppress"=dword:00000001
    "UILockdown"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System]
    "EnableSmartScreen"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter]
    "EnabledV9"=dword:00000000
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter]
    "PreventOverride"=dword:00000000
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\OnlineSpeechPrivacy]
    "HasAccepted"=dword:00000000
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps]
    "AgentActivationEnabled"=dword:00000000
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Speech_OneCore\Settings\VoiceActivation\UserPreferenceForAllApps]
    "AgentActivationOnLockScreenEnabled"=dword:00000000
    
    
    Plus I suggest applying this reg using TI rights :)
     
  8. geepnozeex

    geepnozeex MDL Junior Member

    Oct 21, 2014
    69
    61
    0
    there 90% unnecessary
     
  9. OK
     
  10. xCyBx

    xCyBx MDL Senior Member

    Aug 6, 2018
    315
    598
    10
    #90 xCyBx, Mar 5, 2022
    Last edited: Mar 5, 2022
    One question please.
    When I delete the folder "%SystemRoot%\servicing\LCU", it needs privileges as the SYSTEM user, not as Administrators.
    Can this script help me? :g:
     
  11. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,685
    60
    Yes, TI (TrustedInstaller) = SYSTEM + extra group that owns pretty much all windows files and registry keys
     
  12. xCyBx

    xCyBx MDL Senior Member

    Aug 6, 2018
    315
    598
    10
    Thanks @BAU for this script.
     
  13. delMicron

    delMicron MDL Junior Member

    Dec 28, 2021
    52
    24
    0
    #93 delMicron, Mar 9, 2022
    Last edited: Mar 10, 2022
    Thanks @BAU


    Code:
    Windows Registry Editor Version 5.00
    
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\RunAsTI]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\RunAsTI]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\background\shell\RunAsTI]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunAsTI]
    
    ;On MyPC
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\RunAsTI]
    "SubCommands"=""
    "MUIVerb"="Run As TI"
    "Icon"="powershell.exe,1"
    "Position"="Bottom"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\RunAsTI\shell\RegAsTI]
    "MUIVerb"="Regedit as TI"
    "Icon"="regedit.exe"
    "Position"="Top"
    "HasLUAShield"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\RunAsTI\shell\RegAsTI\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..39|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% regedit.exe"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\RunAsTI\shell\ExpAsTI]
    "MUIVerb"="Explorer as TI"
    "Icon"="explorer.exe,1"
    "Position"="Bottom"
    "HasLUAShield"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\RunAsTI\shell\ExpAsTI\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..39|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% explorer.exe"
    
    ;On Folder name
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\RunAsTI]
    "SubCommands"=""
    "MUIVerb"="Run as TI"
    "Icon"="powershell.exe,1"
    "Position"="Bottom"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\RunAsTI\shell\RegAsTI]
    "MUIVerb"="Regedit as TI"
    "Icon"="regedit.exe"
    "Position"="Top"
    "HasLUAShield"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\RunAsTI\shell\RegAsTI\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..39|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% regedit.exe"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\RunAsTI\shell\ExpAsTI]
    "MUIVerb"="Explorer as TI"
    "Icon"="explorer.exe,1"
    "Position"="Bottom"
    "HasLUAShield"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\RunAsTI\shell\ExpAsTI\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..39|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% explorer.exe \"1=%V\""
    
    ;On Folder
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\background\shell\RunAsTI]
    "SubCommands"=""
    "MUIVerb"="Run as TI"
    "Icon"="powershell.exe,1"
    "Position"="Bottom"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\background\shell\RunAsTI\shell\RegAsTI]
    "MUIVerb"="Regedit as TI"
    "Icon"="regedit.exe"
    "Position"="Top"
    "HasLUAShield"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\background\shell\RunAsTI\shell\RegAsTI\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..39|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% regedit.exe"
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\background\shell\RunAsTI\shell\ExpAsTI]
    "MUIVerb"="Explorer as TI"
    "Icon"="explorer.exe,1"
    "Position"="Bottom"
    "HasLUAShield"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\background\shell\RunAsTI\shell\ExpAsTI\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..39|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% explorer.exe \"1=%V\""
    
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\RunAsTI]
    "10"="function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key=\"Registry::HKU\\$(((whoami /user)-split' ')[-1])\\Volatile Environment\"; $code=@'"
    "11"=" $I=[int32]; $M=$I.module.gettype(\"System.Runtime.Interop`Services.Mar`shal\"); $P=$I.module.gettype(\"System.Int`Ptr\"); $S=[string]"
    "12"=" $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain.\"DefineDynami`cAssembly\"(1,1).\"DefineDynami`cModule\"(1); $Z=[uintptr]::size "
    "13"=" 0..5|% {$D += $DM.\"Defin`eType\"(\"AveYo_$_\",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_].\"MakeByR`efType\"()}"
    "14"=" $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)"
    "15"=" 0..2|% {$9=$D[0].\"DefinePInvok`eMethod\"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}"
    "16"=" $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)"
    "17"=" 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\"Defin`eField\"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_].\"Creat`eType\"()}"
    "18"=" 0..5|% {nv \"A$_\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0].\"G`etMethod\"($1).invoke(0,$2)}"
    "19"=" $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}"
    "20"=" if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}"
    "21"=" function M ($1,$2,$3) {$M.\"G`etMethod\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \"AllocHG`lobal\" $I $_}"
    "22"=" M \"WriteInt`Ptr\" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1"
    "23"=" $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \"StructureTo`Ptr\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)"
    "24"=" $Run=@($null, \"powershell -win 1 -nop -c iex `$env:R; # $id\", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))"
    "25"=" F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process].\"GetM`ember\"('SetPrivilege',42)[0]"
    "26"=" 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @(\"$_\",2))}"
    "27"=" $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]"
    "28"=" function L ($1,$2,$3) {sp 'Registry::HKCR\\AppID\\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0"
    "29"="  $b=[Text.Encoding]::Unicode.GetBytes(\"\\Registry\\User\\$1\"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}"
    "30"=" function Q {[int](gwmi win32_process -filter 'name=\"explorer.exe\"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}"
    "31"=" $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))"
    "32"=" if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {$9=[Reflection.Assembly]::LoadWithPartialName(\"'$_\")}}"
    "33"=" if ($11bug) {$path='^(l)'+$($cmd -replace '([\\+\\^\\%\\~\\(\\)\\[\\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}"
    "34"=" L ($key-split'\\\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}"
    "35"=" if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}"
    "36"=" if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'"
    "37"="'@; $V='';'cmd','arg','id','key'|%{$V+=\"`n`$$_='$($(gv $_ -val)-replace\"'\",\"''\")';\"}; sp $key $id $($V,$code) -type 7 -force -ea 0"
    "38"=" start powershell -args \"-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R\" -verb runas"
    "39"="}; $A=([environment]::commandline-split'-[-]%+ ?',2)[1]-split'\"([^\"]+)\"|([^ ]+)',2|%{$_.Trim(' \"')}; RunAsTI $A[1] $A[2]; # AveYo, 2022.01.28"
    ;
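
As an added example (not part of any post in this thread, and not AveYo's code): a triage script a defender could run over a .reg file before importing it, flagging the kinds of entries posted above: Defender services set to Start=4, Defender protection values switched off, and context-menu commands that `iex` code stored in registry values. The sample input, the `Example` key and the finding labels are constructed for illustration; the service and value names are the ones that appear in the posts.

```python
import re

# Constructed sample in .reg syntax (not copied from a post); names come from this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Scan]
"AvgCPULoadFactor"=dword:00000005

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shell\Example\command]
@="powershell.exe -nop -c iex((gp 'Registry::HKCR\\Example' 10).10)"
'''

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT", "HKU": "HKEY_USERS"}
DEFENDER_SERVICES = {"windefend", "wdfilter", "wdboot", "wdnisdrv", "wdnissvc",
                     "sense", "mssecflt", "wscsvc", "securityhealthservice"}
PROTECTION_OFF = {"disableantispyware", "disableantivirus", "disablerealtimemonitoring",
                  "disablebehaviormonitoring", "disableioavprotection",
                  "disableonaccessprotection", "disablescriptscanning",
                  "disableblockatfirstseen"}

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Tolerant on purpose: accepts a stray opening quote and short hive names, so a
# malformed header does not hide the values under it from review.
HEADER_RE = re.compile(r'^[\["]-?(HK[^\]]*)\]$')


def parse_reg(text):
    """Yield (key, value_name, raw_data) for each value line ('@' is the default value)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        value, header = VALUE_RE.match(line), HEADER_RE.match(line)
        if value and key:
            yield key, value.group(1).strip('"'), value.group(2)
        elif header:
            hive, _, rest = header.group(1).partition("\\")
            key = HIVES.get(hive.upper(), hive) + "\\" + rest


def audit(text):
    """Return a list of (finding, key, value_name) tuples worth a reviewer's attention."""
    findings = []
    for key, name, data in parse_reg(text):
        k, n = key.lower(), name.lower()
        m = re.fullmatch(r'dword:([0-9a-f]{1,8})', data.strip().lower())
        dword = int(m.group(1), 16) if m else None
        svc = re.search(r'\\services\\([^\\]+)$', k)
        if svc and svc.group(1) in DEFENDER_SERVICES and n == "start" and dword == 4:
            findings.append(("service-disabled", key, name))
        elif "\\windows defender" in k and n in PROTECTION_OFF and dword == 1:
            findings.append(("defender-feature-off", key, name))
        elif (k.endswith("\\command") and re.search(r'\biex\b', data, re.I)
              and "registry::" in data.lower()):
            findings.append(("verb-runs-registry-stored-code", key, name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(*finding, sep=" | ")
```
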
    
     
  14. Famingpunk

    Famingpunk MDL Novice

    May 20, 2021
    32
    9
    0
    Hi, is there any update to RunAsTi.reg to use the new Terminal in Dev channel builds instead of native PowerShell?
     
  15. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,685
    60
    Did I not give you solutions in the last conversation? Working new Terminal profile as TI, working RunAsTI Terminal entry?
    I won't fix retarded windows behavior because that could spiral into something worse.
    %USERPROFILE%\AppData\Local\Microsoft\WindowsApps\ is where the wt.exe hard-link resides and is unusable with TI rights. It's not a matter of method, wt.exe without full path probably fails with any solution - by asshole design.
    Anyway, I've updated RunAsTI.reg 'Powershell as trustedinstaller here' entry (renamed to PowerShell / Terminal) to work dynamically: if Terminal found, launch it, else use PowerShell.
    There's already half the code working around 11 bulls**t..
     
  16. Famingpunk

    Famingpunk MDL Novice

    May 20, 2021
    32
    9
    0
    You did, and it worked.
    The issue is that whenever Terminal is updated, the path gets altered as the build number keeps changing.
    Now I get why that's happening, MS screwed it..
     
  17. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,685
    60
    #97 AveYo, Apr 7, 2022
    Last edited: Apr 7, 2022
    (OP)
    Also showed you how to refresh that :)

    The updated entry should not have that issue, as the executable is searched in Program Files\WindowsApps every time.
    Forgot to share an updated command line for a "TI Terminal" profile:
    Code:
    powershell.exe -nop -c iex($(foreach($l in 10..40){(gp 'Registry::HKCR\RunAsTI' $l -ea 0).$l})-join [char]10); # --% cmd /c %wt%
     
  18. zbigniew59

    zbigniew59 MDL Senior Member

    May 14, 2016
    374
    171
    10
    #98 zbigniew59, Apr 8, 2022
    Last edited: Apr 9, 2022
    @BAU -
    Server 2022 - 25083.1000 - based win11 - installed - and personalized - terminal - by Chocolatey - works well.
    -

    After your .reg - it opens differently - without settings?
    Does not remember the settings?
     
  19. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,685
    60
    #99 AveYo, Apr 8, 2022
    Last edited: Apr 8, 2022
    (OP)
    Missed the last posts? Terminal is designed in a s**tty way, hybrid win32 and store app - and the store part comes with some security implications that mess the whole thing up when running as system. My clever preserving of HKCU does not help with that.

    But I don't see what's the problem in one-time copy-pasting the non-ti configuration you've made (Settings - open JSON file) into the ti instance default configuration (Settings - open JSON file).

    Your existing one is probably saved in: %USERPROFILE%\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\LocalState\settings.json
    The RunAsTI one is probably saved in: %USERPROFILE%\AppData\Local\Microsoft\Windows Terminal\settings.json

    edit: And can you place those 3 large images under a spoiler tag?
    why do you even need so many entries? ain't the proper one enough? ;)
     
  20. zbigniew59

    zbigniew59 MDL Senior Member

    May 14, 2016
    374
    171
    10
    Actually, the terminal is in two locations.
    After replacing Settings.json - it's OK. :worthy:
    And I have entries because I test which are more versatile and more useful for me.
    As for the photos - I will adapt and I will insert them under the spoiler.
    I have 43 inches 4K screen - and although I reduce them before inserting, I do not know how they look on other screens and resolutions. Sorry.:)