Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

Discussion in 'Scripting' started by AveYo, May 7, 2021.

  1. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,837
    5,592
    60
    Updated ChrEdgeFkOff (and Edge_Removal since it bundles it).
    Missed the fact that copy-pasting into powershell would export the script via out-file with just LF, not CRLF line endings, and the export snippet uses findstr, expecting CRLF. Fixed with a simple split.
  2. EaglePC

    EaglePC MDL Addicted

    Feb 13, 2012
    960
    390
    30
    won't work on Windows 11 22621.382 Pro
     
  3. AveYo

    AveYo MDL Expert

    That's just because PoS Defender just False-Positive'd it yesterday and started deleting the generated vbs script.
    Updated with a pure batch version - so the command window will briefly flash when doing searches. Let's see if it's just Defender being dumber than a rock, or it's also malicious intent, specifically targeting the redirector.
  4. Super Spartan

    Super Spartan MDL Expert

    May 30, 2014
    1,638
    955
    60
    #144 Super Spartan, Aug 20, 2022
    Last edited: Aug 20, 2022
    @AveYo Hey man, I installed the RunAsTI reg and when I right click on an app, for example CCleaner64.exe and choose RunAsTi from the send to context menu, then accept the UAC prompt, nothing happens, it doesn't run. Then I tried to run something else like another .BAT file such as FlushDNS.bat but again, it gives me the UAC prompt but nothing happens.


these are the contents of the RunAsTi.bat file that I copied from your site:

    @echo off& title RunAsTI - lean and mean snippet by AveYo, 2018-2022
    goto :nfo
    [FEATURES]
    - innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile
    - sets ownership privileges, high priority, and explorer support; get System if TI unavailable
    - accepts special characters in paths for which default run as administrator fails
    - adds Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer
    [USAGE]
    - First copy-paste RunAsTI snippet after .bat script content
    - Then call it anywhere to launch programs with arguments as TI
    call :RunAsTI regedit
    call :RunAsTI powershell -noprofile -nologo -noexit -c [environment]::Commandline
    call :RunAsTI cmd /k "whoami /all & color e0"
    call :RunAsTI "C:\System Volume Information"
    - Or just relaunch the script once if not already running as TI:
    whoami /user | findstr /i /c:S-1-5-18 >nul || ( call :RunAsTI "%~f0" %* & exit /b )
    2022.01.28: workaround for 11 release (22000) hindering explorer as TI; fix 7 args
    :nfo
    :::::::::::::::::::::::::
    :: .bat script content ::
    :::::::::::::::::::::::::
    :: [optional] add Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer
    set "0=%~f0"& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':SendTo\:.*')[1])& goto :SendTo:
    $SendTo=[Environment]::GetFolderPath('ApplicationData')+'\Microsoft\Windows\SendTo\RunAsTI.bat'; $enc=[Text.Encoding]::UTF8
    if ($env:0 -ne $SendTo) {[IO.File]::WriteAllLines($SendTo, [io.file]::ReadAllLines($env:0,$enc))}
    :SendTo:
    :: call RunAsTI snippet with default commandline args - if none provided, defaults to opening This PC as TI
    call :RunAsTI %*
    echo args: %*
    ::whoami
    ::timeout /t 7
    :: done
    exit /b
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: .bat script content end - copy-paste RunAsTI snippet ::
    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    #:RunAsTI snippet to run as TI/System, with innovative HKCU load, ownership privileges, high priority, and explorer support
    set ^ #=& set "0=%~f0"& set 1=%*& powershell -c iex(([io.file]::ReadAllText($env:0)-split'#\:RunAsTI .*')[1])& exit /b
    function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key="Registry::HKU\$(((whoami /user)-split' ')[-1])\Volatile Environment"; $code=@'
    $I=[int32]; $M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal"); $P=$I.module.gettype("System.Int`Ptr"); $S=[string]
    $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain."DefineDynami`cAssembly"(1,1)."DefineDynami`cModule"(1); $Z=[uintptr]::size
    0..5|% {$D += $DM."Defin`eType"("AveYo_$_",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_]."MakeByR`efType"()}
    $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)
    0..2|% {$9=$D[0]."DefinePInvok`eMethod"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
    $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
    1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k]."Defin`eField"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_]."Creat`eType"()}
    0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0]."G`etMethod"($1).invoke(0,$2)}
    $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}
    if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}
    function M ($1,$2,$3) {$M."G`etMethod"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M "AllocHG`lobal" $I $_}
    M "WriteInt`Ptr" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1
    $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)
    $Run=@($null, "powershell -win 1 -nop -c iex `$env:R; # $id", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))
    F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process]."GetM`ember"('SetPrivilege',42)[0]
    'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @("$_",2))}
    $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]
    function L ($1,$2,$3) {sp 'HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0
    $b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}
    function Q {[int](gwmi win32_process -filter 'name="explorer.exe"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}
    $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))
    if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {[Reflection.Assembly]::LoadWithPartialName("'$_")}}
    if ($11bug) {$path='^(l)'+$($cmd -replace '([\+\^\%\~\(\)\[\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}
    L ($key-split'\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}
    if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}
    if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'
    '@; $V='';'cmd','arg','id','key'|%{$V+="`n`$$_='$($(gv $_ -val)-replace"'","''")';"}; sp $key $id $($V,$code) -type 7 -force -ea 0
    start powershell -args "-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R" -verb runas
    }; $A=$env:1-split'"([^"]+)"|([^ ]+)',2|%{$_.Trim(' "')}; RunAsTI $A[1] $A[2]; #:RunAsTI lean & mean snippet by AveYo, 2022.01.28

    Also, is there a .BAT file I can use to reverse all this?
    PS: I am on Windows 11 build 21H2 22000.856

    EDIT: NEVERMIND, it was my Panda Antivirus, I disabled it and the script ran just fine! I will add it to the exclusions. Thanks for your awesome work!

    Any idea where can I add it to the exclusions in the Antivirus? What path?
  5. AveYo

    AveYo MDL Expert

    @Super Spartan, maybe even report a False Positive to them.

    Not anymore ;) the flashing, that is. Without external programs, without vbs, without hta, without powershell. Native. How do I keep coming up with this stuff? M o n s t e r
  6. Super Spartan

    Super Spartan MDL Expert

    Will do, but for now, what path do I need to exclude in the AV to make it work without having to disable it?
  7. AveYo

    AveYo MDL Expert

  8. Super Spartan

    Super Spartan MDL Expert

    I reported the false positive on their Twitter Account. I love Panda because it's like the only free AV with no toolbars and bloatware and is the lightest.
  9. AveYo

    AveYo MDL Expert

  10. Windows_Addict

    Windows_Addict MDL Expert

    Jul 19, 2018
    1,128
    2,826
    60
    Code:
    net stop NanoServiceMain /y
and that's all it takes to kill it.
Now the malicious tool can do anything it wants.
  11. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    2,443
    2,952
    90
    defender no. 2 :D
  12. AveYo

    AveYo MDL Expert

    #152 AveYo, Aug 20, 2022
    Last edited: Aug 20, 2022
    (OP)
For real?! WTF. It used to be more resilient a few years back, and they shared definitions with the top (Avira at that time). Definitely need to see this for myself, I need a loud laugh!
    It's for real!!! :roflmao: Amateur hour. So WatchGuard bought Panda to make it worse.. another one bites de_dust

    @Super Spartan, Panda is basically useless if you're using an admin account (dozens of UAC bypasses). And even if you use a limited account, it does not inspire much confidence. Uninstall ASAP, can't believe I say this, but you're better off with built-in Defender..
  13. Super Spartan

    Super Spartan MDL Expert

    Done chief!

    2022-08-20_13h33_14.png
  14. AveYo

    AveYo MDL Expert

    #154 AveYo, Aug 21, 2022
    Last edited: Aug 22, 2022
    (OP)
    Updated ChrEdgeFkOff (and Edge_Removal since it bundles it).
    - open /WS/redirect/ search results directly
    If microsoft bing team fixes their s**tty /WS/redirect/ eating the input and opening just the search homepage I'll be happy to revert to passing everything as-is. Edit2: turns out it was a parsing bug!
    But until then, I could either open bing with the query terms - but that would forget the specific clicked result - OR - decode the base64-encoded url and open it directly.
    I've chosen the latter, done via pure-batch, as certutil / vbs / powershell would open the av-false-positive can of worms again. So it's gonna open a bit slower vs. the non-redirect urls. But privacy++ ;)

Edit: was not content with the delay for opening windows search redirected urls,
so I have revised the dec_url64 snippet for speed - it is now pretty fast for native batch.
  15. AveYo

    AveYo MDL Expert

    #155 AveYo, Aug 22, 2022
    Last edited: Aug 23, 2022
    (OP)
ChrEdgeFkOff V8: address the case where the toggle script got used after the removal script, causing a blank path that was throwing off MSEdgeRedirect

    & CLI parse correction - turns out it was not bing windows search redirector fault, but will keep direct url launch anyway since the redirector is superfluous and takes about the same time to refresh in browser anyway

    & fix manually opening edge again
    & fix dec_url64 alphabet / instead of _

    I'm done with it ;)

    ChrEdgeFkOff V9 stable. Now I'm really done with it. I hope ;)
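The redirector handling from #154 (decode the base64-encoded url from a /WS/redirect/ link and open the target directly) and the alphabet fix from #155 (base64url uses _ and - where plain base64 uses / and +), as an added example that is not the thread's own dec_url64 batch snippet. It is written in Python rather than batch; the parameter name url, the bing host and the microsoft-edge: prefix in the sample are assumptions, and the sample link is constructed here.

```python
import base64
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: the parameter name, the host and the
# "microsoft-edge:" prefix. Only the /WS/redirect/ path and the base64url
# encoded target are described in the thread.
REDIRECT_PATH = "/WS/redirect/"
TARGET_PARAM = "url"


def b64url_encode(text: str) -> str:
    """URL-safe base64 ('-' and '_' instead of '+' and '/'), padding stripped."""
    return base64.urlsafe_b64encode(text.encode("utf-8")).decode("ascii").rstrip("=")


def b64url_decode(data: str) -> str:
    """Reverse of b64url_encode; restores the '=' padding that links drop."""
    data = data.strip()
    data += "=" * ((-len(data)) % 4)
    return base64.urlsafe_b64decode(data).decode("utf-8")


def extract_target(link: str):
    """Return the plain http(s) URL carried by a search-redirect link, else None."""
    if link.lower().startswith("microsoft-edge:"):
        link = link[len("microsoft-edge:"):]
    parts = urlsplit(link)
    if REDIRECT_PATH not in parts.path:
        return None                      # not a redirector link at all
    payload = parse_qs(parts.query).get(TARGET_PARAM, [""])[0]
    if not payload:
        return None                      # redirector link without a target
    try:
        target = b64url_decode(payload)
    except (ValueError, UnicodeDecodeError):
        return None                      # corrupt or non-base64url payload
    # Only hand http(s) targets to a browser; file:, javascript: etc. are dropped.
    if urlsplit(target).scheme.lower() not in ("http", "https"):
        return None
    return target


# Constructed sample link: a normal search result wrapped by the redirector.
SAMPLE_TARGET = "https://example.com/docs/a~b?q=edge removal&lang=en"
SAMPLE_LINK = ("microsoft-edge:https://www.bing.com" + REDIRECT_PATH + "?"
               + TARGET_PARAM + "=" + b64url_encode(SAMPLE_TARGET))

if __name__ == "__main__":
    print(extract_target(SAMPLE_LINK))
```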
  16. MDeaks

    MDeaks MDL Junior Member

    Aug 25, 2017
    96
    46
    0
    #156 MDeaks, Aug 24, 2022
    Last edited: Aug 27, 2022
    @AveYo ;
    Quote: ChrEdgeFkOff V9 stable. Now I'm really done with it. I hope

    Tested via Win11- Entp (22H2)....
    a) installed latest Edge x64 - Business,
    b) rebooted ; settings updated also to suit - ie set all - privacy & security etc to max possible
    c) reboot PC.
    d) download "ChrEdgeFkOff V9"...
    e) un-install..... ie "FKoff ChrEdge ":p - sticking to my preferred Firefox x64

    worked well :D:clap::clap: <hope: confirmed>;)

    Thanks again @AveYo :worthy::worthy:
     
  17. AveYo

    AveYo MDL Expert

    Rebranded ChrEdgeFkOff.cmd to OpenWebSearch.cmd
  18. AveYo

    AveYo MDL Expert

    #158 AveYo, Oct 3, 2022
    Last edited: Oct 3, 2022
    (OP)
    And a workaround for the ChrEdgeFkOff / OpenWebSearch headless mode being completely broken (crashes cmd) in latest 11 dev builds. It has been inconspicuous on a gen 3 potato but a minimized window can show briefly if under cpu pressure.
    And use windir C:\Scripts to save the script (due to Sigma rules FUD - virustotal even "detects" things not part of the script but from their own sandbox - go figure).
And finally, redid the workaround above, as conhost cmd /c start /min loses parts of the full commandline to be parsed. So instead, VT100 escape codes are used to minimize the window ;)
    Lot of work for something that's only broken in 11 Dev..
  19. Super Spartan

    Super Spartan MDL Expert

    I just uninstalled Edge thanks to your script but the shortcut remains in the start menu so I manually deleted it from:

    C:\ProgramData\Microsoft\Windows\Start Menu\Programs

    Can you please have it deleted as part of the script in the next update?

    Thanks