Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

rustynails · Sep 8, 2021

BAU said: ↑

pff get off my lawn

I've been toying lately with some downloaded custom drivers and since there are so many binaries to check manually for digital signatures, I've adapted the verify defender update cabs thingy to work for any file(s) or folder(s) selected via right-click - Send to menu
Verify Digital Signatures.bat

Code:

@(echo off% <#%) &color 07 &title Verify Digital Signatures - Files/Folders SendTo menu entry by AveYo
set "0=%~f0" &set 1=%*& powershell -nop -c iex ([io.file]::ReadAllText($env:0)) &pause &exit/b ||#>)[1]

#,# Install to SendTo menu when run from another location
if (!$env:1) { write-host "`n No input files or folders to verify! use 'Send to' context menu ...`n" -fore Yellow }
$SendTo = [Environment]::GetFolderPath('ApplicationData') + '\Microsoft\Windows\SendTo'
if (!$env:1 -and $env:0 -and $(Split-Path $env:0) -ne $SendTo) { copy $env:0 "$SendTo\Verify Digital Signatures.bat" -force }
if (!$env:1) { return }

#,# Process command line arguments - supports multiple files and folders
  $arg = ([regex]'"[^"]+"|[^ ]+').Matches($env:1)
  $val = Get-Item -force -lit ($arg[0].Value.Trim('"'))
  $dir = Split-Path $val; cd -lit $dir
#,# Grab target files names
  $files = @()
  foreach ($a in $arg) {
    $f = gi -force -lit $a.Value.Trim('"')
    if ($f.PSTypeNames -match 'FileInfo') { $files += $f }
    else { dir -lit $f -rec -force |? { !$_.PSIsContainer } |% { $files += $_ } }
  }
#,# Verify digital signatures via built-in powershell
$err = @(); $filter = '.exe','.dll','.ocx','.sys','.cpl','.scr','.msi','.Msix','.appx','.appxbundle','.cab','.cat'
$files | foreach-object {
  if ($filter -contains $_.Extension) {
    $sig = Get-AuthenticodeSignature $_.FullName
    if ($sig.status -eq 0) { write-output $sig ($sig.SignerCertificate.Subject-split'"')[1] '' }
    else { $err += $_ | select-object FullName,LastWriteTime,Length,@{Name='Status';Expression={("Not signed / Invalid")}} }
  }
}
write-host
if ($err.length -eq 0) { write-host -fore yellow -back darkgreen " OK! " }
else { write-output $err; write-host -fore yellow -back darkred " ERR! " }
#,# Done

Run once, and it will copy itself to Send to menu. Only scans active binaries (should I add more formats?)

Click to expand...

Wow nice, very cool script

rustynails · Sep 8, 2021

BAU said: ↑

#1: RunAsTI - git

Usage video:

RunAsTI.bat

Code:

@(set `" <#=")& echo off& title RunAsTI - lean and mean snippet by AveYo, 2018-2021

:: can use custom args: cmdline with %* [opens "C:\" if empty]; folder/program/oneliners like: cmd /c "whoami & timeout 7"
call :RunAsTI %*

:: add Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer [optional]
set "0=%~f0"& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':SendTo\:.*')[1])& goto :SendTo:
$SendTo=[Environment]::GetFolderPath('ApplicationData')+'\Microsoft\Windows\SendTo\RunAsTI.bat'; $enc=[Text.Encoding]::UTF8
if ($env:0 -and !(test-path -lit $SendTo)) {[IO.File]::WriteAllLines($SendTo, [io.file]::ReadAllLines($env:0,$enc))}
:SendTo:

EXIT/b ::batch section done

:: ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
#:: [info] to integrate in .bat files, add RunAsTI snippet on bottom and this line before main code
whoami|findstr /i /c:"nt authority\system" >nul || ( call :RunAsTI "%~f0" %* & exit/b )

#:: [info] to integrate in .ps1 files, add RunAsTI snippet and this line on bottom and wrap main code as $main = { code }
if ((whoami)-ne"nt authority\system") {RunAsTI "powershell -file ""$($MyInvocation.MyCommand.Path)"" $args";return}; & $main $args

#:: [info] hybrid script, can paste whole text in powershell to execute, or just the function to do RunAsTI "somecmd"
:: ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~  ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~#>)

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[string]; $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0]."DefinePInvokeMeth`od"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
 M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
 $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
 $out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out
} else { $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMeth`ods"(42) |? {$_.Name -eq "SetPrivilege"}
 "SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
 $HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9])); F "RegOpenKeyEx" $reg; $LNK=$reg[4]
 function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length)}
 F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK); $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
 $r="explorer"; if (!$cmd) {$cmd='C:\'}; $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
 if (!$dir) {$r="start `"$id`" /high /w"}; sp $EXP RunAs '' -force; start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
 do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
 F "RegSetValueEx" (SYM ".Default" $LNK); sp $EXP RunAs "Interactive User" -force } # lean and mean snippet by AveYo, 2018-2021
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$env:A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>  RunAsTI $env:1;  #:RunAsTI:

- scripting of file management or registry editing without altering permissions, with innovative HKCU load
- no external tools needed! still works on win7 powershell 2.0; just 18 - 28 lines in intelligible-ish plain-text
- adds a Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer
- can paste whole text in powershell to open C:\ as TI (def) - or just function {..}; RunAsTI "somecmd"

Variants:

Code:

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[string]; $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0]."DefinePInvokeMeth`od"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
 M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
 $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
 $out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out
} else { $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMeth`ods"(42) |? {$_.Name -eq "SetPrivilege"}
 "SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
 $HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9])); F "RegOpenKeyEx" $reg; $LNK=$reg[4]
 function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length)}
 F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK); $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
 $r="explorer"; if (!$cmd) {$cmd='C:\'}; $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
 if (!$dir) {$r="start `"$id`" /high /w"}; sp $EXP RunAs '' -force; start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
 do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
 F "RegSetValueEx" (SYM ".Default" $LNK); sp $EXP RunAs "Interactive User" -force } # lean and mean snippet by AveYo, 2018-2021
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$env:A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>  RunAsTI $env:1;  #:RunAsTI:

Code:

#:RunAsTI: #2 snippet to run as TI/System, with /high priority and /priv ownership
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[String]; $9=$D[0]."DefinePInvokeMeth`od"("CreateProcess","kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),1,4)
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
 M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
 $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
 $out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out
} else { $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMeth`ods"(42) |? {$_.Name -eq "SetPrivilege"}
 "SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
 if (!$cmd) {$cmd='cmd'}; start cmd -args ("/q/x/d/r title $id && start `"$id`" /high",$cmd) -win 1} # AveYo 2021
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$env:A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>  RunAsTI $env:1;  #:RunAsTI:

Code:

#:RunAsTI: #3 snippet to run as TI/System, with defaults
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[String]; $9=$D[0]."DefinePInvokeMeth`od"("CreateProcess","kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),1,4)
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
 M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
 $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080610
 if (!$cmd) {$cmd='cmd'}; $out=@($null,$cmd,0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out}
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>  RunAsTI $env:1;  #:RunAsTI:

Integration in .bat and .ps1 scripts:

Code:

@echo off & title TEST

:: setup
set "key=HKLM\SOFTWARE\Classes\AppID\{0868DC9B-D9A2-4f64-9362-133CEA201299}"
powershell -nop -c "(get-acl '%key:HKLM=HKLM:%').AccessToString"
reg query "%key%" /v RunAs

:: modify
reg add "%key%" /v RunAs /d "TEST-%~1-TEST" /f

:: result
reg query "%key%" /v RunAs

:: restore
reg add "%key%" /v RunAs /d "Interactive User" /f >nul 2>&1

:: done
choice /c EX1T
exit

Code:

@echo off & title TEST

:: [info] to integrate in .bat files, add this line before main code then RunAsTI snippet on bottom
whoami|findstr /i /c:"nt authority\system" >nul || ( call :RunAsTI "%~f0" %* & exit/b )

:: setup
set "key=HKLM\SOFTWARE\Classes\AppID\{0868DC9B-D9A2-4f64-9362-133CEA201299}"
powershell -nop -c "(get-acl '%key:HKLM=HKLM:%').AccessToString"
reg query "%key%" /v RunAs

:: modify
reg add "%key%" /v RunAs /d "TEST-%~1-TEST" /f

:: result
reg query "%key%" /v RunAs

:: restore
reg add "%key%" /v RunAs /d "Interactive User" /f >nul 2>&1

:: done
choice /c EX1T
exit

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[string]; $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0]."DefinePInvokeMeth`od"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
 M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
 $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
 $out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out
} else { $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMeth`ods"(42) |? {$_.Name -eq "SetPrivilege"}
 "SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
 $HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9])); F "RegOpenKeyEx" $reg; $LNK=$reg[4]
 function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length)}
 F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK); $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
 $r="explorer"; if (!$cmd) {$cmd='C:\'}; $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
 if (!$dir) {$r="start `"$id`" /high /w"}; sp $EXP RunAs '' -force; start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
 do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
 F "RegSetValueEx" (SYM ".Default" $LNK); sp $EXP RunAs "Interactive User" -force } # lean and mean snippet by AveYo, 2018-2021
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$env:A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>  RunAsTI $env:1;  #:RunAsTI:

Code:

$host.ui.rawui.windowtitle = “TEST"

# setup
  $key = 'HKLM:\SOFTWARE\Classes\AppID\{0868DC9B-D9A2-4f64-9362-133CEA201299}'
  (get-acl $key).AccessToString
  gp $key RunAs

# modify
  sp $key RunAs "TEST-$($args[0])-TEST" -force

# result
  gp $key RunAs

# restore
  sp $key RunAs "Interactive User" -force >$null 2>&1

# done
  choice /c EX1T
  return

Code:

$main = { $host.ui.rawui.windowtitle = “TEST"

# setup
  $key = 'HKLM:\SOFTWARE\Classes\AppID\{0868DC9B-D9A2-4f64-9362-133CEA201299}'
  (get-acl $key).AccessToString
  gp $key RunAs

# modify
  sp $key RunAs "TEST-$($args[0])-TEST" -force

# result
  gp $key RunAs

# restore
  sp $key RunAs "Interactive User" -force >$null 2>&1

# done
  choice /c EX1T
  return
}

#:RunAsTI: #1 snippet to run as TI/System, with /high priority, /priv ownership, explorer and HKCU load
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[string]; $F="kernel","advapi","advapi",($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),($U,$S,$I,$I,$D[9]),($U,$S,$I,$I,[byte[]],$I)
0..2|% {$9=$D[0]."DefinePInvokeMeth`od"(("CreateProcess","RegOpenKeyEx","RegSetValueEx")[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
 M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
 $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
 $out=@($null,"powershell -win 1 -nop -c iex `$env:A",0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out
} else { $env:A=''; $PRIV=[uri].module.gettype("System.Diagnostics.Process")."GetMeth`ods"(42) |? {$_.Name -eq "SetPrivilege"}
 "SeSecurityPrivilege","SeTakeOwnershipPrivilege","SeBackupPrivilege","SeRestorePrivilege" |% {$PRIV.Invoke(0, @("$_",2))}
 $HKU=[uintptr][uint32]2147483651; $LNK=$HKU; $reg=@($HKU,"S-1-5-18",8,2,($LNK -as $D[9])); F "RegOpenKeyEx" $reg; $LNK=$reg[4]
 function SYM($1,$2){$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1");@($2,"SymbolicLinkValue",0,6,[byte[]]$b,$b.Length)}
 F "RegSetValueEx" (SYM $(($key-split'\\')[1]) $LNK); $EXP="HKLM:\Software\Classes\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}"
 $r="explorer"; if (!$cmd) {$cmd='C:\'}; $dir=test-path -lit ((($cmd -split '^("[^"]+")|^([^\s]+)') -ne'')[0].trim('"')) -type 1
 if (!$dir) {$r="start `"$id`" /high /w"}; sp $EXP RunAs '' -force; start cmd -args ("/q/x/d/r title $id && $r",$cmd) -wait -win 1
 do {sleep 7} while ((gwmi win32_process -filter 'name="explorer.exe"'|? {$_.getownersid().sid -eq "S-1-5-18"}))
 F "RegSetValueEx" (SYM ".Default" $LNK); sp $EXP RunAs "Interactive User" -force } # lean and mean snippet by AveYo, 2018-2021
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$env:A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$env:A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>

#:: [info] to integrate in .ps1 files, wrap main code as $main={code} then add RunAsTI function and this line on bottom
if ((whoami)-ne'nt authority\system') {RunAsTI "powershell -file ""$($MyInvocation.MyCommand.Path)"" $args";return}; & $main $args

Q & A:
Q: what is the deal with the back`quotes?
A: to silence lame powershell keyword-based event-log warnings that include the whole snippet and slows down processing
Q: pretty sure reflection is used, single-letter vars for types, then.. any hints about those magic constants and arrays?
A: $Aj instance of $T[j] type of $D[j] structure of $DF[j] fields; $D[4] StartupInfoEx, $D[3] StartupInfo, $D[2] lpAttribute..
$D[0] for pinvoke definitions; numbers mostly calling flags or premade struct sizes; check microsoft docs ^,^

Changelog:
2021.05.08: !$dir hotfix

Whats next: TBD

Click to expand...

This is very cool script. It will be useful so I dont have to change permissions

) thanks

AveYo · Sep 8, 2021

rustynails said: ↑

This is very cool script. It will be useful so I dont have to change permissions ) thanks
Click to expand...

indeed, that is it's primary purpose - not having to change permissions of files or registry keys, either from the convenience of explorer, or imported into your own cmd and powershell scripts
and it's innovative feature being able to run tweaking scripts with HKCU entries normally (any other solutions - psexec, nsudo etc. would have system HKCU loaded instead of actual user's)

Dark Dinosaur · Sep 11, 2021

may I suggest something.
use >nul chcp 437 in your PS scripts
to prevent from us lot of suffering
it prevent consolas font change to raster fonts

AveYo · Sep 11, 2021

ain't that the worst codepage ever? horrible in europe, at least

Dark Dinosaur · Sep 11, 2021

its the original English OEM code page
if you like other code page, try this
Code:
With NNN = 437, 1252, 1251, 1253, 850, 852, 869, 857, 737 - no font change

geepnozeex · Sep 26, 2021

BAU said: ↑

RunAsTI
Click to expand...

(I write through Google translator.)
thanks, this is interesting.
help me use my .ps1 file with trustedinstaller permissions -

now this code is used with the utility PowerRun - which gives not only trustedinstaller permissions, but also completely hides execution windows.
Is it impossible to completely hide the powershell command execution windows?

AveYo · Sep 26, 2021

geepnozeex said: ↑

(I write through Google translator.)
thanks, this is interesting.
help me use my .ps1 file with trustedinstaller permissions -

Code:

$a=Get-Process MsMpEng -ErrorAction SilentlyContinue
if(!$a){
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiVirus
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name SettingsPageVisibility
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 5
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SmartScreenEnabled -Value On
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name SecurityHealth -PropertyType ExpandString -Value $env:SystemRoot\system32\SecurityHealthSystray.exe
Get-Service WinDefend,WdBoot,WdFilter,Sense,WdNisDrv,WdNisSvc|Set-Service -StartupType Automatic
New-Service -Name SecurityHealthService -BinaryPathName $env:SystemRoot\system32\SecurityHealthService.exe
Start-Service WinDefend
& $env:SystemRoot\system32\SecurityHealthSystray.exe
}
if($a){
gwmi Win32_Service|? Name -Match 'WinDefend|WdBoot|WdFilter|Sense|WdNisDrv|WdNisSvc'|%{$_.StopService()}
gwmi Win32_Process|? Name -Match 'SecurityHealthService.exe|SecurityHealthSystray.exe|smartscreen.exe|MpCmdRun.exe'|%{$_.Terminate()}
gwmi Win32_Service|? Name -Match 'SecurityHealthService'|%{$_.delete()}
Get-Service WinDefend,WdBoot,WdFilter,Sense,WdNisDrv,WdNisSvc|Set-Service -StartupType Disabled
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SmartScreenEnabled -Value Off
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name SettingsPageVisibility -PropertyType String -Value hide:windowsdefender
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -PropertyType DWord -Value 1
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -PropertyType DWord -Value 1
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiVirus -PropertyType DWord -Value 1
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name SecurityHealth
}
exit

now this code is used with the utility PowerRun - which gives not only trustedinstaller permissions, but also completely hides execution windows.
Is it impossible to completely hide the powershell command execution windows?

Click to expand...

I seem to have misplaced along the way the comment I had to hide the runasTI resulting window
in the script there's a $w=0x0E080610 to set process creation flags - to not create a console window just replace the 1 with a 0 i.e. $w=0x0E080600
following the integration in ps1 scripts guide, it would be something like this:

Code:

$main = {
################################

$a=Get-Process MsMpEng -ErrorAction SilentlyContinue
if(!$a){
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiVirus
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name SettingsPageVisibility
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 5
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SmartScreenEnabled -Value On
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name SecurityHealth -PropertyType ExpandString -Value $env:SystemRoot\system32\SecurityHealthSystray.exe
Get-Service WinDefend,WdBoot,WdFilter,Sense,WdNisDrv,WdNisSvc|Set-Service -StartupType Automatic
New-Service -Name SecurityHealthService -BinaryPathName $env:SystemRoot\system32\SecurityHealthService.exe
Start-Service WinDefend
& $env:SystemRoot\system32\SecurityHealthSystray.exe
}
if($a){
gwmi Win32_Service|? Name -Match 'WinDefend|WdBoot|WdFilter|Sense|WdNisDrv|WdNisSvc'|%{$_.StopService()}
gwmi Win32_Process|? Name -Match 'SecurityHealthService.exe|SecurityHealthSystray.exe|smartscreen.exe|MpCmdRun.exe'|%{$_.Terminate()}
gwmi Win32_Service|? Name -Match 'SecurityHealthService'|%{$_.delete()}
Get-Service WinDefend,WdBoot,WdFilter,Sense,WdNisDrv,WdNisSvc|Set-Service -StartupType Disabled
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SmartScreenEnabled -Value Off
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name SettingsPageVisibility -PropertyType String -Value hide:windowsdefender
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -PropertyType DWord -Value 1
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -PropertyType DWord -Value 1
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiVirus -PropertyType DWord -Value 1
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name SecurityHealth
}
exit

################################
}

#:RunAsTI: #3 snippet to run as TI/System, with defaults
set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
$_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
$ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
$D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
$D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
$S=[String]; $9=$D[0]."DefinePInvokeMeth`od"("CreateProcess","kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),1,4)
$DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
 function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
 M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
 $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
 if (!$cmd) {$cmd='cmd'}; $out=@($null,$cmd,0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out}
'@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$A"
$_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>

#:: [info] to integrate in .ps1 files, wrap main code as $main={code} then add RunAsTI function and this line on bottom
if ((whoami)-ne'nt authority\system') {RunAsTI "powershell -file ""$($MyInvocation.MyCommand.Path)"" $args";return}; & $main $args

then just right-click - Run with Powershell would suffice (note that for elevation powershell would still show a window briefly that's unavoidable unless you do even more hocus-pocus with wscript)

but why would you reinvent the wheel and not just use the awesome ToggleDefender script right here?
the prompt to toggle can be commented out so it can function the same way
(only better, imho. because your script is still gonna let defender run a scan after a while, and it disables the firewall feature as well which is a huge no-go)

geepnozeex · Sep 27, 2021

BAU said: ↑

your script is still gonna let defender run a scan after a while
Click to expand...

no.

BAU said: ↑

the integration in ps1 scripts guide, it would be something like this:
Click to expand...

I did it - it doesn't work, that's why I asked for help.

AveYo · Sep 27, 2021

what did you do exactly. because it definitely works verbatim as I've posted it
ofc to call it from something else you would use like powershell -win 1 -nop -exec bypass -file path\to\script.ps1

..how is that a built-in tool when it's a sfx exe with yet another 3rd party exe tool for ti elevation
that's already 2 huge no-go's - no exe should ever go near configuring your av.. specially when a fully plain-text script is available
and working depending on the state.. ToggleDefender does that as well if you #comment lines 8 - 11, it was changed to show a prompt for convenience, by popular request
also works without rebooting and does a bit more configuring and safeguarding, while not disabling the firewall (like..wtf disabling defender to regain performance without interruption for a while is understandable, but why do that to the firewall as well and be left butt naked on the network when at every other millisecond somebody runs a penetration scan)
I guess the winx shortcut is useful, but then again I would not bloat that already large menu with such entries
I find it much more convenient to run a script directly or even just copy paste the code in powershell once in a blue moon when I install stuff and need defender back on
at least the other popular tool is digitally signed (tho it has been reported broken several times already, while ToggleDefender script simply worked fine)

Deleted member 1385001 · Sep 27, 2021

BAU said: ↑

what did you do exactly. because it definitely works verbatim as I've posted it
ofc to call it from something else you would use like powershell -win 1 -nop -exec bypass -file path\to\script.ps1

..how is that a built-in tool when it's a sfx exe with yet another 3rd party exe tool for ti elevation
that's already 2 huge no-go's - no exe should ever go near configuring your av.. specially when a fully plain-text script is available
and working depending on the state.. ToggleDefender does that as well if you #comment lines 8 - 11, it was changed to show a prompt for convenience, by popular request
also works without rebooting and does a bit more configuring and safeguarding, while not disabling the firewall (like..wtf disabling defender to regain performance without interruption for a while is understandable, but why do that to the firewall as well and be left butt naked on the network when at every other millisecond somebody runs a penetration scan)
I guess the winx shortcut is useful, but then again I would not bloat that already large menu with such entries
I find it much more convenient to run a script directly or even just copy paste the code in powershell once in a blue moon when I install stuff and need defender back on
at least the other popular tool is digitally signed (tho it has been reported broken several times already, while ToggleDefender script simply worked fine)

Click to expand...

Might be more short commandline params :

powershell -w h -nop -noni -noe -ep bypass -f path\to\script.ps1

AveYo · Sep 27, 2021

mdl052020 said: ↑

Might be more short commandline params :

powershell -w h -nop -noni -noe -ep bypass -f path\to\script.ps1
Click to expand...

obviously in this scenario noexit is unwanted, and for the others not even I go as far to keep it intelligible
tho yours is actually 4 chars longer

Deleted member 1385001 · Sep 27, 2021

BAU said: ↑

obviously in this scenario noexit is unwanted, and for the others not even I go as far
tho yours is actually 4 chars longer
Click to expand...

Yes Absolutely Correct -NOE is unwanted in this

Famingpunk · Oct 8, 2021

Hi @BAU
Thanks for these awesome scripts.
is there any one liner command available to elevate a ps1 script?
i tried this
Code:
set _=call "%~f0" %*& fltmc>nul||(powershell -nop -c start cmd -args'/d/x/r',$env:_ -verb runas &&exit/b ||pause&exit/b)
did not work as i had intended.

fLOW. · Oct 22, 2021

@BAU is RunAsTI running good under Windows 11? Since i've upgraded to it, it takes approximately 1 minute for Explorer to "open".

I will leave this video below so you can see better what i'm trying to say.
I'm using the latest 'version' from here: https://gist.github.com/AveYo/b6b402aa8a83a1c71b780127f13e6957

https://streamable.com/ny9e4b

AveYo · Oct 24, 2021

fLOW. said: ↑

@BAU is RunAsTI running good under Windows 11? Since i've upgraded to it, it takes approximately 1 minute for Explorer to "open".

I will leave this video below so you can see better what i'm trying to say.
I'm using the latest 'version' from here: https://gist.github.com/AveYo/b6b402aa8a83a1c71b780127f13e6957

https://streamable.com/ny9e4b
Click to expand...

Thanks! I'm aware of the issue in 11, will try to find a solution soon.

KedarWolf · Nov 5, 2021

SPOILER: [28L] SNIPPET TO RUN AS TI/SYSTEM, WITH /HIGH PRIORITY, /PRIV OWNERSHIP, EXPLORER AND HKCU LOAD

How do I actually run this in PowerShell?

AveYo · Nov 10, 2021

KedarWolf said: ↑

SPOILER: [28L] SNIPPET TO RUN AS TI/SYSTEM, WITH /HIGH PRIORITY, /PRIV OWNERSHIP, EXPLORER AND HKCU LOAD

How do I actually run this in PowerShell?
Click to expand...

by copy-pasting the code in powershell and pressing enter
if you need to run it in a powershell script, check the integration examples

drew84 · Nov 10, 2021

BAU said: ↑

by copy-pasting the code in powershell and pressing enter
if you need to run it in a powershell script, check the integration examples
Click to expand...

... removed, as apparently misleading... see post below

AveYo · Nov 10, 2021

drew84 said: ↑

especially this one
Click to expand...

no, that one is geared towards that project (does not need explorer load support since it opens powershell directly, so I've removed the lines for it)

Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

rustynails MDL Junior Member

rustynails MDL Junior Member

AveYo MDL Expert

Dark Dinosaur X Æ A-12

AveYo MDL Expert

Dark Dinosaur X Æ A-12

geepnozeex MDL Junior Member

AveYo MDL Expert

geepnozeex MDL Junior Member

AveYo MDL Expert

Deleted member 1385001 Guest

AveYo MDL Expert

Deleted member 1385001 Guest

Famingpunk MDL Novice

fLOW. MDL Senior Member

AveYo MDL Expert

KedarWolf MDL Addicted

AveYo MDL Expert

drew84 MDL Expert

AveYo MDL Expert