Lean And Mean snippets for power users RunAsTI / reg_own / ToggleDefender / Edge removal / redirect

Discussion in 'Scripting' started by AveYo, May 7, 2021.

  1. rustynails

    rustynails MDL Junior Member

    Mar 18, 2015
    50
    44
    0

    Wow nice, very cool script :)
     
  2. rustynails

    rustynails MDL Junior Member

    Mar 18, 2015
    50
    44
    0

    This is a very cool script. It will be useful so I don't have to change permissions :)) thanks
     
  3. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
    indeed, that is its primary purpose - not having to change permissions of files or registry keys, either from the convenience of explorer or imported into your own cmd and powershell scripts
    and its innovative feature is being able to run tweaking scripts with HKCU entries normally (any other solutions - psexec, nsudo etc. - would have the system HKCU loaded instead of the actual user's)
     
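The HKCU point above is easy to verify before a tweak script writes anything: the following is an added example (not AveYo's code and not part of RunAsTI) that reports which hive HKCU really is for the current token and which interactive user hives are loaded. It assumes Windows PowerShell 5.1 or later; the function names are made up for this example.

```powershell
# Added example, not AveYo's code: show which hive HKCU really is for the current token.
# Under SYSTEM (S-1-5-18) HKCU is HKEY_USERS\.DEFAULT, so "HKCU" tweaks made from a
# psexec/nsudo-style launcher never reach the logged-on user's hive.
function Get-HkcuHiveInfo {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $isSystem = ($id.User.Value -eq 'S-1-5-18')
    # Volatile Environment exists only in an interactive user's hive and records its owner
    $ve = Get-ItemProperty -Path 'HKCU:\Volatile Environment' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        TokenName      = $id.Name
        TokenSid       = $id.User.Value
        IsSystemToken  = $isSystem
        HkcuUserName   = $(if ($ve) { $ve.USERNAME } else { $null })
        HkcuIsUserHive = ([bool]$ve -and -not $isSystem)
    }
}

# Interactive users whose hives are currently loaded: these are the HKEY_USERS\<sid>
# paths a SYSTEM/TI process has to address explicitly to reach the real user's settings.
function Get-LoadedUserHives {
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $ve = Get-ItemProperty -Path "Registry::HKEY_USERS\$($_.PSChildName)\Volatile Environment" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Sid         = $_.PSChildName
                UserName    = $(if ($ve) { $ve.USERNAME } else { $null })
                Interactive = [bool]$ve
            }
        }
}

Get-HkcuHiveInfo | Format-List
Get-LoadedUserHives | Format-Table -AutoSize
```

Run it once from a normal prompt and once from a SYSTEM prompt: in the second case HkcuIsUserHive is False and HkcuUserName is empty, which is exactly why HKCU-based tweaks silently go to the wrong hive there.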
  4. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    4,151
    5,959
    150
    #44 Dark Dinosaur, Sep 11, 2021
    Last edited: Sep 11, 2021
    may I suggest something:
    use >nul chcp 437 in your PS scripts
    to spare us a lot of suffering :(
    it prevents the Consolas font from changing to raster fonts
     
  5. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
    ain't that the worst codepage ever? horrible in europe, at least
     
  6. Dark Dinosaur

    Dark Dinosaur X Æ A-12

    Feb 2, 2011
    4,151
    5,959
    150
    #46 Dark Dinosaur, Sep 11, 2021
    Last edited: Sep 11, 2021
    it's the original English OEM code page :)
    if you like another code page, try this
    Code:
    With NNN = 437, 1252, 1251, 1253, 850, 852, 869, 857, 737 - no font change
     
  7. geepnozeex

    geepnozeex MDL Junior Member

    Oct 21, 2014
    81
    79
    0
    #47 geepnozeex, Sep 26, 2021
    Last edited: Dec 10, 2021
    (I write through Google translator.)
    thanks, this is interesting.
    help me use my .ps1 file with trustedinstaller permissions -

    now this code is used with the PowerRun utility, which gives not only trustedinstaller permissions but also completely hides execution windows.
    Is it impossible to completely hide the powershell command execution windows?
     
  8. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
    I seem to have misplaced along the way the comment I had about hiding the RunAsTI resulting window
    in the script there's a $w=0x0E080610 to set the process creation flags - to not create a console window just replace the 1 with a 0, i.e. $w=0x0E080600
    following the integration-in-ps1-scripts guide, it would be something like this:
    Code:
    $main = {
    ################################
    
    $a=Get-Process MsMpEng -ErrorAction SilentlyContinue
    if(!$a){
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiVirus
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name SettingsPageVisibility
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender\Features" -Name TamperProtection -Value 5
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SmartScreenEnabled -Value On
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name SecurityHealth -PropertyType ExpandString -Value $env:SystemRoot\system32\SecurityHealthSystray.exe
    Get-Service WinDefend,WdBoot,WdFilter,Sense,WdNisDrv,WdNisSvc|Set-Service -StartupType Automatic
    New-Service -Name SecurityHealthService -BinaryPathName $env:SystemRoot\system32\SecurityHealthService.exe
    Start-Service WinDefend
    & $env:SystemRoot\system32\SecurityHealthSystray.exe
    }
    if($a){
    gwmi Win32_Service|? Name -Match 'WinDefend|WdBoot|WdFilter|Sense|WdNisDrv|WdNisSvc'|%{$_.StopService()}
    gwmi Win32_Process|? Name -Match 'SecurityHealthService.exe|SecurityHealthSystray.exe|smartscreen.exe|MpCmdRun.exe'|%{$_.Terminate()}
    gwmi Win32_Service|? Name -Match 'SecurityHealthService'|%{$_.delete()}
    Get-Service WinDefend,WdBoot,WdFilter,Sense,WdNisDrv,WdNisSvc|Set-Service -StartupType Disabled
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" -Name SmartScreenEnabled -Value Off
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" -Name SettingsPageVisibility -PropertyType String -Value hide:windowsdefender
    New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -PropertyType DWord -Value 1
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiSpyware -PropertyType DWord -Value 1
    New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows Defender" -Name DisableAntiVirus -PropertyType DWord -Value 1
    Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name SecurityHealth
    }
    exit
    
    ################################
    }
    
    #:RunAsTI: #3 snippet to run as TI/System, with defaults
    set ^ #=& set "0=%~f0"& set 1=%*& powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':RunAsTI\:.*')[1])& exit/b
    $_CAN_PASTE_DIRECTLY_IN_POWERSHELL='^,^'; function RunAsTI ($cmd) { $id='RunAsTI'; $sid=((whoami /user)-split' ')[-1]; $code=@'
    $ti=(whoami /groups)-like"*1-16-16384*"; $DM=[AppDomain]::CurrentDomain."DefineDynamicAss`embly"(1,1)."DefineDynamicMod`ule"(1)
    $D=@(); 0..5|% {$D+=$DM."DefineT`ype"("M$_",1179913,[ValueType])}; $I=[int32];$P=$I.module.gettype("System.Int`Ptr"); $U=[uintptr]
    $D+=$U; 4..6|% {$D+=$D[$_]."MakeB`yRefType"()};$M=$I.module.gettype("System.Runtime.Interop`Services.Mar`shal");$Z=[uintptr]::size
    $S=[String]; $9=$D[0]."DefinePInvokeMeth`od"("CreateProcess","kernel`32",8214,1,$I,@($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),1,4)
    $DF=0,($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
    1..5|% {$k=$_;$n=1;$AveYo=1; $DF[$_]|% {$9=$D[$k]."DefineFie`ld"('f'+$n++,$_,6)}}; $T=@(); 0..5|% {$T+=$D[$_]."CreateT`ype"()}
    0..5|% {nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}; function F ($1,$2) {$T[0]."GetMeth`od"($1).invoke(0,$2)};
    if (!$ti) { $g=0; "TrustedInstaller","lsass"|% {if (!$g) {net1 start $_ 2>&1 >$null; $g=@(get-process -name $_ -ea 0|% {$_})[0]}}
     function M($1,$2,$3){$M."GetMeth`od"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H+=M "AllocHG`lobal" $I $_};
     M "WriteInt`Ptr" ($P,$P) ($H[0],$g.Handle); $A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1
     $A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1]; M "StructureTo`Ptr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false); $w=0x0E080600
     if (!$cmd) {$cmd='cmd'}; $out=@($null,$cmd,0,0,0,$w,0,$null,($A4 -as $T[4]),($A5 -as $T[5])); F "CreateProcess" $out}
    '@; $key="Registry::HKEY_USERS\$sid\Volatile Environment"; $a1="`$id='$id';`$key='$key';";$a2="`$cmd='$($cmd-replace"'","''")';`n"
    sp $key $id $($a1,$a2,$code) -type 7 -force; $arg="$a1 `$A=(gi `$key).getvalue(`$id)-join'';rp `$key `$id -force; iex `$A"
    $_PRESS_ENTER='^,^'; start powershell -args "-win 1 -nop -c $arg" -verb runas }; <#,#>
    
    #:: [info] to integrate in .ps1 files, wrap main code as $main={code} then add RunAsTI function and this line on bottom
    if ((whoami)-ne'nt authority\system') {RunAsTI "powershell -file ""$($MyInvocation.MyCommand.Path)"" $args";return}; & $main $args
    
    
    then just right-click > Run with PowerShell would suffice (note that for elevation powershell would still show a window briefly; that's unavoidable unless you do even more hocus-pocus with wscript)

    but why reinvent the wheel and not just use the awesome ToggleDefender script right here?
    the prompt to toggle can be commented out so it can function the same way
    (only better, imho, because your script is still gonna let defender run a scan after a while, and it disables the firewall feature as well, which is a huge no-go)
     
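To see what the "replace the 1 with a 0" edit above actually changes, here is an added example (not part of RunAsTI or any script in this thread) that decodes a CreateProcess dwCreationFlags value into the documented Win32 flag names and applies the documented rule that CREATE_NO_WINDOW is ignored when CREATE_NEW_CONSOLE or DETACHED_PROCESS is also set. The table and function names are this example's own; it runs in Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example, not part of the RunAsTI snippet: decode the dwCreationFlags value that
# RunAsTI hands to CreateProcess, so the effect of 0x0E080610 -> 0x0E080600 is visible.
# Values are the documented Win32 process creation flags (winbase.h).
$CreationFlags = [ordered]@{
    DETACHED_PROCESS                 = 0x00000008
    CREATE_NEW_CONSOLE               = 0x00000010
    CREATE_NEW_PROCESS_GROUP         = 0x00000200
    CREATE_UNICODE_ENVIRONMENT       = 0x00000400
    EXTENDED_STARTUPINFO_PRESENT     = 0x00080000
    CREATE_BREAKAWAY_FROM_JOB        = 0x01000000
    CREATE_PRESERVE_CODE_AUTHZ_LEVEL = 0x02000000
    CREATE_DEFAULT_ERROR_MODE        = 0x04000000
    CREATE_NO_WINDOW                 = 0x08000000
}

function ConvertTo-CreationFlagNames {
    param([uint32]$Value)
    $names = @()
    $known = 0
    foreach ($entry in $CreationFlags.GetEnumerator()) {
        $known = $known -bor $entry.Value
        if (($Value -band $entry.Value) -ne 0) { $names += $entry.Key }
    }
    # bits outside the table above are reported as a raw hex remainder
    $rest = $Value -band (-bnot $known)
    if ($rest -ne 0) { $names += ('0x{0:X8}' -f $rest) }
    return $names
}

function Test-ConsoleWindowHidden {
    param([uint32]$Value)
    # CreateProcess ignores CREATE_NO_WINDOW when CREATE_NEW_CONSOLE or DETACHED_PROCESS
    # is also set, which is why the ...610 value still produced a console window.
    $noWindow   = ($Value -band 0x08000000) -ne 0
    $overriding = ($Value -band (0x00000010 -bor 0x00000008)) -ne 0
    return ($noWindow -and -not $overriding)
}

foreach ($w in 0x0E080610, 0x0E080600) {
    '0x{0:X8}: {1}' -f $w, ((ConvertTo-CreationFlagNames -Value $w) -join ' | ')
    '            console window hidden: {0}' -f (Test-ConsoleWindowHidden -Value $w)
}
```

The output shows that both values carry CREATE_NO_WINDOW; the only difference is CREATE_NEW_CONSOLE (0x10), and clearing it is what lets CREATE_NO_WINDOW take effect. For defenders, a process started with CREATE_NO_WINDOW and a CreateProcess caller holding a TrustedInstaller token is the kind of combination worth logging in process-creation telemetry.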
  9. geepnozeex

    geepnozeex MDL Junior Member

    Oct 21, 2014
    81
    79
    0
    #49 geepnozeex, Sep 27, 2021
    Last edited: Dec 13, 2021
    no.
    I did it - it doesn't work, that's why I asked for help.
     
  10. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
    what did you do exactly? because it definitely works verbatim as I've posted it
    ofc to call it from something else you would use something like powershell -win 1 -nop -exec bypass -file path\to\script.ps1

    ..how is that a built-in tool when it's an sfx exe with yet another 3rd-party exe tool for ti elevation
    that's already 2 huge no-gos - no exe should ever go near configuring your av.. especially when a fully plain-text script is available
    and working depending on the state.. ToggleDefender does that as well if you #comment lines 8 - 11; it was changed to show a prompt for convenience, by popular request
    also works without rebooting and does a bit more configuring and safeguarding, while not disabling the firewall (like.. wtf, disabling defender to regain performance without interruption for a while is understandable, but why do that to the firewall as well and be left butt naked on the network when at every other millisecond somebody runs a penetration scan)
    I guess the winx shortcut is useful, but then again I would not bloat that already large menu with such entries
    I find it much more convenient to run a script directly, or even just copy-paste the code in powershell once in a blue moon when I install stuff and need defender back on
    at least the other popular tool is digitally signed (tho it has been reported broken several times already, while the ToggleDefender script simply worked fine)
     
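Both scripts discussed above flip the same handful of registry values, services and (in one case) the firewall. Whichever one is used, the state worth checking afterwards is the machine's actual protection state, not the script's exit code. The following is an added example, not ToggleDefender and not any script from this thread: it reads back the registry values and services that the script posted earlier touches, adds firewall profile and Defender status, and summarises anything that looks toggled off. It assumes Windows 10/11 with the Defender and NetSecurity PowerShell modules present; the function names are this example's own.

```powershell
# Added example, not ToggleDefender or any script from this thread: read back the
# settings the Defender toggle scripts above change, plus firewall profile state,
# so the real protection state can be verified or logged afterwards.
function Get-DefenderToggleState {
    # registry values taken from the toggle script posted earlier in the thread
    $keys = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Name = 'DisableAntiSpyware' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                         Name = 'DisableAntiSpyware' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender';                         Name = 'DisableAntiVirus' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features';                Name = 'TamperProtection' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';          Name = 'SmartScreenEnabled' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'SettingsPageVisibility' }
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';               Name = 'SecurityHealth' }
    )
    $registry = foreach ($k in $keys) {
        $item = Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key   = "$($k.Path)\$($k.Name)"
            Value = $(if ($item) { $item.($k.Name) } else { '<absent>' })
        }
    }
    # WinDefend, WdNisSvc, Sense and SecurityHealthService are Win32 services;
    # WdBoot, WdFilter and WdNisDrv are kernel drivers and live in a different WMI class
    $services = Get-CimInstance Win32_Service -Filter "Name='WinDefend' OR Name='WdNisSvc' OR Name='Sense' OR Name='SecurityHealthService'" |
        Select-Object Name, State, StartMode
    $drivers  = Get-CimInstance Win32_SystemDriver -Filter "Name='WdBoot' OR Name='WdFilter' OR Name='WdNisDrv'" |
        Select-Object Name, State, StartMode
    $firewall = Get-NetFirewallProfile | Select-Object Name, Enabled
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue   # $null when the Defender module is missing
    [pscustomobject]@{
        Registry           = $registry
        Services           = @($services) + @($drivers)
        Firewall           = $firewall
        RealTimeProtection = $(if ($mp) { $mp.RealTimeProtectionEnabled } else { $null })
        TamperProtected    = $(if ($mp) { $mp.IsTamperProtected } else { $null })
    }
}

# Summarise the state as a list of findings; an empty list means nothing looks toggled off.
function Test-ProtectionIntact {
    param($State = (Get-DefenderToggleState))
    $findings = @()
    foreach ($r in $State.Registry) {
        if ($r.Key -match 'DisableAnti(Spyware|Virus)$' -and $r.Value -eq 1) { $findings += "registry: $($r.Key) = 1" }
        if ($r.Key -match 'SmartScreenEnabled$' -and $r.Value -eq 'Off')     { $findings += 'registry: SmartScreen is Off' }
        if ($r.Key -match 'SettingsPageVisibility$' -and "$($r.Value)" -match 'windowsdefender') {
            $findings += 'registry: Defender settings page hidden'
        }
    }
    $wd = $State.Services | Where-Object Name -eq 'WinDefend'
    if (-not $wd -or $wd.State -ne 'Running') { $findings += 'service: WinDefend not running' }
    if ($State.RealTimeProtection -eq $false) { $findings += 'defender: real-time protection disabled' }
    foreach ($p in $State.Firewall) {
        if ("$($p.Enabled)" -ne 'True') { $findings += "firewall: $($p.Name) profile disabled" }
    }
    [pscustomobject]@{ Intact = ($findings.Count -eq 0); Findings = $findings }
}

Test-ProtectionIntact | Format-List
```

Run it from an elevated prompt (the policy keys are not readable otherwise on every build). The firewall check is there because of the point made above: a Defender toggle that also turns off the firewall profiles shows up here as separate findings per profile, so the two decisions are never confused.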
  11. Might be shorter command-line params:

    powershell -w h -nop -noni -noe -ep bypass -f path\to\script.ps1 ;)
     
  12. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
    obviously in this scenario noexit is unwanted, and for the others not even I go as far as to keep it intelligible
    tho yours is actually 4 chars longer :D
     
  13. Yes Absolutely Correct -NOE is unwanted in this :D;)
     
  14. Famingpunk

    Famingpunk MDL Novice

    May 20, 2021
    32
    9
    0
    Hi @BAU
    Thanks for these awesome scripts.
    is there any one-liner command available to elevate a ps1 script?
    I tried this
    Code:
    set _=call "%~f0" %*& fltmc>nul||(powershell -nop -c start cmd -args'/d/x/r',$env:_ -verb runas &&exit/b ||pause&exit/b)
    
    did not work as I had intended.
     
  15. fLOW.

    fLOW. MDL Senior Member

    Jul 28, 2009
    485
    583
    10
  16. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
  17. KedarWolf

    KedarWolf MDL Addicted

    Mar 17, 2016
    977
    874
    30
    SPOILER: [28L] SNIPPET TO RUN AS TI/SYSTEM, WITH /HIGH PRIORITY, /PRIV OWNERSHIP, EXPLORER AND HKCU LOAD

    How do I actually run this in PowerShell?
     
  18. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
    by copy-pasting the code in powershell and pressing enter ;)
    if you need to run it in a powershell script, check the integration examples
     
  19. drew84

    drew84 MDL Expert

    Mar 13, 2014
    1,396
    2,376
    60
    #59 drew84, Nov 10, 2021
    Last edited: Nov 12, 2021
    ... removed, as apparently misleading... see post below
     
  20. AveYo

    AveYo MDL Expert

    Feb 10, 2009
    1,836
    5,727
    60
    no, that one is geared towards that project (does not need explorer load support since it opens powershell directly, so I've removed the lines for it)
     