1. m7ke

    m7ke MDL Novice

    Sep 11, 2020
    8
    6
    0
This started happening to me today; keep an eye on Windows Defender. It started flagging Trojan:Win32/Mamson.A!ml when trying to remove components. Allow it in Defender and whitelist your toolkit folder and you'll be good to go.
     
  2. Yanta

    Yanta MDL Senior Member

    May 21, 2017
    491
    284
    10
How do I add the NoGenTicket value to a protected registry key? Cannot take ownership and cannot change permissions. This is on a live system, without having to rebuild the image with the toolkit and reinstall.

    Registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\slui.exe\
    Value: Nogenticket data: 1
     
  3. S1L3nCe

    S1L3nCe MDL Novice

    Aug 14, 2022
    1
    0
    0
  4. haz367

    haz367 MDL Addicted

    Jan 11, 2020
    843
    1,541
    30
    Hey,

    Try the registry file from AveYo?

    RunAsTI.reg

At least it works fine on a mounted registry hive...


    Code:
    Windows Registry Editor Version 5.00
    
    ; Context Menu entries to use RunAsTI - lean and mean snippet by AveYo, 2018-2022
    ; [FEATURES]
    ; - innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile
    ; - sets ownership privileges, high priority, and explorer support; get System if TI unavailable    
    ; - accepts special characters in paths for which default run as administrator fails
    ; - show on the new 11 contextmenu via whitelisted id; plenty other available, f**k needing an app!
    ; 2022.04.07: PowerShell / Terminal here (if installed, use Terminal as TI, else use PowerShell as TI)
    
    [-HKEY_CLASSES_ROOT\RunAsTI]
    [-HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper]
    [-HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper]
    [-HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper]
    [-HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper]
    [-HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper]
    [-HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper]
    [-HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper]
    [-HKEY_CLASSES_ROOT\Directory\background\shell\extract]
    ; To remove entries, copy paste above into undo_RunAsTI.reg file, then import it
    
    ; RunAsTI on .bat
    [HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper]
    "MUIVerb"="Run as trustedinstaller"
    "HasLUAShield"=""
    "Icon"="powershell.exe,0"
    [HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""
    
    ; RunAsTI on .cmd
    [HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper]
    "MUIVerb"="Run as trustedinstaller"
    "HasLUAShield"=""
    "Icon"="powershell.exe,0"
    [HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""
    
    ; RunAsTI on .exe
    [HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper]
    "MUIVerb"="Run as trustedinstaller"
    "HasLUAShield"=""
    "Icon"="powershell.exe,0"
    [HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""
    
    ; RunAsTI on .msc
    [HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper]
    "MUIVerb"="Run as trustedinstaller"
    "HasLUAShield"=""
    "Icon"="powershell.exe,0"
    [HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""
    
    ; RunAsTI on .ps1
    [HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper]
    "MUIVerb"="Run as trustedinstaller"
    "HasLUAShield"=""
    "Icon"="powershell.exe,0"
    [HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% powershell -nop -c iex((gc -lit '%L')-join[char]10)"
    
    ; RunAsTI on .reg
    [HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper]
    "MUIVerb"="Import as trustedinstaller"
    "HasLUAShield"=""
    "Icon"="powershell.exe,0"
    [HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% regedit /s \"%L\""
    
    ; RunAsTI on Folder
    [HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper]
    "MuiVerb"="Open as trustedinstaller"
    "HasLUAShield"=""
    "Icon"="powershell.exe,0"
    "AppliesTo"="NOT System.ParsingName:=\"::{645FF040-5081-101B-9F08-00AA002F954E}\""
    [HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""
    
    ; Open Terminal or Powershell as trustedinstaller here - can spawn another terminal with: cmd /c $env:wt
    [HKEY_CLASSES_ROOT\Directory\background\shell\extract]
    "MuiVerb"="PowerShell / Terminal"
    "HasLUAShield"=""
    "NoWorkingDirectory"=""
    "Position"=-
    "Position"="Middle"
    "Icon"="powershell.exe,0"
    [HKEY_CLASSES_ROOT\Directory\background\shell\extract\command]
    @="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% cmd /c pushd \"%V\" & start \"RunAsTI\" %%wt%%"
    
    ; RunAsTI function
    [HKEY_CLASSES_ROOT\RunAsTI]
    "10"="function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key=\"Registry::HKU\\$(((whoami /user)-split' ')[-1])\\Volatile Environment\"; $code=@'"
    "11"=" $I=[int32]; $M=$I.module.gettype(\"System.Runtime.Interop`Services.Mar`shal\"); $P=$I.module.gettype(\"System.Int`Ptr\"); $S=[string]"
    "12"=" $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain.\"DefineDynami`cAssembly\"(1,1).\"DefineDynami`cModule\"(1); $Z=[uintptr]::size "
    "13"=" 0..5|% {$D += $DM.\"Defin`eType\"(\"AveYo_$_\",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_].\"MakeByR`efType\"()}"
    "14"=" $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)"
    "15"=" 0..2|% {$9=$D[0].\"DefinePInvok`eMethod\"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}"
    "16"=" $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)"
    "17"=" 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\"Defin`eField\"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_].\"Creat`eType\"()}"
    "18"=" 0..5|% {nv \"A$_\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0].\"G`etMethod\"($1).invoke(0,$2)}"
    "19"=" $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}"
    "20"=" if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}"
    "21"=" function M ($1,$2,$3) {$M.\"G`etMethod\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \"AllocHG`lobal\" $I $_}"
    "22"=" M \"WriteInt`Ptr\" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1"
    "23"=" $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \"StructureTo`Ptr\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)"
    "24"=" $Run=@($null, \"powershell -win 1 -nop -c iex `$env:R; # $id\", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))"
    "25"=" F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process].\"GetM`ember\"('SetPrivilege',42)[0]"
    "26"=" 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @(\"$_\",2))}"
    "27"=" $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]"
    "28"=" function L ($1,$2,$3) {sp 'Registry::HKCR\\AppID\\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0"
    "29"="  $b=[Text.Encoding]::Unicode.GetBytes(\"\\Registry\\User\\$1\"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}"
    "30"=" function Q {[int](gwmi win32_process -filter 'name=\"explorer.exe\"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}"
    "31"=" $env:wt='powershell'; dir \"$env:ProgramFiles\\WindowsApps\\Microsoft.WindowsTerminal*\\wt.exe\" -rec|% {$env:wt='\"'+$_.FullName+'\" \"-d .\"'}"
    "32"=" $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))"
    "33"=" if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {$9=[Reflection.Assembly]::LoadWithPartialName(\"'$_\")}}"
    "34"=" if ($11bug) {$path='^(l)'+$($cmd -replace '([\\+\\^\\%\\~\\(\\)\\[\\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}"
    "35"=" L ($key-split'\\\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}"
    "36"=" if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}"
    "37"=" if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'"
    "38"="'@; $V='';'cmd','arg','id','key'|%{$V+=\"`n`$$_='$($(gv $_ -val)-replace\"'\",\"''\")';\"}; sp $key $id $($V,$code) -type 7 -force -ea 0"
    "39"=" start powershell -args \"-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R\" -verb runas"
    "40"="}; $A=([environment]::commandline-split'-[-]%+ ?',2)[1]-split'\"([^\"]+)\"|([^ ]+)',2|%{$_.Trim(' \"')}; RunAsTI $A[1] $A[2]; # AveYo, 2022.04.07"
    ;
    Yanta said:
        Registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\slui.exe\
        Value: Nogenticket data: 1
     
  5. inTerActionVRI

    inTerActionVRI MDL Expert

    Sep 23, 2009
    1,770
    3,601
    60
    Yup.

For our case (use of tools to modify), I am considering as custom only those images that undergo modifications made by the end user.
     
  6. inTerActionVRI

    inTerActionVRI MDL Expert

    Sep 23, 2009
    1,770
    3,601
    60
    #23527 inTerActionVRI, Aug 16, 2022
    Last edited: Aug 16, 2022
    See if it works with mounting hives to apply the tweak commands.

I think that only the last command can give an error, as it applies directly to the Local Machine registry.

Save as "NoGenTicket.cmd" and run as Admin or even as TrustedInstaller.
    Code:
    @echo OFF
    
    cd /d "%~dp0"
    
    setlocal EnableExtensions EnableDelayedExpansion
    
    rem Locate the Default profile folder from ProfileList (REG_EXPAND_SZ, normally %SystemDrive%\Users\Default).
    rem "call set" expands the %SystemDrive% contained in the value; fall back to the usual path if the query fails.
    set "DU_PROFILE="
    for /f "tokens=2,*" %%a in ('reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /v Default 2^>nul ^| findstr.exe /I "REG_"') do call set "DU_PROFILE=%%b"
    if not defined DU_PROFILE set "DU_PROFILE=%SystemDrive%\Users\Default"
    set "DU_NTUSERdat=%DU_PROFILE%\NTUSER.dat"
    
    rem Default USER: this hive is only opened when a new profile is created, so it can be mounted.
    set "HKDU_LOADED="
    if exist "!DU_NTUSERdat!" (
        reg.exe load HKLM\HKDU "!DU_NTUSERdat!" >nul && set "HKDU_LOADED=1"
    )
    if defined HKDU_LOADED (
        reg.exe add "HKLM\HKDU\Software\Classes\AppID\slui.exe" /v "NoGenTicket" /t REG_DWORD /d "1" /f
        reg.exe add "HKLM\HKDU\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t REG_DWORD /d "1" /f
        rem Un-Mounting Default USER Registry Hive
        reg.exe unload HKLM\HKDU >nul
    ) else (
        echo Could not load "!DU_NTUSERdat!" - skipping the Default user hive.
    )
    
    rem Current USER Profile: its NTUSER.dat is already loaded as HKCU, so "reg load" on the file
    rem fails (file in use). Write to HKCU directly instead. Note: under a SYSTEM/TrustedInstaller
    rem token (e.g. NSudo) HKCU is that account's hive, not the logged-on user's.
    reg.exe add "HKCU\Software\Classes\AppID\slui.exe" /v "NoGenTicket" /t REG_DWORD /d "1" /f
    reg.exe add "HKCU\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t REG_DWORD /d "1" /f
    
    rem Local Machine entries. HKCR is only a merged view of HKLM\SOFTWARE\Classes (plus HKCU\Software\Classes),
    rem so one write to HKLM\SOFTWARE\Classes\AppID\slui.exe covers the HKCR entry as well.
    rem This key is protected and may answer "Access is denied" even when elevated.
    reg.exe add "HKLM\SOFTWARE\Classes\AppID\slui.exe" /v "NoGenTicket" /t REG_DWORD /d "1" /f
    if errorlevel 1 echo Access denied on HKLM\SOFTWARE\Classes\AppID\slui.exe - the key's ACL blocks this token.
    reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t REG_DWORD /d "1" /f
    
    endlocal
    exit /B 0
    

EDIT: I put the entry you mentioned (...\Classes\AppID\slui.exe) in the commands.
     
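The same tweak applied to an offline hive, as an added example that is not part of inTerActionVRI's script, AveYo's snippet or the MSMG Toolkit: it loads a hive file (a mounted image's SOFTWARE hive or a Default profile NTUSER.DAT) under a temporary mount point, writes both NoGenTicket DWORDs, reads them back, prints the key's owner and DACL when a write is denied, and unloads the hive even on failure. The hive path, the mount point name HKLM\OfflineHive, and the rule that a file named NTUSER.DAT needs a Software\ prefix are assumptions for the example, not details from the thread.

```powershell
# Added example (PowerShell), not code from the thread or from the MSMG Toolkit.
# Writes the NoGenTicket DWORDs into an OFFLINE hive (a mounted image's SOFTWARE hive
# or a Default profile NTUSER.DAT) instead of the live, protected HKLM key.
# Assumed, not from the thread: the hive file path, the temporary mount point
# HKLM\OfflineHive and the SOFTWARE-vs-NTUSER.DAT layout rule below.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory)][string]$HiveFile,   # e.g. D:\Mount\Windows\System32\config\SOFTWARE (assumed path)
    [string]$MountName = 'OfflineHive'
)
$ErrorActionPreference = 'Stop'

# A SOFTWARE hive's root is HKLM\SOFTWARE itself, so its keys start at Classes\...;
# an NTUSER.DAT's root is the user's HKCU, where the same keys sit under Software\...
$prefix  = if ((Split-Path -Leaf $HiveFile) -ieq 'NTUSER.DAT') { 'Software\' } else { '' }
$targets = @(
    "${prefix}Classes\AppID\slui.exe",
    "${prefix}Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform"
)

function Show-KeyAcl([string]$RegPath) {
    # Owner and DACL of a key: this, not the account name, decides an "Access is denied".
    $acl = Get-Acl -LiteralPath "Registry::$RegPath"
    Write-Host ("{0}`n  owner: {1}" -f $RegPath, $acl.Owner)
    foreach ($ace in $acl.Access) {
        Write-Host ("  {0,-5} {1,-40} {2}" -f $ace.AccessControlType, $ace.IdentityReference, $ace.RegistryRights)
    }
}

function Set-NoGenTicketOffline([string]$HiveFile, [string]$MountName, [string[]]$RelativeKeys) {
    $root = "HKLM\$MountName"
    # reg.exe load relies on the backup/restore privileges an elevated token already holds.
    # It fails when the file is in use, e.g. the logged-on user's own NTUSER.DAT.
    & reg.exe load $root $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for '$HiveFile' (exit code $LASTEXITCODE)" }
    try {
        foreach ($rel in $RelativeKeys) {
            $key = "$root\$rel"
            if (-not (Test-Path -LiteralPath "Registry::$key")) {
                $null = New-Item -Path "Registry::$key" -Force   # -Force also creates missing parents
            }
            try {
                Set-ItemProperty -LiteralPath "Registry::$key" -Name NoGenTicket -Value 1 -Type DWord
            } catch {
                Show-KeyAcl $key      # the hive's own ACL still applies while it is loaded
                throw
            }
            $back = (Get-ItemProperty -LiteralPath "Registry::$key" -Name NoGenTicket).NoGenTicket
            if ($back -ne 1) { throw "read-back mismatch at $key" }
            Write-Host "OK  $key  NoGenTicket = $back"
        }
    }
    finally {
        # The registry provider caches key handles; until they are released, reg unload answers
        # "Access is denied" and the hive file stays locked, which also blocks a DISM commit/unmount.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        for ($i = 0; $i -lt 10; $i++) {
            & reg.exe unload $root | Out-Null
            if ($LASTEXITCODE -eq 0) { break }
            Start-Sleep -Milliseconds 500
        }
        if ($LASTEXITCODE -ne 0) { Write-Warning "hive still loaded at $root; close regedit and run: reg unload $root" }
    }
}

Set-NoGenTicketOffline -HiveFile $HiveFile -MountName $MountName -RelativeKeys $targets
```

Run it from an elevated PowerShell after the image is mounted and before it is committed, e.g. `.\Set-NoGenTicketOffline.ps1 -HiveFile 'D:\Mount\Windows\System32\config\SOFTWARE'` (script name and path assumed). On a live system the same Show-KeyAcl call against `HKLM\SOFTWARE\Classes\AppID\slui.exe` shows which identity owns the key and which ACEs apply, which is the information needed to understand an "Access is denied" regardless of the account the script runs as.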
  7. bala1

    bala1 MDL Member

    May 2, 2015
    179
    150
    10
  8. 4MySanity

    4MySanity MDL Novice

    Aug 17, 2022
    16
    1
    0
    When trying to remove components from the wim image, I get the generic error "This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information."
    How do I fix this?
     
  9. m7ke

    m7ke MDL Novice

    Sep 11, 2020
    8
    6
    0
Look up a few posts; it's most likely Windows Defender blocking the action due to a false positive.
     
  10. inTerActionVRI

    inTerActionVRI MDL Expert

    Sep 23, 2009
    1,770
    3,601
    60
As I said, "This week I would try with the new update."
I am back with feedback on the resolution.
I simply made the new custom ISO 19044.1947.
I did the in-place update and everything went well.
Problem solved.
     
  11. xCyBx

    xCyBx MDL Senior Member

    Aug 6, 2018
    368
    747
    10
    #23532 xCyBx, Aug 20, 2022
    Last edited: Sep 1, 2022
    Deleted
     
  12. Yanta

    Yanta MDL Senior Member

    May 21, 2017
    491
    284
    10
    Thanks. Sorry for the delay. Had to wait for the weekend to try it out.

    All of the slui.exe reg commands fail with Access Denied.
    Checked the registry after reboot and none of the slui.exe registry entries have been added.
     
  13. inTerActionVRI

    inTerActionVRI MDL Expert

    Sep 23, 2009
    1,770
    3,601
    60
    #23534 inTerActionVRI, Aug 21, 2022
    Last edited: Aug 21, 2022
Understood. If it didn't work out even when executing the script as Admin, I don't know another way to help you right now.

You are not using one of the SPbuilds 1862, 1865 or 1889, right?

If so, try updating to 19044.1947. Those previous ones were very buggy.
In my tests and daily use, I noticed this. In 1947, fluidity came back.
     
  14. Feartamixg

    Feartamixg MDL Addicted

    May 15, 2016
    786
    631
    30
    Has anybody heard from @MSMG recently? I suspect he has gone quiet, because he is working hard to help his family, but I wondered if perhaps anybody else knew if he was okay.

    Looking to reinstall Windows 10 19044.1889 on a machine soon, but would rather have a clean install with help from the ToolKit before doing so.
     
  15. doffy90

    doffy90 MDL Novice

    Nov 9, 2015
    46
    5
    0
    Are the apps we remove with MSMG toolkit still supposed to show up under settings > apps in win11? Several of the ones I removed are still showing up and can be "uninstalled".
     
  16. Yanta

    Yanta MDL Senior Member

    May 21, 2017
    491
    284
    10
    #23537 Yanta, Aug 21, 2022
    Last edited: Aug 21, 2022
    No, all PCs here are LTSC 1809

    Nothing useful or worthwhile in later versions, and the issue with bloat being restored was never solved so have stuck with what works.

I forgot to mention I ran it as TrustedInstaller via NSudo.

OK, if it can't be done on a live system, can I integrate the registry tweaks with the toolkit? Only the slui.exe ones are needed, as the Software Protection Platform registry values can already be added.
     
  17. inTerActionVRI

    inTerActionVRI MDL Expert

    Sep 23, 2009
    1,770
    3,601
    60
    #23538 inTerActionVRI, Aug 21, 2022
    Last edited: Aug 21, 2022
In the Toolkit, you can integrate it as a .reg file, but if the system does not support this integration, what you integrated will not be there when the system starts.


    EDIT:
What I meant is that there is a protection against obsolete registry entries in each build.

I suppose this because, otherwise, we could keep filling the registry with entries that MS no longer uses. And that doesn't happen. There is no block on attempts to insert registry entries that are no longer considered for a particular build. But there is a filter that cleans those registry entries.
     
  18. MSMG

    MSMG MDL Developer

    Jul 15, 2011
    6,414
    15,627
    210
I was not well this past week, hence the delay. I will be uploading the new version once the packs are updated; I have uploaded the updated Toolkit.cmd and ToolKitHelper.exe to support the Patch Tuesday update, so you can use them to remove the components.

    The updated ToolKitHelper.exe supports the source images with the below updates integrated.

    Windows 10 Client v1809/LTSC2019 (v10.0.17763.1/v10.0.17763.3287 [KB5016623])
    Windows 10 Client v1903 (v10.0.18362.1) & v1903/v1909 (v10.0.1836x.2274 [KB5013945])
    Windows 10 Client v2004 (v10.0.19041.1) & v2004/v20H2/v21H1/v21H2 (v10.0.1904x.1889 [KB5016616])
    Windows 10 Enterprise LTSC2021 (v10.0.19044.1288/v10.0.19044.1889 [KB5016616])
    Windows 11 Client v21H2 (v10.0.22000.1/v10.0.22000.856 [KB5016629])
    Windows 11 Client v22H2 (v10.0.22621.1/v10.0.22621.382 [KB5016632])

    Also it supports Windows 10 Enterprise LTSC2021 (v10.0.19044.1947 [KB5016688]) Preview


Someone was asking about component removal for arm64 source images. Right now the ToolkitHelper does not support arm64 builds, as I don't have a proper arm64 device to test the image; I do have a Raspberry Pi 3, but it's dead slow to operate.
     
  19. Feartamixg

    Feartamixg MDL Addicted

    May 15, 2016
    786
    631
    30
I am sorry to hear that you haven't been very well recently. Thank you for keeping us updated and also for taking the time to update those CMD and EXE files. I shall probably do some testing tonight, as I have a 1909 system that keeps trying to do a feature upgrade and desperately needs reinstalling to shut it up.