This started happening to me today, keep an eye on Windows Defender. It started flagging Trojan:Win32/Mamson.A!ml when trying to remove components. Allow it in defender and whitelist your toolkit folder and you'll be good to go.
How to add the nogenticket value to a protected registry key? Cannot take ownership and cannot change permissions. On a live system, without having to rebuild the image with toolkit and reinstall.
Registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\slui.exe\
Value: Nogenticket
data: 1
Hey, Try the registry file from AveYo? RunAsTI.reg At least it works fine on a mounted registry hive...
Code:
Windows Registry Editor Version 5.00

; Context Menu entries to use RunAsTI - lean and mean snippet by AveYo, 2018-2022
; [FEATURES]
; - innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile
; - sets ownership privileges, high priority, and explorer support; get System if TI unavailable
; - accepts special characters in paths for which default run as administrator fails
; - show on the new 11 contextmenu via whitelisted id; plenty other available, f**k needing an app!
; 2022.04.07: PowerShell / Terminal here (if installed, use Terminal as TI, else use PowerShell as TI)

[-HKEY_CLASSES_ROOT\RunAsTI]
[-HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper]
[-HKEY_CLASSES_ROOT\Directory\background\shell\extract]
; To remove entries, copy paste above into undo_RunAsTI.reg file, then import it

; RunAsTI on .bat
[HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\batfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .cmd
[HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\cmdfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .exe
[HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\exefile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .msc
[HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\mscfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; RunAsTI on .ps1
[HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper]
"MUIVerb"="Run as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\Microsoft.PowerShellScript.1\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% powershell -nop -c iex((gc -lit '%L')-join[char]10)"

; RunAsTI on .reg
[HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper]
"MUIVerb"="Import as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\regfile\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% regedit /s \"%L\""

; RunAsTI on Folder
[HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper]
"MuiVerb"="Open as trustedinstaller"
"HasLUAShield"=""
"Icon"="powershell.exe,0"
"AppliesTo"="NOT System.ParsingName:=\"::{645FF040-5081-101B-9F08-00AA002F954E}\""
[HKEY_CLASSES_ROOT\Folder\shell\setdesktopwallpaper\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \"%L\""

; Open Terminal or Powershell as trustedinstaller here - can spawn another terminal with: cmd /c $env:wt
[HKEY_CLASSES_ROOT\Directory\background\shell\extract]
"MuiVerb"="PowerShell / Terminal"
"HasLUAShield"=""
"NoWorkingDirectory"=""
"Position"=-
"Position"="Middle"
"Icon"="powershell.exe,0"
[HKEY_CLASSES_ROOT\Directory\background\shell\extract\command]
@="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% cmd /c pushd \"%V\" & start \"RunAsTI\" %%wt%%"

; RunAsTI function
[HKEY_CLASSES_ROOT\RunAsTI]
"10"="function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key=\"Registry::HKU\\$(((whoami /user)-split' ')[-1])\\Volatile Environment\"; $code=@'"
"11"=" $I=[int32]; $M=$I.module.gettype(\"System.Runtime.Interop`Services.Mar`shal\"); $P=$I.module.gettype(\"System.Int`Ptr\"); $S=[string]"
"12"=" $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain.\"DefineDynami`cAssembly\"(1,1).\"DefineDynami`cModule\"(1); $Z=[uintptr]::size "
"13"=" 0..5|% {$D += $DM.\"Defin`eType\"(\"AveYo_$_\",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_].\"MakeByR`efType\"()}"
"14"=" $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)"
"15"=" 0..2|% {$9=$D[0].\"DefinePInvok`eMethod\"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}"
"16"=" $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)"
"17"=" 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\"Defin`eField\"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_].\"Creat`eType\"()}"
"18"=" 0..5|% {nv \"A$_\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0].\"G`etMethod\"($1).invoke(0,$2)}"
"19"=" $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}"
"20"=" if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}"
"21"=" function M ($1,$2,$3) {$M.\"G`etMethod\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \"AllocHG`lobal\" $I $_}"
"22"=" M \"WriteInt`Ptr\" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1"
"23"=" $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \"StructureTo`Ptr\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)"
"24"=" $Run=@($null, \"powershell -win 1 -nop -c iex `$env:R; # $id\", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))"
"25"=" F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process].\"GetM`ember\"('SetPrivilege',42)[0]"
"26"=" 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @(\"$_\",2))}"
"27"=" $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]"
"28"=" function L ($1,$2,$3) {sp 'Registry::HKCR\\AppID\\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0"
"29"=" $b=[Text.Encoding]::Unicode.GetBytes(\"\\Registry\\User\\$1\"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}"
"30"=" function Q {[int](gwmi win32_process -filter 'name=\"explorer.exe\"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}"
"31"=" $env:wt='powershell'; dir \"$env:ProgramFiles\\WindowsApps\\Microsoft.WindowsTerminal*\\wt.exe\" -rec|% {$env:wt='\"'+$_.FullName+'\" \"-d .\"'}"
"32"=" $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))"
"33"=" if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {$9=[Reflection.Assembly]::LoadWithPartialName(\"'$_\")}}"
"34"=" if ($11bug) {$path='^(l)'+$($cmd -replace '([\\+\\^\\%\\~\\(\\)\\[\\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}"
"35"=" L ($key-split'\\\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}"
"36"=" if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}"
"37"=" if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'"
"38"="'@; $V='';'cmd','arg','id','key'|%{$V+=\"`n`$$_='$($(gv $_ -val)-replace\"'\",\"''\")';\"}; sp $key $id $($V,$code) -type 7 -force -ea 0"
"39"=" start powershell -args \"-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R\" -verb runas"
"40"="}; $A=([environment]::commandline-split'-[-]%+ ?',2)[1]-split'\"([^\"]+)\"|([^ ]+)',2|%{$_.Trim(' \"')}; RunAsTI $A[1] $A[2]; # AveYo, 2022.04.07"

Yanta said: Registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\slui.exe\ Value: Nogenticket data: 1
Yup. For our case (use of tools to modify), I am considering custom, only those Images that undergo modifications made by the end user.
See if it works with mounting hives to apply the tweak commands. I think that only the last command can give error as it is applying directly to the Local Machine Registry. Save as "NoGenTicket.cmd" and Run as Admin or even as TrustedInstaller
Code:
@echo OFF
cd /d "%~dp0"
setlocal EnableExtensions EnableDelayedExpansion

for /f %%f in ('dir /B /ADH-I /OG "%HomeDRIVE%\Users" ^| findstr.exe /I "Default" 2^>nul') do (
    if exist "%HomeDRIVE%\Users\%%f\NTUSER.dat" (
        set "DU_NTUSERdat=%HomeDRIVE%\Users\%%f\NTUSER.dat"
    )
)
if exist "%USERPROFILE%\NTUSER.dat" (
    set "CUP_NTUSERdat=%USERPROFILE%\NTUSER.dat"
)

TaskKill.exe /F /IM "explorer.exe"

:: Mounting Live Windows Session Image Registry Hive for:
rem Default USER
reg.exe load HKLM\HKDU "!DU_NTUSERdat!"
rem Current USER Profile
reg.exe load HKLM\HKCUP "!CUP_NTUSERdat!"

reg.exe add "HKLM\HKDU\Software\Classes\AppID\slui.exe" /v "NoGenTicket" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\HKDU\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\HKCUP\Software\Classes\AppID\slui.exe" /v "NoGenTicket" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\HKCUP\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t REG_DWORD /d "1" /f

rem Directly to Classes ROOT entries
reg.exe add "HKCR\AppID\slui.exe" /v "NoGenTicket" /t REG_DWORD /d "1" /f

rem Directly to Local Machine entries
reg.exe add "HKLM\SOFTWARE\Classes\AppID\slui.exe" /v "NoGenTicket" /t REG_DWORD /d "1" /f
reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform" /v "NoGenTicket" /t REG_DWORD /d "1" /f

:: Un-Mounting Image Registry Hive
reg.exe unload HKLM\HKDU
reg.exe unload HKLM\HKCUP

start "" /I "explorer.exe"
exit /B 0

EDIT: I put the entrance you mentioned (...\Classes\AppID\slui.exe) in the commands.
When trying to remove components from the wim image, I get the generic error "This application has requested the Runtime to terminate it in an unusual way. Please contact the application's support team for more information." How do I fix this?
As I said, "This week I would try with the new update." I come to bring the resolution feedback. I simply made the new custom iso 19044.1947. I did the Inplace Update and everything went well. Problem solved.
Thanks. Sorry for the delay. Had to wait for the weekend to try it out. All of the slui.exe reg commands fail with Access Denied. Checked the registry after reboot and none of the slui.exe registry entries have been added.
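A read-only check of where the Access Denied reported above comes from, as an added example that is not code from any poster in this thread: for each HKLM key the NoGenTicket.cmd script targets, it reports whether the key and value exist, who owns the key, and which identities its ACL grants SetValue or CreateSubKey. The helper name Get-KeyWriteReport is made up for this example.

```powershell
# Added example, not code from the thread. Read-only: it changes nothing.
# Key paths are the HKLM targets of the NoGenTicket.cmd script posted above.
$targets = @(
    'HKLM:\SOFTWARE\Classes\AppID\slui.exe',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform'
)
# Rights "reg add" needs: SetValue on an existing key, CreateSubKey on the
# parent when the key itself is missing.
$writeBits = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey'

# Get-KeyWriteReport is a hypothetical helper name chosen for this example.
function Get-KeyWriteReport {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ValueName = 'NoGenTicket'
    )
    $exists = Test-Path -LiteralPath $Path
    # For a missing key, the ACL that decides the outcome is the parent's.
    $aclPath = if ($exists) { $Path } else { Split-Path -Path $Path -Parent }
    $value = $null
    if ($exists) {
        $item = Get-ItemProperty -LiteralPath $Path -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $value = $item.$ValueName }
    }
    $owner = $null; $writers = @()
    try {
        $acl     = Get-Acl -LiteralPath $aclPath -ErrorAction Stop
        $owner   = $acl.Owner
        $writers = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           (([int]$_.RegistryRights -band $writeBits) -ne 0) } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique)
    } catch {
        $owner = "unreadable ($($_.Exception.Message))"
    }
    [pscustomobject]@{
        Key         = $Path
        KeyExists   = $exists
        Value       = $value
        AclReadFrom = $aclPath
        Owner       = $owner
        CanWrite    = $writers -join '; '
    }
}

$targets | ForEach-Object { Get-KeyWriteReport -Path $_ } | Format-List
```

The report lists what the ACL grants, not the effective access of the current session; compare the CanWrite identities with the output of `whoami /groups` in the session that ran the script.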
Understood. If even executing the script as Admin, it didn't work out, I don't know another way to help you right now. You are not using some of the SPbuilds 1862, 1865 or 1889 right? If so, try update to 19044.1947. These previous ones were very bugged. In the tests and my daily use, I realized this. In this 1947 fluidity came back.
Has anybody heard from @MSMG recently? I suspect he has gone quiet, because he is working hard to help his family, but I wondered if perhaps anybody else knew if he was okay. Looking to reinstall Windows 10 19044.1889 on a machine soon, but would rather have a clean install with help from the ToolKit before doing so.
Are the apps we remove with MSMG toolkit still supposed to show up under settings > apps in win11? Several of the ones I removed are still showing up and can be "uninstalled".
No, all PCs here are LTSC 1809. Nothing useful or worthwhile in later versions, and the issue with bloat being restored was never solved so have stuck with what works. I forgot to mention I ran it as TrustedInstaller via nsudo. Ok, if it can't be done for a live system, can I integrate the registry tweaks with the toolkit? Only the slui.exe are needed as the software protection platform registry values are able to be added already.
At Toolkit, you can integrate as .reg file, but if the system does not support this integration, when starting the system, what you integrated will not be there. EDIT: What I meant is that there is a protection against obsolete registry inputs in each build. I suppose this because, otherwise, we could continue to fill the registry with entries that MS no longer uses. And that doesn't happen. There is no block of attempts to insert registry entries that are no longer considered for a particular build. But there is a filter that cleans these registry entries.
Was not being well from past week and so the delay, will be uploading the new version once the packs are updated, have uploaded the updated Toolkit.cmd and ToolKitHelper.exe to support the patch Tuesday update, you can use it to remove the components.
The updated ToolKitHelper.exe supports the source images with the below updates integrated.
Windows 10 Client v1809/LTSC2019 (v10.0.17763.1/v10.0.17763.3287 [KB5016623])
Windows 10 Client v1903 (v10.0.18362.1) & v1903/v1909 (v10.0.1836x.2274 [KB5013945])
Windows 10 Client v2004 (v10.0.19041.1) & v2004/v20H2/v21H1/v21H2 (v10.0.1904x.1889 [KB5016616])
Windows 10 Enterprise LTSC2021 (v10.0.19044.1288/v10.0.19044.1889 [KB5016616])
Windows 11 Client v21H2 (v10.0.22000.1/v10.0.22000.856 [KB5016629])
Windows 11 Client v22H2 (v10.0.22621.1/v10.0.22621.382 [KB5016632])
Also it supports Windows 10 Enterprise LTSC2021 (v10.0.19044.1947 [KB5016688]) Preview.
Someone was asking about component removal for arm64 source images, right now the ToolkitHelper does not support arm64 builds as I don't have a proper arm64 device to test the image, though I do have a Raspberry Pi 3 but it's dead slow to operate.
I am sorry to hear that you haven't been very well recently. Thank you for keeping us updated and for also taking the time to update those CMD and EXE files. I shall probably do some testing tonight, as I have a 1909 system that keeps trying to do a feature upgrade and desperately needs reinstalling to shut it up.