Thanks for this very helpful tool, it's fantastic! I would like to get the PID of the new process launched by NSudo; how can I get it? Not the PID of NSudo.exe itself, but the PID of the exe file that NSudo will execute with the right privileges.
Code:
tasklist /FI "IMAGENAME eq cmd.exe" /FI "USERNAME eq NT AUTHORITY\SYSTEM"

Replace cmd.exe with the executable file. Batch command:
Code:
rem /NH drops the header line; token 2 of each remaining line is the PID
for /f "tokens=2" %%i in ('tasklist /FI "IMAGENAME eq cmd.exe" /FI "USERNAME eq NT AUTHORITY\SYSTEM" /NH') do set pid=%%i
What if there are multiple cmd.exe processes other than the one launched by NSudo? How could I differentiate it?
In fact, my goal is to wait for the NSudo process. Currently, here's my method for NSudo "Current User" using PowerShell:
Code:
param([string]$setupFile = $null)
# Snapshot of PowerShell processes before the launch, excluding those running as
# NT AUTHORITY\... accounts (-IncludeUserName needs an elevated shell)
$processBefore = Get-Process "PowerShell" -IncludeUserName | ? { $_.UserName -NotMatch '^NT ' }
# Launch the setup script through NSudo as the current user (-U:C)
Start-Process -PassThru "NSudo.exe" "-U:C PowerShell.exe -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command $PSScriptRoot\SetupLauncher.ps1 $setupFile" -WindowStyle Hidden
Start-Sleep -m 100
# Second snapshot; the Id present in only one of the two lists is the new PowerShell
$processAfter = Get-Process "PowerShell" -IncludeUserName | ? { $_.UserName -NotMatch '^NT ' }
$p = Compare-Object $processBefore $processAfter -PassThru -Property Id
$p = Get-Process -Id $p.Id
$p.WaitForExit()
Write-Host "Done"
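The two questions above (telling the NSudo-launched process apart from other cmd.exe or powershell.exe instances, and waiting for it) have one answer: look the child up by its parent PID rather than by image name or user name. The script below is an added example, not code from the thread or from the NSudo project. It assumes NSudo.exe is on PATH, that NSudo itself creates the target process (so the child's ParentProcessId is NSudo's PID; if a build hands that off to a helper process, adjust the lookup), and it reuses the -U:C invocation and SetupLauncher.ps1 from the post above; Wait-NSudoChild is a name chosen here.

```powershell
# Added example, not from the thread: find the process NSudo launched by its
# parent PID, then wait for it. Assumptions: NSudo.exe on PATH, NSudo is the direct
# parent of the launched process, SetupLauncher.ps1 lives next to this script.
param(
    [string]$SetupFile = $null,
    [int]$TimeoutSeconds = 30
)

function Wait-NSudoChild {
    param(
        [Parameter(Mandatory)][string]$NSudoArgs,
        [int]$TimeoutSeconds = 30
    )

    # Start NSudo hidden and remember its own PID. NSudo normally exits right after
    # creating the target, but Win32_Process keeps ParentProcessId after the parent
    # is gone, so the child stays attributable to this NSudo instance no matter how
    # many other cmd.exe / powershell.exe processes exist.
    $nsudo    = Start-Process -FilePath 'NSudo.exe' -ArgumentList $NSudoArgs -WindowStyle Hidden -PassThru
    $parentId = $nsudo.Id
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)

    $child = $null
    while (-not $child -and (Get-Date) -lt $deadline) {
        $child = Get-CimInstance Win32_Process -Filter "ParentProcessId = $parentId" | Select-Object -First 1
        if ($child) { break }
        if ($nsudo.HasExited) {
            # NSudo is gone: one last query covers the case where it exited in the
            # instant between spawning the child and our previous query.
            $child = Get-CimInstance Win32_Process -Filter "ParentProcessId = $parentId" | Select-Object -First 1
            break
        }
        Start-Sleep -Milliseconds 50
    }
    if (-not $child) {
        throw "NSudo (PID $parentId) produced no child process within $TimeoutSeconds s"
    }

    # Keep the creation time so a later reuse of the same PID is not mistaken for it.
    $childId   = $child.ProcessId
    $childBorn = $child.CreationDate
    Write-Host "NSudo launched $($child.Name) as PID $childId; waiting for it"

    $proc = Get-Process -Id $childId -ErrorAction SilentlyContinue
    try {
        if ($proc) { $proc.WaitForExit() }
    } catch {
        # WaitForExit needs a SYNCHRONIZE handle, which a non-elevated caller cannot
        # open on a process NSudo started as SYSTEM or TrustedInstaller (-U:S / -U:T).
        # Fall back to polling the process table until this exact instance is gone.
        while ($true) {
            $still = Get-CimInstance Win32_Process -Filter "ProcessId = $childId"
            if (-not $still -or $still.CreationDate -ne $childBorn) { break }
            Start-Sleep -Milliseconds 200
        }
    }

    [pscustomobject]@{ ProcessId = $childId; Name = $child.Name; NSudoId = $parentId }
}

# Same target as the post above, started as the current user (-U:C).
$target = "PowerShell.exe -ExecutionPolicy Unrestricted -WindowStyle Hidden -File `"$PSScriptRoot\SetupLauncher.ps1`" `"$SetupFile`""
$result = Wait-NSudoChild -NSudoArgs "-U:C $target" -TimeoutSeconds $TimeoutSeconds
Write-Host "Done: $($result.Name) (PID $($result.ProcessId)) has exited"
```

Compared with the before/after snapshot, this does not depend on a 100 ms sleep or on the user-name filter, and the same lookup works for -U:S or -U:T launches, where the child's user name is NT AUTHORITY\SYSTEM or the TrustedInstaller service account and the snapshot filter would drop it. The remaining caveat is PID reuse of NSudo's own PID between its exit and the lookup, which the short polling window makes very unlikely; if your NSudo build documents a wait switch in its help output, that is simpler still.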
Hi Kal. This code looks interesting. I'm currently trying to learn a little PowerShell since my extensive cmd know-how is not exactly en vogue anymore. Could you maybe elaborate a little on what the lines mean? Especially things like
Code:
$processBefore = Get-Process "PowerShell" -IncludeUserName |? {$_.UserName -NotMatch '^NT ' }
look most interesting.
Why can't I delete the following services using NSudo & TrustedInstaller?
Code:
Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsDrv]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MpsSvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sense]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SecurityHealthService]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog]
Most likely because the service is still running, or because those are integral parts of the operating system (Event Log, SecurityHealthService). To be straight: deleting the EventLog service will come down to reinstalling the OS. This really puzzles me. Since you have not given any indication of what you did, why you would like to mess with the services making up the OS, or what your goal is (other than deleting the services), it is hard to help you achieve what you want. I am also not sure whether your post (and mine) shouldn't be in their own thread... So sorry to the others, if that is the case.
I can remove the others; just MpsSvc I cannot. Really strange. I have to take ownership first, and then it goes. I can't even stop the service under NSudo with TrustedInstaller + all privileges.
MpsSvc = Firewall, right? On my 2016 LTSB I've removed a lot of stuff offline (MSMG ToolKit + NTLite) but never the firewall; it's "deep inside" the OS (like Internet Explorer).
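Before taking ownership of a service key as the post above describes, it is worth seeing why the delete is refused in the first place. The script below is an added example, not code from the thread or the NSudo project: a read-only report per service of its SCM state, the key's owner, any Deny ACEs, and which identities actually hold Delete on the key. It changes and deletes nothing. It assumes an elevated PowerShell (or one started via NSudo) so the keys and their ACLs are readable; the default service list is taken from the .reg file above, and Get-ServiceKeyReport is a name chosen here.

```powershell
# Added example, not from the thread: report why a service's registry key may
# refuse deletion (running state, owner, Deny ACEs, who holds Delete). Read-only.
# Assumptions: run elevated or via NSudo; service names taken from the post above.
param(
    [string[]]$ServiceNames = @('MpsDrv', 'MpsSvc', 'WinDefend', 'SecurityHealthService', 'EventLog')
)

function Get-ServiceKeyReport {
    param([Parameter(Mandatory)][string]$Name)

    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $report  = [ordered]@{ Service = $Name; KeyExists = (Test-Path -Path $keyPath) }
    if (-not $report.KeyExists) { return [pscustomobject]$report }

    # Runtime state from the SCM. Rule this out first: the SCM only removes a service
    # marked for deletion once it has stopped, and a loaded kernel driver (MpsDrv)
    # cannot simply be stopped like a user-mode service.
    $svc = Get-CimInstance Win32_Service -Filter "Name = '$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        $svc = Get-CimInstance Win32_SystemDriver -Filter "Name = '$Name'" -ErrorAction SilentlyContinue
    }
    $report.State      = if ($svc) { $svc.State }     else { '(not registered with the SCM)' }
    $report.StartMode  = if ($svc) { $svc.StartMode } else { $null }
    $report.StartValue = (Get-ItemProperty -Path $keyPath -Name Start -ErrorAction SilentlyContinue).Start

    # Owner and DACL of the key. To the access check TrustedInstaller is just another
    # SID: a Deny ACE wins over any Allow, and only the owner gets implicit WRITE_DAC.
    # That is why taking ownership first (as in the post above) makes the delete work.
    try {
        $acl = Get-Acl -Path $keyPath
        $report.Owner = $acl.Owner
        $report.DenyEntries = @($acl.Access |
            Where-Object { $_.AccessControlType -eq 'Deny' } |
            ForEach-Object { "$($_.IdentityReference): $($_.RegistryRights)" })
        $deleteBit = [int][System.Security.AccessControl.RegistryRights]::Delete
        $report.DeleteAllowedFor = @($acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (([int]$_.RegistryRights -band $deleteBit) -ne 0)
            } |
            ForEach-Object { $_.IdentityReference.Value })
    } catch {
        # Not even READ_CONTROL on the key: that by itself explains a failed delete.
        $report.Owner = "(unreadable: $($_.Exception.Message))"
    }

    [pscustomobject]$report
}

$ServiceNames | ForEach-Object { Get-ServiceKeyReport -Name $_ } | Format-List
```

Two caveats when reading the output. The report covers only the top-level key, while `reg delete` and regedit recurse, so a Deny or a foreign owner on any subkey (Parameters, Security, ...) blocks the whole operation just as well. And an ACL that looks permissive is not the whole story: a kernel-mode registry callback, of the kind antimalware drivers register, can veto the operation regardless of the DACL, and then neither TrustedInstaller nor a change of ownership helps; the delete simply fails with access denied and the key is unchanged.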