The future of controlling updates through bypassing protected processes

Discussion in 'Windows 10' started by pf100, Dec 11, 2018.

  1. pf100 (Duct Tape Coder)
    gedit? Do you mean gpedit.msc? Working options are slowly being removed from that as time goes on, as you found out. We already know how to selectively install Windows and driver updates and block forced Windows and driver updates. We're looking for solutions to bypass protected processes that are threatening our methods of modifying the system by deleting or changing system file permissions and editing the registry. It's time to plan for update control v2.0, which is what this thread is about.
     
  2. shewolf (MDL Senior Member)
    #42 shewolf, Dec 16, 2018
    Last edited: Dec 16, 2018
  3. rayleigh_otter (MDL Expert)
    :eek: :shock:
     
  4. shewolf (MDL Senior Member)

    You have to know it, and know how to use it, to judge it. :cool:
     
  5. rayleigh_otter (MDL Expert)
    #45 rayleigh_otter, Dec 16, 2018
    Last edited: Dec 17, 2018
    Off-topic post.

    Like I haven't already? That's why I struck lucky with 8.1 on Coffee Lake. I have 3 systems' worth of hardware, 2 boxed up, one in use; 2 W7-capable, 3 W8.1-capable; all have 8.1 drivers, my NVIDIA GPU has up-to-date 8.1 drivers. There will be another Windows 8.1-capable Coffee Lake system coming in January.

    Windows 8.1 doesn't get damn silly eye-candy upgrades every 6 months; it is stable and works perfectly. @abbodi1406 says it's easy to mitigate telemetry on 7 and 8.1; I know his reputation and I trust his word. MS is supporting 8.1 until 2023. That's 4 years minimum. With the 3 systems' worth of hardware I already have plus the new lot coming in January, barring parts failure I should be OK with 8.1 until 2025 at least, 2026/7 possibly.

    In the meantime I will sit back and smugly watch the monthly (Patch Tuesday) or multiple-per-month (any damn day) Windows 10 fun and games. I have judged Windows 10 for myself and I have decided to pass.
     
  6. pf100 (Duct Tape Coder)
    Using 8.1 is great and all, and no offense, but it won't help bypass protected processes in Windows 10, which is what we're trying to accomplish here.
     
  7. WildByDesign (MDL Addicted)
    For what it's worth, whenever I need to disable the Protected Process status, I typically use mimikatz. Similar to PPLKiller, mimikatz also uses a kernel-mode driver for the purpose of flipping the bit related to protected processes.

    Code:
    !+
    mimidrv
    
    !processprotect /process:notepad.exe
    !processprotect /process:notepad.exe /remove
    
    or by PID
    
    !processprotect /pid:464
    !processprotect /pid:464 /remove
    

    However, going forward, I don't think that Microsoft will be making much more use (increased usage, I should say) of protected processes in future iterations of Windows operating systems. Microsoft has decided not to offer bug bounties to security researchers for protected processes and really only cherry-picks a small percentage of known PPL bypasses to service/patch in OS updates. That, to me, is the indication that protected processes are dying.

    For the future of protecting critical components on Windows, I believe that quite literally everything will be moving toward Hyper-V and related virtualization techniques. This would require and demand new hardware for the most part, of course. Most of the significant new security features added to Windows in the past 1-2 years have been (and going forward will be) VBS (virtualization-based security) components. Anyway, in the future, I expect this may be used to protect critical parts of the Windows OS that Microsoft doesn't want users to mess with.

    I found this topic to be quite interesting and read over all three initial pages before commenting. This was simply my opinion based on current knowledge and curiosity.
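    Added example, not code from WildByDesign's post nor from mimikatz or PPLKiller: the "bit" those drivers flip is the one-byte PS_PROTECTION field in EPROCESS, and you can read it from user mode without any driver. The decoder below assumes the public layout of that byte (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7) and ProcessInformationClass 61 (ProcessProtectionInformation) as published in Process Hacker's NT headers; verify both against your own build. The sample process names and values are constructed for illustration. Reading the byte before and after a `!processprotect ... /remove` is the quickest way to confirm that the driver actually did what the console claims.

```powershell
# Added example, not code from the thread or from mimikatz/PPLKiller.
# Assumes the public PS_PROTECTION layout (one byte in EPROCESS) and
# ProcessInformationClass 61 (ProcessProtectionInformation); check both
# against your own build.
#   bits 0-2  Type   (0 None, 1 ProtectedLight, 2 Protected)
#   bit  3    Audit
#   bits 4-7  Signer (0 None ... 8 App)
$ProtectionTypes   = @{ 0 = 'None'; 1 = 'ProtectedLight'; 2 = 'Protected' }
$ProtectionSigners = @{ 0 = 'None'; 1 = 'Authenticode'; 2 = 'CodeGen'; 3 = 'Antimalware'; 4 = 'Lsa';
                        5 = 'Windows'; 6 = 'WinTcb'; 7 = 'WinSystem'; 8 = 'App' }

# Decode one PS_PROTECTION byte into its fields.
function ConvertFrom-PsProtection {
    param([Parameter(Mandatory)][byte]$Value)
    [pscustomobject]@{
        Raw    = '0x{0:X2}' -f $Value
        Type   = $ProtectionTypes[[int]($Value -band 0x7)]
        Audit  = [bool](($Value -shr 3) -band 0x1)
        Signer = $ProtectionSigners[[int]($Value -shr 4)]
    }
}

# Live read through NtQueryInformationProcess. It needs only
# PROCESS_QUERY_LIMITED_INFORMATION (0x1000), which PPL does not withhold,
# so it works against lsass/services/csrss from an elevated shell.
$NativeCode = @'
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationProcess(IntPtr hProcess, int infoClass,
    out byte info, int infoLength, out int returnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$Native = Add-Type -MemberDefinition $NativeCode -Name 'PsProtNative' -Namespace 'AddedExample' -PassThru

function Get-PsProtection {
    param([Parameter(Mandatory)][int]$ProcessId)
    $h = $Native::OpenProcess(0x1000, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess($ProcessId) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        [byte]$raw = 0; [int]$len = 0
        $status = $Native::NtQueryInformationProcess($h, 61, [ref]$raw, 1, [ref]$len)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
        ConvertFrom-PsProtection $raw | Add-Member -NotePropertyName ProcessId -NotePropertyValue $ProcessId -PassThru
    } finally {
        [void]$Native::CloseHandle($h)
    }
}

# Constructed sample (names are illustrative; values are the well-known levels):
$Sample = @(
    [pscustomobject]@{ Name = 'System';      Value = 0x72 }   # Protected,      WinSystem
    [pscustomobject]@{ Name = 'smss.exe';    Value = 0x61 }   # ProtectedLight, WinTcb
    [pscustomobject]@{ Name = 'lsass.exe';   Value = 0x41 }   # ProtectedLight, Lsa (RunAsPPL)
    [pscustomobject]@{ Name = 'MsMpEng.exe'; Value = 0x31 }   # ProtectedLight, Antimalware
    [pscustomobject]@{ Name = 'notepad.exe'; Value = 0x00 }   # unprotected: what "/remove" is meant to leave behind
)
$Sample | ForEach-Object {
    ConvertFrom-PsProtection ([byte]$_.Value) | Add-Member -NotePropertyName Name -NotePropertyValue $_.Name -PassThru
} | Format-Table Name, Raw, Type, Signer, Audit

# Live check of the real thing (elevated prompt). Run it before and after a
# "!processprotect ... /remove" to see whether the driver really cleared the byte.
Get-PsProtection -ProcessId (Get-Process lsass).Id | Format-List
```

    The decode is the useful part: a PPL level is not a single flag but a Type plus a Signer, and what stops you from opening lsass is the Signer (Lsa) being dominated only by higher signers, which is why the kernel-driver route exists at all. Zeroing the byte, as the tools do, removes both; a subtler driver could just lower the Signer.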
     
  8. rayleigh_otter (MDL Expert)
    I understand, hidden inside a spoiler. :)
     
  9. DavidXanatos (MDL Senior Member)
    Security is not equal to security; one's security is another's threat.

    Your security, preventing your favorite PC game from downloading executable code from the internet and running it with administrative privileges, is the game studio's threat of not being able to prevent you from using cheats and bypassing in-game purchases, for example.
    This example mostly applies to any sort of DRM, including Microsoft's attempts to take away your right to update or not and to modify your system.

    While VBS is great for security from the user's perspective, it's IMHO not so great from the corporation's view of things.
    Sure, having a 4K HDR BD DRM running in an SGX-protected enclave might be the industry's wet dream, but this won't make for a nice wake-up.

    Generally the issue with any VBS is that it protects the host from the guest, not vice versa, so whatever M$ packs into a virtualized environment, as long as we have the host kernel/hypervisor compromised we can mess with the VM in any way we want. SGX is a bit more difficult, but it can, for example, be emulated in QEMU.
    So while we may have a hard time extracting DRM secrets protected by a TPM and only available to authenticated code running under SGX, this subset of technology won't prevent us from controlling the OS and using already compromised secrets in whatever way we like.

    What Microsoft wants, what Microsoft needs to realize their closed ecosystem, is to lock down the OS, and this is not something to be done with virtualization; quite the contrary, the best approaches to thoroughly and reliably take over an OS are virtualization approaches.

    This line of reasoning depends, however, on the ability to disable or defeat Secure Boot, as is done on Android devices by unlocking the boot loader.
    So if we cannot take over the hypervisor we are screwed.
    But as I wrote earlier, it's not likely that vendors would be legally able to sell PCs without an option to disable Secure Boot.
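    Added example, not from DavidXanatos's post: before reasoning about whether the hypervisor can be taken over, check whether the box is actually running under the conditions the argument turns on (Secure Boot on, VBS running, HVCI enforced). This uses the documented Win32_DeviceGuard WMI class and the SecureBoot module's Confirm-SecureBootUEFI; the two service IDs it names (1 Credential Guard, 2 HVCI) are the documented ones, any others are printed numerically. Run it from an elevated prompt.

```powershell
# Added example, not from the thread: report Secure Boot / VBS / HVCI state.
# Uses the documented Win32_DeviceGuard WMI class and Confirm-SecureBootUEFI.
function Get-VbsPosture {
    $posture = [ordered]@{}

    # Throws on legacy BIOS boot and when not elevated; report that instead of failing.
    try   { $posture.SecureBoot = Confirm-SecureBootUEFI }
    catch { $posture.SecureBoot = "unknown ($($_.Exception.Message))" }

    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction Stop
    $vbsState = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $services = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }   # other service IDs are reported numerically

    $posture.VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    $posture.ServicesRunning    = @($dg.SecurityServicesRunning | ForEach-Object {
        if ($services.ContainsKey([int]$_)) { $services[[int]$_] } else { "service $_" } })
    $posture.ServicesConfigured = @($dg.SecurityServicesConfigured)
    $posture.HvciEnforced       = ($posture.ServicesRunning -contains 'HVCI')
    [pscustomobject]$posture
}

$p = Get-VbsPosture
$p
if ($p.HvciEnforced) {
    'HVCI is running: ring 0 code integrity is enforced by the hypervisor, not by the kernel you would patch.'
} else {
    'No HVCI: the kernel still has the last word on what runs in ring 0.'
}
```

    The distinction matters for everything discussed above: a driver-based PPL bypass patches kernel memory from ring 0, and with VBS running plus HVCI enforced the hypervisor, not the kernel, decides which ring 0 code is allowed to execute. Whether Secure Boot can be switched off is a separate question that this check only reports, not answers.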
     
  10. WildByDesign (MDL Addicted)
  11. Yen (Admin, Staff Member)

    You should differentiate the commercial versions of W10 from corporate versions like LTSB(C).
    Also because of the fact that WUs for LTS editions have another purpose than the WUs for the bloatware editions.

    The very first step to having more control over WU is to switch to an enterprise version and to leave the commercial versions alone.

    Why should I waste time and energy bypassing processes on the commercial versions when I can install versions which allow more control?

    I mean, corporate admins, who also want to have the most control themselves, surely do not install W10 Home and then think about how to bypass its protected processes in the future in order to have more control over its updates.....

    This is a senseless approach...

    Just my two cents.:)
     
  12. blinkomatic (MDL Novice)
    (Off-Topic)
    Managing a few hundred workstations in a corporate environment (currently using Citrix and in the future using VMware Horizon) I've become used to reducing my department's needs to LTSB/LTSC editions.
    I don't see a manageable future in any custom solution that does in-memory patching, if you're using anything related to TPM or SGX, including virtualized environments.
    We do license everything and have rather expensive support agreements with Microsoft, and the current trend doesn't allow for much creativity beyond WSUS/MSUS, GPOs and transparent filtering to be truly GDPR-compliant (to filter any telemetry that's not compliant), unfortunately.

    Maybe using local application proxies that MITM-open-and-inspect the SSL traffic of the outgoing Windows Update traffic may be a workable approach.
    It won't be trivial to set up, but it might just work.

    Either that, or:
    instead of writing a small app that injects itself in the licensing, this time a small app that fakes a WSUS server and controls how many / which updates are to be installed.
    How about that?

    That approach might work for all versions except maybe for W10 Home. (I don't think it can join a domain and therefore won't be able to use a local fake WSUS I suppose.)
     
  13. Yen (Admin, Staff Member)
    When I've read the thread the first time a 'fake' WSUS was my first idea, too.
    But then I ditched the idea focusing on administrating enterprise versions...
     
  14. DavidXanatos (MDL Senior Member)
    Well, I would guess that not everyone is in the position to obtain an enterprise version or willing to do whatever is needed to obtain one.
    The only versions that can be bought individually are Pro and Home, so a solution for these users will benefit many, many, many people.
     
  15. Carlos Detweiller (Emperor of Ice-Cream)
    Also, many will want to use their correctly and perpetually licensed machines. With a Business SKU, individuals are not correctly licensed anymore.
     
  16. Yen (Admin, Staff Member)
    #56 Yen, Dec 18, 2018
    Last edited: Dec 18, 2018
    I agree with that.

    Anyway, my arguments come from another perspective.
    What percentage of all the W10 Home / Pro users (commercial editions) have the awareness that WUs need to be controlled?

    Think about ALL users (people who have purchased a PC/notebook with a preinstalled Home/Pro edition). Not those on MDL or other PC-related forums...

    Then think about the efforts to be made to bypass protected processes and the dynamic changes via M$ updates in the future, AKA cat-and-mouse game......
    -The effort to create an approach
    -The effort to realize it
    -The effort to maintain it.
    -The fact that you 'break' concepts of Microsoft, the issuer of the licenses.

    On the other side:
    The fact that you can easily get an enterprise version and the fact that one can activate it.
    And the fact that this is proper administrating. The only thing that is 'improper' is the license itself.

    If I now weigh both sides......
    There has to be the will and intention to control WUs. To get this awareness one has to have doubts about WUs, how they are released and what they include.

    I guess 99% do not have this awareness and by that no doubts. They install WUs as they come without any worries...
    The other one percent is informed and by that has access to enterprise versions and the needed info to administrate it according to one's own ideas....
    Many MDL members use LTSB(C) even because of that.


    Which approach violates M$'s licenses more?

    To use an improper enterprise license where I can do proper administration without any cat-and-mouse game, OR

    To try to bypass protected processes by the suggested approaches, which include a bootloader approach with the goal of attacking ring-0 processes...or even kernel modifications?
    This is malware per se from the perspective of Microsoft! They will go against it.
     
  17. Mr.X (MDL Guru)
    Fair enough.

    My own perspective: I'm a technician dealing with cheap laptops customers purchase, whether for personal use or at the office.
    Cheap computers come with Home SKUs. None of my clients purchase, have purchased or ever will purchase an enterprise license. So I say: bypassssss, lol.

    Cheap premise behind my perspective: Microsoft, you are mean with your practices; well, people out there are much more mean to fight back against yours :tooth:
     
  18. Carlos Detweiller (Emperor of Ice-Cream)
    @Yen: I didn't state my opinion, only the facts. Telling them to use Enterprise+ and use KMS to activate will unleash a flood of "How can I activate permanently, KMS only provides 180 days, is that an EVAL?" posts.

    They not only will go against it, they already do. Hint: "Secure Boot".


    The only real solution would be a "Windows 10 Pro Technician Edition" SKU for Power Users, as a purchasable LTSC Edition with full control and updates not forcefully offered. Once "Patchgate" strikes again, those machines will stay alive to service the victims of MS' clusterf**kery.
    If I go with your figures, the (highly assumptional) 1% loss in Store purchases could be neglected.
     
  19. Yen (Admin, Staff Member)
    #59 Yen, Dec 19, 2018
    Last edited: Dec 19, 2018
    I think what's important are the personal reasons why one wants to control updates at all. To form an opinion about it one needs background knowledge, which IMHO should surmount, or at least include, the knowledge of differentiating KMS from Eval. I am sorry...

    Consider a 'common' W10 Home user who would suddenly be able to have control over any updates. How would he proceed to fulfill his 'goal'? Which WUs would he separate from being installed?

    To have control over WUs is 'nothing'. You need knowledge for your own separation and therefore you need skills, or at least you need to inform yourself, and by that you can 'learn' to use Enterprise.


    We here are running WSUS. For a corporate admin nothing is as bad as providing a WU that decreases the productivity of the clients for whatever technical reasons.
    Nobody would use WUs from M$ as they come. They have to be tested in advance.

    Regarding what would be practicable and could be provided (at MDL):
    We do not allow any homebrew versions of Windows. Also, the ideas from the first post are about deep impacts on the system. It could be real malware; we are talking about protected processes to be bypassed.

    As mentioned already, an approach based on WSUS is the only one (so far) which would make some sense....to use WSUS as an update cache, so to say...an approach that uses its own means would also survive M$'s dynamic updates....

    But actually I just have to say: "You want to have control over WUs? Use Enterprise! If your will to control WUs is strong enough you can realize it."....

    Quite another way is to become aware that M$ has no SKU anymore which can satisfy one's personal needs/interests and to go for a completely different OS.....


    Edit:
    While we here (at the company where I am working) are using WSUS...... at home I turned off WU on W7 a long time ago.....
    Using LTSB as successor I do not need to prevent WUs from being installed.....besides that I dual boot Kubuntu
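    Added example, not code from blinkomatic's or Yen's posts: the client half of the "fake WSUS" (blinkomatic) and "WSUS as update cache" (Yen) idea, which is just the Windows Update policy keys that bind the update agent to a server of your own. The server half, something that speaks the WSUS protocol, is not shown; the URL is a placeholder. The keys work on Pro without a domain join; whether a Home SKU honours them is not something this thread settles, so treat that as an assumption to verify on the box. Run elevated.

```powershell
# Added example, not from the thread: bind the Windows Update agent to your own
# WSUS-speaking server. URL is a placeholder; the server itself is not shown.
$WsusUrl = 'http://wsus.lan:8530'   # placeholder: your own WSUS-protocol server
$Policy  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Set-LocalWsusClient {
    param([Parameter(Mandatory)][string]$Url)
    New-Item -Path "$Policy\AU" -Force | Out-Null            # creates the parent key too
    Set-ItemProperty -Path $Policy -Name WUServer       -Value $Url -Type String
    Set-ItemProperty -Path $Policy -Name WUStatusServer -Value $Url -Type String
    # Without this the client may still scan Microsoft Update for feature updates ("dual scan").
    Set-ItemProperty -Path $Policy -Name DisableDualScan -Value 1 -Type DWord
    Set-ItemProperty -Path "$Policy\AU" -Name UseWUServer  -Value 1 -Type DWord
    Set-ItemProperty -Path "$Policy\AU" -Name NoAutoUpdate -Value 1 -Type DWord   # offer, do not auto-install
    Restart-Service wuauserv
}

function Get-LocalWsusClient {
    $p  = Get-ItemProperty -Path $Policy      -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path "$Policy\AU" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer        = $p.WUServer
        DisableDualScan = $p.DisableDualScan
        UseWUServer     = $au.UseWUServer
        NoAutoUpdate    = $au.NoAutoUpdate
        # The service the update agent is actually bound to (empty when not managed).
        ManagedService  = ((New-Object -ComObject Microsoft.Update.ServiceManager).Services |
                           Where-Object { $_.IsManaged } | Select-Object -ExpandProperty Name)
    }
}

# Ask the agent for a scan against whatever source is now in force. With UseWUServer=1
# this goes to your server and nowhere else, so an unreachable server means no updates
# at all: that is the control you wanted, and also the failure mode to watch.
function Test-LocalWsusClient {
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software'")
    $result.Updates | ForEach-Object { [pscustomobject]@{ Title = $_.Title } }
}

Set-LocalWsusClient -Url $WsusUrl
Get-LocalWsusClient
Test-LocalWsusClient
```

    Two caveats a practitioner would want: the agent talks to the server over plain HTTP on 8530 unless you also set up TLS on 8531, so keep that server on a trusted segment, and the approach survives only as long as the policy keys keep being honoured by the agent on the SKU in question, which is exactly the cat-and-mouse question raised above.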
     
  20. shewolf (MDL Senior Member)
    #60 shewolf, Dec 19, 2018
    Last edited: Dec 19, 2018
    The only correct approach, or rather the only possible one.
    How would you separate them, the good guys from the bad?
    If someone tries to switch off over ten services and apps to disable WUs, they are either not normal (an idiot, better to say) or have bad intentions!!

    I cannot understand what prevents you and others from doing it (controlling WU) with all Windows versions starting from Windows 7, all Home/Pro including LTSB/C?
     