
Re: More on disabling unneeded services in Windows 10

From Paul <nospam@needed.invalid>
Newsgroups alt.comp.os.windows-10
Subject Re: More on disabling unneeded services in Windows 10
Date 2025-01-20 14:32 -0500
Organization A noiseless patient Spider
Message-ID <vmm8c4$3clor$1@dont-email.me> (permalink)
References <vmlk1t$35lk3$1@dont-email.me> <vmlokq$37d3t$1@dont-email.me>



On Mon, 1/20/2025 10:04 AM, Newyana2 wrote:

> 
>   An interesting side note: Windows Update Blocker does a good
> job of stopping Windows Update, despite the built-in tricks to
> re-enable it. I'm not sure how it works, but I suspect it's changing
> permissions on the Registry keys, so that only Administrators
> can change them.

The highest level of permission is a Registry key owned by TrustedInstaller.

That is the owner that malware uses when it injects a key into
your Registry. That's how you know "kwality": when a malware
does a thing, it must be a double-plus-good way of doing it :-)

Administrator or SYSTEM account ownership of keys might be considered
a tiny bit weaker. The purpose of Administrator is to "impersonate"
other accounts. Administrator is not royalty, it's merely
"our man in Istanbul". A useful account to know.

Now the bad news. Security has been improved on the OS.
Sysinternals "psexec" no longer works. Similarly, the two
utilities I have, one of which elevates a Command Prompt
window to the TrustedInstaller token, those no longer work
either. This means, if someone asks you to remove a malware
registry entry today, there's no way to do it! Unless you know
someone who has hacked a new version of such code. The simplest
explanation for this is that some privilege of the Administrator Group
has been modified, as it's not obvious that Windows Defender
is running interference on this issue. It's not a heuristic
gun battle. The machine is relatively quiet when these "features"
fail to work.

The TrustedInstaller token is copied from msiexec or something.
To utilize the TrustedInstaller capability, you have to start
the installer service, and within five seconds or so, run the
utility that will copy the token. The utility can then
elevate a new process such as cmd.exe and it then runs with
the actual highest permissions on the machine. That, at least,
is how it used to work. In that cmd.exe, you could type "regedit"
and then reach in and remove a malware key protected by
TrustedInstaller. (These are decorative keys which no longer
do anything, but the presence of the key might set off AVG
and it raises a stink unless you remove the key. That is
a typical reason for removing a Malware key. There is no point
removing a Malware key if the malware is resident and in
control of the machine.)

If they keep gunning down these utilities, if they keep
plugging osk.exe holes, then the OS really will be a
"secure piece of crap". Then the scenario will arise,
where you'll be locked out of the machine via a local
account problem, and there will be no recovery path for you.

I helped someone in another group, recover their administrator
(they had a "problem" they had trouble explaining to me,
where suddenly they had no administrator account), and I
used one of those osk.exe methods to get them a cmd.exe
that was running as real administrator, and from there it
was possible to make a regular account belong to the
Administrator Group and that put them back in control of
their machine. Well, if I want to do that today, there may
be one remaining method, but I'm certainly not going to
tell you what that method is, even if I knew, in a public
space. That would be an email recipe only. We cannot raise
the profile of these methods, or Microsoft will expunge them.

You can still use Kali to crack a local account, as far as I know.
Or use one of the other recipes for flattening a password.
But if you've lost all your Administrator accounts, all the password
flattening in the world is not going to help you then. Only
if the Real Administrator was enabled, would you have
"something to crack" :-)

The OS has changed significantly, in the last couple of years,
in terms of security posture. The casual insecurity is almost gone.
They've been cleaning up the driver exploits too. I was told
by Defender to remove the Asus AI Suite driver, which I did, as
no purpose is served, in the OS, by leaving malware-exploitable
drivers in the System32 area.

   Paul
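A read-only check, added here and not part of Paul's post, that shows who owns a registry key and what the Administrators group is allowed to do with it, so you can see what a tool like Windows Update Blocker actually changed. The three service keys in the sample list (wuauserv, UsoSvc, WaaSMedicSvc) are an assumed set of Windows Update related services; point it at whatever keys you care about.

```powershell
# Added example (not from the post): report the owner of a registry key and the
# rights granted or denied to the Administrators group. Read-only; changes no ACLs.
function Get-RegKeyOwnership {
    param(
        [Parameter(Mandatory)] [string[]] $Path   # e.g. 'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
    )
    foreach ($p in $Path) {
        if (-not (Test-Path $p)) {
            Write-Warning "Key not found: $p"
            continue
        }
        $acl   = Get-Acl -Path $p
        # Access rules that name the local Administrators group (BUILTIN\Administrators)
        $admin = $acl.Access | Where-Object { $_.IdentityReference -like '*\Administrators' }
        [pscustomobject]@{
            Key               = $p
            Owner             = $acl.Owner                          # e.g. NT SERVICE\TrustedInstaller
            OwnedByTI         = $acl.Owner -like '*TrustedInstaller*'
            AdminRights       = ($admin | ForEach-Object { "$($_.AccessControlType):$($_.RegistryRights)" }) -join '; '
            AdminDenied       = [bool]($admin | Where-Object { $_.AccessControlType -eq 'Deny' })
            InheritanceBroken = $acl.AreAccessRulesProtected       # true if the key no longer inherits its parent's ACL
        }
    }
}

# Assumed sample list: service keys that Windows Update tooling depends on.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv',
    'HKLM:\SYSTEM\CurrentControlSet\Services\UsoSvc',
    'HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc'
)
Get-RegKeyOwnership -Path $keys | Format-Table -AutoSize
```

A Deny entry for Administrators, or an owner other than TrustedInstaller/SYSTEM on a key that normally carries one, is the signature of a blocker tool having rewritten the ACL; run the check before and after installing such a tool to see the difference.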
