PowerRun v1.0 (Run as TrustedInstaller)

Would this be better off if the user could select the excutable/file via a file chooser to run as TI? It would be easier than editing the .ini file.

logical , thanks for the comment Alexander Ceed

thanks Wonko the Sane , we will try to develop it further

I'm not entirely certain that this script runs a given program as TrustedInstaller. I changed the path statement in the INI to C:\Windows\system32\cmd.exe, then ran your exe as admin. Then I cd'ed to the folder of Registry Workshop. I had an issue earlier with access denied when deleting some SecuROM DRM keys. But even when running Registry Workshop as TI, I still get the same error. So either my program is not running as TI, or TI/System doesn't have permissions (although they should be able to delete the keys without issues).

You're right , we are aware such problems and currently working on a new version , Thanks

It's great to see you're aware of the issue. I'll wait patiently on the new release.

But honestly, I'm not even sure if my program was running as TI. It was listed as running as System in Task Manager. And the Registry keys I was trying to delete are owned by System, not TI, so I should have been able to delete them. Apparently SecuROM did something with the keys which locked them down tightly. I'm also having issues deleting a few keys put in place by Denuvo DRM after uninstalling a few pirated games.

TI is a Service, not a user/group. It's really classified as System, but with higher authority. The most you can do is impersonate its' access token, running the Windows Installer Service (which is TI) long enough to escalate.

You can already run as system with something like PsTools or Process Hacker, but I dont expliciting recall whether they can run as TI as well. I read about this in a blog awhile back, apparently at least one person already came up with a way to do this.

Maybe you can add a few more features into your software, like being to specify, via a GUI, which program to run. Editing the INI works, but Regedit really shouldnt be the default program, or CMD.

Hey, "TheAntiFinder"  

links to Joakim's command line tool RunAsTI (tested working) already given:
http://reboot.pro/to...d-runfromtoken/

https://github.com/jschicht/RunAsTI

If RunAsTI doesn't work in that particular use, then possibly there is another reason.

Or you can try with Process Hacker and this plugin for it:

https://wj32.org/pro...opic.php?t=2407

Wonko

We have already analyzed similar programs and we know the weaknesses of them (they are not fully capable of the run as Trustedinstaller) , new version Of powerRun is nearly finished , of course with GUI , thanks

We have already analyzed similar programs and we know the weaknesses of them (they are not fully capable of the run as Trustedinstaller) , new version Of powerRun is nearly finished , of course with GUI , thanks

Well, the report by "TheAntiFinder" is about your tool (in the currently available version) seemingly not working for him, other tools may or may not work in his specific situation, no need to not-so-subtly hint about (supposed) deficiencies of the other programs.

If you really found specific situations where other programs did not work (and actually analyzed them) you could have - besides writing a supposedly "better" program - reported them to the Authors those specific "weaknesses".

Who knows, maybe they could have fixed them.

Wonko

Well, the report by "TheAntiFinder" is about your tool (in the currently available version) seemingly not working for him

Wrong , Not all the registry keys belong to TrustedInstaller - our new program may not help him too , I want to just say we have realized some  Bugs in our program but it works pretty good

no need to not-so-subtly hint about (supposed) deficiencies of the other programs.

Without analyzing and finding the other (similar) programs weaknesses there is no need to code new or similar program , if we find some BUGS in all the similar programs - in your opinion there is no need to write about it - I don't agree with you , we don't say we can do better , just try to do better , we have respect all other coders , sorry for misunderstanding

I am saying something very different.

You made this new program obviously with the intent to make a "better" program when compared to existing ones .

The report from "TheAntiFinder" is not detailed enough to understand if the specific issue is due to a problem in your software or if what he is/was attempting to do was incorrect or downright impossible to do.

Since at least two other programs exist that should be able to do the same (provide TrustedInstaller credentials to a program) I suggested to try them and see if the result is the same.

Clearly, if it is, either all three programs cannot do it (because all three of them don't work in the specific situation) or all three programs cannot do it (because the task at hand is impossible or outside the scope of all the tools).

Here you started hinting how the other two programs have weaknesses, and - specifically - you stated how they are "not fully capable of the run as Trustedinstaller".

This may well be accurate, still the report was about your tool not working in the specific situation.

I will do a quick carpenter's comparison:

Q: Hey, I tried planting a nail with a Stanley hammer and I was not capable to get it into the plank in less than 6 hits.

A1:Have you tried using a different hammer?

A2:Don't bother to try other hammers. Hammers by other manufactures are worse, the Stanley hammer is better, soon an enhanced Stanley hammer will be available.

What was reported is that the specific Stanley hammer didn't work for a specific task in the hands of the OP carpenter.

No doubts that the new Stanley hammer (not yet available) might be "better" (but there is no way to know if it will work for the OP and for the given task).

But NO need to state how other hammers (not tested specifically) are "worse", maybe even if they are worse" they would work in the specific, or maybe not, again no way to know.

Wonko

I see, it is your topic.

I thought that it was a topic on reboot.pro and thus belonging to the Community, while your site:

http://www.sordum.or...ustedinstaller/

would be the Stanley shop (and the idea of suggesting other hammers there didn't even cross my mind).

Wonko

Thank you  "Wonko the Sane" If you can test powerRun we will be very pleasent  

New version of PowerRun released  ( September 08, 2016)  changelog added to first post 

Thanks

I'll try the new version later tonight, looks nice. Maybe you can also add an option to run as NTAuthority/System? While TI is a higher level of System, it isn't the same.

Saying that a Registry key is impossible to delete is ridiculous. If a DRM installed a key, then it can certainly be deleted. Obviously you can't delete the entirety of the Registry tree (while Windows is running).

Thanks for your interest and feedback , if it is possible (feasibility) why not , but please try PowerRun v1.1 first, who know it may meet your request 

I was eventually able to delete the SecuROM/Denuvo keys without PowerRun. I just had to give ownership to Admins group, and give full rights to admins, my particular admin account, Users, and Everyone. Afterwards they were easily deleted.

But now I would like to completely disable (or better yet, delete) the Windows Defender services. The latest version of Windows 10 has at least 3 of them. I have already disabled WD in Group Policy, but its' services remain running. I suppose I could probably delete the WD folders from Program Files/Program Files (x86), the services would still remain, but would be listed as "failed to start" and "couldnt read description", which is acceptable enough for me. I was able to completely remove WD in Windows 7 before (all files, services, Registry entries, Control Panel entries, etc), this never presented any issues, sfc /scannow was clean afterwards.

But no matter what I try to do in regards to changing the service properties, I get "permission denied". I have tried running Regedit as admin, System, and TrustedInstaller. Same results every time. It seems 10 heavily protects these entries. I may try to mount the Registry offline to see if they can be more easily disabled/deleted that way.

OK, got it mostly figured out. All I had to do is run services.msc with PowerRun, then I could disable all 3 of Defender's services with ease. So it's definitely a TI thing. I would still like to completely purge it from the system, that will be a longer term project that I'll work on in a VM. I still get permission denied when trying to change or delete almost any key referencing Defender, no matter what I try.

PowerRun v1.1 looks great, am still hoping you can add a "run as NTAuthority/System". Process Hacker and PsTools can do it, so it's doable with this tool. But it would be better to have both functions in one tool. In which case I would simply rename the tool to PowerRun.

Nice to hear that you have figured it out , And thanks for your Advice (run as NT Authority/System) , we will try to improve Power Run further  but it seems PowerRun has already the ability to run under NT Authority/System

NOTE: PowerRun can not run only with “TrustedInstaller” privileges it can also run with “Nt Authority/system” privileges

Link to new version added to first post (a critical BUG fixed please update your old version)