I started a thread with subject "Disabling unneeded services in Windows
10", and as I'm beginning to discover about this group, it quickly got sidetracked into unrelated discussion.
Perhaps it's my fault for not asking for contributions to that topic and perhaps I was being too general in scope.
Accordingly, I am going to begin asking about specific services that I
would like to disable. Perhaps doing this will succeed in some very meaningful discussion.
No need to reply to this post unless you want to, others may choose to
read and reply to you but I will be focusing on my service-specific
posts instead.
On Mon, 1/20/2025 10:04 AM, Newyana2 wrote:
An interesting side note: Windows Update Blocker does a good
job of stopping Windows Update, despite the built-in tricks to
re-enable it. I'm not sure how it works, but I suspect it's changing
permissions on the Registry keys, so that only Administrators
can change them.
The highest level of permission, is a Registry key owned by TrustedInstaller.
That is the owner that malware uses, when it injects a key into
your Registry. That's how you know "kwality", is when a malware
does a thing, it must be a double-plus-good way of doing it :-)
Administrator or SYSTEM account ownership of keys, might be considered
a tiny bit weaker. The purpose of Administrator, is to "impersonate"
other accounts. administrator is not royalty, it's merely
"our man in Istanbul". A useful account to know.
Now the bad news. Security has been improved on the OS.
Sysinternals "psexec" no longer works. Similarly, the two
utilities I have, one of which elevates a Command Prompt
window to the TrustedInstaller token, those no longer work
either. This means, if someone asks you to remove a malware
registry entry today, there's no way to do it! Unless you know
someone who has hacked a new version of such code. The simplest
explanation for this, is some privilege of the Administrator Group
has been modified, as it's not obvious that Windows Defender
is running interference on this issue. It's not a heuristic
gun battle. The machine is relatively quiet when these "features"
fail to work.
The TrustedInstaller token is copied from msiexec or something.
To utilize the TrustedInstaller capability, you have to start
the installer service, and within five seconds or so, run the
utility that will copy the token. The utility can then
elevate a new process such as cmd.exe and it then runs with
the actual highest permissions on the machine. That, at least,
is how it used to work. In that cmd.exe, you could type "regedit"
and then reach in and remove a malware key protected by
TrustedInstaller. (These are decorative keys which no longer
do anything, but the presence of the key might set off AVG
and it raises a stink unless you remove the key. That is
a typical reason for removing a Malware key. There is no point
removing a Malware key if the malware is resident and in
control of the machine.)
If they keep gunning down these utilities, if they keep
plugging osk.exe holes, then the OS really will be a
"secure piece of crap". Then the scenario will arise,
where you'll be locked out of the machine via a local
account problem, and there will be no recovery path for you.
I helped someone in another group, recover their administrator
(they had a "problem" they had trouble explaining to me,
where suddenly they had no administrator account), and I
used one of those osk.exe methods to get them a cmd.exe
that was running as real administrator, and from there it
was possible to make a regular account belong to the
Administrator Group and that put them back in control of
their machine. Well, if I want to do that today, there may
be one remaining method, but I'm certainly not going to
tell you what that method is, even if I knew, in a public
space. That would be an email recipe only. We cannot raise
the profile of these methods, or Microsoft will expunge them.
You can still use Kali to crack a local account, as far as I know.
Or use one of the other recipes for flattening a password.
But if you've lost all your Administrator accounts, all the password flattening in the world is not going to help you then. Only
if the Real Administrator was enabled, would you have
"something to crack" :-)
The OS has changed significantly, in the last couple of years,
in terms of security posture. The casual insecurity is almost gone.
They've been cleaning up the driver exploits too. I was told
by Defender to remove the Asus Ai Suite driver, which I did, as
no purpose is served in the OS by leaving malware-exploitable
drivers in the System32 area.
On 1/20/2025 2:32 PM, Paul wrote:
I'm having a hard time following this. Are you saying it's no
longer possible to take ownership of a Registry key? I haven't
encountered problems, with either keys or folders. But I don't
do it a lot.
My impression would be that if I took ownership of a key from TrustedInstaller then it might be possible to actually block Windows
system processes from changing the value. Does that make sense?
I don't know how to test it, but I'm guessing it's what WUB does.
If a key is owned by TrustedInstaller, you won't be owning it.
If you had the ability to elevate as TrustedInstaller, then some
sort of plan could be formed to become the owner (or more likely,
to delete it). There aren't normally keys that you need to access
that are protected by TrustedInstaller. The most likely situation
is a key installed by a malware, and the malware people know
how hard it is for mere users to undo such things. You would most
likely be trying to delete the key, and TrustedInstaller is the
only "owner".
It's possible a registry editor that does not respect permissions
could be used to edit a key.
I'm just annoyed I can't run a Command Prompt window while
holding the TrustedInstaller token, as that enabled a lot more
freedom to get things done. Sooner or later, someone will find
a new way to do that. It all depends on whether the Administrator
account has been gutted or not (had the Impersonate privilege removed).
No, it's not Impersonate, it's a problem with communicating with WMI
and getting the token.
OpenProcessToken: Access is denied
[Picture]
https://i.postimg.cc/1tr0T6MF/WMI-Run-As-Token-W10.gif
Paul
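Paul's point that a TrustedInstaller-owned key is out of reach for a plain Administrator, and Newyana2's guess that Windows Update Blocker works by tightening key permissions, can both be checked without any token tricks: read the key's owner and ACL. The script below is an added example, not code from the thread or from Windows Update Blocker. It is read-only, assumes an elevated PowerShell session on Windows, and uses the documented well-known SID for NT SERVICE\TrustedInstaller; the two key paths are ones I chose as illustrations (the per-machine Run key and the Windows Update service key).

```powershell
# Added example, not code from the thread: read-only audit of who owns a
# registry key and which principals can modify it. Run from an elevated
# PowerShell on Windows; it changes nothing.

# Well-known SID of NT SERVICE\TrustedInstaller.
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that let a principal change the key, its values or its ACL.
$WriteMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::Delete -bor
             [System.Security.AccessControl.RegistryRights]::ChangePermissions -bor
             [System.Security.AccessControl.RegistryRights]::TakeOwnership

function Get-RegistryKeyAudit {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false }
    }

    $acl = Get-Acl -Path $Path
    # Compare owners by SID so the result does not depend on display names.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

    # Collect every Allow rule that grants a write-class right.
    $writers = foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (($rule.RegistryRights -band $WriteMask) -eq 0) { continue }
        $rule.IdentityReference.Value
    }

    [pscustomobject]@{
        Path                    = $Path
        Exists                  = $true
        Owner                   = $acl.Owner
        OwnerIsTrustedInstaller = ($ownerSid -eq $TrustedInstallerSid)
        # BUILTIN\Users or Everyone appearing here is the thing to worry about.
        Writers                 = @($writers | Sort-Object -Unique)
    }
}

# Keys chosen for this example: the per-machine autorun key, and the
# Windows Update service key that an update blocker would have to lock down.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SYSTEM\CurrentControlSet\Services\wuauserv'
)
$keys | ForEach-Object { Get-RegistryKeyAudit -Path $_ } | Format-List
```

If Windows Update Blocker really works the way Newyana2 suspects, running the audit on the wuauserv key before and after enabling the blocker will show the Writers list shrinking (or the owner changing); if the owner comes back as TrustedInstaller, that is the situation Paul describes where membership in Administrators alone is not enough to edit or delete the key.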
On 1/20/2025 8:45 AM, John C. wrote:
When I first set up Win10 I made a composite image of
my services settings. I'd be happy to post that in case it
might be useful, but as I said earlier, everyone is different.
You really have to understand your own system.
In my case, for example, I don't regard the LAN as a network.
Each device is independent and firewalled. So I need nothing
related to network, file sharing, etc. I disable workstation
and server services. I also disable all remote execution services.
That's all for security reasons and because I have no reason
to take such risks. I don't need to share files within the house.
Other people want to share files with a second computer, send
a print job to another room via ethernet, run Remote Desktop
from their vacation home... That's a completely different usage
profile.
This is an important point because by default Microsoft sets
things up to be in workstation mode. It's assumed that you're
on an open network because their real customer is business
users. There really is no SOHO version of Windows with
intranet security.
Services are a bit like ActiveX in webpages. Microsoft had
invented some very clever stuff that was very unsafe. It took
them a very long time to accept the latter fact. Services on
NT are similar. When XP first came out it was the first retail
version designed to be a networked workstation. One of the
services set to run by default was called Messenger. (No relation
to FB.) Messenger allowed for things like an IT dept that was
asked to send out a notice not to forget the company picnic
on Saturday. They could easily send out a popup message to
every computer in the company. In no time, hackers were
using Messenger to pop up misleading messages in order to do
things like tricking people into going to a website for scam
software.
For unknown reasons, in 25 years Microsoft have still not fixed
this sheer stupidity and produced a true SOHO system for
people who own their own computer. Their model is that on
a corporate network, the IT dept owns your computer and
now, in SOHO scenarios, MS owns your computer. Of course,
you get to own the actual hardware, but Windows is now a
commercial service. Which is why it's increasingly hard to
set it up the way you want it.
The status of disabling is also somewhat vague. For example,
if you disable Windows Update, Windows will overrule your choice
on Win10, which seems to be a first. On the other hand, if you
disable rpcss or background tasks infrastructure you'll break the
system, but Windows won't complain in its final throes! Though
many services now will block the change, telling you the setting
of disabled is not valid. It's an almost humorous passive aggression.
They don't say, "You're not allowed to make this change." They
vaguely tell you there's something amiss. For those you have to
get the service name, look up in the Registry, and set startup to
4 if you want them disabled.
Given such a circus of permissions, what kind of security
from 3rd-party hanky panky do you get by disabling services?
I really don't know. Can 3rd-party software change permissions
if running as admin? I don't know. That would be bizarre, given
that Windows seems unable to re-enable most services
unilaterally. But I wouldn't put anything past these people at
this point. They've made a bloated mess of things and they now
have conflicting motives, not least of which is trying to combine
a corporate clientele with a surveillance business model.
On the bright side, Win10/11 are largely fixable, though it takes
a lot of work to reduce the bloat, eliminate the popup nags, etc.
A lot more things require 3rd-party tweaking than used to.
An interesting side note: Windows Update Blocker does a good
job of stopping Windows Update, despite the built-in tricks to
re-enable it. I'm not sure how it works, but I suspect it's changing permissions on the Registry keys, so that only Administrators
can change them.
Windows Update Blocker - presumably this one
- https://www.sordum.org/9470/windows-update-blocker-v1-8/
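Newyana2's procedure for the services that refuse "Disabled" in the Services console (find the service name, open its key under the Registry, set Start to 4) can be scripted so that the result is read back from the registry rather than trusted from the UI. The script below is an added example, not code from the thread; it assumes an elevated PowerShell session on Windows. The Start values (2 = Automatic, 3 = Manual, 4 = Disabled) are the documented ones; the service names LanmanWorkstation and LanmanServer are the "Workstation" and "Server" services the post disables, and RpcSs and BrokerInfrastructure are my mapping of the "rpcss" and "background tasks infrastructure" services the post says will break the system.

```powershell
# Added example, not code from the thread: report a service's start type
# from the authoritative registry value and disable it the way the post
# describes, falling back to Start=4 when Set-Service refuses. Run from
# an elevated PowerShell on Windows.

$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

# Services the post says will break the system if disabled (my mapping of
# "rpcss" and "background tasks infrastructure" to service names); refuse them.
$DoNotDisable = @('RpcSs', 'BrokerInfrastructure')

function Get-ServiceStartInfo {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -Path $key)) { throw "No service key for '$Name'." }

    $start = [int](Get-ItemProperty -Path $key -Name Start).Start
    $svc   = Get-Service -Name $Name -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name          = $Name
        RegistryStart = $start
        StartMode     = $StartNames[$start]
        Status        = if ($svc) { $svc.Status } else { 'n/a' }
        # The key owner tells you whether a plain Administrator can edit it.
        KeyOwner      = (Get-Acl -Path $key).Owner
    }
}

function Disable-ServiceStart {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)

    if ($DoNotDisable -contains $Name) {
        throw "'$Name' is on the do-not-disable list; disabling it breaks the system."
    }
    $before = Get-ServiceStartInfo -Name $Name
    if ($before.RegistryStart -eq 4) { return $before }

    if ($PSCmdlet.ShouldProcess($Name, 'set startup type to Disabled')) {
        try {
            # The supported route first; some services reject 'Disabled' here
            # (the "setting is not valid" complaint in the post).
            Set-Service -Name $Name -StartupType Disabled -ErrorAction Stop
        } catch {
            Write-Warning "Set-Service refused '$Name': $($_.Exception.Message). Writing Start=4 directly."
            Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$Name" `
                -Name Start -Value 4 -Type DWord
        }
    }
    # Re-read the registry so the caller sees what actually took effect.
    Get-ServiceStartInfo -Name $Name
}

# Usage: inspect the Workstation and Server services the post disables,
# then do a dry run (-WhatIf) of disabling Server.
Get-ServiceStartInfo -Name LanmanWorkstation | Format-List
Get-ServiceStartInfo -Name LanmanServer     | Format-List
Disable-ServiceStart -Name LanmanServer -WhatIf
```

Writing Start=4 only affects the next start; a service that is currently running keeps running until it is stopped or the machine reboots, which is why the script re-reads both the registry value and the live Status afterwards. Re-running Get-ServiceStartInfo later is also the simplest way to catch the case the post describes for Windows Update, where the OS quietly puts the value back.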