XenonKilla Posted May 26, 2014

I've got a registry script I made that I run after every new clean install of Windows which makes several changes to the OS: enables/disables features, tweaks the interface, etc. I've got ALL my tweaks in the file working EXCEPT the disabling of Windows Defender.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
    "DisableAntiSpyware"=dword:00000001

I know this isn't working due to a permissions error, being that the Windows Defender key is owned by SYSTEM, and Administrators or User don't have sufficient privileges. So I'm in search of how to script around this issue. I was thinking perhaps using regini or subinacl to change the permissions of the key and then run the reg file, but I can't seem to come up with anything that works. Any ideas?

MagicAndre1981 Posted May 26, 2014

Use PsExec (http://msdn.microsoft.com/en-us/library/bb897553.aspx) to run reg.exe as SYSTEM to add the data.

XenonKilla (Author) Posted May 27, 2014 (edited)

Worked great!! Thanks!! Here is what I ended up with...

    PsExec -accepteula -s reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

Edited May 27, 2014 by XenonKilla

XenonKilla (Author) Posted May 28, 2014 (edited)

Looks like I spoke too soon. I just discovered an issue today when I was rebuilding a system and doing an OS install from scratch. My script worked fine, however PsExec would not run because the computer didn't have a network connection enabled. The computer has a network controller, however the drivers weren't installed yet, so this was causing PsExec to throw this error...

    Error establishing communication with PsExec service on Desktop.
    The network location cannot be reached.

I was running the exact code I listed above locally, so I dunno why it would throw this error. I'm assuming it just has something to do with the way PsExec works, being that it's a tool targeted for running commands on remote systems rather than locally. I dunno if there is a workaround for this or if I just need to search for a new tool or what. Any ideas?

Edited May 28, 2014 by XenonKilla

jaclaz Posted May 28, 2014

Try RunAsSystem:
http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/
http://reboot.pro/files/file/237-runassystem-and-runfromtoken/

jaclaz

XenonKilla (Author) Posted May 28, 2014 (edited)

Yeah, I tried that before, and upon your suggestion I tried it again. However, I'm having the same issue as the first time I tried, which is that I can get it to launch a command window as SYSTEM, however, I cannot get it to pass a command to that new command window with the same batch script. Here's what I've tried...

    RunAsSystem reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

    RunAsSystem cmd /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

If I use RunAsSystem to launch a new command window and then run my reg add, it works just fine. But I'm trying to get this all to run automatically without any user intervention.

Ideas?

Edited May 28, 2014 by XenonKilla

jaclaz Posted May 29, 2014

Have you tried running a batch file? I mean, RunAsSystem accepts only one parameter, the name of the process to start; anything else is simply ignored.

jaclaz

XenonKilla (Author) Posted May 29, 2014 (edited)

Well, I tried creating TWO bat files. My first one uses this command...

test1.bat

    RunAsSystem test2.bat

test2.bat

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

This didn't work either. So I guess RunAsSystem won't work for this situation then. If it only opens the process but doesn't pass any parameters to the process, then it's pretty much useless for this situation. At the very most I would have to launch the cmd process from my original batch file and then manually type the reg add command. Ideas?

Edited May 29, 2014 by XenonKilla

jaclaz Posted May 30, 2014

Strange. And I mean it. What does "did not work" actually mean? I mean, is test2.bat not executed, or is it not executed as SYSTEM, or *something else*? I don't have a way to reproduce/test this right now.

Try just running RunAsSystem. And in the command prompt that results, try running test2.bat.

What happens if you try "compiling" (please notice the double quotes) the second batch? Like (say) with this:
http://www.f2ko.de/programs.php?lang=en&pid=b2e

jaclaz

XenonKilla (Author) Posted May 30, 2014

Yeah, I'm using VMware Workstation to test. I'm working with a clean install of Windows 7 x64 and NOTHING modified. UAC enabled etc. etc. I'm simply trying to disable Windows Defender with a batch script so that I can implement it into my "Tweaks" script that I've made. If I open a command window (as admin) and run this...

    RunAsSystem cmd

This obviously opens a new command window as SYSTEM. So now if I run my reg script

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

Then everything works great. Registry value gets changed and Windows Defender is now disabled. So obviously I know RunAsSystem can get the job done, however the hard part is getting this to work in a batch script. When I say it doesn't work, I simply mean that everything executes as expected, however, the registry value just never gets changed. I've tried this...

From a command window (as admin)

    RunAsSystem reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

No errors are given and everything executes as expected, however, the DisableAntiSpyware value isn't changed. I've also tried this...

From a command window (as admin)

    RunAsSystem test.bat

(test.bat)

    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

Once again no errors are given and everything executes as expected, however, the DisableAntiSpyware value isn't changed. And lastly, per your suggestion, I tried compiling with BATtoEXE (which I already use regularly BTW) and I got the same results as running with test.bat.

jaclaz Posted May 30, 2014

This is very strange. The first method should not work because RunAsSystem (according to the docs) will only accept a process name (and no further parameters). The second should work unless the cmd.exe that is spawned by the batch changes back to the "admin" user. If this is the case, the compiled batch (actually a SFX installer) also behaves the same.

Try running this batch through RunAsSystem:

    whoami /all
    pause
    reg.exe /?
    whoami /all
    pause

and compare with the output of whoami /all given from the command prompt opened by RunAsSystem. Otherwise a "real" executable will be needed.

On another approach, what happens using Nirsoft's nircmd?
http://www.nirsoft.net/utils/nircmd.html
The command runassystem:
http://www.nirsoft.net/utils/nircmd2.html#using
allows process and command line parameters.

jaclaz

XenonKilla (Author) Posted May 30, 2014 (edited)

FINALLY! NirCmd did the trick!

    nircmdc runassystem reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 00000001

Out of all the damn registry tweaks I have in my script, this stupid Windows Defender key is the only one to give me trouble. You would expect the UAC key to have the same issues, but of course that one can be modified with no issues lol. Now hopefully I don't run into any other issues like I did with PsExec. Thanks to everyone for their help and especially jaclaz for suggesting NirCmd. As many NirSoft programs as I have saved on my computer, I completely forgot about NirCmd.

Edited May 30, 2014 by XenonKilla

jaclaz Posted May 31, 2014 (edited)

Well, just for the record, my usual approach to a Windows batch issue is:

1. can it be done natively with built-in commands?
2. if not, can it be done with one of Nirsoft's nircmd or some of the other nice tools?
3. if not, let me see if another suitable tool exists...

On this occasion I somehow missed point #2. All is well that ends well....

jaclaz

Edited May 31, 2014 by jaclaz

XenonKilla (Author) Posted May 31, 2014

Yeah, I was pretty disappointed when PsExec didn't work when trying to run commands on a LOCAL computer without an active network connection. Then RunAsSystem looked promising but clearly lacks the ability to pass arguments to the process it's opening. But NirCmd definitely seems to do the trick just fine.
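
Added example, not part of any post in this thread and not code from any tool mentioned in it: the command lines tried above, seen from the monitoring side. This Python code classifies process command lines that set DisableAntiSpyware under the Windows Defender key and names the SYSTEM launcher in front of reg; the function names and the sample lines are constructed for illustration.

```python
import re

DEFENDER_KEY = r"hkey_local_machine\software\microsoft\windows defender"

def tokens(cmdline):
    """Split a Windows command line, keeping quoted arguments whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def launcher_of(head):
    """Name the SYSTEM launcher from the thread that precedes reg, if any."""
    if head[:1] == ["psexec"] and "-s" in head:
        return "PsExec -s"
    if head[:1] in (["nircmd"], ["nircmdc"]) and "runassystem" in head:
        return "NirCmd runassystem"
    return "RunAsSystem" if head[:1] == ["runassystem"] else None

def classify(cmdline):
    """Return a finding for a 'reg add' of DisableAntiSpyware, else None."""
    toks = tokens(cmdline)
    # Reduce each token to a lower-cased name without directory or .exe suffix.
    names = [re.sub(r"\.exe$", "", t.lower().rsplit("\\", 1)[-1]) for t in toks]
    if "reg" not in names:
        return None
    i = names.index("reg")
    args = [a.lower() for a in toks[i + 1:]]
    if len(args) < 2 or args[0] != "add":
        return None
    key = re.sub(r"^hklm(?=\\)", "hkey_local_machine", args[1]).rstrip("\\")
    opts = {a: args[j + 1] for j, a in enumerate(args[:-1]) if a in ("/v", "/d")}
    m = re.fullmatch(r"0x[0-9a-f]+|\d+", opts.get("/d", ""))
    if key != DEFENDER_KEY or opts.get("/v") != "disableantispyware" or not m:
        return None
    value = int(m[0], 16) if m[0].startswith("0x") else int(m[0])
    return {"launcher": launcher_of(names[:i]), "value": value, "disables": value != 0}

# Constructed sample command lines, modelled on the commands quoted in the thread.
KEY = r'"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender"'
TAIL = " /f /v DisableAntiSpyware /t REG_DWORD /d 00000001"
SAMPLES = [
    "PsExec -accepteula -s reg add " + KEY + TAIL,
    "nircmdc runassystem reg add " + KEY + TAIL,
    "RunAsSystem cmd /c reg add " + KEY + TAIL,
    r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v DisableAntiSpyware /d 0 /f',
    "reg query " + KEY + " /v DisableAntiSpyware",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

A line where reg appears without one of the three launchers still yields a finding, with launcher set to None.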