big yikes anyway speaking of cool things take a look at jh.live/training for more education and my newsletter at jh.live/newsletter i guess lol

I've bricked my vm windows install 3 times this year since I found this channel, excellent video!!

User: "can I uninstall Edge?" Windows: "absolutely not." User: "can I uninstall the Kernal" Linux: "Let's find out!"

Now imagine deleting every single internet application apart from teamviewer and anydesk and calling tech scam call centers.

Reminds me of how on XP you could actually become System, complete with XP startmenu identifying as system.

3:06 what stackoverflow is like now - Q: "How do I do X" A: "Why would you do that? dont do that." (if your lucky they give an alternative) What it should be: "You *can* do that by doing this, but you this is the better way"

Redditors are so aggressive about being wrong that it's quite comical.

Every single time i watch Jhon Hammond i look at myself and say : I'm a noob in IT even though i was that strange kid that was obsessed over computers out of curiosity. I was the only kid who hacked my school and sold wifi passwords for admin privilege at my first year of high-school. I fixed my first laptop (from a friend) replacement with hardware when i was 11 but yet Jhon Hammond reminds me the learning curve in IT is ENDLESS! *GOD I LOVE THE ENDLESS LEARNING*

There is a plugin for Process Hacker which allows you to start any process with TrustedInstaller permissions and even run GUI apps like cmd.

13:45 Notepad.exe is not a service binary. "Service binaries are different in the sense that they must “check in” to the service control manager (SCM) and if it doesn’t, it will exit execution." -specterops, Offensive Lateral Movement

I really enjoyed the way you broke this problem down. Add this to the list of follies that is Windows OS. Once Linux is fully able to boot whatever games I want I will fully drop windows. It’s so annoying to have to jump through so many hoops to delete programs from your own PC.

James Forshaw's blog: www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html I love seeing the sentiment for "just run Linux", or "just boot into Safe Mode", or "just attach a recovery USB", etc., but I think in the case of leveraging this for a penetration test, red team engagement, or offensive security work, if it is a remote Windows target (where you can't change the OS or have physical access) you have to live off the land and the constraints of the environment. This process should be valuable when you've got initial access, escalated privileges, and can do further post-exploitation to do damage or set up some sneaky persistence -- you can't as easily make changes, but you can sure as hell run PowerShell code. Just an option and one of many ways to skin a cat :)

Amazing how people on Reddit will just bash you over and over for asking a simple question, on a tech forum nonetheless. Absolutely ridiculous behavior from these people

Guess what, recently Windows started harassing me with the win11 update by installing a program called RUXIM, and every time i deleted it windows just installed it back. So i changed the privilige from system to me, and i denied write access for system :d

Fixing the family computer when my dad broke it when I was a kid is what started my hacking journey and a lifelong love of computers. Break all the things!

"You have unlocked god mode." "For more information on this issue..."

The reason you're getting the error when setting binpath for the service is because there are certain requirements for executables designed to operate as Windows services, one of which is to respond to queries from the service control manager. Obviously tools that aren't designed this way (like cmd.exe) don't respond and the service control manager thinks "this service is not responding and didn't start correctly." The reason you still see the executable being run is due to a small timeout that the service control manager uses to wait for the service to initialize. The reason you can't see graphical applications like notepad is because services don't run under the local user session and don't have access to the desktop.

I absolutely love how cool this is and how much work went into this when you can just change the owner and delete the folder all within the Security tab 🤣🤣 You do amazing work John, it's always a pleasure to see your videos or guest appearances with others, keep it up 🔥🔥💪 (I also hope KZbin doesn't come for you for mentioning TrustedInstaller like they did with Enderman... 😶🤫)

In other words, removing bloatware with the equivalent of Linux sudo

Whoa, this was a great video with some even better enthusiasm! Thanks for sharing this, I learned several new things and I have some new ideas for setting up security policies around the trusted installer or attempts to a abuse it. 🙏🙏🙏🔥🔥🔥

I barely use that joke of a website but every time I've had to because there was no other option, 99% of my experience from reddit has been almost exactly what you showed in the video. Armchair redditors answering everything besides the question you're asking and in the most condescending way possible. I unironically have more competent conversations with people on /b/ than anywhere I've been forced to go on reddit. Great video btw

You should be able to run a GUI app, you just need to flag the service to interact with the desktop. It's been a while since I have messed with with, but its an option for launching a service somewhere.

It might also be worthwhile noting that any process run in "Session 0" will always result be in a non-gui context. AFAIK "most" services are run as Session 0 meaning they will never have a GUI to interact with.

"...for I have become TrustedInstaller, destroyer of Windows." --Barbara Millicent Roberts-Oppenheimer

14:00 notepad isn't showing up because services are started in Session 0, it's a special windows session (like being logged in as another user that would also be a different session), you can even see it in process explorer :)

Hahaha, this thumbnail aged like fine wine :D

You can install Take Ownership which lets you take ownership of the file so you can edit or delete it. I used to do that on Windows 7 and 8 when I was using it. You could also unlock God Mode by editing the Windows Explorer file by typing in a registry key. I don't know if that's changed on Windows 10 because I am using Linux now.

So MS trying to transform Windows in a smartphone again and locking the admin from his own files. Miss the old days of NT4 where being part of Administrator's group already gave you all this, like Dave Cutler wanted.

Probably what happened when you ran notepad as TrustedInstaller is that is started but it started under "session 0" that does not have a visible UI. I ran into this same problem with a service we wrote to run instrument drivers and one of the drivers used Active-X to interface to an application that talked to the vendor's hardware (the only option they provided). In this case sometimes their application would ask me to say "OK" but because the app was launched from the service, the UI was hidden and we could not see the error. Running the app locally allowed me to answer the question and not to ask again and the problem was resolved.

Great video, very informative! Thanks for sharing your knowledge!

I did a lot of this research a few years ago and got stuck where you were at like 12:45. This is awesome, seeing the next steps I could never quite get. Will be removing windows defender from my computer as soon as I get home

It’s seems like every new video John’s hair grows larger and flows further up and to the left maybe one day it will look like Johnny Bravo’s

14:21 You would have to enable "Allow service to interact with desktop" in the service configuration..

0:39 you could use iobit unlocker and unlock and delete it

This a comment about the responses to the reddit posts in the video. It is more of an anecdote, really. The year was 1992 and my parents surprised me by giving me my own pc. It was by all means barebones, even in those days. It was a AMD 80386DX 40 mhz with 4mb of RAM. There was no sound card or CD-ROM. And of course no modem or network. And the hdd was only 120 MB. My dad being the computer guru he was, had setup MS-DOS 6.0 and Windows 3.1 along with a carefully selected Word processor ( my teachers at the time were very leary of me wanting to type out my assignments on a computer. So my dad heard out their concerns and chose a very basic wysiwyg word processor - dos based, of course). My dad also installed a menu frontend and passworded it. I couldn't exit or use the only game on the system ( a shareware copy of Tank Wars) without it. I also could not access the command prompt or windows. But.... Guess what.... It took all of two minutes to break out of the menu front end. Lol. So I began exploring my new PC. Back then security was pretty non-existent in windows. So my explorations pretty quickly made windows start malfunctioning. It started doing weird things.... Clicking any icon to open it in program manager would cause the program icon to duplicate. Things like that. I did not know what I was doing.... Any ways, things kept going like this, and my dad ended up having to reinstall dos and windows several times, until he told me if I screwed up my system again, then that was it. Naturally, being 12, I ignored him and his attempts at locking things down even further. I ended up with a big pc sized paper weight for 6 months. Then my mom finally got involved. She convinced my dad to make a copy of the dos and windows disk ( three dos floppy's, and 6 windows floppies) and gave them to me. He told me that if I screwed up the floppies, then that really was the last time, and he would even take the PC away. I didn't screw those up. But I did end up reinstalling the os multiple times before too long. Eventually it got to where I only screwed things up and needed a reinstall maybe once a year. These days the interval is much longer. Anyways.... Some people learn by doing. No amount of warning or telling will do any good. I think the poster asking about how to become a trusted installer just needed to experience his mistakes to learn that he shouldnt do that. And if he needed to reinstall Windows as part of the process, the isnt that just a part of the process? FYI... I would have posted this on the the reddit, but the thread was locked.

Always fun John, thanks!

Finally you upload John

I was on the path to be a programmer, but I got kicked out of computer science in high school for getting caught having full access to the hd, bypassing the name/password.. I didn't keep up with it. I became a musician for the last 25 years and became really good at that, realizing now, If i would have continued my computer programming path, I'd be smart enough to follow all of this video, but now it's over my head.. lol.. The way he talks as if it's obvious to do this and that.. Shake my head and smile, the world is in the hands of people far smarter than I ... :)

At 14:00 or so - you need to presumably have to start something that will either act as a service or will do something before the service controller kills it. I thought services had a different entry point than ordinary applications, so I was surprised this approach worked.

"Complete and unrestricted access to the computer" is not the same as "complete and unrestricted control over the computer."

You should be able to launch UI apps from a service (eg TrustedInstaller) when you configure the option 'allow interaction with the desktop' on the service. Windows will then ask you to open a separate user interface which in turn will show the service app on screen.

As admin you can take ownership of the folder and then remove "Trusted installer" from the permissions, add yourself as full control and then delete the folder. Alternatively I removed trusted installer as a user from the local account, which breaks all the permissions, you can then take ownership of the whole drive, obviously this is a massive security risk though. This was on the first release of windows 10, this may be harder or impossible now. The other thing this does is prevents the os from doing updates as it no longer has permission to save updates to the staging folder it uses, so if you want an update you need to do it yourself

Here specifically to spite KZbin not letting you get ad dollars on this. Great content as always. It's a nice break from my web app pentest studies

There are also the "Network Service" and "Loacl Service" users, I saw that some of my services were running at those "accounts", so what are those?

so...if I scroll to the end of the video will I get the answer without all of the foam?

Windows: "Noooo you can't uninstall critical software it will brick your installation noooo!!!" Linux: "Hahah rm -rf / go brrrrr"

I thought this is today’s video, you actually time travelled!

I think the reason notepad did not display a window because it ran in session 0 (as seen at 13:55) I wonder what would happen if you tried this in Windows 7 where interactive services session was still a thing

With windows you use the OS with linux,you *own* the OS

John, I love you bro -but, I’m a little sad. Why didn’t you show them how to unlock the REAL Microsoft God Mode that comes with the OS? It takes like two minutes & everything is “on/visible” view. 🤣

Or just run NSudo and run the process with TI priv

@John Hammond how do you do that scrolling-thingie @1:48?

so it was you

"It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error." - HAL 9000...

Does the SYSTEM and/or TrustedInstaller privilege thing run at the kernel level, or just a very high privilege level outside the kernel? 2nd Question: Are all kernel drivers and other kernel software running *in the ntoskrnl.exe process* OR *outside the ntoskrnl.exe process* in a service or something?

Always something to learn. Great job, John. Thx.

That thumbnail was kind of prophetic, it seems 😂

I have a legal question: (Note: using analogy here, no demand for accuracy is required to make the point.) If "Trusted Installer" is the Windsows OS owned by Microsoft, akin to an OS installed on an electric app-capable vehicle owned by the same vehicle company, the subscription service to make the car's computer work is what makes the vehicle function, the lease or owner has a no-right-to-repair clause because both the vehicle and the OS are proprietary, the same we would expect of a Microsoft computer running Windows, just like Google runs Chromebook. Ok, so just like we'll never see a truck OS on a jeep vehicle, we won't see Windows on a Chromebook, not without extensive modification and agreement between companies for such, so an agreement-to-modify exists. So....why is Windows operating a Trusted Installer limitation on non-Microsoft computers where it doesn't have authority to compel an owner to operate their computer to OS standards not designed explicitly for it? The OS must match the device for it to function, be it a vehicle or computer, in order for tangible operations to match digital limitations, whereby the digital is limiting the tangible, like how Windows wouldn't be compatible to a Chromebook inherently, the agreement to modify must prevail, with or without license? I say this because purchasing Windows OS is not requiring a Microsoft computer explicitly.

it's your fault, wasn't it john?

Good to see you're back.

this thumbnail has not aged well 🤣

The reason your Notepad didn't show up on your desktop is because you were running it from the "session 0" which does not have a desktop. So it was running, but couldn't display it's GUI.

Challenge for you, try disabling the delivery optimization service without touching the registry. (i don't know about windows 11 but its pretty tough on windows 10). Also I don't even know why it can't be disabled even after taking ownership of its parent service i.e. the infamous svhost.

Meanwhile in Linux the root user is all powerful, and requires none of this weird working around

The reason the service timeout errors occur is that you are running applications and not services, where service executables handle events and ate stateful based on them e.g. start, stop, pause, resume, etc

reddit used to be a cool place to get help and meet great people. Today it's complete garbage, highly politicized, and just down right filled with wrong information. I miss old reddit before mods ruined the site.

Cool video I always wanted info on Trusted Installer.

Windows is an absolute unfixable disaster.

Bro has never heard of Advanced Run...

Great. Had some issues with TI and at the end I forced to reinstall windoes but the path for beging forced to delete my windows was actually educative.

well well well

as an admin, you could also inject your payload into a system owned process like lasass or printspooler to get nt system shell without psexec

Classic reddit bullshit > Tries to ask how to do this to learn for education ONLY > Cue the cesspool of bullshit "DO NOT DO IT, IT WILL DIE" People, PEOPLE WANT TO LEAAAAAARN

There’s a way easier version of this. Take Ownership. There is a registry hack you can download (at your own risk), which installs a registry key that adds an extra context menu to the right click action. Right click on any file or folder and now you’ll see a “Take Ownership” button. Click it, and it strips the security permissions from the original owner (system, trusted installer, admin, whatever) and replaces the owner with your current user. This gives you full control of the file or folder without exception.

That "GOD MODE" probably got many people clicking on this video :D

this is much cool. A long time ago I found out about a process hacker addon that allowed me to run stuff with the permissions of trusted installer. It required admin access and had something to do with services. I mainly used it for tampering with old Windows drives with total commander, because my host os refused to let me into the user folders and taking ownership was not ideal. I wanna try making my own automated powershell script now

Linux, Linux and Linux

TrustedInstaller is so called Well-Known Security Principal, it is not visible in the local SAM database and is built-in the OS

Your voice is amazing. You would be killer in sales.

The way I get rid of ANYTHING I want on windows is to boot from the usb recovery disk offered by windows and then drop to a cmd prompt. I can then dir/delete/move etc anything and that includes hidden and system files as well. A great utility for browsing the windows hard drive from DOS is called Q-Dir and that would be the portable version. Another trick to have complete control of all windows files is to boot up a live Linux system from usb and browse that way with the sudo. In some instances when trying to access the windows hard drive from a Linux boot disk the windows disk will be locked and you cannot work with it. The fix , trick, is to do a restart from windows and when the screen goes blank showing windows is shut down press and hold the computer off button until the computer completely shuts down. Now boot up into your Live Linux and mount the windows hard drive . Using the root option then browse windows and do what you like! I like using a gui interface like Linux when doing operations on windows files because of all the file utilities available. :O)

yeah I noticed. I WAS expecting a seperate video but this is perfect. Thanks.

Could you please show us how to completely delete trustedtinstaller ?

Liked, commented and subscribed. Nice video, thank you.

Didn't watch the full video yet, but. If you right click your windows drive, go to security write and read, set your account to full access, you can do what ever you want with your files. hope this helps.

THANKS FOR TEACHING ME THIS POWER, FELLOW JOHN!!

You can't run interactive shells or gui apps because services run in session 0 which to my knowledge can't be accessed anymore.

This is sooo Microsoft. They have a long history in practically every product where admin isn't admin, removal doesn't remove, hidden and then there's extra hidden, etc.

You can't run/launch GUIs from a service as all services are owned by terminal session 0. If did have access to that desktop/terminal then you would be able to see them, but ever since newer versions of Windows they have removed this feature since it was a security concern (there is also a registry hack you have to perform).

Used this trick to spawn a reverse shell as TrustedInstaller on the HTB Academy WINLPE-SRV01 box. Should be interesting to see if this is allowed on the CPTS exam…

If I’m not mistaken, the reason why notepad didn’t appear is because services run in a separate desktop/winstation in session 0

why was this so fun to leave on the background

14:29 That's wrong. Notepad.exe doesn't implement the services interface. Same with cmd.exe, hence why you're getting the weird errors.

To think this is basically the Windows equivalent of logging in as sudo, yet Reddit gets so agrressive about it because you can damage shit like. Yea that's the type of file access we're looking for-

I go around TrustedInstaller on systems that are low on disk space, so I can relocate the Windows Update folders to a secondary drive. The LCU and SoftwareDistribution folders can fill up very quickly and the computer will cease to update. It’s nice to be able to move those around as needed.

14:31 isn't that just hte "Interactive service" / "allow to interact with desktop" check box ?

I actually used some of this one time. I had installed the SSD from my old laptop as a second drive in my new laptop. I had some large and important media on it so I didn't want to reformat it, because I didn't have enough spare diskspace to copy it to first. So figuring out how to dupe TrustedInstaller entries in the ACL was the only way to make the hard drive look like a normal secondary harddrive.

Actually during windows install when you see preparing setting up services youre actually trusted installer for a moment (with mouse and keyboard suspension tho) and oobe where you setup your first account is run as NT authority/system. With right knowledge you can create account as trusted installer during preparation which leads to stealing sid and registering it as normal user. Full control over files despite a lot of bugs and apps not working correctly but a fun experiment to do.

if you want to uninstall folders/files that are blocked by trustedinstaller, you just need to right-click on the file - security - advanced - then hit change next to "owner"

13:30 What if you would start it with psexec in interactive mode?

The smiling blue screen isn't real, it can't hurt you. *This thumbnail*