#1
Access denied and the task scheduler
Hi All,

I had another slow Windows 10 this week to fix. 70% of her problem was Fast Boot. I fixed a bunch of other things too. She LOVED Brave. Without all the ads, she was much faster.

When checking a slow computer, one of the things I check is (sysinternals') Auto Runs for File Not Found (yellow) entries. I remove these. Sometimes there are dozens and dozens of these.

But I came across four of these from Adobe stuff that had been previously removed. I got access denied. So I went straight to the task scheduler and got the same thing. I was thinking of looking in the registry, but her computer was now 10 times faster than when I started, so I let it go. But it is still bugging me.

What would you have done to kill these auto run entries?

Many thanks,
-T
#2
T wrote:

> But I came across four of these from Adobe stuff that had been
> previously removed. I got access denied. So I went straight to the
> task scheduler and got the same thing.
>
> What would you have done to kill these auto run entries?

Administrator   - an account, with a password and a home directory
                - mostly useless, valued for its SeImpersonate privilege,
                  amongst others. In other words, "a Wizard's Wand, not a Wizard".

SYSTEM          - used by Scheduled Tasks
                - found on some registry entries
                - an account, no home directory, no password

                  psexec   -hsi cmd  === 32 bit OS, opens SYSTEM cmd.exe window
                  psexec64 -hsi cmd  === 64 bit OS, opens SYSTEM cmd.exe window

TrustedInstaller - used by TiWorker and friends, trustedinstaller
                 - found on a few registry entries (malware)
                 - a token, not an account
                 - trustedinstaller service must be running, to "copy" token

                   RunFromToken.exe trustedinstaller.exe 1 cmd

                   Or alternately

                   8. Type "net start TrustedInstaller" (it is normally "triggered" by setup.exe...
                      but you're triggering it manually)
                   9. Type "runassystem_x64.exe "runfromtoken_x64.exe trustedinstaller.exe 1 cmd""
                      (You would not normally do it this way, and the person who
                      presented that, was showing off.)

When finished, type "whoami" to verify that any Command Prompt windows opened by these commands are elevated to where you expect.

Running regedit from these windows doesn't always have the expected results. Regedit is a bit savvy to account manipulation. Just as Xorg doesn't like to run as root, providing a root desktop.

Note: RunFromToken makes a change to the administrator account!
      This is one reason I *do not* promote this for general usage.
      Hard to say what hole this change makes.
      The change would be in the privileges, with the items like
      SeImpersonate. Welcome to Windows 98.

I'm not aware of "any other accounts worth having". Using SYSTEM is safe and effective, but there will always be times where malware makes it necessary to dabble with the other one.

   Paul
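The two things this thread is really about are (a) finding scheduled tasks whose action points at a program that has since been uninstalled, the "File Not Found" entries T sees in Autoruns, and (b) understanding why an Administrator gets "access denied" on some of them: the task's backing file under System32\Tasks is owned by SYSTEM or TrustedInstaller and carries no Allow ACE for Administrators. The script below is an added example, not something posted by T or Paul, that does both from an elevated PowerShell. It assumes the ScheduledTasks module (Windows 8 and later) and that each task's backing file lives at System32\Tasks\<TaskPath><TaskName>, which is the normal layout; both are assumptions, not facts from the thread.

```powershell
# Added example (not from the thread). Lists scheduled tasks whose Exec
# action points at a program that no longer exists, together with the
# account the task runs as and who is allowed what on the task's backing
# file. Run from an elevated PowerShell; read-only, deletes nothing.

# Assumption: task definitions are stored under System32\Tasks mirroring
# the task path seen in Task Scheduler (e.g. \Adobe\Foo -> Tasks\Adobe\Foo).
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'

Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        # Only Exec actions carry a command; ComHandler actions expose a ClassId instead.
        if (-not $action.Execute) { continue }

        # Expand %ProgramFiles%-style variables and strip surrounding quotes.
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

        # A rooted path must exist as given; a bare name like cmd.exe resolves via PATH.
        $found = if ([IO.Path]::IsPathRooted($exe)) {
            Test-Path -LiteralPath $exe
        } else {
            [bool](Get-Command $exe -ErrorAction SilentlyContinue)
        }
        if ($found) { continue }

        # Backing file of the task definition and its ACL; this is what
        # "Delete" in Task Scheduler has to be allowed to remove.
        $taskFile = Join-Path $taskRoot ($task.TaskPath.TrimStart('\') + $task.TaskName)
        $acl = Get-Acl -LiteralPath $taskFile -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Task     = $task.TaskPath + $task.TaskName
            Missing  = $exe
            RunsAs   = $task.Principal.UserId
            RunLevel = $task.Principal.RunLevel
            Owner    = $acl.Owner
            # Who holds Allow entries on the file; if Administrators is absent
            # and the owner is SYSTEM or TrustedInstaller, an admin-level
            # delete will fail with access denied.
            Allowed  = ($acl.Access |
                Where-Object { $_.AccessControlType -eq 'Allow' } |
                ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        }
    }
} | Format-Table -AutoSize -Wrap
```

The Owner and Allowed columns are the part worth reading before reaching for psexec: if the only Allow entries are for SYSTEM and TrustedInstaller, that is the whole explanation for the access-denied message, and it also tells you which of Paul's two contexts (a SYSTEM cmd.exe via `psexec -hsi cmd`, or a TrustedInstaller token) is the minimum needed to remove the leftover.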
#3
On 11/15/19 11:00 PM, Paul wrote:

> I'm not aware of "any other accounts worth having". Using SYSTEM is
> safe and effective, but there will always be times where malware
> makes it necessary to dabble with the other one.

Hi Paul,

That explains a lot. I was using Auto Runs as Administrator. When I get some time, I am going to test what works with user SYSTEM. And see how badly regedit whines at me too.

Thank you!

-T