A Windows XP help forum. PCbanter


Access denied and the task scheduler

  #1  
Old November 16th 19, 05:03 AM posted to alt.comp.os.windows-10
T
external usenet poster
 
Posts: 4,600
Default Access denied and the task scheduler

Hi All,

I had another slow Windows 10 this week to fix. 70%
of her problem was Fast Boot. I fixed a bunch of
other things too. She LOVED Brave. Without
all the ads, she was much faster.

When checking a slow computer, one of the things I
check is (sysinternals') Auto Runs for File Not Found
(yellow) entries. I remove these. Sometimes there
are dozens and dozens of these.

But I came across four of these from Adobe stuff that
had been previously removed. I got access denied.

So I went straight to the task scheduler and got the
same thing. I was thinking of looking in the registry,
but her computer was now 10 times faster than when I
started, so I let it go. But it is still bugging me.

What would you have done to kill these auto run entries?

Many thanks,
-T
  #2  
Old November 16th 19, 08:00 AM posted to alt.comp.os.windows-10
Paul[_32_]
external usenet poster
 
Posts: 11,873
Default Access denied and the task scheduler

T wrote:
Hi All,

I had another slow Windows 10 this week to fix. 70%
of her problem was Fast Boot. I fixed a bunch of
other things too. She LOVED Brave. Without
all the ads, she was much faster.

When checking a slow computer, one of the things I
check is (sysinternals') Auto Runs for File Not Found
(yellow) entries. I remove these. Sometimes there
are dozens and dozens of these.

But I came across four of these from Adobe stuff that
had been previously removed. I got access denied.

So I went straight to the task scheduler and got the
same thing. I was thinking of looking in the registry,
but her computer was now 10 times faster than when I
started, so I let it go. But it is still bugging me.

What would you have done to kill these auto run entries?

Many thanks,
-T


Administrator - an account, with a password and a home directory
              - mostly useless, valued for its SeImpersonate privilege,
                amongst others. In other words, "a Wizard's Wand, not a Wizard".

SYSTEM        - used by Scheduled Tasks
              - found on some registry entries
              - an account, no home directory, no password
                 psexec   -hsi cmd  === 32 bit OS, opens SYSTEM cmd.exe window
                 psexec64 -hsi cmd  === 64 bit OS, opens SYSTEM cmd.exe window

TrustedInstaller - used by TiWorker and friends, trustedinstaller
                 - found on a few registry entries (malware)
                 - a token, not an account
                 - trustedinstaller service must be running, to "copy" token

                 RunFromToken.exe trustedinstaller.exe 1 cmd

                 Or alternately

                 8. Type "net start TrustedInstaller" (it is normally "triggered" by setup.exe...
                                                       but you're triggering it manually)
                 9. Type "runassystem_x64.exe "runfromtoken_x64.exe trustedinstaller.exe 1 cmd""
                    (You would not normally do it this way, and the person who
                     presented that, was showing off.)

When finished, type "whoami" to verify that any
Command Prompt windows opened by these commands
are elevated to where you expect.

Running regedit from these windows doesn't always
have the expected results. Regedit is a bit savvy to
account manipulation. Just as Xorg doesn't like to run
as root, providing a root desktop.

Note: RunFromToken makes a change to the administrator account!
      This is one reason I *do not* promote this for general usage.
      Hard to say what hole this change makes.
      The change would be in the privileges, with the items like
      SeImpersonate.

Welcome to Windows 98.

I'm not aware of "any other accounts worth having".

Using SYSTEM is safe and effective, but there
will always be times where malware makes it
necessary to dabble with the other one.

Paul
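The thread's two findings are that Autoruns flags "File Not Found" entries in scheduled tasks and the Run keys, and that an elevated Administrator session can still be refused when deleting them because the task definition is owned by SYSTEM or TrustedInstaller. The PowerShell below is an added example written for this thread; it is not Sysinternals, Microsoft, or either poster's code. It assumes Windows 8 / Server 2012 or later (for the ScheduledTasks module), that task definitions live as XML under System32\Tasks\<TaskPath><TaskName>, and that a Run-key command line's executable is the quoted path or first token (a heuristic, so the function name Get-CommandExecutable and its parsing are mine). It only enumerates and reports: for each orphaned entry it shows the missing target, the account the entry runs as, and who owns the definition, which tells you in advance whether an Administrator prompt or a SYSTEM prompt (Paul's psexec -hsi cmd) is needed to remove it. Test-RunningAsSystem is the script equivalent of Paul's "whoami" check.

```powershell
# Added example, not from the thread: audit scheduled tasks and Run keys for
# entries whose target executable no longer exists, and report who owns each
# definition (the usual reason an Administrator session gets "access denied").

function Test-RunningAsSystem {
    # Equivalent of the "whoami" check: S-1-5-18 is the well-known SID of
    # NT AUTHORITY\SYSTEM, so this is $true inside a "psexec -hsi cmd" session.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    return ($id.User.Value -eq 'S-1-5-18')
}

function Get-CommandExecutable {
    # Heuristic (assumption): a quoted path is everything up to the closing
    # quote, otherwise the first whitespace-delimited token. %VARS% are expanded.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+', 2)[0]
}

function Get-OwnerOrError {
    # Reading the ACL itself may be refused; report that instead of aborting.
    param([string]$LiteralPath)
    try { return (Get-Acl -LiteralPath $LiteralPath -ErrorAction Stop).Owner }
    catch { return "access denied reading ACL" }
}

function Get-OrphanedScheduledTasks {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a program path; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $exe = Get-CommandExecutable $action.Execute
            # Bare names such as "cmd.exe" are resolved through PATH; skip them.
            if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
            if (Test-Path -LiteralPath $exe) { continue }

            # Assumed layout: the task XML sits under System32\Tasks\<TaskPath><TaskName>.
            $xml = Join-Path $env:SystemRoot ('System32\Tasks' + $task.TaskPath + $task.TaskName)
            $owner = 'n/a'
            if (Test-Path -LiteralPath $xml) { $owner = Get-OwnerOrError $xml }

            [pscustomobject]@{
                Source   = 'ScheduledTask'
                Location = $task.TaskPath + $task.TaskName
                Missing  = $exe
                RunAs    = $task.Principal.UserId
                Owner    = $owner
            }
        }
    }
}

function Get-OrphanedRunEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
            if ($prop.Name -like 'PS*') { continue }
            if (-not $prop.Value) { continue }
            $exe = Get-CommandExecutable ([string]$prop.Value)
            if (-not [System.IO.Path]::IsPathRooted($exe)) { continue }
            if (Test-Path -LiteralPath $exe) { continue }
            [pscustomobject]@{
                Source   = 'RunKey'
                Location = "$key\$($prop.Name)"
                Missing  = $exe
                RunAs    = if ($key -like 'HKCU:*') { $env:USERNAME } else { '(each user at logon)' }
                Owner    = Get-OwnerOrError $key
            }
        }
    }
}

# Usage: run once from an elevated Administrator prompt, then again from a
# SYSTEM prompt and compare the Owner column against the session you are in.
"Running as SYSTEM: $(Test-RunningAsSystem)"
@(Get-OrphanedScheduledTasks) + @(Get-OrphanedRunEntries) | Format-Table -AutoSize
# A confirmed orphan task is removed from the session that has rights to it:
#   Unregister-ScheduledTask -TaskPath <TaskPath> -TaskName <TaskName> -Confirm:$false
```

The Owner column is the diagnostic: an entry owned by NT AUTHORITY\SYSTEM or NT SERVICE\TrustedInstaller whose DACL gives Administrators no delete right is exactly the "access denied" the first post describes, and it tells you before you try which of the accounts Paul lists you will need.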
  #3  
Old November 17th 19, 12:29 PM posted to alt.comp.os.windows-10
T
external usenet poster
 
Posts: 4,600
Default Access denied and the task scheduler

On 11/15/19 11:00 PM, Paul wrote:
T wrote:
Hi All,

I had another slow Windows 10 this week to fix. 70%
of her problem was Fast Boot. I fixed a bunch of
other things too. She LOVED Brave. Without
all the ads, she was much faster.

When checking a slow computer, one of the things I
check is (sysinternals') Auto Runs for File Not Found
(yellow) entries. I remove these. Sometimes there
are dozens and dozens of these.

But I came across four of these from Adobe stuff that
had been previously removed. I got access denied.

So I went straight to the task scheduler and got the
same thing. I was thinking of looking in the registry,
but her computer was now 10 times faster than when I
started, so I let it go. But it is still bugging me.

What would you have done to kill these auto run entries?

Many thanks,
-T


Administrator - an account, with a password and a home directory
              - mostly useless, valued for its SeImpersonate privilege,
                amongst others. In other words, "a Wizard's Wand, not a Wizard".

SYSTEM        - used by Scheduled Tasks
              - found on some registry entries
              - an account, no home directory, no password
                 psexec   -hsi cmd  === 32 bit OS, opens SYSTEM cmd.exe window
                 psexec64 -hsi cmd  === 64 bit OS, opens SYSTEM cmd.exe window

TrustedInstaller - used by TiWorker and friends, trustedinstaller
                 - found on a few registry entries (malware)
                 - a token, not an account
                 - trustedinstaller service must be running, to "copy" token

                 RunFromToken.exe trustedinstaller.exe 1 cmd

                 Or alternately

                 8. Type "net start TrustedInstaller" (it is normally "triggered" by setup.exe...
                                                       but you're triggering it manually)
                 9. Type "runassystem_x64.exe "runfromtoken_x64.exe trustedinstaller.exe 1 cmd""
                    (You would not normally do it this way, and the person who
                     presented that, was showing off.)

When finished, type "whoami" to verify that any
Command Prompt windows opened by these commands
are elevated to where you expect.

Running regedit from these windows doesn't always
have the expected results. Regedit is a bit savvy to
account manipulation. Just as Xorg doesn't like to run
as root, providing a root desktop.

Note: RunFromToken makes a change to the administrator account!
      This is one reason I *do not* promote this for general usage.
      Hard to say what hole this change makes.
      The change would be in the privileges, with the items like
      SeImpersonate.

Welcome to Windows 98.

I'm not aware of "any other accounts worth having".

Using SYSTEM is safe and effective, but there
will always be times where malware makes it
necessary to dabble with the other one.

   Paul


Hi Paul,

That explains a lot.

I was using Auto Runs as Administrator. When I get
some time, I am going to test what works with user
SYSTEM. And see how badly regedit whines at me too.

Thank you !

-T

Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Copyright ©2004-2024 PCbanter.
The comments are property of their posters.