https://fourcore.io/blogs/no-more-access-denied-i-am-trustedinstaller
According to Microsoft, Tamper protection essentially locks Microsoft Defender Antivirus to its secure default values and prevents your security settings from being changed through apps and methods such as:
- Configuring settings in Registry Editor on your Windows device
- Changing settings through PowerShell cmdlets on your device
Therefore, disabling the service or modifying the configuration won’t work.
(...)
We wrote a small POC which starts TrustedInstaller, opens a handle to it, and creates a new child process. The code spawns a cmd.exe shell with the privileges of TrustedInstaller and the user as NT AUTHORITY\SYSTEM.
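From the defender's side, the observable artefact of the behaviour just described is a process-creation event whose parent image is TrustedInstaller.exe and whose child is an interactive shell. The following Go program is an added example and is not code from the FourCore blog or its POC repository: it runs a simple rule over process-creation records. The record fields are modelled on what Sysmon Event ID 1 (or an EDR equivalent) exposes, the sample events and the allowlist of expected TrustedInstaller children are constructed for the example (TiWorker.exe is assumed benign here; validate against your own baseline), and the rule names and severities are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a simplified process-creation record. The field names are
// modelled on Sysmon Event ID 1 / typical EDR telemetry (assumption for the example).
type ProcEvent struct {
	Image       string // full path of the newly created process
	ParentImage string // full path of the process recorded as its parent
	User        string // account the new process runs as
	CommandLine string
}

// Finding is one alert produced by Detect.
type Finding struct {
	Rule     string
	Severity string
	Event    ProcEvent
}

// baseName returns the lower-cased file name of a Windows path, so that
// comparisons do not depend on drive letter, directory or letter case.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, "\\/"); i >= 0 {
		p = p[i+1:]
	}
	return strings.ToLower(p)
}

// knownTIChildren is a constructed baseline of images TrustedInstaller.exe is
// expected to spawn during normal Windows servicing. Assumed for the example;
// build the real list from your own telemetry.
var knownTIChildren = map[string]bool{"tiworker.exe": true}

// interactiveTools are binaries that should never appear as a direct child of
// TrustedInstaller.exe; a hit here is the pattern the POC above produces.
var interactiveTools = map[string]bool{
	"cmd.exe": true, "powershell.exe": true, "pwsh.exe": true,
	"wscript.exe": true, "cscript.exe": true, "rundll32.exe": true,
}

// Detect flags every child of TrustedInstaller.exe that is not in the baseline:
// "high" when the child is an interactive tool, "medium" for anything else
// unbaselined (worth triage, but more likely to be a servicing component you
// have not yet allowlisted).
func Detect(events []ProcEvent) []Finding {
	var out []Finding
	for _, e := range events {
		if baseName(e.ParentImage) != "trustedinstaller.exe" {
			continue
		}
		child := baseName(e.Image)
		switch {
		case interactiveTools[child]:
			out = append(out, Finding{"ti-spawned-interactive", "high", e})
		case !knownTIChildren[child]:
			out = append(out, Finding{"ti-spawned-unbaselined", "medium", e})
		}
	}
	return out
}

// sampleEvents is a constructed process tree: normal service start and
// servicing worker, a user's own cmd.exe, and two children of TrustedInstaller
// that the baseline does not explain.
var sampleEvents = []ProcEvent{
	{Image: `C:\Windows\System32\services.exe`, ParentImage: `C:\Windows\System32\wininit.exe`, User: `NT AUTHORITY\SYSTEM`},
	{Image: `C:\Windows\servicing\TrustedInstaller.exe`, ParentImage: `C:\Windows\System32\services.exe`, User: `NT AUTHORITY\SYSTEM`},
	{Image: `C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack\TiWorker.exe`, ParentImage: `C:\Windows\servicing\TrustedInstaller.exe`, User: `NT AUTHORITY\SYSTEM`},
	{Image: `C:\Windows\System32\cmd.exe`, ParentImage: `C:\Windows\servicing\TrustedInstaller.exe`, User: `NT AUTHORITY\SYSTEM`, CommandLine: "cmd.exe"},
	{Image: `C:\Windows\System32\cmd.exe`, ParentImage: `C:\Windows\explorer.exe`, User: `CORP\alice`, CommandLine: "cmd.exe"},
	{Image: `C:\Temp\tool.exe`, ParentImage: `C:\Windows\servicing\TrustedInstaller.exe`, User: `NT AUTHORITY\SYSTEM`, CommandLine: "tool.exe"},
}

func main() {
	for _, f := range Detect(sampleEvents) {
		fmt.Printf("[%s] %s: %s (parent %s, user %s)\n",
			f.Severity, f.Rule, f.Event.Image, f.Event.ParentImage, f.Event.User)
	}
}
```

The rule keys on the parent image rather than on the SYSTEM account, because SYSTEM-owned shells are common and a TrustedInstaller-parented shell is not; the allowlist keeps servicing noise out without hiding the interactive case.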
TrustedInstaller
A simple Proof of Concept in Golang to start a new shell as TrustedInstaller. This code accompanies FourCore's blog about TrustedInstaller. It is important to note that you need to run this as a user which has SeDebugPrivilege. Upon running, it will automatically ask for UAC in case you are not running as an Administrator.
Use the RunAsTrustedInstaller function to pass any executable to be run with TrustedInstaller privileges.
To run
- git clone the repository
- ensure you have the Go compiler installed
- You can either build a binary using go build ti or run it directly using go run ti
It will spawn a new cmd shell as TrustedInstaller, which you can check by running whoami /all