{"id":13490486,"url":"https://github.com/AveYo/LeanAndMean","last_synced_at":"2025-03-28T06:31:19.938Z","repository":{"id":39644537,"uuid":"365367096","full_name":"AveYo/LeanAndMean","owner":"AveYo","description":"snippets for power users","archived":false,"fork":false,"pushed_at":"2025-02-06T21:44:08.000Z","size":293,"stargazers_count":311,"open_issues_count":12,"forks_count":45,"subscribers_count":20,"default_branch":"main","last_synced_at":"2025-03-27T14:13:44.874Z","etag":null,"topics":["batch","powershell","reg-own","runas","runasti","toggle-defender","trustedinstaller"],"latest_commit_sha":null,"homepage":"","language":"Batchfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AveYo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"AveYo"}},"created_at":"2021-05-07T22:29:10.000Z","updated_at":"2025-03-27T03:39:39.000Z","dependencies_parsed_at":"2024-01-14T14:54:58.203Z","dependency_job_id":"09d3c41e-43d3-4084-b329-1ee4d8114aeb","html_url":"https://github.com/AveYo/LeanAndMean","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AveYo%2FLeanAndMean","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AveYo%2FLeanAndMean/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AveYo%2FLeanAndMean/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AveYo%2FLeanAndMean/manifests","owner_url":"https://repos.ecosy
ste.ms/api/v1/hosts/GitHub/owners/AveYo","download_url":"https://codeload.github.com/AveYo/LeanAndMean/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":245984460,"owners_count":20704791,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["batch","powershell","reg-own","runas","runasti","toggle-defender","trustedinstaller"],"created_at":"2024-07-31T19:00:47.328Z","updated_at":"2025-03-28T06:31:19.916Z","avatar_url":"https://github.com/AveYo.png","language":"Batchfile","readme":"\u003cimg src=\"preview1.png\"\u003e  \r\n\r\nRunAsTI - TrustedInstaller access rights while keeping HKCU loaded  \r\n---  \r\n*supports Windows 7 - Windows 10 - Windows 11 release - Windows 11 dev*  \r\n\r\n#### [RunAsTI.reg](RunAsTI.reg) context menu for folders, exe, msc, bat, cmd, reg - updated 2023.07.06  \r\n```reg\r\nWindows Registry Editor Version 5.00\r\n\r\n; Context Menu entries to use RunAsTI - lean and mean snippet by AveYo, 2018-2023\r\n; [FEATURES]\r\n; - innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile\r\n; - sets ownership privileges, high priority, and explorer support; get System if TI unavailable\r\n; - accepts special characters in paths for which default run as administrator fails\r\n; - show on the new 11 contextmenu via whitelisted id; plenty other available, fuck needing an app!\r\n; 2022.04.07: PowerShell / Terminal here (if installed, use Terminal as TI, else use PowerShell as TI)\r\n; 2023.07.06: fix arguments with 
quotes\r\n\r\n[-HKEY_CLASSES_ROOT\\RunAsTI]\r\n[-HKEY_CLASSES_ROOT\\batfile\\shell\\setdesktopwallpaper]\r\n[-HKEY_CLASSES_ROOT\\cmdfile\\shell\\setdesktopwallpaper]\r\n[-HKEY_CLASSES_ROOT\\exefile\\shell\\setdesktopwallpaper]\r\n[-HKEY_CLASSES_ROOT\\mscfile\\shell\\setdesktopwallpaper]\r\n[-HKEY_CLASSES_ROOT\\Microsoft.PowerShellScript.1\\shell\\setdesktopwallpaper]\r\n[-HKEY_CLASSES_ROOT\\regfile\\shell\\setdesktopwallpaper]\r\n[-HKEY_CLASSES_ROOT\\Folder\\shell\\setdesktopwallpaper]\r\n[-HKEY_CLASSES_ROOT\\Directory\\background\\shell\\extract]\r\n; To remove entries, copy paste above into undo_RunAsTI.reg file, then import it\r\n\r\n; RunAsTI on .bat\r\n[HKEY_CLASSES_ROOT\\batfile\\shell\\setdesktopwallpaper]\r\n\"MUIVerb\"=\"Run as trustedinstaller\"\r\n\"HasLUAShield\"=\"\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n[HKEY_CLASSES_ROOT\\batfile\\shell\\setdesktopwallpaper\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \\\"%L\\\"\"\r\n\r\n; RunAsTI on .cmd\r\n[HKEY_CLASSES_ROOT\\cmdfile\\shell\\setdesktopwallpaper]\r\n\"MUIVerb\"=\"Run as trustedinstaller\"\r\n\"HasLUAShield\"=\"\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n[HKEY_CLASSES_ROOT\\cmdfile\\shell\\setdesktopwallpaper\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \\\"%L\\\"\"\r\n\r\n; RunAsTI on .exe\r\n[HKEY_CLASSES_ROOT\\exefile\\shell\\setdesktopwallpaper]\r\n\"MUIVerb\"=\"Run as trustedinstaller\"\r\n\"HasLUAShield\"=\"\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n[HKEY_CLASSES_ROOT\\exefile\\shell\\setdesktopwallpaper\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \\\"%L\\\"\"\r\n\r\n; RunAsTI on 
.msc\r\n[HKEY_CLASSES_ROOT\\mscfile\\shell\\setdesktopwallpaper]\r\n\"MUIVerb\"=\"Run as trustedinstaller\"\r\n\"HasLUAShield\"=\"\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n[HKEY_CLASSES_ROOT\\mscfile\\shell\\setdesktopwallpaper\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \\\"%L\\\"\"\r\n\r\n; RunAsTI on .ps1\r\n[HKEY_CLASSES_ROOT\\Microsoft.PowerShellScript.1\\shell\\setdesktopwallpaper]\r\n\"MUIVerb\"=\"Run as trustedinstaller\"\r\n\"HasLUAShield\"=\"\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n[HKEY_CLASSES_ROOT\\Microsoft.PowerShellScript.1\\shell\\setdesktopwallpaper\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% powershell -nop -c iex((gc -lit '%L')-join[char]10)\"\r\n\r\n; RunAsTI on .reg\r\n[HKEY_CLASSES_ROOT\\regfile\\shell\\setdesktopwallpaper]\r\n\"MUIVerb\"=\"Import as trustedinstaller\"\r\n\"HasLUAShield\"=\"\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n[HKEY_CLASSES_ROOT\\regfile\\shell\\setdesktopwallpaper\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% regedit /s \\\"%L\\\"\"\r\n\r\n; RunAsTI on Folder\r\n[HKEY_CLASSES_ROOT\\Folder\\shell\\setdesktopwallpaper]\r\n\"MuiVerb\"=\"Open as trustedinstaller\"\r\n\"HasLUAShield\"=\"\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n\"AppliesTo\"=\"NOT System.ParsingName:=\\\"::{645FF040-5081-101B-9F08-00AA002F954E}\\\"\"\r\n[HKEY_CLASSES_ROOT\\Folder\\shell\\setdesktopwallpaper\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% \\\"%L\\\"\"\r\n\r\n; Open Terminal or Powershell as 
trustedinstaller here - can spawn another terminal with: cmd /c $env:wt\r\n[HKEY_CLASSES_ROOT\\Directory\\background\\shell\\extract]\r\n\"MuiVerb\"=\"PowerShell / Terminal\"\r\n\"HasLUAShield\"=\"\"\r\n\"NoWorkingDirectory\"=\"\"\r\n\"Position\"=-\r\n\"Position\"=\"Middle\"\r\n\"Icon\"=\"powershell.exe,0\"\r\n[HKEY_CLASSES_ROOT\\Directory\\background\\shell\\extract\\command]\r\n@=\"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe -win 1 -nop -c iex((10..40|%%{(gp 'Registry::HKCR\\\\RunAsTI' $_ -ea 0).$_})-join[char]10); # --%% cmd /c pushd \\\"%V\\\" \u0026 start \\\"RunAsTI\\\" %%wt%%\"\r\n\r\n; RunAsTI function\r\n[HKEY_CLASSES_ROOT\\RunAsTI]\r\n\"10\"=\"function RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key=\\\"Registry::HKU\\\\$(((whoami /user)-split' ')[-1])\\\\Volatile Environment\\\"; $code=@'\"\r\n\"11\"=\" $I=[int32]; $M=$I.module.gettype(\\\"System.Runtime.Interop`Services.Mar`shal\\\"); $P=$I.module.gettype(\\\"System.Int`Ptr\\\"); $S=[string]\"\r\n\"12\"=\" $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain.\\\"DefineDynami`cAssembly\\\"(1,1).\\\"DefineDynami`cModule\\\"(1); $Z=[uintptr]::size \"\r\n\"13\"=\" 0..5|% {$D += $DM.\\\"Defin`eType\\\"(\\\"AveYo_$_\\\",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_].\\\"MakeByR`efType\\\"()}\"\r\n\"14\"=\" $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)\"\r\n\"15\"=\" 0..2|% {$9=$D[0].\\\"DefinePInvok`eMethod\\\"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}\"\r\n\"16\"=\" $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)\"\r\n\"17\"=\" 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\\\"Defin`eField\\\"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_].\\\"Creat`eType\\\"()}\"\r\n\"18\"=\" 0..5|% {nv \\\"A$_\\\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) 
{$T[0].\\\"G`etMethod\\\"($1).invoke(0,$2)}\"\r\n\"19\"=\" $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}\"\r\n\"20\"=\" if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}\"\r\n\"21\"=\" function M ($1,$2,$3) {$M.\\\"G`etMethod\\\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \\\"AllocHG`lobal\\\" $I $_}\"\r\n\"22\"=\" M \\\"WriteInt`Ptr\\\" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1\"\r\n\"23\"=\" $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \\\"StructureTo`Ptr\\\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)\"\r\n\"24\"=\" $Run=@($null, \\\"powershell -win 1 -nop -c iex `$env:R; # $id\\\", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))\"\r\n\"25\"=\" F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process].\\\"GetM`ember\\\"('SetPrivilege',42)[0]\"\r\n\"26\"=\" 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @(\\\"$_\\\",2))}\"\r\n\"27\"=\" $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]\"\r\n\"28\"=\" function L ($1,$2,$3) {sp 'Registry::HKCR\\\\AppID\\\\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0\"\r\n\"29\"=\"  $b=[Text.Encoding]::Unicode.GetBytes(\\\"\\\\Registry\\\\User\\\\$1\\\"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}\"\r\n\"30\"=\" function Q {[int](gwmi win32_process -filter 'name=\\\"explorer.exe\\\"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}\"\r\n\"31\"=\" $env:wt='powershell'; dir \\\"$env:ProgramFiles\\\\WindowsApps\\\\Microsoft.WindowsTerminal*\\\\wt.exe\\\" -rec|% {$env:wt='\\\"'+$_.FullName+'\\\" \\\"-d .\\\"'}\"\r\n\"32\"=\" 
$11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))\"\r\n\"33\"=\" if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {$9=[Reflection.Assembly]::LoadWithPartialName(\\\"'$_\\\")}}\"\r\n\"34\"=\" if ($11bug) {$path='^(l)'+$($cmd -replace '([\\\\+\\\\^\\\\%\\\\~\\\\(\\\\)\\\\[\\\\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}\"\r\n\"35\"=\" L ($key-split'\\\\\\\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}\"\r\n\"36\"=\" if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}\"\r\n\"37\"=\" if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'\"\r\n\"38\"=\"'@; $V='';'cmd','arg','id','key'|%{$V+=\\\"`n`$$_='$($(gv $_ -val)-replace\\\"'\\\",\\\"''\\\")';\\\"}; sp $key $id $($V,$code) -type 7 -force -ea 0\"\r\n\"39\"=\" start powershell -args \\\"-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R\\\" -verb runas\"\r\n\"40\"=\"}; $A=,([environment]::commandline-split'-[-]%+ ?',2)[1]-split'\\\"([^\\\"]+)\\\"|([^ ]+)',2|%{$_.Trim(' \\\"')}; RunAsTI $A[1] $A[2]; # AveYo, 2023.07.06\"\r\n;\r\n\r\n```\r\n*2022.01.16: added `Open Powershell as trustedinstaller` entry on directory background*  \r\n*2022.01.28: workaround for 11 release (22000) delaying explorer; fix 7 args*\r\n*2022.04.07: PowerShell / Terminal (if installed, use Terminal as TI, else use PowerShell as TI)*  \r\n*2023.07.06: fix arguments with quotes*  \r\n\r\n#### [RunAsTI.bat](RunAsTI.bat) with ***Send to*** right-click menu entry to launch files and folders as TI - updated 2023.07.06  \r\n```bat\r\n@echo off\u0026 title RunAsTI - lean and mean snippet by AveYo, 2018-2022\r\ngoto :nfo\r\n    [FEATURES]\r\n    - innovative HKCU load, no need for reg load / unload ping-pong; 
programs get the user profile\r\n    - sets ownership privileges, high priority, and explorer support; get System if TI unavailable\r\n    - accepts special characters in paths for which default run as administrator fails\r\n    - adds Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer\r\n    [USAGE]\r\n    - First copy-paste RunAsTI snippet after .bat script content\r\n    - Then call it anywhere to launch programs with arguments as TI\r\n      call :RunAsTI regedit\r\n      call :RunAsTI powershell -noprofile -nologo -noexit -c [environment]::Commandline\r\n      call :RunAsTI cmd /k \"whoami /all \u0026 color e0\"\r\n      call :RunAsTI \"C:\\System Volume Information\"\r\n    - Or just relaunch the script once if not already running as TI:\r\n      whoami /user | findstr /i /c:S-1-5-18 \u003enul || ( call :RunAsTI \"%~f0\" %* \u0026 exit /b )\r\n    2022.01.28: workaround for 11 release (22000) hindering explorer as TI; fix 7 args\r\n    2023.07.06 fix arguments with quotes\r\n:nfo\r\n\r\n:::::::::::::::::::::::::\r\n:: .bat script content ::\r\n:::::::::::::::::::::::::\r\n\r\n:: [optional] add Send to - RunAsTI right-click menu entry to launch files and folders as TI via explorer\r\nset \"0=%~f0\"\u0026 powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split':SendTo\\:.*')[1])\u0026 goto :SendTo:\r\n$SendTo=[Environment]::GetFolderPath('ApplicationData')+'\\Microsoft\\Windows\\SendTo\\RunAsTI.bat'; $enc=[Text.Encoding]::UTF8\r\nif ($env:0 -ne $SendTo) {[IO.File]::WriteAllLines($SendTo, [io.file]::ReadAllLines($env:0,$enc))}\r\n:SendTo:\r\n\r\n:: call RunAsTI snippet with default commandline args - if none provided, defaults to opening This PC as TI\r\ncall :RunAsTI %*\r\n\r\necho args: %*\r\n::whoami\r\n::timeout /t 7\r\n\r\n:: done\r\nexit /b\r\n\r\n::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\r\n:: .bat script content end - copy-paste RunAsTI snippet 
::\r\n::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\r\n\r\n#:RunAsTI snippet to run as TI/System, with innovative HKCU load, ownership privileges, high priority, and explorer support\r\nset ^ #=\u0026 set \"0=%~f0\"\u0026 set 1=%*\u0026 powershell -c iex(([io.file]::ReadAllText($env:0)-split'#\\:RunAsTI .*')[1])\u0026 exit /b\r\nfunction RunAsTI ($cmd,$arg) { $id='RunAsTI'; $key=\"Registry::HKU\\$(((whoami /user)-split' ')[-1])\\Volatile Environment\"; $code=@'\r\n $I=[int32]; $M=$I.module.gettype(\"System.Runtime.Interop`Services.Mar`shal\"); $P=$I.module.gettype(\"System.Int`Ptr\"); $S=[string]\r\n $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain.\"DefineDynami`cAssembly\"(1,1).\"DefineDynami`cModule\"(1); $Z=[uintptr]::size\r\n 0..5|% {$D += $DM.\"Defin`eType\"(\"AveYo_$_\",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_].\"MakeByR`efType\"()}\r\n $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)\r\n 0..2|% {$9=$D[0].\"DefinePInvok`eMethod\"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}\r\n $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)\r\n 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\"Defin`eField\"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_].\"Creat`eType\"()}\r\n 0..5|% {nv \"A$_\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0].\"G`etMethod\"($1).invoke(0,$2)}\r\n $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}\r\n if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}\r\n function M ($1,$2,$3) {$M.\"G`etMethod\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \"AllocHG`lobal\" $I $_}\r\n M \"WriteInt`Ptr\" ($P,$P) ($H[0],$As.Handle); 
$A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1\r\n $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \"StructureTo`Ptr\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)\r\n $Run=@($null, \"powershell -win 1 -nop -c iex `$env:R; # $id\", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))\r\n F 'CreateProcess' $Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process].\"GetM`ember\"('SetPrivilege',42)[0]\r\n 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @(\"$_\",2))}\r\n $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]\r\n function L ($1,$2,$3) {sp 'HKLM:\\Software\\Classes\\AppID\\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0\r\n  $b=[Text.Encoding]::Unicode.GetBytes(\"\\Registry\\User\\$1\"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}\r\n function Q {[int](gwmi win32_process -filter 'name=\"explorer.exe\"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}\r\n $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))\r\n if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {[Reflection.Assembly]::LoadWithPartialName(\"'$_\")}}\r\n if ($11bug) {$path='^(l)'+$($cmd -replace '([\\+\\^\\%\\~\\(\\)\\[\\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}\r\n L ($key-split'\\\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}\r\n if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}\r\n if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'\r\n'@; $V='';'cmd','arg','id','key'|%{$V+=\"`n`$$_='$($(gv $_ 
-val)-replace\"'\",\"''\")';\"}; sp $key $id $($V,$code) -type 7 -force -ea 0\r\n start powershell -args \"-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R\" -verb runas\r\n}; $A=,$env:1-split'\"([^\"]+)\"|([^ ]+)',2|%{$_.Trim(' ')}; RunAsTI $A[1] $A[2]; #:RunAsTI lean \u0026 mean snippet by AveYo, 2023.07.06\r\n\r\n```\r\n*2022.01.28: workaround for 11 release (22000) delaying explorer; fix 7 args*  \r\n*2023.07.06: fix arguments with quotes*  \r\n\r\n#### [RunAsTI.ps1](RunAsTI.ps1) or copy-paste function code in powershell console  - updated 2022.01.28\r\n```ps1\r\n$host.ui.RawUI.WindowTitle = 'RunAsTI - lean and mean snippet by AveYo, 2018-2022'\r\n\u003c#\r\n  [FEATURES]\r\n  - innovative HKCU load, no need for reg load / unload ping-pong; programs get the user profile\r\n  - sets ownership privileges, high priority, and explorer support; get System if TI unavailable        \r\n  - accepts special characters in paths for which default run as administrator fails\r\n  - can copy-paste snippet directly in powershell console then use it manually\r\n  [USAGE]\r\n  - First copy-paste RunAsTI snippet before .ps1 script content\r\n  - Then call it anywhere after to launch programs with arguments as TI\r\n    RunAsTI regedit\r\n    RunAsTI powershell '-noprofile -nologo -noexit -c [environment]::Commandline'\r\n    RunAsTI cmd '/k \"whoami /all \u0026 color e0\"'\r\n    RunAsTI \"C:\\System Volume Information\"\r\n  - Or just relaunch the script once if not already running as TI:\r\n    if (((whoami /user)-split' ')[-1]-ne'S-1-5-18') {\r\n      RunAsTI powershell \"-f $($MyInvocation.MyCommand.Path) $($args[0]) $($args[1..99])\"; return\r\n    }\r\n  2022.01.28: workaround for 11 release (22000) hindering explorer as TI\r\n#\u003e\r\n\r\n#########################################################\r\n# copy-paste RunAsTI snippet before .ps1 script content #\r\n#########################################################\r\n\r\nfunction RunAsTI 
($cmd,$arg) { $id='RunAsTI'; $key=\"Registry::HKU\\$(((whoami /user)-split' ')[-1])\\Volatile Environment\"; $code=@'\r\n $I=[int32]; $M=$I.module.gettype(\"System.Runtime.Interop`Services.Mar`shal\"); $P=$I.module.gettype(\"System.Int`Ptr\"); $S=[string]\r\n $D=@(); $T=@(); $DM=[AppDomain]::CurrentDomain.\"DefineDynami`cAssembly\"(1,1).\"DefineDynami`cModule\"(1); $Z=[uintptr]::size \r\n 0..5|% {$D += $DM.\"Defin`eType\"(\"AveYo_$_\",1179913,[ValueType])}; $D += [uintptr]; 4..6|% {$D += $D[$_].\"MakeByR`efType\"()}\r\n $F='kernel','advapi','advapi', ($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), ([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)\r\n 0..2|% {$9=$D[0].\"DefinePInvok`eMethod\"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}\r\n $DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)\r\n 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\"Defin`eField\"('f' + $n++, $_, 6)}}; 0..5|% {$T += $D[$_].\"Creat`eType\"()}\r\n 0..5|% {nv \"A$_\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0].\"G`etMethod\"($1).invoke(0,$2)}   \r\n $TI=(whoami /groups)-like'*1-16-16384*'; $As=0; if(!$cmd) {$cmd='control';$arg='admintools'}; if ($cmd-eq'This PC'){$cmd='file:'}\r\n if (!$TI) {'TrustedInstaller','lsass','winlogon'|% {if (!$As) {$9=sc.exe start $_; $As=@(get-process -name $_ -ea 0|% {$_})[0]}}\r\n function M ($1,$2,$3) {$M.\"G`etMethod\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \"AllocHG`lobal\" $I $_}\r\n M \"WriteInt`Ptr\" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1\r\n $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \"StructureTo`Ptr\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)\r\n $Run=@($null, \"powershell -win 1 -nop -c iex `$env:R; # $id\", 0, 0, 0, 0x0E080600, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))\r\n F 'CreateProcess' 
$Run; return}; $env:R=''; rp $key $id -force; $priv=[diagnostics.process].\"GetM`ember\"('SetPrivilege',42)[0]   \r\n 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$priv.Invoke($null, @(\"$_\",2))}\r\n $HKU=[uintptr][uint32]2147483651; $NT='S-1-5-18'; $reg=($HKU,$NT,8,2,($HKU -as $D[9])); F 'RegOpenKeyEx' $reg; $LNK=$reg[4]\r\n function L ($1,$2,$3) {sp 'HKLM:\\Software\\Classes\\AppID\\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}' 'RunAs' $3 -force -ea 0\r\n  $b=[Text.Encoding]::Unicode.GetBytes(\"\\Registry\\User\\$1\"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}\r\n function Q {[int](gwmi win32_process -filter 'name=\"explorer.exe\"'|?{$_.getownersid().sid-eq$NT}|select -last 1).ProcessId}\r\n $11bug=($((gwmi Win32_OperatingSystem).BuildNumber)-eq'22000')-AND(($cmd-eq'file:')-OR(test-path -lit $cmd -PathType Container))\r\n if ($11bug) {'System.Windows.Forms','Microsoft.VisualBasic' |% {[Reflection.Assembly]::LoadWithPartialName(\"'$_\")}}\r\n if ($11bug) {$path='^(l)'+$($cmd -replace '([\\+\\^\\%\\~\\(\\)\\[\\]])','{$1}')+'{ENTER}'; $cmd='control.exe'; $arg='admintools'}\r\n L ($key-split'\\\\')[1] $LNK ''; $R=[diagnostics.process]::start($cmd,$arg); if ($R) {$R.PriorityClass='High'; $R.WaitForExit()}\r\n if ($11bug) {$w=0; do {if($w-gt40){break}; sleep -mi 250;$w++} until (Q); [Microsoft.VisualBasic.Interaction]::AppActivate($(Q))}\r\n if ($11bug) {[Windows.Forms.SendKeys]::SendWait($path)}; do {sleep 7} while(Q); L '.Default' $LNK 'Interactive User'\r\n'@; $V='';'cmd','arg','id','key'|%{$V+=\"`n`$$_='$($(gv $_ -val)-replace\"'\",\"''\")';\"}; sp $key $id $($V,$code) -type 7 -force -ea 0\r\n start powershell -args \"-win 1 -nop -c `n$V `$env:R=(gi `$key -ea 0).getvalue(`$id)-join''; iex `$env:R\" -verb runas\r\n} # lean \u0026 mean snippet by AveYo, 2022.01.28\r\n\r\n#######################\r\n# .ps1 script content #\r\n#######################\r\n\r\n# call RunAsTI snippet with default 
commandline args - if none provided, defaults to opening This PC as TI \r\nRunAsTI $args[0] $args[1..99]\r\n\r\nwrite-host args: $args\r\n#$(whoami) \r\n#timeout /t 7\r\n\r\n# done\r\nreturn \r\n\r\n```\r\n*2022.01.28: workaround for 11 release (22000) delaying explorer*  \r\n\r\n#### Q \u0026 A:  \r\n*Q: what is the deal with the back\\`quotes?*  \r\nA: to silence lame powershell keyword-based event-log warnings that include the whole snippet and slow down processing  \r\n*Q: pretty sure reflection is used, single-letter vars for types, then.. any hints about those magic constants and arrays?*  \r\nA: $Ai instance of $T[i] type of $D[i] structure of $DF[i] fields; $D[4] StartupInfoEx, $D[3] StartupInfo, $D[2] lpAttribute..  \r\n$D[0] for pinvoke definitions; numbers mostly calling flags or premade struct sizes; check microsoft docs ^,^  \r\n\r\n*Q: is there a way to launch Windows Terminal as TI on a windows 11 machine?*  \r\nA: sure. create a new profile / clone / edit Windows PowerShell one, with the command line:  \r\n```\r\npowershell.exe -nop -c iex($(foreach($l in 10..40){(gp 'Registry::HKCR\\RunAsTI' $l -ea 0).$l})-join [char]10); # --% cmd /c %wt%\r\n```\r\n\r\n\r\n\u003cimg src=\"preview2.png\"\u003e  \r\n\r\nReg_Own - change registry security via scripts  \r\n---  \r\n*supports Windows 7 - Windows 10 - Windows 11 release - Windows 11 dev*  \r\n\r\n#### [reg_own.bat](reg_own.bat) snippet showcase  - updated 2022.01.15  \r\n\r\n```bat\r\n@echo off\u0026 color 07\u0026 title reg_own - lean and mean snippet by AveYo, 2018-2022\r\ngoto :nfo\r\n    [FEATURES]\r\n    - parameters after key are optional; if -owner is omitted, try to preserve existing\r\n    - enable inherited rights / disable / delete entries with -recurse Inherit / Replace / Delete\r\n    - add -list to show summary even when regedit fails; no low-level registry functions used        \r\n    - can copy-paste snippet directly in powershell (admin) console then use it manually\r\n    [USAGE]\r\n 
   - First copy-paste reg_own snippet after .bat script content\r\n    - Then call it anywhere (after elevation) to change registry security:\r\n      call :reg_own \"key\" -recurse Replace -user S-1-5-32-545 -owner S-1-1-0 -acc Allow -perm FullControl\r\n:nfo\r\n\r\n:::::::::::::::::::::::::\r\n:: .bat script content ::\r\n:::::::::::::::::::::::::\r\n\r\n:::: Define TI sid (TrustedInstaller)\r\nfor /f \"tokens=3\" %%a in ('sc.exe showsid TrustedInstaller') do set TI=%%a \u003enul\r\n\r\n:::: Define USER sid before asking for elevation since it gets replaced for limited accounts\r\nif \"%USER%\"==\"\" for /f \"tokens=2\" %%u in ('whoami /user /fo list') do (set USER=%%u)\r\n\r\n:::: Ask for elevation passing USER and any batch arguments\r\nfltmc \u003enul || (set _=set USER=%USER%^\u0026 call \"%~f0\" %*\u0026 powershell -nop -c start cmd -args '/d/x/r',$env:_ -verb runas\u0026 exit)\r\n\r\n::# lean xp+ color macros by AveYo:  %\u003c%:af \" hello \"%\u003e\u003e%  \u0026  %\u003c%:cf \" w\\\"or\\\"ld \"%\u003e%   for single \\ / \" use .%|%\\  .%|%/  \\\"%|%\\\"\r\nfor /f \"delims=:\" %%s in ('echo;prompt $h$s$h:^|cmd /d') do set \"|=%%s\"\u0026set \"\u003e\u003e=\\..\\c nul\u0026set /p s=%%s%%s%%s%%s%%s%%s%%s\u003cnul\u0026popd\"\r\nset \"\u003c=pushd \"%public%\"\u00262\u003enul findstr /c:\\ /a\" \u0026set \"\u003e=%\u003e\u003e%\u0026echo;\" \u0026set \"|=%|:~0,1%\" \u0026set /p s=\\\u003cnul\u003e\"%public%\\c\"\r\n\r\n:: Setup a test key\r\nreg delete HKLM\\SOFTWARE\\REG_OWN /f \u003enul 2\u003enul\u0026 reg add HKLM\\SOFTWARE\\REG_OWN\\DEL\\ME\\NOW /f \u003enul 2\u003enul \u0026 prompt $E \u003enul\r\n\r\n%\u003c%:af \" Allow FullControl from Administrators \"%\u003e\u003e% \u0026 %\u003c%:f0 \" default, just this key \"%\u003e%\r\necho;call :reg_own \"HKEY_LOCAL_MACHINE\\SOFTWARE\\REG_OWN\" -list\r\n     call :reg_own \"HKEY_LOCAL_MACHINE\\SOFTWARE\\REG_OWN\" -list\r\n\r\n%\u003c%:8f \" Allow READ from Users \"%\u003e\u003e% \u0026 %\u003c%:f0 \" 
recursive, enable inheritance [no -list to hide output] \"%\u003e%\r\necho;call :reg_own \"HKLM:\\SOFTWARE\\REG_OWN\\DEL\" -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey\r\n     call :reg_own \"HKLM:\\SOFTWARE\\REG_OWN\\DEL\" -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey\r\n\r\necho;\r\n%\u003c%:5f \" Allow WriteKey from %%USER%% and set owner to SYSTEM \"%\u003e\u003e% \u0026 %\u003c%:f0 \" just this key \"%\u003e%\r\necho;call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -user %%USER%% -owner S-1-5-18 -acc Allow -perm WriteKey -list\r\n     call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -user %USER%   -owner S-1-5-18 -acc Allow -perm WriteKey -list\r\n\r\n%\u003c%:cf \" Deny changes from Everyone and set owner to TrustedInstaller \"%\u003e\u003e% \u0026 %\u003c%:f0 \" recursive, disable inheritance \"%\u003e%\r\nset nochanges=\"SetValue,Delete,ChangePermissions,TakeOwnership\"\r\necho;call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -recurse Replace -user S-1-1-0 -owner %%TI%% -acc Deny -perm %nochanges% -list\r\n     call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -recurse Replace -user S-1-1-0 -owner %TI%   -acc Deny -perm %nochanges% -list\r\n\r\necho;\r\n%\u003c%:0e \"TO WRITE LOCKED VALUES WHILE TRYING TO PRESERVE EXISTING OWNER AND RIGHTS I RECOMMEND THE FOLLOWING:\"%\u003e%\r\n\r\necho;\r\n%\u003c%:e0 \"0. DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD FAIL NOW \"%\u003e%\r\necho;reg add \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" /v somevalue /d somedata /f\r\n     reg add \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" /v somevalue /d somedata /f\r\n\r\necho;\r\n%\u003c%:9e \"1. Allow FullControl from Everyone \"%\u003e\u003e% \u0026 %\u003c%:f0 \" recursive, disable inheritance \"%\u003e%\r\necho;call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -recurse Replace -user S-1-1-0 -list\r\n     call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -recurse Replace -user S-1-1-0 -list\r\n\r\n%\u003c%:e0 \"2. 
DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD SUCCEED NOW \"%\u003e%\r\necho;reg add \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" /v somevalue /d somedata /f\r\n     reg add \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" /v somevalue /d somedata /f\r\n\r\necho;\r\n%\u003c%:9e \"3. Remove non-inherited rules from Everyone \"%\u003e\u003e% \u0026 %\u003c%:f0 \" recursive, delete \"%\u003e%\r\necho;call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -recurse Delete -user S-1-1-0 -list\r\n     call :reg_own \"HKLM\\SOFTWARE\\REG_OWN\\DEL\" -recurse Delete -user S-1-1-0 -list\r\n\r\n:: Delete test key\r\nreg delete HKLM\\SOFTWARE\\REG_OWN /f \u003enul 2\u003enul\r\n\r\necho;\r\n%\u003c%:bf \" Done! \"%\u003e%\r\nchoice /c EX1T\r\nexit /b\r\n\r\n::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\r\n:: .bat script content end - copy-paste reg_own snippet ::\r\n::::::::::::::::::::::::::::::::::::::::::::::::::::::::::\r\n\r\n#:reg_own \"HKCU\\Key\" -recurse Inherit / Replace / Delete -user S-1-5-32-545 -owner '' -acc Allow -perm ReadKey\r\nset ^ #=\u0026set \"0=%~f0\"\u0026set 1=%*\u0026 powershell -nop -c iex(([io.file]::ReadAllText($env:0)-split'#\\:reg_own .*')[1]); # --%% %*\u0026exit/b\r\nfunction reg_own { param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list )\r\n  $D1=[uri].module.gettype('System.Diagnostics.Process').\"GetM`ember\"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288  \r\n  'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @(\"$_\",2))}\r\n  $reg=$key-split':?\\\\',2; $key=$reg-join'\\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit']\r\n  $own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)}\r\n  $r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)}; function _own($k,$l) {\r\n  
$t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)}\r\n  $u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2)\r\n  $c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0])\r\n  $c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own \"$k\\$i\" $false}}\r\n  if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])} \r\n  $c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list\r\n}; iex \"reg_own $(([environment]::get_CommandLine()-split'-[-]%+ ?')[1])\" #:reg_own lean \u0026 mean snippet by AveYo, 2022.01.15\r\n\r\n```\r\n\r\n#### [reg_own.ps1](reg_own.ps1) or copy-paste function code in powershell (admin) console  - updated 2022.01.15  \r\n```ps1\r\n$host.ui.RawUI.WindowTitle = 'reg_own - lean and mean snippet by AveYo, 2018-2022'\r\n\u003c#\r\n    [FEATURES]\r\n    - parameters after key are optional; if -owner is omitted, try to preserve existing\r\n    - enable inherited rights / disable / delete entries with -recurse Inherit / Replace / Delete\r\n    - add -list to show summary even when regedit fails; no low-level registry functions used        \r\n    - can copy-paste snippet directly in powershell (admin) console then use it manually\r\n    [USAGE]\r\n    - First copy-paste reg_own snippet before .ps1 script content\r\n    - Then call it anywhere (after elevation) to change registry security:\r\n      reg_own \"key\" -recurse Replace -user S-1-5-32-545 -owner S-1-1-0 -acc Allow -perm FullControl\r\n#\u003e\r\n\r\n#########################################################\r\n# copy-paste reg_own snippet before .ps1 script content 
#\r\n#########################################################\r\n\r\nfunction reg_own { param ( $key, $recurse='', $user='S-1-5-32-544', $owner='', $acc='Allow', $perm='FullControl', [switch]$list )\r\n  $D1=[uri].module.gettype('System.Diagnostics.Process').\"GetM`ember\"('SetPrivilege',42)[0]; $u=$user; $o=$owner; $p=524288  \r\n  'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$D1.Invoke($null, @(\"$_\",2))}\r\n  $reg=$key-split':?\\\\',2; $key=$reg-join'\\'; $HK=gi -lit Registry::$($reg[0]) -force; $re=$recurse; $in=(1,0)[$re-eq'Inherit']\r\n  $own=$o-eq''; if($own){$o=$u}; $sid=[Security.Principal.SecurityIdentifier]; $w='S-1-1-0',$u,$o |% {new-object $sid($_)}\r\n  $r=($w[0],$p,1,0,0),($w[1],$perm,1,0,$acc) |% {new-object Security.AccessControl.RegistryAccessRule($_)}; function _own($k,$l) {\r\n  $t=$HK.OpenSubKey($k,2,'TakeOwnership'); if($t) { try {$n=$t.GetAccessControl(4)} catch {$n=$HK.GetAccessControl(4)}\r\n  $u=$n.GetOwner($sid); if($own-and $u) {$w[2]=$u}; $n.SetOwner($w[0]); $t.SetAccessControl($n); $d=$HK.GetAccessControl(2)\r\n  $c=$HK.OpenSubKey($k,2,'ChangePermissions'); $b=$c.GetAccessControl(2); $d.RemoveAccessRuleAll($r[1]); $d.ResetAccessRule($r[0])\r\n  $c.SetAccessControl($d); if($re-ne'') {$sk=$HK.OpenSubKey($k).GetSubKeyNames(); foreach($i in $sk) {_own \"$k\\$i\" $false}}\r\n  if($re-ne'') {$b.SetAccessRuleProtection($in,1)}; $b.ResetAccessRule($r[1]); if($re-eq'Delete') {$b.RemoveAccessRuleAll($r[1])} \r\n  $c.SetAccessControl($b); $b,$n |% {$_.SetOwner($w[2])}; $t.SetAccessControl($n)}; if($l) {return $b|fl} }; _own $reg[1] $list\r\n} # lean \u0026 mean snippet by AveYo, 2022.01.15\r\n\r\n#######################\r\n# .ps1 script content #\r\n#######################\r\n\r\n## Define TI sid (TrustedInstaller)\r\n$TI = (sc.exe showsid TrustedInstaller)-split': '|?{$_-like'*S-1-*'}\r\n\r\n## Define USER sid before asking for elevation since it gets replaced for limited accounts\r\nif ($null 
-eq $USER) {$USER = ((whoami /user)-split' ')[-1]}\r\n\r\n## Ask for elevation passing USER\r\n$admin = fltmc; if ($LASTEXITCODE) {\r\n  $arg = \"-nop -c `$USER='$USER'; iex((gc '$($MyInvocation.MyCommand.Path-replace'''','''''')')-join'`n')\" \r\n  start powershell -verb runas -args $arg; exit\r\n}\r\n\r\n## Setup a test key\r\nreg delete HKLM\\SOFTWARE\\REG_OWN /f \u003e$null 2\u003e$null; reg add HKLM\\SOFTWARE\\REG_OWN\\DEL\\ME\\NOW /f \u003e$null 2\u003e$null; function prompt {}\r\n\r\nwrite-host \" Allow FullControl from Administrators \" -back 0xa -fore 0xf -nonew\r\nwrite-host \" default, just this key \" -back 0xf -fore 0x0\r\nwrite-host \"reg_own 'HKEY_LOCAL_MACHINE\\SOFTWARE\\REG_OWN' -list\"\r\n            reg_own 'HKEY_LOCAL_MACHINE\\SOFTWARE\\REG_OWN' -list\r\n\r\nwrite-host \" Allow READ from Users \" -back 0x8 -fore 0xf -nonew\r\nwrite-host \" recursive, enable inheritance [no -list to hide output] \" -back 0xf -fore 0x0\r\nwrite-host \"reg_own 'HKLM:\\SOFTWARE\\REG_OWN\\DEL' -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey\"\r\n            reg_own 'HKLM:\\SOFTWARE\\REG_OWN\\DEL' -recurse Inherit -user S-1-5-32-545 -acc Allow -perm ReadKey\r\n\r\nwrite-host\r\nwrite-host \" Allow WriteKey from `$USER and set owner to SYSTEM \" -back 0xd -fore 0xf -nonew\r\nwrite-host \" just this key \" -back 0xf -fore 0x0\r\nwrite-host \"reg_own 'HKLM\\SOFTWARE\\REG_OWN\\DEL' -user `$USER -owner S-1-5-18 -acc Allow -perm WriteKey -list\"\r\n            reg_own 'HKLM\\SOFTWARE\\REG_OWN\\DEL' -user  $USER -owner S-1-5-18 -acc Allow -perm WriteKey -list\r\n\r\nwrite-host \" Deny changes from Everyone and set owner to TrustedInstaller \" -back 0xc -fore 0xf -nonew\r\nwrite-host \" recursive, disable inheritance \" -back 0xf -fore 0x0\r\n$nochanges = \"SetValue,Delete,ChangePermissions,TakeOwnership\"\r\nwrite-host \"reg_own 'HKLM\\SOFTWARE\\REG_OWN\\DEL' -recurse Replace -user S-1-1-0 -owner `$TI -acc Deny -perm `$nochanges -list\"\r\n            reg_own 
'HKLM\\SOFTWARE\\REG_OWN\\DEL' -recurse Replace -user S-1-1-0 -owner  $TI -acc Deny -perm  $nochanges -list\r\n\r\nwrite-host\r\nwrite-host \"TO WRITE LOCKED VALUES WHILE TRYING TO PRESERVE EXISTING OWNER AND RIGHTS I RECOMMEND THE FOLLOWING:\" -back 0x0 -fore 0xe\r\n\r\nwrite-host\r\nwrite-host \"0. DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD FAIL NOW \" -back 0xe -fore 0x0\r\nwrite-host \"reg add 'HKLM\\SOFTWARE\\REG_OWN\\DEL' /v somevalue /d somedata /f\"\r\n            reg add 'HKLM\\SOFTWARE\\REG_OWN\\DEL' /v somevalue /d somedata /f\r\n\r\nwrite-host\r\nwrite-host \"1. Allow FullControl from Everyone \" -back 0x9 -fore 0xe -nonew\r\nwrite-host \" recursive, disable inheritance \" -back 0xf -fore 0x0\r\nwrite-host \"reg_own 'HKLM\\SOFTWARE\\REG_OWN\\DEL' -recurse Replace -user S-1-1-0 -list\"\r\n            reg_own 'HKLM\\SOFTWARE\\REG_OWN\\DEL' -recurse Replace -user S-1-1-0 -list\r\n\r\nwrite-host \"2. DO WHATEVER MODIFICATIONS NEEDED IN THE TARGET REGKEY - SHOULD SUCCEED NOW \" -back 0xe -fore 0x0\r\nwrite-host \"reg add 'HKLM\\SOFTWARE\\REG_OWN\\DEL' /v somevalue /d somedata /f\"\r\n            reg add 'HKLM\\SOFTWARE\\REG_OWN\\DEL' /v somevalue /d somedata /f\r\n\r\nwrite-host\r\nwrite-host \"3. Remove non-inherited rules from Everyone \" -back 0x9 -fore 0xe -nonew\r\nwrite-host \" recursive, delete \" -back 0xf -fore 0x0\r\nwrite-host \"reg_own 'HKLM\\SOFTWARE\\REG_OWN\\DEL' -recurse Delete -user S-1-1-0 -list\"\r\n            reg_own 'HKLM\\SOFTWARE\\REG_OWN\\DEL' -recurse Delete -user S-1-1-0 -list\r\n\r\n## Delete test key\r\nreg delete HKLM\\SOFTWARE\\REG_OWN /f \u003e$null 2\u003e$null\r\n\r\nwrite-host\r\nwrite-host \" Done! 
\"\r\nchoice /c EX1T\r\nreturn\r\n\r\n```\r\n\r\n\u003cimg src=\"preview3.png\"\u003e\r\n\r\nToggleDefender - without it re-enabling itself at the worst moment  \r\n---  \r\n*supports Windows 7 - Windows 11*  \r\nFebruary 14 2022: Tamper Protection finally reliable - this script and more pesky stuff have been ignoring it just fine for 3 freaking years, about time!  \r\nSo now it won't work unless you disable Tamper Protection manually from GUI - which **I strongly advise re-enabling after you're done with intensive tasks**!  \r\nAugust 2023: ToggleDefender now reliably switches the service on and off!  \r\nYou still need to manually turn off Tamper Protection, and the script will warn and wait for it  \r\n\r\n#### [ToggleDefender.bat](ToggleDefender.bat) or [ToggleDefender.ps1](ToggleDefender.ps1) or copy-paste code in powershell console  - updated 2023.09.13  \r\n```ps1\r\n@(set \"0=%~f0\"^)#) \u0026 powershell -nop -c \"iex([io.file]::ReadAllText($env:0))\" \u0026 exit /b\r\n\r\n## Toggle Defender, AveYo 2023.09.13\r\n## for users that understand the risk but still need it off to prevent unexpected interference and i/o handicap\r\n## may copy-paste directly into powershell\r\n\r\n$ENABLE_TAMPER_PROTECTION = 0    \u003c#  1 script re-enables Tamper Protection   0 skip  #\u003e\r\n$TOGGLE_SMARTSCREENFILTER = 1    \u003c#  1 script toggles SmartScreen as well    0 skip  #\u003e\r\n\r\n## Allowed check\r\n$wait = 20; while ((gp 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Features' 'TamperProtection' -ea 0).TamperProtection -ne 0x4) {\r\n  if ($wait -eq 20) {echo \"`n Toggle Defender only works after turning Tamper Protection off in Windows Security settings`n\"}\r\n  if ($wait -eq 16) {if ($ENABLE_TAMPER_PROTECTION -ne 0) {start 'windowsdefender://threatsettings/'}}\r\n  if ($wait -lt 0) {kill -name ApplicationFrameHost -force -ea 0; return}\r\n  write-host \"`r $wait \" -nonew; sleep 1; $wait--\r\n}\r\nwrite-host; kill -name ApplicationFrameHost -force -ea 0 
\r\n\r\n## Service check\r\nif (get-process \"MsMpEng\" -ea 0) {$YES=6; $Q=\"Disable\"; $NO=7; $V=\"ON\"; $I=0} else {$YES=7; $Q=\"Enable\"; $NO=6; $V=\"OFF\"; $I=16}\r\n\r\n## Comment to hide dialog prompt with Yes, No, Cancel (6,7,2)\r\nif ($env:1 -ne 6 -and $env:1 -ne 7) {\r\n  $choice=(new-object -ComObject Wscript.Shell).Popup($Q + \" Windows Defender?\", 0, \"Defender service is: \" + $V, 0x1033 + $I)\r\n  if ($choice -eq 2) {break} elseif ($choice -eq 6) {$env:1=$YES} else {$env:1=$NO}\r\n}\r\n\r\n## Without the dialog prompt above would toggle automatically\r\nif ($env:1 -ne 6 -and $env:1 -ne 7) {$env:1=$YES}\r\n\r\n## Toggle - can press No to Enable or Disable again so there are more variants:\r\nif ( ($NO -eq 7 -and $env:1 -eq 6) -or ($NO -eq 6 -and $env:1 -eq 6) ) {$op=\"Disable\"} \r\nif ( ($NO -eq 7 -and $env:1 -eq 7) -or ($NO -eq 6 -and $env:1 -eq 7) ) {$op=\"Enable\"}\r\n\r\n## pass script options\r\n$O1 = $ENABLE_TAMPER_PROTECTION; $O2 = $TOGGLE_SMARTSCREENFILTER\r\n\r\n## RunAsTI mod\r\nfunction RunAsTI { $id=\"Defender\"; $key='Registry::HKU\\S-1-5-21-*\\Volatile Environment'; $code=@'\r\n $I=[int32]; $M=$I.module.gettype(\"System.Runtime.Interop`Services.Mar`shal\"); $P=$I.module.gettype(\"System.Int`Ptr\"); $S=[string]\r\n $D=@(); $DM=[AppDomain]::CurrentDomain.\"DefineDynami`cAssembly\"(1,1).\"DefineDynami`cModule\"(1); $U=[uintptr]; $Z=[uintptr]::size \r\n 0..5|% {$D += $DM.\"Defin`eType\"(\"AveYo_$_\",1179913,[ValueType])}; $D += $U; 4..6|% {$D += $D[$_].\"MakeByR`efType\"()}; $F=@()\r\n $F+='kernel','CreateProcess',($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]), 'advapi','RegOpenKeyEx',($U,$S,$I,$I,$D[9])\r\n $F+='advapi','RegSetValueEx',($U,$S,$I,$I,[byte[]],$I),'advapi','RegFlushKey',($U),'advapi','RegCloseKey',($U)\r\n 0..4|% {$9=$D[0].\"DefinePInvok`eMethod\"($F[3*$_+1], $F[3*$_]+\"32\", 8214,1,$S, $F[3*$_+2], 1,4)}\r\n 
$DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)\r\n 1..5|% {$k=$_; $n=1; $DF[$_-1]|% {$9=$D[$k].\"Defin`eField\"(\"f\" + $n++, $_, 6)}}; $T=@(); 0..5|% {$T += $D[$_].\"Creat`eType\"()}\r\n 0..5|% {nv \"A$_\" ([Activator]::CreateInstance($T[$_])) -fo}; function F ($1,$2) {$T[0].\"G`etMethod\"($1).invoke(0,$2)}\r\n function M ($1,$2,$3) {$M.\"G`etMethod\"($1,[type[]]$2).invoke(0,$3)}; $H=@(); $Z,(4*$Z+16)|% {$H += M \"AllocHG`lobal\" $I $_}\r\n if ([environment]::username -ne \"system\") { $TI=\"Trusted`Installer\"; start-service $TI -ea 0; $As=get-process -name $TI -ea 0\r\n M \"WriteInt`Ptr\" ($P,$P) ($H[0],$As.Handle); $A1.f1=131072; $A1.f2=$Z; $A1.f3=$H[0]; $A2.f1=1; $A2.f2=1; $A2.f3=1; $A2.f4=1\r\n $A2.f6=$A1; $A3.f1=10*$Z+32; $A4.f1=$A3; $A4.f2=$H[1]; M \"StructureTo`Ptr\" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false)\r\n $R=@($null, \"powershell -nop -c iex(`$env:R); # $id\", 0, 0, 0, 0x0E080610, 0, $null, ($A4 -as $T[4]), ($A5 -as $T[5]))\r\n F 'CreateProcess' $R; return}; $env:R=''; rp $key $id -force -ea 0; $e=[diagnostics.process].\"GetM`ember\"('SetPrivilege',42)[0]\r\n 'SeSecurityPrivilege','SeTakeOwnershipPrivilege','SeBackupPrivilege','SeRestorePrivilege' |% {$e.Invoke($null,@(\"$_\",2))}\r\n ## Toggling was unreliable due to multiple windows programs with open handles on these keys\r\n ## so went with low-level functions instead! 
do not use them in other scripts without a trip to learn-microsoft-com  \r\n function RegSetDwords ($hive, $key, [array]$values, [array]$dword, $REG_TYPE=4, $REG_ACCESS=2, $REG_OPTION=0) {\r\n   $rok = ($hive, $key, $REG_OPTION, $REG_ACCESS, ($hive -as $D[9]));  F \"RegOpenKeyEx\" $rok; $rsv = $rok[4]\r\n   $values |% {$i = 0} { F \"RegSetValueEx\" ($rsv[0], [string]$_, 0, $REG_TYPE, [byte[]]($dword[$i]), 4); $i++ }\r\n   F \"RegFlushKey\" @($rsv); F \"RegCloseKey\" @($rsv); $rok = $null; $rsv = $null;\r\n }  \r\n ## The ` sprinkles are used to keep ps event log clean, not quote the whole snippet on every run\r\n ################################################################################################################################ \r\n \r\n ## get script options\r\n $toggle = @(0,1)[$op -eq \"Disable\"]; $toggle_rev = @(0,1)[$op -eq \"Enable\"]; write-host \"`n $op Defender, please wait...`n\"\r\n $ENABLE_TAMPER_PROTECTION = $O1; $TOGGLE_SMARTSCREENFILTER = $O2\r\n\r\n rnp \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\" \"Disabled\" \"Disabled_Old\" -force -ea 0\r\n sp \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\" \"Disabled\" 1 -type Dword -force -ea 0\r\n stop-service \"wscsvc\" -force -ea 0 \u003e'' 2\u003e''\r\n kill -name \"OFFmeansOFF\",\"MpCmdRun\" -force -ea 0 \r\n \r\n $HKLM = [uintptr][uint32]2147483650; $HKU = [uintptr][uint32]2147483651 \r\n $VALUES = \"ServiceKeepAlive\",\"PreviousRunningMode\",\"IsServiceRunning\",\"DisableAntiSpyware\",\"DisableAntiVirus\",\"PassiveMode\"\r\n $DWORDS = 0, 0, 0, $toggle, $toggle, $toggle\r\n RegSetDwords $HKLM \"SOFTWARE\\Policies\\Microsoft\\Windows Defender\" $VALUES $DWORDS \r\n RegSetDwords $HKLM \"SOFTWARE\\Microsoft\\Windows Defender\" $VALUES $DWORDS\r\n [GC]::Collect(); sleep 1\r\n pushd \"$env:programfiles\\Windows Defender\"\r\n $mpcmdrun=(\"OFFmeansOFF.exe\",\"MpCmdRun.exe\")[(test-path \"MpCmdRun.exe\")]\r\n start -wait $mpcmdrun -args \"-${op}Service 
-HighPriority\"\r\n $wait=@(3,14)[$op -eq \"Disable\"]\r\n while ((get-process -name \"MsMpEng\" -ea 0) -and $wait -gt 0) {$wait--; sleep 1; write-host \"`r $wait \" -nonew}\r\n \r\n ## OFF means OFF\r\n pushd (split-path $(gp \"HKLM:\\SYSTEM\\CurrentControlSet\\Services\\WinDefend\" ImagePath -ea 0).ImagePath.Trim('\"'))\r\n if ($op -eq \"Disable\") {ren MpCmdRun.exe OFFmeansOFF.exe -force -ea 0} else {ren OFFmeansOFF.exe MpCmdRun.exe -force -ea 0}\r\n \r\n ## Comment to not clear per-user toggle notifications\r\n gi \"Registry::HKU\\S-1-5-21-*\\Software\\Microsoft\\Windows\\CurrentVersion\" |% {\r\n   $n1=join-path $_.PSPath \"Notifications\\Settings\\Windows.SystemToast.SecurityAndMaintenance\"\r\n   ni $n1 -force -ea 0|out-null; ri $n1.replace(\"Settings\",\"Current\") -recurse -force -ea 0\r\n   if ($op -eq \"Enable\") {rp $n1 \"Enabled\" -force -ea 0} else {sp $n1 \"Enabled\" 0 -type Dword -force -ea 0}\r\n   ri \"HKLM:\\Software\\Microsoft\\Windows Security Health\\State\\Persist\" -recurse -force -ea 0 \r\n }\r\n\r\n ## Comment to keep old scan history\r\n if ($op -eq \"Disable\") {del \"$env:ProgramData\\Microsoft\\Windows Defender\\Scans\\mpenginedb.db\" -force -ea 0}  \r\n if ($op -eq \"Disable\") {del \"$env:ProgramData\\Microsoft\\Windows Defender\\Scans\\History\\Service\" -recurse -force -ea 0}\r\n\r\n RegSetDwords $HKLM \"SOFTWARE\\Policies\\Microsoft\\Windows Defender\" $VALUES $DWORDS \r\n RegSetDwords $HKLM \"SOFTWARE\\Microsoft\\Windows Defender\" $VALUES $DWORDS\r\n\r\n ## when toggling Defender, also toggle SmartScreen - set to 0 at top of the script to skip it\r\n if ($TOGGLE_SMARTSCREENFILTER -ne 0) {\r\n   sp \"HKLM:\\CurrentControlSet\\Control\\CI\\Policy\" 'VerifiedAndReputablePolicyState' 0 -type Dword -force -ea 0\r\n   sp \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\" 'SmartScreenEnabled' @('Off','Warn')[$toggle -eq 0] -force -ea 0 \r\n   gi Registry::HKEY_Users\\S-1-5-21*\\Software\\Microsoft -ea 0 |% {\r\n     sp 
\"$($_.PSPath)\\Windows\\CurrentVersion\\AppHost\" 'EnableWebContentEvaluation' $toggle_rev -type Dword -force -ea 0\r\n     sp \"$($_.PSPath)\\Windows\\CurrentVersion\\AppHost\" 'PreventOverride' $toggle_rev -type Dword -force -ea 0\r\n     ni \"$($_.PSPath)\\Edge\\SmartScreenEnabled\" -ea 0 \u003e ''\r\n     sp \"$($_.PSPath)\\Edge\\SmartScreenEnabled\" \"(Default)\" $toggle_rev\r\n   }\r\n   if ($toggle_rev -eq 0) {kill -name smartscreen -force -ea 0}\r\n }\r\n \r\n ## when re-enabling Defender, also re-enable Tamper Protection - annoying but safer - set to 0 at top of the script to skip it\r\n if ($ENABLE_TAMPER_PROTECTION -ne 0 -and $op -eq \"Enable\") {\r\n   RegSetDwords $HKLM \"SOFTWARE\\Microsoft\\Windows Defender\\Features\" (\"TamperProtection\",\"TamperProtectionSource\") (1,5)\r\n }\r\n \r\n if ($op -eq \"Enable\") {start-service \"windefend\" -ea 0}\r\n start-service \"wscsvc\" -ea 0 \u003e'' 2\u003e'' \r\n if ($op -eq \"Enable\") {rnp \"HKLM:\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\" \"Disabled_Old\" \"Disabled\" -force -ea 0}\r\n \r\n ################################################################################################################################\r\n'@; $V='';\"op\",\"id\",\"key\",\"O1\",\"O2\"|%{$V+=\"`n`$$_='$($(gv $_ -val)-replace\"'\",\"''\")';\"}; sp $key $id $V,$code -type 7 -force -ea 0\r\n start powershell -args \"-nop -c `n$V  `$env:R=(gi `$key -ea 0 |% {`$_.getvalue(`$id)-join''}); iex(`$env:R)\" -verb runas\r\n} # lean \u0026 mean snippet by AveYo, 2023.09.05\r\n\r\nRunAsTI\r\nreturn\r\n\r\n```\r\n","funding_links":["https://github.com/sponsors/AveYo"],"categories":["Batchfile"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAveYo%2FLeanAndMean","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FAveYo%2FLeanAndMean","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FAveYo%2FLeanAndMean/lists"}