| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by gruez 1788 days ago

>I'll take all the side-channels I can get though. These "exploits" are really useful for regaining control over my own PC.

Not really? What does this exploit let you do that you couldn't already do with a local administrator account? Or are you making the general argument that "EoP exploits are features because they allow you to jailbreak your device"?

>Just yesterday I learned how to Run-As TrustedInstaller, and that let me remove a lot of unwanted bullshit on my windows 10 install.

They're not really comparable. You need admin to do it, which means you already crossed the security boundary[1]. This is in contrast to this exploit which allows you to cross a security boundary.

[1] https://devblogs.microsoft.com/oldnewthing/20121207-00/?p=58...

1 comments

majkinetor 1788 days ago

> What does this exploit let you do that you couldn't already do with a local administrator account

There are some things that users in Administrators group still can't do. Hence the need for TrustedInstaller perms.

For example, try running this script:

https://github.com/W4RH4WK/Debloat-Windows-10/blob/master/sc...

You will get access denied since few months back:

https://github.com/W4RH4WK/Debloat-Windows-10/issues/273

gruez 1788 days ago

> > What does this exploit let you do that you couldn't already do with a local administrator account

>There are some things that users in Administrators group still can't do. Hence the need for TrustedInstaller perms.

By "this exploit" I was referring to the exploit mentioned in the article, not whatever gp did to get trustedinstaller permissions. As far as I know I don't see why you'd need access to the SAM file to give yourself trustedinstaller permissions. You can do that yourself if you're administrator.

Also, from a security point of view there isn't much that administrators can't do. You're right that they can't directly delete certain files, but they can take ownership of any file they want and adjust the ACLs to give them the required permissions. I don't think is some sort of EoP/exploit/hack, but rather protection against accidental deletions (eg. https://news.ycombinator.com/item?id=23054506)