lab52io / StopDefender

Stop Windows Defender programmatically

WinDefend Service: OpenService failed (5)

OccamsXor opened this issue · comments

Hi there,

I was trying to execute the StopDefender today and I realized it gets "Access Denied" (5) error when it tries to open WinDefend service. I think Microsoft updated something in Feb '22 because I was able to execute it in the same machine in January. I will write some more details if I can debug the issue. Here is the command output:

[+] TrustedInstaller already running
[+] TrustedInstaller Service Started!
[+] Current user is: x
[+] Winlogon process found!
[+] TrustedInstaller process found!
[+] WINLOGON OpenProcess() success!
[+] WINLOGON OpenProcessToken() success!
[+] WINLOGON ImpersonatedLoggedOnUser() success!
[+] WINLOGON Current user is: SYSTEM
[+] TRUSTEDINSTALLER OpenProcess() success!
[+] TRUSTEDINSTALLER OpenProcessToken() success!
[+] TRUSTEDINSTALLER ImpersonatedLoggedOnUser() success!
[+] Current user is: SYSTEM
[+] OpenSCManager success!
[-] OpenService failed (5)
[-] TRUSTEDINSTALLER StopDefenderService() Error: 5

Hi,
you are completely right, Microsoft patched Defender service (WinDefend) DACLs and removed TrustedInstaller service account entry, so additional research would be needed in order to stop it again programmatically :)
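To confirm whether a given Windows build carries the DACL change lab52io describes, the following added PowerShell example (not code from the StopDefender project or from either participant) reads the WinDefend service security descriptor via `sc.exe sdshow` and reports whether an allow ACE for the TrustedInstaller service SID is still present. It assumes the standard `sc.exe` SDDL output format and the well-known TrustedInstaller SID; run it from an elevated prompt.

```powershell
# Added check, not part of StopDefender: does the WinDefend service DACL still
# contain an allow ACE for the TrustedInstaller service SID? On builds with the
# change reported in this issue it should not.
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe sdshow prints the service security descriptor as an SDDL string
    # beginning with "D:" (DACL), optionally followed by "S:" (SACL).
    $lines = & sc.exe sdshow $Name 2>&1
    $sddl = $lines | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $sddl) { throw "No SDDL returned for service '$Name': $($lines -join ' ')" }
    return $sddl.Trim()
}

function Test-ServiceDaclGrantsSid {
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Sid)
    # Keep only the DACL portion, then split it into individual ACEs "(...)".
    $dacl = ($Sddl -split 'S:')[0]
    $aces = [regex]::Matches($dacl, '\(([^)]*)\)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($ace in $aces) {
        # SDDL ACE layout: type;flags;rights;object_guid;inherit_guid;trustee_sid
        $fields = $ace -split ';'
        if ($fields.Count -ge 6 -and $fields[0] -eq 'A' -and $fields[5] -eq $Sid) {
            return $true
        }
    }
    return $false
}

$sddl = Get-ServiceSddl -Name 'WinDefend'
Write-Output "WinDefend SDDL: $sddl"
if (Test-ServiceDaclGrantsSid -Sddl $sddl -Sid $TrustedInstallerSid) {
    Write-Output "[!] WinDefend DACL still grants TrustedInstaller access (pre-change build)"
} else {
    Write-Output "[+] WinDefend DACL has no TrustedInstaller allow ACE (matches the patched behaviour)"
}
```

The script only reads the descriptor; it does not modify the service or its ACL.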

Thanks for the information @lab52io
I am closing this issue now. Thank you for sharing this research 👍