Preventing privilege escalation by PR
First, look at how PR escalates privileges, based on its source code.
Part of that source code is as follows:
PR locates the wmiprvse.exe process and uses it to obtain SYSTEM privileges,
then executes an arbitrary command, for example one that adds a user.
Method 1
Load K8ShellNoExecExe.sys. This driver prevents the various overflow tools from escalating privileges by executing commands from a WEBSHELL.
Method 2
Disable wmiprvse.exe so that other people's PR cannot escalate privileges.
File locations:
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllcache\wmiprvse.exe
Process name (case sensitive) that cannot be killed with ntsd: WMIPRVSE.EXE
1. Run in CMD:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiprvse.exe" /v debugger /t reg_sz /d debugfile.exe /f
This registers debugfile.exe (a file that does not exist) as the debugger for wmiprvse.exe under Image File Execution Options, so Windows can no longer start the process.
To restore the wmiprvse.exe process, run in CMD:
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiprvse.exe" /f
2. Alternative:
wmiprvse.exe is a system service process; you can also simply end the task, and the process goes away on its own.
Or disable the Windows Management Instrumentation Driver Extensions service, or do it manually:
right-click My Computer on the desktop, choose Manage, open Services and Applications > Services, right-click Windows Management Instrumentation and choose Disable.
After using it, I feel that the second method is better. However, if you disable the Windows Management Instrumentation service, you may encounter unexpected problems.
To release the block, copy the following command, paste it into CMD, and press Enter:
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiprvse.exe" /f
To be clear, disabling wmiprvse.exe does not affect the normal operation of the system.
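The same Image File Execution Options (IFEO) block, written as a PowerShell script that can apply it, audit it and release it from an elevated prompt. This is an added example and not code from the original post; the registry path, the value name debugger and the data debugfile.exe are taken from the reg add command above, and Winmgmt is the service name of Windows Management Instrumentation. The audit function is the part a defender will want most, since it shows at a glance whether the redirect is in place, whether the named debugger actually resolves to a program (it should not), and whether wmiprvse.exe or the WMI service is currently running.

```powershell
# Added example (not part of the original post): manage and audit the
# wmiprvse.exe IFEO debugger block described above. Run elevated.
# Assumptions: the IFEO key path, value name 'Debugger' and data
# 'debugfile.exe' come from the post's reg add command; 'Winmgmt' is the
# service name of Windows Management Instrumentation.

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiprvse.exe'
$DebuggerName = 'debugfile.exe'

function Get-WmiprvseBlockState {
    # Report whether the IFEO redirect is present and what it points to.
    $debugger = $null
    if (Test-Path -Path $IfeoKey) {
        $debugger = (Get-ItemProperty -Path $IfeoKey -ErrorAction SilentlyContinue).Debugger
    }
    # Get-Command resolves a bare name via PATH or a full path directly;
    # the block only works because the debugger does NOT resolve.
    $resolvable = $false
    if ($debugger) {
        $resolvable = [bool](Get-Command -Name $debugger -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{
        KeyPresent         = Test-Path -Path $IfeoKey
        Debugger           = $debugger
        DebuggerResolvable = $resolvable
        WmiprvseRunning    = [bool](Get-Process -Name 'wmiprvse' -ErrorAction SilentlyContinue)
        WinmgmtStatus      = (Get-Service -Name 'Winmgmt' -ErrorAction SilentlyContinue).Status
    }
}

function Enable-WmiprvseBlock {
    # Equivalent of:
    #   reg add "<key>" /v debugger /t reg_sz /d debugfile.exe /f
    # Windows then tries to launch 'debugfile.exe wmiprvse.exe ...' instead of
    # wmiprvse.exe; since debugfile.exe does not exist, the process never starts.
    New-Item -Path $IfeoKey -Force | Out-Null
    New-ItemProperty -Path $IfeoKey -Name 'Debugger' -Value $DebuggerName `
        -PropertyType String -Force | Out-Null
    # End any instance that is already running so the block takes effect now
    # (the post notes the process can simply be ended).
    Get-Process -Name 'wmiprvse' -ErrorAction SilentlyContinue |
        Stop-Process -Force -ErrorAction SilentlyContinue
    Get-WmiprvseBlockState
}

function Disable-WmiprvseBlock {
    # Equivalent of the release command:
    #   reg delete "<key>" /f
    if (Test-Path -Path $IfeoKey) {
        Remove-Item -Path $IfeoKey -Recurse -Force
    }
    Get-WmiprvseBlockState
}

# Usage from an elevated prompt (dot-source the file first):
#   . .\wmiprvse-block.ps1
#   Get-WmiprvseBlockState    # audit the current state
#   Enable-WmiprvseBlock      # apply the block
#   Disable-WmiprvseBlock     # release it again
```

Get-WmiprvseBlockState is also useful on its own as a periodic check: a DebuggerResolvable value of True would mean the block has been turned into a redirect to a real program, and a KeyPresent value of True on a host where nobody applied this hardening is worth investigating, because the IFEO debugger value redirects any process by that name.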
I wonder if you have noticed