Needless to say, he only asked because this particular service (like many services one encounters in one’s travels) has permissions set to not only protect itself from being stopped via normal means, like the Services snap-in or “Net Stop …”, but also to prevent the forcible termination of its service executable (in this case MsMpEng.exe) via Task Manager or “TaskKill /F …”, regardless of the privileges held by the account attempting it (including SYSTEM).

The two methods I eventually came up with after some testing on a home VM that happens to be running the same Endpoint Protection certainly worked in the case of this particular service, but should be applicable to a variety of similarly protected services (when they’re suspected of causing issues and provide no alternate way of gracefully shutting them down).

Both methods can be summarized simply as “use the SYSTEM account to give Administrators full control over the service in question, which includes the right to stop it, then stop the service normally” - they differ only in that the first method uses a GUI and the second uses the command line, making it appropriate for scripting and mass deployment to multiple machines. They both use SysInternals’ PSExec to launch a process as SYSTEM.

Method 1 – Using SysInternals’ “Process Explorer”:

(1) Run Process Explorer as SYSTEM (PSExec -s -i ProcExp.exe). The -i is very important to see the program run interactively, and of course -s to run as SYSTEM.

(2) Find MsMpEng.exe in the Process Explorer process tree, right-click and select Properties.

Winrm complaining “Error: Invalid use of command line.” – easy fix :)
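As an added illustration (not code from the original post), the following Python audit walks a service DACL in the SDDL form that `sc sdshow <service>` prints and shows the mechanism the method above relies on: a deny entry blocks SERVICE_STOP even for SYSTEM, yet WRITE_DAC left on SYSTEM's allow entry means the DACL itself can be rewritten. The SDDL string is constructed for the example and is not the real MsMpEng.exe descriptor.

```python
import re

# SDDL two-letter rights relevant to a Windows service object (others exist).
RIGHTS = {"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "RC", "SD", "WD", "WO"}

# ACE layout in SDDL: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((A|D);([A-Z]*);([A-Z]*);;;([A-Z]{2}|S-[0-9-]+)\)")

def parse_dacl(sddl):
    """Yield the DACL ACEs in order as (type, set_of_rights, trustee)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("no DACL in SDDL")
    for ace_type, _flags, rights, trustee in ACE_RE.findall(m.group(1)):
        pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        # GA (generic all) covers every service right
        yield ace_type, (set(RIGHTS) if "GA" in pairs else pairs), trustee

def has_access(sddl, trustee, wanted):
    """Simplified Windows ACE walk: the first deny overlapping a wanted right
    loses; allow entries accumulate until every wanted right is covered."""
    wanted, acc = set(wanted), set()
    for ace_type, rights, who in parse_dacl(sddl):
        if who != trustee:
            continue
        if ace_type == "D" and rights & wanted:
            return False
        if ace_type == "A":
            acc |= rights
            if wanted <= acc:
                return True
    return False

def audit_stop_protection(sddl, trustees=("SY", "BA")):
    """Per trustee: can it stop the service (WP), and can it rewrite the DACL (WD)?
    A 'stop: False, write_dac: True' row is the gap the post's method uses."""
    return {t: {"stop": has_access(sddl, t, {"WP"}),
                "write_dac": has_access(sddl, t, {"WD"})} for t in trustees}

# Constructed SDDL (not the real MsMpEng descriptor): stop/pause denied to both
# SYSTEM and Administrators, but SYSTEM's allow entry still carries WRITE_DAC.
PROTECTED = ("D:(D;;WPDT;;;SY)(D;;WPDT;;;BA)"
             "(A;;CCLCSWRPWPDTLOCRRCWDWO;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;BA)(A;;CCLCSWLOCRRC;;;IU)")

if __name__ == "__main__":
    for who, r in audit_stop_protection(PROTECTED).items():
        print(f"{who}: stop={r['stop']} write_dac={r['write_dac']}")
```

Feeding the output of `sc sdshow` for a real service into `audit_stop_protection` tells you whether its "cannot be stopped" protection also withholds WRITE_DAC from SYSTEM and Administrators, which is what actually keeps the DACL from being changed.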