Question Disable WaaSMedicSvc via Registry with .reg or script?

Feb 25, 2025
Hello,

Here's my first question as a newly established Tom's Hardware member... Sadly, I cannot remember my logon credentials from back in '97 when I first signed up ~ but that's okay...

Anyway; I am the only onsite IT technician for a company that is air-gapped. There is an IT Architect that is formulating the network and monitoring the firewall activity - I handle everything from the server down. There have been a lot of attempts from computers attempting to reach out to the world for Windows Update queries.
I have disabled Windows Update via the registry (HKLM\SYSTEM\CurrentControlSet\Services\wuauserv) and as a backup I have created HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU with a DWORD value NoAutoUpdate set to 1.

This has slowed down the outbound attempts but there are still calls from WaaSMedicSvc. To remedy this I have gone into the registry and manually set the "Full Control" permissions for SYSTEM to "Deny"... This has worked for the 10 test computers I have completed this on...

Now I have 200 more to do this to and I'm trying to create a PowerShell script (or anything actually) where I can automate this through the domain server.
I have gone to a computer that has the permissions set to Deny, exported the registry settings for the branch HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc, copied that into a newly created .reg file and executed it - but it's not working. I've tried both methods: being logged in as an admin, running regedit as an admin and importing the file, as well as simply double-clicking the .reg file - neither works.

So, I'm trying to create one manually using the below PowerShell commands - and it's still not working...

$registryKeyPath = "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc"   # no "HKLM:" drive prefix, so the registry provider cannot resolve the path
$currentAcl = Get-Acl -Path $registryKeyPath
$newAce = New-Object System.Security.AccessControl.AccessRule -ArgumentList ("System", "Full Control", "Deny")   # AccessRule is abstract; registry rules are RegistryAccessRule, and the right is spelled "FullControl"
$updatedAcl = $currentAcl + $newAce   # an ACL object cannot be extended with "+"; rules are added with AddAccessRule()
Set-Acl -Path $registryKeyPath -Acl $updatedAcl   # the parameter is -AclObject, not -Acl


The error message I'm getting on the above PowerShell command is "cannot find path".

Can someone help me with this?
 
Push your script down to all desired domain members from SMS (SCCM) as a one-time script. There it will run a single time then terminate and delete itself. Your best approach would be to create a working .reg file that can be imported, place it on all of the machines to be modified then create a one time script that runs the reg import command and import the .reg file. No need to get fancy with scripts here.
 
Thank you for your reply...

The problem I am encountering is the .reg file doesn't work. I was hoping someone could look at the script and offer corrections...

I have set the correct parameters on one of the machines, manually, then after a reboot to confirm success, I've exported the registry branch and tried to import it onto other machines and it doesn't work.
Here is the outcome of the exported registry branch. Perhaps you see something amiss or know of a simpler way?

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc]
"DependOnService"=hex(7):72,00,70,00,63,00,73,00,73,00,00,00,00,00
"Description"="@WaaSMedicSvcImpl.dll,-101"
"DisplayName"="@WaaSMedicSvcImpl.dll,-100"
"ErrorControl"=dword:00000001
"FailureActions"=hex:84,03,00,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
00,01,00,00,00,c0,d4,01,00,01,00,00,00,e0,93,04,00,00,00,00,00,00,00,00,00
"ImagePath"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,00,\
74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
6b,00,20,00,77,00,75,00,73,00,76,00,63,00,73,00,20,00,2d,00,70,00,00,00
"LaunchProtected"=dword:00000002
"ObjectName"="LocalSystem"
"RequiredPrivileges"=hex(7):53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,\
00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,43,00,68,00,61,00,6e,00,\
67,00,65,00,4e,00,6f,00,74,00,69,00,66,00,79,00,50,00,72,00,69,00,76,00,69,\
00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,\
73,00,6f,00,6e,00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
00,67,00,65,00,00,00,53,00,65,00,54,00,61,00,6b,00,65,00,4f,00,77,00,6e,00,\
65,00,72,00,73,00,68,00,69,00,70,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
00,67,00,65,00,00,00,53,00,65,00,53,00,65,00,63,00,75,00,72,00,69,00,74,00,\
79,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,\
00,42,00,61,00,63,00,6b,00,75,00,70,00,50,00,72,00,69,00,76,00,69,00,6c,00,\
65,00,67,00,65,00,00,00,53,00,65,00,52,00,65,00,73,00,74,00,6f,00,72,00,65,\
00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,\
4d,00,61,00,6e,00,61,00,67,00,65,00,56,00,6f,00,6c,00,75,00,6d,00,65,00,50,\
00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"ServiceSidType"=dword:00000001
"Start"=dword:00000003
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
57,00,61,00,61,00,53,00,4d,00,65,00,64,00,69,00,63,00,53,00,76,00,63,00,2e,\
00,64,00,6c,00,6c,00,00,00
"ServiceDllUnloadOnStop"=dword:00000001
"ServiceMain"="ServiceMain"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc\Security]
"Security"=hex:01,00,14,80,78,00,00,00,84,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,00,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,48,00,03,00,00,00,00,00,14,00,9d,00,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,ff,01,0f,00,01,01,00,00,00,00,00,05,12,00,00,00,01,\
01,00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00
 
So, I tried to use icacls through a batch file and that didn't work either, so I tried PowerShell with the below and while I don't get an error message, it's not working either...

Is this task not possible?

$regKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc"
$acl = Get-Acl -Path $regKeyPath
$denyRule = New-Object System.Security.AccessControl.RegistryAccessRule("SYSTEM", "FullControl", "Deny")   # no InheritanceFlags, so this rule covers the key itself and not its Parameters/Security subkeys
$acl.SetAccessRule($denyRule)
Set-Acl -Path $regKeyPath -AclObject $acl

My batch file is:

@Echo off
rem "reg load" mounts a hive file that is offline; the live SOFTWARE hive is always open, hence "being used by another process"
reg.exe load HKLM\TempSoftware "C:\Windows\System32\Config\SOFTWARE"
rem icacls operates on file-system paths only and has no notion of registry keys, hence "cannot find the path specified"
icacls "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /deny SYSTEM:F
reg.exe unload HKLM\TempSoftware
rem errorlevel here reflects the reg unload above, not the icacls call
if errorlevel 1 (
echo Failed to replace permissions as requested.
) else (
echo Permissions successfully updated.
)
rem the following else block has no matching if
) else (
echo Permissions not updated.
)
pause

For this one I get the following:

ERROR: The process cannot access the file because it is being used by another process.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc: The system cannot find the path specified.
Successfully processed 0 files; Failed processing 1 files
ERROR: The parameter is incorrect.
Failed to replace permissions as requested.
Permissions not updated.
Press any key to continue . . .


ANY help would be appreciated...
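A .reg file carries keys and values but never a key's ACL (the "Security" value in the export above is the service's own SCM security descriptor, not the key permissions), and icacls only understands file-system objects, so neither route can carry a Deny ACE to another machine; the permission change has to go through a security API. The script below is an added example, not code from this thread: it applies (or with -Remove, withdraws) a Deny/FullControl ACE for the built-in SYSTEM account on the WaaSMedicSvc key via the .NET RegistryKey API, then reads the DACL back instead of trusting a "completed successfully" message. The -Remove switch and the Set-/Test-WaaSMedicDeny function names are my own, and it assumes an elevated prompt on the target machine.

```powershell
# Added example, not code from this thread. Applies (or with -Remove, withdraws) a
# Deny/FullControl ACE for the built-in SYSTEM account on the WaaSMedicSvc service key
# through the .NET RegistryKey API, then reads the DACL back to prove the change landed.
# Save as a .ps1 and run from an elevated PowerShell prompt on the target machine.
using namespace System.Security.AccessControl
using namespace System.Security.Principal
param([switch]$Remove)   # hypothetical switch: withdraw the Deny ACE instead of adding it

$ErrorActionPreference = 'Stop'
$subKeyPath = 'SYSTEM\CurrentControlSet\Services\WaaSMedicSvc'

# Well-known SID S-1-5-18 rather than the name "SYSTEM": no name lookup, no locale issues.
$systemSid = [SecurityIdentifier]::new([WellKnownSidType]::LocalSystemSid, $null)

# Deny FullControl on the key and let it inherit to the Parameters and Security subkeys.
$denyRule = [RegistryAccessRule]::new($systemSid, [RegistryRights]::FullControl,
    [InheritanceFlags]::ContainerInherit, [PropagationFlags]::None, [AccessControlType]::Deny)

function Set-WaaSMedicDeny {
    # Open with READ_CONTROL | WRITE_DAC only: enough to read and rewrite the DACL.
    # Only the modified section (the DACL) is written back; owner and group are untouched.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [RegistryRights]::ReadPermissions -bor [RegistryRights]::ChangePermissions)
    if (-not $key) { throw "HKLM\$subKeyPath not found" }
    try {
        $acl = $key.GetAccessControl()
        if ($Remove) { [void]$acl.RemoveAccessRule($denyRule) } else { $acl.AddAccessRule($denyRule) }
        $key.SetAccessControl($acl)   # RegistrySecurity orders Deny ACEs ahead of Allow ACEs
    } finally { $key.Close() }
}

function Test-WaaSMedicDeny {
    # Re-open the key and look for an explicit Deny ACE granting FullControl to S-1-5-18,
    # so success is judged on the stored DACL and not on "operation completed successfully".
    $acl = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKeyPath,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadSubTree,
        [RegistryRights]::ReadPermissions).GetAccessControl()
    $full = [int][RegistryRights]::FullControl
    $hits = $acl.GetAccessRules($true, $false, [SecurityIdentifier]) | Where-Object {
        $_.IdentityReference.Value -eq $systemSid.Value -and
        $_.AccessControlType -eq [AccessControlType]::Deny -and
        (([int]$_.RegistryRights) -band $full) -eq $full }
    return [bool]$hits
}

Set-WaaSMedicDeny
$present = Test-WaaSMedicDeny
if ($present -eq [bool]$Remove) { throw "DACL on HKLM\$subKeyPath did not change as requested" }
"HKLM\$subKeyPath : SYSTEM Deny/FullControl present = $present"
```

For the 200-host rollout, a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Registry can apply the same key permissions domain-wide without any script; whichever route you use, confirm with the read-back rather than with the import tool's success message.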
 
If these machines are actually members of the same domain there is no problem importing the .reg file. What is the EXACT error message received when importing a known working .reg file? Are you stopping all running services that may be accessing the affected registry keys before trying the import?

BTW the proper command line is "reg import <registry.reg file>", not "reg load".

Permissions matter here as well. You must run the reg import as local or domain administrator.
 
Yes, they are on the same domain .

I'm actually starting regedit as an admin and importing the reg file from there. I do not get an error message but rather a message that states importing the keys for HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc was successful. However, when I go check the branch, there is no change - the permissions are still Full Control - Allow, and this is both before and after a reboot (though the reboot shouldn't be necessary for visibility; for effect, yeah, but for visibility, no).

For the batch and PowerShell methods, I am logged in as a local admin and running either the batch as an admin or PowerShell as admin.

I don't know if any processes/services are using the reg key simultaneously with my attempts at changing the permissions; nothing sticks out as such. However, there aren't any errors when I do it manually other than a disclaimer about the permissions hierarchy.

Last but not least, yes, they are all on the same domain - HOWEVER - this is irrelevant because I can't do it on the same computer I export the registry file from...

For example, I'm at home - I manually set the permissions for that exact branch - I reboot - checked the branch, permissions still intact. Restored the original permissions, reboot, checked; back to the way it normally is. Imported the reg file while in the elevated Registry Editor, received a successful message, checked permissions - no change. Still Full Control allowed; reboot, still no change.

Try it on your own computer, maybe? You'll see what I'm talking about.


I have got to be missing something! ugh
 
I do these things quite regularly and have never in over 20 years had such issues using "reg import <.reg file>"
I'm not sure what to say... I've been working on the Windows registry since Windows for Workgroups 3.11 ~ This is the first time I've ever encountered a scenario where I was unable to understand the limitations of my actions.

Your professed method did not work.

c:\Users\Dan\Desktop>reg import testing.reg
The operation completed successfully.

Yet the permissions for SYSTEM at HKLM:\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc remain set to FullControl - Allow.

I read somewhere that you cannot set the permissions for some branches using a 'simple registry editing technique' and have to use the Integrity Control ACLs, hence the reason I've tried to create the batch and PowerShell composites for this --

But I'm starting to think this registry setting cannot be done in the fashion I'm wishing for it to be handled -- manually doing this to a few hosts at a time during the imaging process isn't going to be so bad - but I really dread having to walk up to 200+.

If anyone reads this thread and knows of a solution, please offer your advice.

and just to reiterate - I am working with an exported version of the correct settings but not getting the same results when importing. On the same host.
 
To be completely honest with you I did not read the other replies and I do not know if any of that worked for you.

BUT, just my opinion: if it gets this bad, just back up your data and then nuke it from orbit.

Nuke it from Orbit Protocol being a full reformat of the drive and fresh install of Windows via a physical disk or USB drive.

Then, once you have it all reinstalled and security hardened to your liking, and AFTER you do all Windows updates and security updates, you can go through the services and disable all automatic Windows Update protocols and services.

As well as go through the registry and manually change the start value to "4" for anything the services GUI is not letting you touch.

And so I just did this 1.5 days ago. The Windows Update Medic Service is one where you have to go into the registry and change the start value to 4 in two different locations for it to be turned off.
 
Thank you for your input but I've already done a ton of Google searches trying to find the answer - I came here because I have proudly referred to Tom's Hardware for sound advice since Tom's Hardware was created back in the late 90's -- Google's AI answers are crap, ChatGPT isn't all that up to speed either -- that "4" mechanism you speak of; it works, SHORT TERM - the Windows Update Medic Service returns - on its own - I believe it's 5 weeks, never really took the time to count down the days.

I've tried taking ownership and everything else I can think of - I can't figure out how to force the Full Control - Deny for that registry branch. I can MANUALLY do it and it stays - but ugh, day in and day out until I get all the computers -- annoying.

Anyway - thanks for your input. Sarcastic as it may be. I'll start the manual process and maybe after a couple days someone reading these posts will respond and I'll have that wonderful, forehead smacking, "DOH" moment.
 
I mean I'm sure there is some automatic script that can be multicast over to all the workstations on a network/specific protocol. I just don't know how to do it. Perhaps someone with Microsoft coding god abilities on this forum will know how to globally apply policy and registry changes over a network.