{"id":1477,"date":"2019-03-07T04:07:37","date_gmt":"2019-03-07T12:07:37","guid":{"rendered":"http:\/\/wonghoi.humgar.com\/blog\/?p=1477"},"modified":"2019-03-08T14:09:22","modified_gmt":"2019-03-08T22:09:22","slug":"malware-deleting-trustedinstaller-exe","status":"publish","type":"post","link":"https:\/\/wonghoi.humgar.com\/blog\/2019\/03\/07\/malware-deleting-trustedinstaller-exe\/","title":{"rendered":"Malware deleting TrustedInstaller.exe, therefore crippling Windows"},"content":{"rendered":"<p>My sister&#8217;s computer <del>is<\/del> was infected with a bunch of stubborn malware. Even after cleaning the offending files, a lot of things <del>won&#8217;t<\/del> wouldn&#8217;t work.<\/p>\n<p>Windows Update, sfc \/scannow, and DISM \/Online \/Cleanup-Image all failed for unknown reasons, which I found was somehow related to the &#8220;Windows Module Installer&#8221; service not running.<\/p>\n<p>I saw something weird in services.msc: &#8220;Windows Module Installer&#8221; doesn&#8217;t exist, but I know the underlying name is &#8220;TrustedInstaller&#8221; and noticed a service named as such is there, but it cannot be started, nor is there any descriptive information.<\/p>\n<p>So I searched the registry for &#8220;TrustedInstaller&#8221; and got to its entry. I noticed these two values:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"null\">[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\TrustedInstaller]\r\n\"DisplayName\"=\"@%SystemRoot%\\\\servicing\\\\TrustedInstaller.exe,-100\"\r\n\"Description\"=\"@%SystemRoot%\\\\servicing\\\\TrustedInstaller.exe,-101\"<\/pre>\n<p>It means the meaningful names and descriptions I saw in services.msc are generated by calling the underlying service executable file with switches. I checked my &#8220;C:\\Windows\\servicing&#8221; and found that &#8220;TrustedInstaller.exe&#8221; is not there at all! Of course you cannot start a service when the file does not exist at the promised path (ImagePath).<\/p>\n<p>I searched the hard drive and found only one instance of the file, stored somewhere else (something like C:\\Windows\\winsxs\\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.1.7600.16385_none_90e389a7ae7a4b6c), and tried to move the file to &#8220;C:\\Windows\\servicing&#8221;. However, ownership of and write permission on &#8220;C:\\Windows\\servicing&#8221; belong to the &#8220;TrustedInstaller&#8221; account, not &#8220;Administrator&#8221;, so I took ownership, gave Administrator full rights, then moved the file over.<\/p>\n<p>Everything worked after that! The mere trick of deleting TrustedInstaller.exe is enough to make the user miserable trying to clean the system up! &#8220;sfc \/scannow&#8221; or the like requires TrustedInstaller\/WIM to be working in the first place, so you cannot use it to repair TrustedInstaller\/WIM problems.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>My sister&#8217;s computer was infected with a bunch of stubborn malware. Even after cleaning the offending files, a lot of things wouldn&#8217;t work. Windows Update, sfc \/scannow, and DISM \/Online \/Cleanup-Image all failed for unknown reasons, which I &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[6,4],"tags":[],"class_list":["post-1477","post","type-post","status-publish","format-standard","hentry","category-note-to-self","category-windows"],"_links":{"self":[{"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/posts\/1477","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/comments?post=1477"}],"version-history":[{"count":9,"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/posts\/1477\/revisions"}],"predecessor-version":[{"id":1487,"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/posts\/1477\/revisions\/1487"}],"wp:attachment":[{"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/media?parent=1477"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/categories?post=1477"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wonghoi.humgar.com\/blog\/wp-json\/wp\/v2\/tags?post=1477"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}