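#requires -Version 5.1
<#
admin_hklm_only.ps1 — minimal admin script for the two HKLM writes.

SDK Debuggers are already extracted as flat files; this script only handles
the things gflags + WER need that touch HKLM:
  1. Configure WER LocalDumps for acclient.exe (auto-dumps on crash).
  2. gflags +ust on acclient.exe (heap-allocation stack tagging on FUTURE
     acclient spawns; current ones won't pick it up).

Both changes are machine-wide and persist until undone:
  * the LocalDumps\acclient.exe key keeps producing dumps on every crash;
  * gflags /i stores its flags under Image File Execution Options for
    acclient.exe — a location commonly monitored as a tamper/persistence
    indicator — so clear it with `gflags /i acclient.exe -ust` and delete
    the LocalDumps key once the investigation is over.

DumpType 2 (Full) captures the whole process address space, so each dump in
$dumpDir can contain anything acclient held in memory (credentials, session
data). Keep the folder restricted to the investigating account and purge the
dumps when done; DumpCount bounds how many WER keeps.

Exit code: 0 on success, 1 if not elevated or if any step failed.
#>
$ErrorActionPreference = 'Continue'
$log = 'C:\Users\acbot\leakhunt\artifacts\soak\admin_hklm.log'
# Start-Transcript does not reliably create missing parent folders; do it here.
New-Item -ItemType Directory -Path (Split-Path -Parent $log) -Force | Out-Null
Start-Transcript -Path $log -Force | Out-Null
$failed = $false
try {
    # Every step below is a registry/IFEO write. Under 'Continue' a failed
    # New-Item/New-ItemProperty is merely printed and the script still reports
    # "finished", leaving the box half-configured. Promote errors to terminating
    # inside the try so the catch sees them and the exit code reflects it.
    $ErrorActionPreference = 'Stop'

    $principal = [Security.Principal.WindowsPrincipal]::new(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host 'ERROR: not elevated. Aborting.' -ForegroundColor Red
        Stop-Transcript | Out-Null
        Read-Host 'press enter to close'
        exit 1
    }

    Write-Host "=== admin_hklm_only.ps1 started @ $(Get-Date -Format o) ===" -ForegroundColor Cyan

    # [1/2] WER LocalDumps
    Write-Host '[1/2] Configuring WER LocalDumps for acclient.exe...' -ForegroundColor Cyan
    # NOTE(review): WER writes the dump on behalf of the crashing process, so the
    # account acclient runs as (presumably acbot) needs write access here — confirm.
    $dumpDir = 'C:\Users\acbot\leakhunt\artifacts\crashdumps'
    New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null

    # Per-image key; -Force also creates the LocalDumps parent if it is absent.
    $werKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\acclient.exe'
    New-Item -Path $werKey -Force | Out-Null
    New-ItemProperty -Path $werKey -Name 'DumpFolder' -Value $dumpDir -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $werKey -Name 'DumpType'   -Value 2        -PropertyType DWord        -Force | Out-Null # 2 = Full
    New-ItemProperty -Path $werKey -Name 'DumpCount'  -Value 25       -PropertyType DWord        -Force | Out-Null
    # Echo what actually landed in the registry into the transcript.
    Get-ItemProperty -Path $werKey | Format-List DumpFolder, DumpType, DumpCount

    # [2/2] gflags +ust
    # x86 build of gflags — presumably acclient.exe is a 32-bit image; confirm.
    $gflags = 'C:\Users\acbot\Tools\WindowsKits\Windows Kits\10\Debuggers\x86\gflags.exe'
    Write-Host '[2/2] Enabling gflags +ust on acclient.exe...' -ForegroundColor Cyan
    if (Test-Path -LiteralPath $gflags -PathType Leaf) {
        & $gflags /i acclient.exe +ust
        # A native command failure does not raise a PowerShell error; check it
        # explicitly so a refused IFEO write is not silently ignored.
        if ($LASTEXITCODE -ne 0) {
            throw "gflags /i acclient.exe +ust exited with code $LASTEXITCODE"
        }
        " current image-file flags:"
        & $gflags /i acclient.exe
    } else {
        # Missing tool is a warning, not a failure: step 1 still applied.
        Write-Warning "gflags.exe not found at $gflags"
    }

    Write-Host "=== admin_hklm_only.ps1 finished @ $(Get-Date -Format o) ===" -ForegroundColor Green
} catch {
    $failed = $true
    Write-Host "FATAL: $($_ | Out-String)" -ForegroundColor Red
}
Stop-Transcript -ErrorAction SilentlyContinue | Out-Null
Read-Host 'press enter to close'
if ($failed) { exit 1 }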