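#requires -Version 5.1
<#
admin_setup.ps1 — one-time, ADMIN-ELEVATED setup for the leak hunt.
RUN THIS FROM AN ELEVATED POWERSHELL.

It does three things:
  1. Installs the Windows SDK "Windows Desktop Debuggers" feature (~250 MB),
     giving us standalone cdb.exe, umdh.exe, gflags.exe under
     C:\Program Files (x86)\Windows Kits\10\Debuggers\.
  2. Configures WER LocalDumps for acclient.exe so any future crash
     (OOM/AV/heap-corruption) auto-saves a full-memory dump to
     artifacts\crashdumps\.
  3. Sets gflags +ust on acclient.exe (per-image-file flag in HKLM) so future
     acclient spawns tag every heap allocation with its call stack — required
     for Phase 5 attribution.

NOTE: currently-running acclient processes will NOT pick up the gflags +ust
setting. Only processes started after this runs will have stack tagging.
Pre-existing leakers continue to leak, just without UST tags on their heap
entries.

Because this script runs elevated and launches a binary fetched from the
network (or cached in %TEMP% from an earlier run), the installer's
Authenticode signature is checked before it is executed; an installer that is
unsigned, modified, or not signed by Microsoft is NOT run.

Full-memory dumps hold everything acclient had in memory at crash time
(including any credentials or tokens it was holding). The dump folder lives
under the acbot profile and inherits its ACL — treat the dumps as sensitive
and do not copy them to a shared location.

After this finishes, you can close the elevated shell. The non-elevated
session keeps running.
#>

$ErrorActionPreference = 'Continue'   # don't crash window on first error
$log = 'C:\Users\acbot\leakhunt\artifacts\soak\admin_setup.log'
Start-Transcript -Path $log -Force | Out-Null

try {
    # ---- 0. Elevation guard: everything below writes HKLM ------------------
    $principal = [Security.Principal.WindowsPrincipal]::new(
        [Security.Principal.WindowsIdentity]::GetCurrent())
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        Write-Host "ERROR: not elevated. Aborting." -ForegroundColor Red
        Stop-Transcript | Out-Null
        Read-Host 'press enter to close'
        exit 1
    }
    Write-Host "=== admin_setup.ps1 started @ $(Get-Date -Format o) ===" -ForegroundColor Cyan

    # ---- 1. Install Windows SDK Debuggers feature ---------------------------
    $sdkDir = "$env:TEMP\winsdk"
    $sdk    = "$sdkDir\winsdksetup.exe"
    if (-not (Test-Path $sdk)) {
        Write-Host "SDK installer not present; downloading..." -ForegroundColor Yellow
        New-Item -ItemType Directory -Path $sdkDir -Force | Out-Null
        # PowerShell 5.1 can still default to TLS 1.0/1.1, which current
        # download endpoints reject; pin TLS 1.2 for this session.
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/?linkid=2272610" `
            -OutFile $sdk -UseBasicParsing
    }

    # Never launch a downloaded (or user-writable cached) binary elevated
    # without confirming it is intact and Microsoft-signed. A cached file in
    # %TEMP% could have been replaced since it was fetched.
    $sig = Get-AuthenticodeSignature -FilePath $sdk
    $signerOk = ($sig.Status -eq 'Valid') -and
                ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
    if (-not $signerOk) {
        Write-Warning ("SDK installer at $sdk failed the signature check " +
                       "(status: $($sig.Status); subject: $($sig.SignerCertificate.Subject)). " +
                       "NOT running it. Delete the file and re-run to re-download.")
    } else {
        Write-Host "[1/3] Installing Windows SDK Debuggers feature (silent)..." -ForegroundColor Cyan
        # $args is an automatic variable in PowerShell; use a distinct name.
        $setupArgs = @('/features', 'OptionId.WindowsDesktopDebuggers', '/quiet', '/norestart')
        $p = Start-Process -FilePath $sdk -ArgumentList $setupArgs -Wait -PassThru
        switch ($p.ExitCode) {
            0       { }
            # 3010 = ERROR_SUCCESS_REBOOT_REQUIRED: install succeeded, reboot
            # deferred by /norestart; the debugger binaries are still on disk.
            3010    { Write-Warning "SDK setup succeeded but requests a reboot (exit 3010)." }
            default { Write-Warning "SDK setup exit code: $($p.ExitCode) (non-zero — see %TEMP%\winsdk\ logs)" }
        }
    }

    $dbgRoot = 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x86'
    $cdb     = "$dbgRoot\cdb.exe"
    $umdh    = "$dbgRoot\umdh.exe"
    $gflags  = "$dbgRoot\gflags.exe"
    foreach ($t in @($cdb, $umdh, $gflags)) {
        if (Test-Path $t) { Write-Host " OK $t" -ForegroundColor Green }
        else              { Write-Host " MISSING $t" -ForegroundColor Red }
    }

    # ---- 2. WER LocalDumps for acclient.exe ---------------------------------
    Write-Host "[2/3] Configuring WER LocalDumps for acclient.exe..." -ForegroundColor Cyan
    $dumpDir = 'C:\Users\acbot\leakhunt\artifacts\crashdumps'
    New-Item -ItemType Directory -Path $dumpDir -Force | Out-Null
    $werKey = 'HKLM:\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\acclient.exe'
    New-Item -Path $werKey -Force | Out-Null
    New-ItemProperty -Path $werKey -Name 'DumpFolder' -Value $dumpDir -PropertyType ExpandString -Force | Out-Null
    # DumpType 2 = full memory dump: the whole process address space. Each
    # file can be large and contains whatever acclient had in memory.
    New-ItemProperty -Path $werKey -Name 'DumpType'  -Value 2  -PropertyType DWord -Force | Out-Null
    # Up to 25 dumps are kept; after that WER replaces the oldest. Budget
    # disk in artifacts\crashdumps\ for 25 full dumps.
    New-ItemProperty -Path $werKey -Name 'DumpCount' -Value 25 -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $werKey | Format-List DumpFolder, DumpType, DumpCount

    # ---- 3. gflags +ust on acclient.exe -------------------------------------
    Write-Host "[3/3] Enabling gflags +ust on acclient.exe (FUTURE spawns only)..." -ForegroundColor Cyan
    if (Test-Path $gflags) {
        # /i = per-image setting: gflags records it as the GlobalFlag value
        # under Image File Execution Options\acclient.exe, read at process start.
        & $gflags /i acclient.exe +ust
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "gflags exited with $LASTEXITCODE; +ust may not have been applied."
        }
        # Read the setting back so the transcript shows what was actually applied.
        $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acclient.exe'
        $gf = (Get-ItemProperty -Path $ifeo -Name GlobalFlag -ErrorAction SilentlyContinue).GlobalFlag
        if ($null -ne $gf) { Write-Host ("  GlobalFlag = 0x{0:x}" -f $gf) -ForegroundColor Green }
        else               { Write-Warning "No GlobalFlag value found under IFEO for acclient.exe." }
    } else {
        Write-Warning "gflags.exe not found at $gflags — SDK install may have failed. Skipping +ust."
    }

    Write-Host "=== admin_setup.ps1 finished @ $(Get-Date -Format o) ===" -ForegroundColor Cyan
    Write-Host "You can close this elevated window now." -ForegroundColor Green
}
catch {
    Write-Host "FATAL: $($_ | Out-String)" -ForegroundColor Red
}

Stop-Transcript | Out-Null
Read-Host 'press enter to close'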