Huge thanks to Goldengamer842 for the following idea!

Hello, my friends! Let's hit 20K likes? Check out my website! https://enderman.ch

Today I am going to show you how to hack a Windows 10 S Mode system to run .exe and sideload .dll applications. Is that worth it? Probably not. Is that awesome? Hell yes.

The way S Mode works is really simple: Microsoft just took their application control implementation and turned the Windows Defender Code Integrity service on with a signed Microsoft policy.

*DIY:*
1. Open the Group Policy Editor and find the Device Guard policy. It is located in \\Computer Configuration\Administrative Templates\System.
2. Disable both settings.
3. Find the winsipolicy.p7b files in %systemroot%\Boot\EFI and %systemroot%\WinSxS and delete both files.
4. Reboot into PE (you will not be able to access the ESP normally, as no Command Prompt is available).
5. Mount the ESP (EFI System Partition), locate winsipolicy.p7b in %root%\EFI\Microsoft\Boot and delete it as well.
6. Profit!

*Install command:*
dism.exe /apply-image /imagefile:windows10shacked.wim /index:1 /applydir:?:\

*Install tutorial:*
https://youtu.be/JxJ6a-PY1KA

*Links:*
Windows 10 S (Hacked) - https://files.enderman.ch/uploads/Windows10SHacked.wim
Windows 10 S (Installer) - https://files.enderman.ch/uploads/Windows10SInstaller5932.exe
Windows 10 S (ESD) - https://files.enderman.ch/uploads/16299.125.171213-1220.rs3_release_svc_refresh_CLIENTCONSUMER_RET_X64FRE_en-us.esd
Device Guard (in Russian) - https://www.outsidethebox.ms/18937/
WDAC - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control
P7B - https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies

*Password:*
mysubsarethebest

*Timestamps:*
0:00 - Intro
0:22 - History of S Mode
1:36 - Acquiring the image
2:59 - Installing
4:14 - Early ideas
5:14 - Boot Command Prompt Exploit (BCPE)
6:30 - Boot Task Manager Exploit (BTME)
7:25 - Major breakthrough
8:09 - Device Guard settings
9:29 - WDAC Policies
11:06 - Malware removal
13:00 - Outcome
13:36 - Final product
15:36 - Outro

Still got questions? Don't hesitate, send them to contact@enderman.ch!

Hope you have a great day!

#endermanch #experiments #windows
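
A defender's check for the tampering described in the DIY steps, as an added example that is not from the video or its author: it reports whether winsipolicy.p7b is still present in the three locations named above on an offline-mounted Windows volume and ESP. The function name, parameter names and drive letters are assumptions.

```powershell
# Added example (not from the video): audit an offline Windows volume for the
# S Mode policy file winsipolicy.p7b in the locations this page lists.
function Test-SModePolicyFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $WindowsRoot,  # offline %systemroot%, e.g. 'D:\Windows' (assumed letter)
        [string] $EspRoot                              # mounted ESP root, e.g. 'S:\' (assumed letter)
    )
    $name  = 'winsipolicy.p7b'
    $found = @()

    # Fixed locations taken from the steps on this page.
    $found += [pscustomobject]@{ Location = 'Boot\EFI'; Path = Join-Path $WindowsRoot "Boot\EFI\$name" }
    if ($EspRoot) {
        $found += [pscustomobject]@{ Location = 'ESP'; Path = Join-Path $EspRoot "EFI\Microsoft\Boot\$name" }
    }

    # The page names only the WinSxS folder, so search beneath it.
    $sxs  = Join-Path $WindowsRoot 'WinSxS'
    $hits = @(Get-ChildItem -LiteralPath $sxs -Filter $name -Recurse -File -ErrorAction SilentlyContinue)
    foreach ($h in $hits) {
        $found += [pscustomobject]@{ Location = 'WinSxS'; Path = $h.FullName }
    }
    if ($hits.Count -eq 0) {
        # No copy found: report the folder itself, which the leaf test below marks as absent.
        $found += [pscustomobject]@{ Location = 'WinSxS'; Path = $sxs }
    }

    # One record per location: presence plus a hash for comparison with a reference image.
    foreach ($f in $found) {
        $present = Test-Path -LiteralPath $f.Path -PathType Leaf
        [pscustomobject]@{
            Location = $f.Location
            Present  = $present
            SHA256   = if ($present) { (Get-FileHash -LiteralPath $f.Path -Algorithm SHA256).Hash } else { $null }
            Path     = $f.Path
        }
    }
}

# Example call from a recovery environment (drive letters are assumptions):
# Test-SModePolicyFiles -WindowsRoot 'D:\Windows' -EspRoot 'S:\' | Format-Table -AutoSize
```

A row with Present set to False, or a hash that differs from an untouched S Mode image of the same build, means the signed policy is no longer in place at that location.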