Posted

Run as TrustedInstaller using DLL (NSudoDM.dll, NSudoAPI.dll)
This is a tool for launching programs, itself or any other program, with privileges similar to TrustedInstaller's.

Below is an example that reruns itself under TrustedInstaller privileges:

#RequireAdmin
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Compile_Both=y
#AutoIt3Wrapper_UseX64=y
#AutoIt3Wrapper_Res_requestedExecutionLevel=requireAdministrator
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <File.au3>
#include <Array.au3>
#include <WinAPI.au3>
#include <Security.au3> ; _Security__OpenProcessToken, _Security__GetTokenInformation, _Security__SidToStringSid, _Security__LookupAccountSid
#include <Constants.au3>

Global Const $NSudo_Dll_Dir = (FileExists(@ScriptDir & '\NSudoAPI_x86.dll') And FileExists(@ScriptDir & '\NSudoAPI_x64.dll') And FileExists(@ScriptDir & '\NSudoDM_x86.dll') And FileExists(@ScriptDir & '\NSudoDM_x64.dll')) ? @ScriptDir : @TempDir
OnAutoItExitRegister("_OnExit_Clean")
Global Const $NSudoAPI_Dll_x86 = $NSudo_Dll_Dir & '\NSudoAPI_x86.dll'
Global Const $NSudoAPI_Dll_x64 = $NSudo_Dll_Dir & '\NSudoAPI_x64.dll'
Global Const $NSudoAPI_Dll = @AutoItX64 ? $NSudoAPI_Dll_x64 : $NSudoAPI_Dll_x86

Global Const $NSudoDM_Dll_x86 = $NSudo_Dll_Dir & '\NSudoDM_x86.dll'
Global Const $NSudoDM_Dll_x64 = $NSudo_Dll_Dir & '\NSudoDM_x64.dll'
Global Const $NSudoDM_Dll = @AutoItX64 ? $NSudoDM_Dll_x64 : $NSudoDM_Dll_x86
If $NSudo_Dll_Dir<> @ScriptDir Then
    FileInstall("NSudoDM_x86.dll",$NSudoDM_Dll_x86,1)
    FileInstall("NSudoDM_x64.dll",$NSudoDM_Dll_x64,1)
    FileInstall("NSudoAPI_x86.dll",$NSudoAPI_Dll_x86,1)
    FileInstall("NSudoAPI_x64.dll",$NSudoAPI_Dll_x64,1)
EndIf
Global Const $NSudoAPI_UserModeType_DEFAULT = 0 ; Run the program with the current user's access token. If User Account Control (UAC) is not disabled, the permissions of this mode are equivalent to those of a standard user
Global Const $NSudoAPI_UserModeType_TRUSTED_INSTALLER = 1 ; Run the program with the TrustedInstaller access token
Global Const $NSudoAPI_UserModeType_SYSTEM = 2 ; Run the program with the System access token
Global Const $NSudoAPI_UserModeType_CURRENT_USER = 3 ; Run the program with the elevated current user's access token. The permissions of this mode are equivalent to those of the elevated user
Global Const $NSudoAPI_UserModeType_CURRENT_PROCESS = 4 ; Run the program with the current process's access token. The permissions of this mode are equivalent to those of the elevated user
Global Const $NSudoAPI_UserModeType_CURRENT_PROCESS_DROP_RIGHT = 5 ; Run the program with the current process's LUA mode access token. The permissions of this mode are equivalent to those of a standard user and this implementation is consistent with the corresponding implementation in iertutil.dll in Internet Explorer
Global Const $NSudoAPI_PrivilegesModeType_DEFAULT = 0 ; default privileges
Global Const $NSudoAPI_PrivilegesModeType_ENABLE_ALL_PRIVILEGES = 1 ; enable all privileges
Global Const $NSudoAPI_PrivilegesModeType_DISABLE_ALL_PRIVILEGES = 2 ; disable all privileges
Global Const $NSudoAPI_MandatoryLabelType_UNTRUSTED = 0 ;Untrusted
Global Const $NSudoAPI_MandatoryLabelType_LOW = 1 ;Low
Global Const $NSudoAPI_MandatoryLabelType_MEDIUM = 2 ;Medium
Global Const $NSudoAPI_MandatoryLabelType_MEDIUM_PLUS = 3 ;Medium-high
Global Const $NSudoAPI_MandatoryLabelType_HIGH = 4 ;High
Global Const $NSudoAPI_MandatoryLabelType_SYSTEM = 5 ;System
Global Const $NSudoAPI_MandatoryLabelType_PROTECTED_PROCESS = 6 ;Protected process
Global Const $NSudoAPI_ProcessPriorityClassType_BELOW_NORMAL = 0 ;Below normal
Global Const $NSudoAPI_ProcessPriorityClassType_NORMAL = 1 ;Normal
Global Const $NSudoAPI_ProcessPriorityClassType_ABOVE_NORMAL = 2 ;Above normal
Global Const $NSudoAPI_ProcessPriorityClassType_HIGH = 3 ;High
Global Const $NSudoAPI_ProcessPriorityClassType_REALTIME = 4 ;Real time
Global Const $NSudoAPI_ShowWindowModeType_DEFAULT = 0 ;Default
Global Const $NSudoAPI_ShowWindowModeType_SHOW = 1 ;Show window
Global Const $NSudoAPI_ShowWindowModeType_HIDE = 2 ;Hide window
Global Const $NSudoAPI_ShowWindowModeType_MAXIMIZE = 3 ;Maximize
Global Const $NSudoAPI_ShowWindowModeType_MINIMIZE = 4 ;Minimize

Global $NSudoAPI_WaitInterval = 0 ; The time (in milliseconds) to wait for the created process.
Global $NSudoAPI_CreateNewConsole = True ; the new process will run in a new console window, otherwise it will run directly in the console window corresponding to the process (default setting).
If (@OSArch = "X64") And (@AutoItX64 = 0) Then
    ; 32-bit script on 64-bit Windows: turn WOW64 file system redirection off so the
    ; System32 paths below refer to the real 64-bit directory and not to SysWOW64.
    ; (The UDF wraps Wow64DisableWow64FsRedirection, whose only argument is a PVOID*
    ; out-parameter, so a raw DllCall passing a literal 1 for it is not needed.)
    _WinAPI_Wow64EnableWow64FsRedirection(False)
EndIf

;The command line to be executed, the maximum length = MAX_PATH, i.e. 260 characters.
Global $NSudoAPI_CommandLine = @ScriptFullPath
;Used to specify the current directory of the process. A full path is required. UNC paths can be used. If this parameter is nullptr, the new process will use the current path used by the process that called this function.
Global $NSudoAPI_CurrentDirectory = @WorkingDir
Global $ProcessOwner = _ProcessGetOwner(@AutoItPID)
Global $DllCall_Error_Return = 0, $DllCall_Error_Name = 'unknown', $DllCall_Return = ''

_ConsoleWrite("! " & @YEAR & "/" & @MON & "/" & @MDAY & "-" & @HOUR & ":" & @MIN & ":" & @SEC & " !")
_ConsoleWrite("! " & @ScriptFullPath & " | User: " & @UserName & " | NSUDO_Dll_Dir: " & $NSudo_Dll_Dir)
_ConsoleWrite("! " & "ProcessPID:" & @AutoItPID & " | ProcessOwner: " & $ProcessOwner)

Global $NSudoDM_DllCall_Handle = _WinAPI_LoadLibrary($NSudoDM_Dll)
If @UserName <> "SYSTEM" And @UserName <> 'LOCAL SERVICE' Then
    _NSudoAPI_RUN()
Else
    ; TEST 1 =================================================================================================
    If FileExists(@WindowsDir & '\System32\sethc_.exe') Then ; Restore
        FileDelete(@WindowsDir & '\System32\sethc.exe')
        FileMove(@WindowsDir & '\System32\sethc_.exe', @WindowsDir & '\System32\sethc.exe', 1)
        If @AutoItX64 Then
            FileDelete(@WindowsDir & '\SysWOW64\sethc.exe')
            FileMove(@WindowsDir & '\SysWOW64\sethc_.exe', @WindowsDir & '\SysWOW64\sethc.exe', 1)
        EndIf
    Else ; Replace
        FileMove(@WindowsDir & '\System32\sethc.exe', @WindowsDir & '\System32\sethc_.exe', 1)
        FileCopy(@WindowsDir & '\System32\cmd.exe', @WindowsDir & '\System32\sethc.exe', 1)
        If @AutoItX64 Then
            FileMove(@WindowsDir & '\SysWOW64\sethc.exe', @WindowsDir & '\SysWOW64\sethc_.exe', 1)
            FileCopy(@WindowsDir & '\SysWOW64\cmd.exe', @WindowsDir & '\SysWOW64\sethc.exe', 1)
        EndIf
        Run(@WindowsDir & '\System32\sethc.exe')
    EndIf

    ; TEST 2 ========================================================================================================
    _ArrayDisplay(_FileListToArray(@HomeDrive & '\System Volume Information'), "ProcessOwner: " & $ProcessOwner)
EndIf

_WinAPI_FreeLibrary($NSudoDM_DllCall_Handle)

Func _NSudoAPI_RUN()
    _ConsoleWrite("- Call NSudoCreateProcess in Dll: " & $NSudoAPI_Dll)
;~  Local $NSudoAPI_DllCall_Handle = DllOpen($NSudoAPI_Dll)
    Local $NSudoAPI_DllCall_Result = DllCall($NSudoAPI_Dll, 'int', 'NSudoCreateProcess', _
            'int', $NSudoAPI_UserModeType_TRUSTED_INSTALLER, _             ; NSUDO_USER_MODE_TYPE
            'int', $NSudoAPI_PrivilegesModeType_ENABLE_ALL_PRIVILEGES, _             ; NSUDO_PRIVILEGES_MODE_TYPE
            'int', $NSudoAPI_MandatoryLabelType_SYSTEM, _            ; NSUDO_MANDATORY_LABEL_TYPE
            'int', $NSudoAPI_ProcessPriorityClassType_ABOVE_NORMAL, _            ; NSUDO_PROCESS_PRIORITY_CLASS_TYPE
            'int', $NSudoAPI_ShowWindowModeType_SHOW, _            ; NSUDO_SHOW_WINDOW_MODE_TYPE
            'dword', $NSudoAPI_WaitInterval, _            ; WaitInterval
            'bool', $NSudoAPI_CreateNewConsole, _            ; CreateNewConsole
            'wstr', $NSudoAPI_CommandLine, _            ; CommandLine
            'wstr', $NSudoAPI_CurrentDirectory)             ; CurrentDirectory
    $DllCall_Error_Return = @error
    If $DllCall_Error_Return > 0 Then
        _ConsoleWrite("! DllCall Error num: " & $DllCall_Error_Return)
        Switch $DllCall_Error_Return
            Case 1
                $DllCall_Error_Name = 'unable to use the DLL file'
            Case 2
                $DllCall_Error_Name = 'unknown "Return type"'
            Case 3
                $DllCall_Error_Name = '"function" not found in the DLL file'
            Case 4
                $DllCall_Error_Name = 'bad number of parameters'
            Case 5
                $DllCall_Error_Name = 'bad parameter'
        EndSwitch
        _ConsoleWrite("! DllCall Error Name: " & $DllCall_Error_Name)
    EndIf
    If IsArray($NSudoAPI_DllCall_Result) Then
        For $i = 0 To UBound($NSudoAPI_DllCall_Result) - 1
            $DllCall_Return &= $NSudoAPI_DllCall_Result[$i] & @CRLF
        Next
    EndIf
    _ConsoleWrite('- DllCall Return :(IsArray:' & IsArray($NSudoAPI_DllCall_Result) & ') > [[' & $DllCall_Return & ']]' & @CRLF & "- Error: " & $DllCall_Error_Name & @CRLF)

EndFunc   ;==>_NSudoAPI_RUN

Func _ConsoleWrite($sText)
    ConsoleWrite($sText & @CRLF)
    FileWriteLine(@ScriptFullPath & ".logs", $sText)
EndFunc   ;==>_ConsoleWrite

Func _ProcessGetOwner($ivPID)
    $ivPID = ProcessExists($ivPID)
    If Not $ivPID Then Return (SetError(1, 0, 0))
    Local Const $TOKEN_READ = 0x00020000 + 0x0008 ; STANDARD_RIGHTS_READ+TOKEN_QUERY
    Local $hvProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $ivPID, False)
    Local $hvToken = _Security__OpenProcessToken($hvProcess, $TOKEN_READ)
    Local $bvSID = _Security__GetTokenInformation($hvToken, $TOKENOWNER)
    Local $avRet = DllStructCreate("ptr", DllStructGetPtr($bvSID)) ; TOKEN_OWNER.Owner is a PSID pointer (8 bytes on x64), so read it as "ptr", not "ulong"
    $avRet = _Security__SidToStringSid(DllStructGetData($avRet, 1))
    $avRet = _Security__LookupAccountSid($avRet)
    _WinAPI_CloseHandle($hvProcess)
    _WinAPI_CloseHandle($hvToken)
    If Not IsArray($avRet) Then Return (SetError(1, 0, _GetProcessOwner($ivPID)))
    Return (SetError(0, $avRet[2], $avRet[0]))
EndFunc   ;==>_ProcessGetOwner

Func _GetProcessOwner($PID, $sComputer = ".")
    Local $objWMI, $colProcs, $sUserName, $sUserDomain
    $objWMI = ObjGet("winmgmts:\\" & $sComputer & "\root\cimv2")
    If IsObj($objWMI) Then
        $colProcs = $objWMI.ExecQuery("Select ProcessId From Win32_Process Where ProcessId=" & $PID)
        If IsObj($colProcs) Then
            For $Proc In $colProcs
                If $Proc.GetOwner($sUserName, $sUserDomain) = 0 Then Return $sUserName
            Next
        EndIf
    EndIf
EndFunc   ;==>_GetProcessOwner

Func _OnExit_Clean()
    If StringLower($NSudo_Dll_Dir) = StringLower(@ScriptDir) Then Exit
    FileDelete($NSudoAPI_Dll_x86)
    FileDelete($NSudoAPI_Dll_x64)
    FileDelete($NSudoDM_Dll_x86)
    FileDelete($NSudoDM_Dll_x64)
EndFunc   ;==>_OnExit_Clean

; Launch processes with TrustedInstaller privilege by Dao Van Trong - TRONG.PRO
; Dll from NSudo: https://github.com/M2TeamArchived/NSudo/releases


Download DLL from HERE: https://github.com/M2TeamArchived/NSudo/releases/download/9.0-Preview1/NSudo_9.0_Preview1_9.0.2676.0.zip


Regards,
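The `_ProcessGetOwner()` function in the script above works by reading the token owner SID as raw bytes, converting it to `S-1-...` form and then looking the account up. As an added illustration (not part of the original post and not NSudo's code), the Python below does the same decoding on constructed SID bytes, and maps integrity-level SIDs (`S-1-16-<rid>`) onto the `NSudoAPI_MandatoryLabelType` values listed in the script. `has_trusted_installer_group()` is a hypothetical helper: the user of a TrustedInstaller-derived token is still SYSTEM, and the fixed `NT SERVICE\TrustedInstaller` service SID shows up in its group list, which is what the `whoami /groups` check later in this thread displays.

```python
import struct
from typing import Iterable

# Fixed service SID of NT SERVICE\TrustedInstaller (a standard Windows value).
TI_SID = "S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"

# A few well-known SIDs, named the way _Security__LookupAccountSid would name them.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    TI_SID: "NT SERVICE\\TrustedInstaller",
}

# Integrity-level RIDs (S-1-16-<rid>) in the order of the NSudoAPI_MandatoryLabelType
# constants in the script (0 = Untrusted ... 6 = Protected process).
MANDATORY_LABEL_RIDS = {
    0x0000: (0, "Untrusted"),
    0x1000: (1, "Low"),
    0x2000: (2, "Medium"),
    0x2100: (3, "Medium-high"),
    0x3000: (4, "High"),
    0x4000: (5, "System"),
    0x5000: (6, "Protected process"),
}


def sid_to_string(raw: bytes) -> str:
    """Convert a binary SID (revision, sub-authority count, 6-byte big-endian
    identifier authority, little-endian 32-bit sub-authorities) to S-1-... form,
    the same conversion ConvertSidToStringSid performs."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<" + "I" * count, raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def string_to_sid(sid: str) -> bytes:
    """Inverse of sid_to_string; used here only to build constructed test input."""
    parts = sid.split("-")
    if parts[0] != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string")
    authority = int(parts[2]).to_bytes(6, "big")
    subs = [int(p) for p in parts[3:]]
    return bytes([1, len(subs)]) + authority + struct.pack("<" + "I" * len(subs), *subs)


def describe_sid(sid: str) -> str:
    """Name a well-known SID, or decode an integrity-level SID to the matching
    NSudoAPI_MandatoryLabelType index and name."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    parts = sid.split("-")
    if len(parts) == 4 and parts[2] == "16":
        rid = int(parts[3])
        if rid in MANDATORY_LABEL_RIDS:
            idx, name = MANDATORY_LABEL_RIDS[rid]
            return f"Mandatory label {name} (NSudoAPI_MandatoryLabelType = {idx})"
        return f"Mandatory label with unknown RID {rid}"
    return "unknown SID"


def has_trusted_installer_group(group_sids: Iterable[str]) -> bool:
    """True when a token's group SIDs (e.g. from whoami /groups) include the
    TrustedInstaller service SID; the token user alone (SYSTEM) does not tell you."""
    return TI_SID in set(group_sids)


if __name__ == "__main__":
    # Constructed inputs: SYSTEM, the TrustedInstaller service SID and two labels.
    for s in ("S-1-5-18", TI_SID, "S-1-16-16384", "S-1-16-8448"):
        raw = string_to_sid(s)
        assert sid_to_string(raw) == s
        print(f"{s:<70} {describe_sid(s)}")
    print("TI group present:", has_trusted_installer_group(["S-1-5-18", TI_SID]))
```

The decoder refuses SIDs whose length disagrees with the sub-authority count, which is the check you want before trusting bytes read out of another process's token buffer.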
 

Posted

Your DLL uses the SetThreadToken function to set the token.

The same is done via my link.

Also you can use not-documented NtImpersonateThread instead of SetThreadToken.

 

  • 2 weeks later...
Posted

@malcev is right, you don't need any external dll to run a process with the same privileges as TrustedInstaller. To achieve this you can use the undocumented NtImpersonateThread() function (more info here) or simply documented WinAPIs.

#RequireAdmin
#include-once
#include <SecurityConstants.au3>
#include <StructureConstants.au3>
#include <ProcessConstants.au3>
#include <Security.au3> ; _Security__LookupPrivilegeValue, _Security__AdjustTokenPrivileges
#include <WinAPIProc.au3>

$iProcID = CreateProcessAsTI('cmd.exe', '/t:06')

Func CreateProcessAsTI($sAppName, $sCmdLine = '')
    Local $iPID = StartTIService()
    If @error Then Return SetError(1, @error, False)

    EnablePrivilege($SE_DEBUG_NAME)
    EnablePrivilege($SE_IMPERSONATE_NAME)
    ImpersonateSystem()

    Local $hTIProcess = _WinAPI_OpenProcess(BitOR($PROCESS_DUP_HANDLE, $PROCESS_QUERY_INFORMATION), False, $iPID)
    If @error Then Return SetError(2, 0, False) ; without Return the code below would run with an invalid handle

    Local $hTIToken = _WinAPI_OpenProcessToken(0x2000000, $hTIProcess)
    If Not $hTIToken Then
        _WinAPI_CloseHandle($hTIProcess)
        Return SetError(3, 0, False)
    EndIf

    Local $tSECURITY_ATTRIBUTES = DllStructCreate($tagSECURITY_ATTRIBUTES)
    $tSECURITY_ATTRIBUTES.nLength = DllStructGetSize($tSECURITY_ATTRIBUTES)
    $tSECURITY_ATTRIBUTES.lpSecurityDescriptor = Null
    $tSECURITY_ATTRIBUTES.bInheritHandle = False
    Local $hDupToken = _WinAPI_DuplicateTokenEx($hTIToken, 0x2000000, $SECURITYIMPERSONATION, $TOKENIMPERSONATION, $tSECURITY_ATTRIBUTES)
    If $hDupToken = 0 Then
        _WinAPI_CloseHandle($hTIToken)
        Return SetError(4, 0, False)
    EndIf

    Local $tSTARTUPINFO = DllStructCreate($tagSTARTUPINFO)
    $tSTARTUPINFO.lpDesktop = 'Winsta0\Default' ; AutoIt strings have no backslash escapes, so a single backslash is the correct separator
    Local $tPROCESS_INFORMATION = DllStructCreate($tagPROCESS_INFORMATION)

    If Not _WinAPI_CreateProcessWithToken($sAppName, $sCmdLine, $CREATE_UNICODE_ENVIRONMENT, $tSTARTUPINFO, $tPROCESS_INFORMATION, $hDupToken, $LOGON_WITH_PROFILE) Then
        _WinAPI_CloseHandle($hDupToken)
        _WinAPI_CloseHandle($hTIToken)
        Return SetError(5, 0, False)
    EndIf

    Return $tPROCESS_INFORMATION.ProcessID
EndFunc

Func StartTIService()
    Local $aCall

    $aCall = DllCall('Advapi32.dll', 'handle', 'OpenSCManagerW', 'wstr', Null, 'wstr', Null, 'dword', 0x20000000)
    If $aCall[0] = Null Then Return SetError(1, 0, 0)
    Local $hSCManager = $aCall[0]

    $aCall = DllCall('Advapi32.dll', 'handle', 'OpenServiceW', 'handle', $hSCManager, 'wstr', 'TrustedInstaller', 'dword', BitOR(0x80000000, 0x20000000))
    If $aCall[0] = Null Then Return SetError(2, 0, 0)
    Local $hService = $aCall[0]

    Local $iBufferBytes
    Local Static $tagSERVICE_STATUS_PROCESS = 'dword dwServiceType;dword dwCurrentState;dword dwControlsAccepted;dword dwWin32ExitCode;' & _
                        'dword dwServiceSpecificExitCode;dword dwCheckPoint;dword dwWaitHint;dword dwProcessId;dword dwServiceFlags;'
    Local $tStatusBuffer = DllStructCreate($tagSERVICE_STATUS_PROCESS)

    While True
        $aCall = DllCall('Advapi32.dll', 'bool', 'QueryServiceStatusEx', _
                        'handle', $hService, _
                        'int', 0, _         ; SC_STATUS_PROCESS_INFO
                        'ptr', DllStructGetPtr($tStatusBuffer), _
                        'dword', DllStructGetSize($tStatusBuffer), _
                        'dword*', $iBufferBytes)
        If Not $aCall[0] Then ExitLoop
        Switch $tStatusBuffer.dwCurrentState
            Case 0x00000001                 ; SERVICE_STOPPED
                $aCall = DllCall('Advapi32.dll', 'bool', 'StartServiceW', 'handle', $hService, 'dword', 0, 'wstr', Null)
                If Not $aCall[0] Then
                    DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hService)
                    DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hSCManager)
                    Return SetError(3, 0, 0)
                EndIf
            Case 0x00000002, 0x00000003     ; SERVICE_START_PENDING, SERVICE_STOP_PENDING
                Sleep($tStatusBuffer.dwWaitHint)
                ContinueLoop
            Case 0x00000004                 ; SERVICE_RUNNING
                DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hService)
                DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hSCManager)
                Return SetError(0, 0, $tStatusBuffer.dwProcessId)
        EndSwitch
    WEnd
    DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hService)
    DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hSCManager)
    Return SetError(4, 0, 0)
EndFunc

Func EnablePrivilege($sPrivilegeName)
    Local $hToken = _WinAPI_OpenProcessToken(BitOR($TOKEN_QUERY, $TOKEN_ADJUST_PRIVILEGES))
    If Not $hToken Then Return SetError(1, 0, False)

    Local $vLUID = _Security__LookupPrivilegeValue('', $sPrivilegeName)
    If Not $vLUID Then
        _WinAPI_CloseHandle($hToken)
        Return SetError(2, 0, False)
    EndIf

    Local $tTOKEN_PRIVILEGES = DllStructCreate('dword PrivilegeCount;align 4;int64 LUID;dword Attributes')
    $tTOKEN_PRIVILEGES.PrivilegeCount = 1
    $tTOKEN_PRIVILEGES.LUID = $vLUID
    $tTOKEN_PRIVILEGES.Attributes = $SE_PRIVILEGE_ENABLED
    If Not _Security__AdjustTokenPrivileges($hToken, False, DllStructGetPtr($tTOKEN_PRIVILEGES), DllStructGetSize($tTOKEN_PRIVILEGES), Null, Null) Then
        _WinAPI_CloseHandle($hToken)
        Return SetError(3, 0, False)
    EndIf

    _WinAPI_CloseHandle($hToken)

    Return SetError(0, 0, True)
EndFunc

Func GetProcessIDByName($sProcessName)
    Local $aSnapshot = DllCall('kernel32.dll', 'handle', 'CreateToolhelp32Snapshot', 'dword', 0x00000002, 'dword', 0)
    If $aSnapshot[0] = -1 Then Return SetError(1, 0, 0)
    Local $hSnapshot = $aSnapshot[0]

    Local $iPID = -1
    Local $tPROCESSENTRY32 = DllStructCreate($tagPROCESSENTRY32)
    $tPROCESSENTRY32.Size = DllStructGetSize($tPROCESSENTRY32)

    If Not DllCall('kernel32.dll', 'bool', 'Process32FirstW', 'handle', $hSnapshot, 'ptr', DllStructGetPtr($tPROCESSENTRY32))[0] Then
        _WinAPI_CloseHandle($hSnapshot)
        Return SetError(2, 0, 0)
    EndIf

    While DllCall('kernel32.dll', 'bool', 'Process32NextW', 'handle', $hSnapshot, 'ptr', DllStructGetPtr($tPROCESSENTRY32))[0]
        If $tPROCESSENTRY32.ExeFile = $sProcessName Then
            $iPID = $tPROCESSENTRY32.ProcessID
            ExitLoop
        EndIf
    WEnd

    If $iPID = -1 Then
        _WinAPI_CloseHandle($hSnapshot)
        Return SetError(3, 0, 0)
    EndIf

    _WinAPI_CloseHandle($hSnapshot)

    Return $iPID
EndFunc

Func ImpersonateSystem()
    Local $iPID = GetProcessIDByName('winlogon.exe')
    If @error Then Return SetError(1, @error, False)

    Local $hSystemProcess = _WinAPI_OpenProcess(BitOR($PROCESS_DUP_HANDLE, $PROCESS_QUERY_INFORMATION), False, $iPID)
    If @error Then Return SetError(2, @error, False)

    Local $hSystemToken = _WinAPI_OpenProcessToken(0x2000000, $hSystemProcess)
    If $hSystemToken = 0 Then
        _WinAPI_CloseHandle($hSystemProcess)
        Return SetError(3, 0, False)
    EndIf

    Local $tSECURITY_ATTRIBUTES = DllStructCreate($tagSECURITY_ATTRIBUTES)
    $tSECURITY_ATTRIBUTES.nLength = DllStructGetSize($tSECURITY_ATTRIBUTES)
    $tSECURITY_ATTRIBUTES.lpSecurityDescriptor = Null
    $tSECURITY_ATTRIBUTES.bInheritHandle = False
    Local $hDupToken = _WinAPI_DuplicateTokenEx($hSystemToken, 0x2000000, $SECURITYIMPERSONATION, $TOKENIMPERSONATION, $tSECURITY_ATTRIBUTES)
    If $hDupToken = 0 Then
        _WinAPI_CloseHandle($hSystemToken)
        Return SetError(4, 0, False)
    EndIf

    If Not DllCall('Advapi32.dll', 'bool', 'ImpersonateLoggedOnUser', 'handle', $hDupToken)[0] Then
        _WinAPI_CloseHandle($hDupToken)
        _WinAPI_CloseHandle($hSystemToken)
        Return SetError(5, 0, False)
    EndIf

    _WinAPI_CloseHandle($hDupToken)
    _WinAPI_CloseHandle($hSystemToken)
    Return SetError(0, 0, True)
EndFunc

PS: code based on this github repo
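Before it touches any token, `CreateProcessAsTI()` above enables `SeDebugPrivilege` and `SeImpersonatePrivilege` in its own token, so any principal allowed to hold both rights can reproduce the chain. A least-privilege check a defender can run is to export the local policy with `secedit /export /cfg <file>` and list who is assigned both. The Python below is an added example (not from the post or the repository it is based on): it parses the `[Privilege Rights]` section of such an export, on a constructed sample rather than a real machine's output, and reports which SIDs hold every privilege the chain needs and which hold `SeDebugPrivilege` beyond the Administrators group. `CHAIN_PRIVILEGES`, `SAMPLE_EXPORT` and the function names are this example's own.

```python
from typing import Dict, Iterable, List

# Privileges CreateProcessAsTI() enables before opening winlogon's and
# TrustedInstaller's tokens.
CHAIN_PRIVILEGES = ("SeDebugPrivilege", "SeImpersonatePrivilege")

# Well-known SIDs used for display (standard Windows values).
KNOWN_SIDS = {
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-6": "NT AUTHORITY\\SERVICE",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
}

# Constructed sample in the layout of `secedit /export /cfg <file>`; the domain
# SID S-1-5-21-1111111111-2222222222-3333333333-1105 is made up for the example.
SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeImpersonatePrivilege = *S-1-5-32-544,*S-1-5-6,*S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text: str) -> Dict[str, List[str]]:
    """Return {privilege name: [SID, ...]} from the [Privilege Rights] section.
    secedit prefixes each SID with '*'; names without a prefix are kept as-is."""
    rights: Dict[str, List[str]] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        holders = [h.strip().lstrip("*") for h in value.split(",") if h.strip()]
        rights[name.strip()] = holders
    return rights


def principals_able_to_run_chain(rights: Dict[str, List[str]],
                                 required: Iterable[str] = CHAIN_PRIVILEGES) -> List[str]:
    """SIDs that hold every privilege in `required` (sorted for stable output)."""
    sets = [set(rights.get(p, [])) for p in required]
    return sorted(set.intersection(*sets)) if sets else []


def unexpected_holders(rights: Dict[str, List[str]], privilege: str,
                       expected: Iterable[str]) -> List[str]:
    """SIDs assigned `privilege` that are not in the expected baseline."""
    return sorted(set(rights.get(privilege, [])) - set(expected))


def display_name(sid: str) -> str:
    return KNOWN_SIDS.get(sid, sid)


if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    for sid in principals_able_to_run_chain(parsed):
        print("holds SeDebug + SeImpersonate:", display_name(sid))
    extra = unexpected_holders(parsed, "SeDebugPrivilege", ["S-1-5-32-544"])
    print("SeDebugPrivilege granted beyond Administrators:", [display_name(s) for s in extra])
```

Run against a real export, the second list is the one to act on: a non-admin account or group holding `SeDebugPrivilege` can open SYSTEM processes the same way the script does, so it should be removed unless there is a documented reason for it.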

Posted
6 minutes ago, argumentum said:

I was expecting "nt authority\trustedinstaller". Am I wrong ?

What would be the difference? The reason behind this is to start a process as a user with higher privileges than users from the Administrators group, basically having access to pretty much all system objects.

Posted (edited)
5 minutes ago, Andreik said:

basically having access to pretty much all system objects

That's the thing. Some things are TrustedInstaller-only, and not even system level can touch them. Hence the question.
But all this is out of curiosity. I am not going to thoroughly test any of this (lack of time). Nonetheless, thanks for sharing :) (and completing the answer)

Edited by argumentum


Posted
2 minutes ago, argumentum said:

Some stuff are TrustedInstaller only and not even system level can touch. Hence the question.

Give me one example. Or better, make a test for me in one of your VM. Start the script above and delete Windows Mail from Program Files that is owned by TrustedInstaller and let me know if it works.

PS: backup the folder before doing this operation :muttley:

Posted (edited)
4 hours ago, Andreik said:
$iProcID = CreateProcessAsTI('cmd.exe', '/t:06')
$iProcID = CreateProcessAsTI('', 'cmd.exe /k color 06 & title TrustedInstaller mode & whoami /groups /fo list |find "Group Name:"')

that way, I can see and be shown :tv_happy:

Edited by argumentum
better

