Trong Posted July 23, 2024 Posted July 23, 2024 Run as TrustedInstaller using DLL (NSudoDM.dll, NSudoAPI.dll) Is a tool for launching programs with similar privileges to TrustedInstaller. Itself or any other program. Below is an example that reruns itself under TrustedInstaller privileges: expandcollapse popup#RequireAdmin #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Compile_Both=y #AutoIt3Wrapper_UseX64=y #AutoIt3Wrapper_Res_requestedExecutionLevel=requireAdministrator #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #include <File.au3> #include <Array.au3> #include <WinAPI.au3> #include <Constants.au3> Global Const $NSudo_Dll_Dir = (FileExists(@ScriptDir & '\NSudoAPI_x86.dll') And FileExists(@ScriptDir & '\NSudoAPI_x64.dll') And FileExists(@ScriptDir & '\NSudoDM_x86.dll') And FileExists(@ScriptDir & '\NSudoDM_x64.dll')) ? @ScriptDir : @TempDir OnAutoItExitRegister("_OnExit_Clean") Global Const $NSudoAPI_Dll_x86 = $NSudo_Dll_Dir & '\NSudoAPI_x86.dll' Global Const $NSudoAPI_Dll_x64 = $NSudo_Dll_Dir & '\NSudoAPI_x64.dll' Global Const $NSudoAPI_Dll = @AutoItX64 ? $NSudoAPI_Dll_x64 : $NSudoAPI_Dll_x86 Global Const $NSudoDM_Dll_x86 = $NSudo_Dll_Dir & '\NSudoDM_x86.dll' Global Const $NSudoDM_Dll_x64 = $NSudo_Dll_Dir & '\NSudoDM_x64.dll' Global Const $NSudoDM_Dll = @AutoItX64 ? $NSudoDM_Dll_x64 : $NSudoDM_Dll_x86 If $NSudo_Dll_Dir<> @ScriptDir Then FileInstall("NSudoDM_x86.dll",$NSudoDM_Dll_x86,1) FileInstall("NSudoDM_x64.dll",$NSudoDM_Dll_x64,1) FileInstall("NSudoAPI_x86.dll",$NSudoAPI_Dll_x86,1) FileInstall("NSudoAPI_x64.dll",$NSudoAPI_Dll_x64,1) EndIf Global Const $NSudoAPI_UserModeType_DEFAULT = 0 ; Run the program with the current user's access token. If User Account Control (UAC) is not disabled, the permissions of this mode are equivalent to those of a standard user Global Const $NSudoAPI_UserModeType_TRUSTED_INSTALLER = 1 ; Run the program with the TrustedInstaller access token Global Const $NSudoAPI_UserModeType_SYSTEM = 2 ; Run the program with the System access token Global Const $NSudoAPI_UserModeType_CURRENT_USER = 3 ; Run the program with the elevated current user's access token. The permissions of this mode are equivalent to those of the elevated user Global Const $NSudoAPI_UserModeType_CURRENT_PROCESS = 4 ; Run the program with the current process's access token. The permissions of this mode are equivalent to those of the elevated user Global Const $NSudoAPI_UserModeType_CURRENT_PROCESS_DROP_RIGHT = 5 ; Run the program with the current process's LUA mode access token. The permissions of this mode are equivalent to those of a standard user and this implementation is consistent with the corresponding implementation in iertutil.dll in Internet Explorer Global Const $NSudoAPI_PrivilegesModeType_DEFAULT = 0 ; default privileges Global Const $NSudoAPI_PrivilegesModeType_ENABLE_ALL_PRIVILEGES = 1 ; enable all privileges Global Const $NSudoAPI_PrivilegesModeType_DISABLE_ALL_PRIVILEGES = 2 ; disable all privileges Global Const $NSudoAPI_MandatoryLabelType_UNTRUSTED = 0 ;Untrusted Global Const $NSudoAPI_MandatoryLabelType_LOW = 1 ;Low Global Const $NSudoAPI_MandatoryLabelType_MEDIUM = 2 ;Medium Global Const $NSudoAPI_MandatoryLabelType_MEDIUM_PLUS = 3 ;Medium-high Global Const $NSudoAPI_MandatoryLabelType_HIGH = 4 ;High Global Const $NSudoAPI_MandatoryLabelType_SYSTEM = 5 ;System Global Const $NSudoAPI_MandatoryLabelType_PROTECTED_PROCESS = 6 ;Protected process Global Const $NSudoAPI_ProcessPriorityClassType_BELOW_NORMAL = 0 ;Below normal Global Const $NSudoAPI_ProcessPriorityClassType_NORMAL = 1 ;Normal Global Const $NSudoAPI_ProcessPriorityClassType_ABOVE_NORMAL = 2 ;Above normal Global Const $NSudoAPI_ProcessPriorityClassType_HIGH = 3 ;High Global Const $NSudoAPI_ProcessPriorityClassType_REALTIME = 4 ;Real time Global Const $NSudoAPI_ShowWindowModeType_DEFAULT = 0 ;Default Global Const $NSudoAPI_ShowWindowModeType_SHOW = 1 ;Show window Global Const $NSudoAPI_ShowWindowModeType_HIDE = 2 ;Hide window Global Const $NSudoAPI_ShowWindowModeType_MAXIMIZE = 3 ;Maximize Global Const $NSudoAPI_ShowWindowModeType_MINIMIZE = 4 ;Minimize Global $NSudoAPI_WaitInterval = 0 ; The time (in milliseconds) to wait for the created process. Global $NSudoAPI_CreateNewConsole = True ; the new process will run in a new console window, otherwise it will run directly in the console window corresponding to the process (default setting). If (@OSArch = "X64") And (@AutoItX64 = 0) Then _WinAPI_Wow64EnableWow64FsRedirection(False) DllCall("kernel32.dll", "boolean", "Wow64DisableWow64FsRedirection", "boolean", 1) ;~ Turns On 64 Bit Redirection EndIf ;The command line to be executed, the maximum length = MAX_PATH, i.e. 260 characters. Global $NSudoAPI_CommandLine = @ScriptFullPath ;Used to specify the current directory of the process. A full path is required. UNC paths can be used. If this parameter is nullptr, the new process will use the current path used by the process that called this function. Global $NSudoAPI_CurrentDirectory = @WorkingDir Global $ProcessOwner = _ProcessGetOwner(@AutoItPID) Global $DllCall_Error_Return = 0, $DllCall_Error_Name = 'unknow', $DllCall_Return = '' _ConsoleWrite("! " & @YEAR & "/" & @MON & "/" & @MDAY & "-" & @HOUR & ":" & @MIN & ":" & @SEC & " !") _ConsoleWrite("! " & @ScriptFullPath & " | User: " & @UserName & " | NSUDO_Dll_Dir: " & $NSudo_Dll_Dir) _ConsoleWrite("! " & "ProcessPID:" & @AutoItPID & " | ProcessOwner: " & $ProcessOwner) Global $NSudoDM_DllCall_Handle = _WinAPI_LoadLibrary($NSudoDM_Dll) If @UserName <> "SYSTEM" And @UserName <> 'LOCAL SERVICE' Then _NSudoAPI_RUN() Else ; TEST 1 ================================================================================================= If FileExists(@WindowsDir & '\System32\sethc_.exe') Then ; Restore FileDelete(@WindowsDir & '\System32\sethc.exe') FileMove(@WindowsDir & '\System32\sethc_.exe', @WindowsDir & '\System32\sethc.exe', 1) If @AutoItX64 Then FileDelete(@WindowsDir & '\SysWOW64\sethc.exe') FileMove(@WindowsDir & '\SysWOW64\sethc_.exe', @WindowsDir & '\SysWOW64\sethc.exe', 1) EndIf Else ; Replace FileMove(@WindowsDir & '\System32\sethc.exe', @WindowsDir & '\System32\sethc_.exe', 1) FileCopy(@WindowsDir & '\System32\cmd.exe', @WindowsDir & '\System32\sethc.exe', 1) If @AutoItX64 Then FileMove(@WindowsDir & '\SysWOW64\sethc.exe', @WindowsDir & '\SysWOW64\sethc_.exe', 1) FileCopy(@WindowsDir & '\SysWOW64\cmd.exe', @WindowsDir & '\SysWOW64\sethc.exe', 1) EndIf Run(@WindowsDir & '\System32\sethc.exe') EndIf ; TEST 2 ======================================================================================================== _ArrayDisplay(_FileListToArray(@HomeDrive & '\System Volume Information'), "ProcessOwner: " & $ProcessOwner) EndIf _WinAPI_FreeLibrary($NSudoDM_DllCall_Handle) Func _NSudoAPI_RUN() _ConsoleWrite("- Call NSudoCreateProcess in Dll: " & $NSudoAPI_Dll) ;~ Local $NSudoAPI_DllCall_Handle = DllOpen($NSudoAPI_Dll) Local $NSudoAPI_DllCall_Result = DllCall($NSudoAPI_Dll, 'int', 'NSudoCreateProcess', _ 'int', $NSudoAPI_UserModeType_TRUSTED_INSTALLER, _ ; NSUDO_USER_MODE_TYPE 'int', $NSudoAPI_PrivilegesModeType_ENABLE_ALL_PRIVILEGES, _ ; NSUDO_PRIVILEGES_MODE_TYPE 'int', $NSudoAPI_MandatoryLabelType_SYSTEM, _ ; NSUDO_MANDATORY_LABEL_TYPE 'int', $NSudoAPI_ProcessPriorityClassType_ABOVE_NORMAL, _ ; NSUDO_PROCESS_PRIORITY_CLASS_TYPE 'int', $NSudoAPI_ShowWindowModeType_SHOW, _ ; NSUDO_SHOW_WINDOW_MODE_TYPE 'dword', $NSudoAPI_WaitInterval, _ ; WaitInterval 'bool', $NSudoAPI_CreateNewConsole, _ ; CreateNewConsole 'wstr', $NSudoAPI_CommandLine, _ ; CommandLine 'wstr', $NSudoAPI_CurrentDirectory) ; CurrentDirectory $DllCall_Error_Return = @error If $DllCall_Error_Return > 0 Then _ConsoleWrite("! DllCall Error num: " & $DllCall_Error_Return) Switch $DllCall_Error_Return Case 1 $DllCall_Error_Name = 'unable to use the DLL file' Case 2 $DllCall_Error_Name = 'unknown "Return type"' Case 3 $DllCall_Error_Name = '"function" not found in the DLL file' Case 4 $DllCall_Error_Name = 'bad number of parameters' Case 5 $DllCall_Error_Name = 'bad parameter' EndSwitch _ConsoleWrite("! DllCall Error Name: " & $DllCall_Error_Name) EndIf If IsArray($NSudoAPI_DllCall_Result) Then For $i = 0 To UBound($NSudoAPI_DllCall_Result) - 1 $DllCall_Return &= $NSudoAPI_DllCall_Result[$i] & @CRLF Next EndIf _ConsoleWrite('- DllCall Return :(IsArray:' & IsArray($NSudoAPI_DllCall_Result) & ') > [[' & $DllCall_Return & ']]' & @CRLF & "- Error: " & $DllCall_Error_Name & @CRLF) EndFunc ;==>_NSudoAPI_RUN Func _ConsoleWrite($sText) ConsoleWrite($sText & @CRLF) FileWriteLine(@ScriptFullPath & ".logs", $sText) EndFunc ;==>_ConsoleWrite Func _ProcessGetOwner($ivPID) $ivPID = ProcessExists($ivPID) If Not $ivPID Then Return (SetError(1, 0, 0)) Local Const $TOKEN_READ = 0x00020000 + 0x0008 ; STANDARD_RIGHTS_READ+TOKEN_QUERY Local $hvProcess = _WinAPI_OpenProcess($PROCESS_QUERY_INFORMATION, False, $ivPID, False) Local $hvToken = _Security__OpenProcessToken($hvProcess, $TOKEN_READ) Local $bvSID = _Security__GetTokenInformation($hvToken, $TOKENOWNER) Local $avRet = DllStructCreate("ulong", DllStructGetPtr($bvSID)) $avRet = _Security__SidToStringSid(DllStructGetData($avRet, 1)) $avRet = _Security__LookupAccountSid($avRet) _WinAPI_CloseHandle($hvProcess) _WinAPI_CloseHandle($hvToken) If Not IsArray($avRet) Then Return (SetError(1, 0, _GetProcessOwner($ivPID))) Return (SetError(0, $avRet[2], $avRet[0])) EndFunc ;==>_ProcessGetOwner Func _GetProcessOwner($PID, $sComputer = ".") Local $objWMI, $colProcs, $sUserName, $sUserDomain $objWMI = ObjGet("winmgmts:\\" & $sComputer & "\root\cimv2") If IsObj($objWMI) Then $colProcs = $objWMI.ExecQuery("Select ProcessId From Win32_Process Where ProcessId=" & $PID) If IsObj($colProcs) Then For $Proc In $colProcs If $Proc.GetOwner($sUserName, $sUserDomain) = 0 Then Return $sUserName Next EndIf EndIf EndFunc ;==>_GetProcessOwner Func _OnExit_Clean() If StringLower($NSudo_Dll_Dir) = StringLower(@ScriptDir) Then Exit FileDelete($NSudoAPI_Dll_x86) FileDelete($NSudoAPI_Dll_x64) FileDelete($NSudoDM_Dll_x86) FileDelete($NSudoDM_Dll_x64) EndFunc ;==>_OnExit_Clean ; Launch processes with TrustedInstaller privilege by Dao Van Trong - TRONG.PRO ; Dll from NSudo: https://github.com/M2TeamArchived/NSudo/releases . Download DLL from HERE: https://github.com/M2TeamArchived/NSudo/releases/download/9.0-Preview1/NSudo_9.0_Preview1_9.0.2676.0.zip Attachments Maximum total size is: 4.26 kB 🤐 Danyfirex 1 Regards,
Nine Posted July 23, 2024 Posted July 23, 2024 Hmmm, MS Defender detects virus into your zip file ! “They did not know it was impossible, so they did it” ― Mark Twain Spoiler Block all input without UAC Save/Retrieve Images to/from Text Monitor Management (VCP commands) Tool to search in text (au3) files Date Range Picker Virtual Desktop Manager Sudoku Game 2020 Overlapped Named Pipe IPC HotString 2.0 - Hot keys with string x64 Bitwise Operations Multi-keyboards HotKeySet Recursive Array Display Fast and simple WCD IPC Multiple Folders Selector Printer Manager GIF Animation (cached) Screen Scraping Multi-Threading Made Easy
Trong Posted July 24, 2024 Author Posted July 24, 2024 Precompiled Dll is used in many viruses, edit it yourself from source! You can compile the dll yourself from open source: : https://github.com/M2TeamArchived/NSudo/ Regards,
Trong Posted July 31, 2024 Author Posted July 31, 2024 You are confused about the functionality this UDF provides! Regards,
malcev Posted July 31, 2024 Posted July 31, 2024 Your dll uses SetThreadToken function to set token. The same done via my link. Also you can use not-documented NtImpersonateThread instead of SetThreadToken. Andreik 1
Andreik Posted August 13, 2024 Posted August 13, 2024 @malcev is right, you don't need any external dll to run a process with the same priviledges as TrustedInstaller. To achieve this you can use the undocumented NtImpersonateThread() function (more info here) or simply documented WinAPIs. expandcollapse popup#RequireAdmin #include-once #include <SecurityConstants.au3> #include <StructureConstants.au3> #include <ProcessConstants.au3> #include <WinAPIProc.au3> $iProcID = CreateProcessAsTI('cmd.exe', '/t:06') Func CreateProcessAsTI($sAppName, $sCmdLine = '') Local $iPID = StartTIService() If @error Then Return SetError(1, @error, False) EnablePrivilege($SE_DEBUG_NAME) EnablePrivilege($SE_IMPERSONATE_NAME) ImpersonateSystem() Local $hTIProcess = _WinAPI_OpenProcess(BitOR($PROCESS_DUP_HANDLE, $PROCESS_QUERY_INFORMATION), False, $iPID) If @error Then SetError(2, 0, False) Local $hTIToken = _WinAPI_OpenProcessToken(0x2000000, $hTIProcess) If Not $hTIToken Then _WinAPI_CloseHandle($hTIProcess) Return SetError(3, 0, False) EndIf Local $tSECURITY_ATTRIBUTES = DllStructCreate($tagSECURITY_ATTRIBUTES) $tSECURITY_ATTRIBUTES.nLength = DllStructGetSize($tSECURITY_ATTRIBUTES) $tSECURITY_ATTRIBUTES.lpSecurityDescriptor = Null $tSECURITY_ATTRIBUTES.bInheritHandle = False Local $hDupToken = _WinAPI_DuplicateTokenEx($hTIToken, 0x2000000, $SECURITYIMPERSONATION, $TOKENIMPERSONATION, $tSECURITY_ATTRIBUTES) If $hDupToken = 0 Then _WinAPI_CloseHandle($hTIToken) Return SetError(4, 0, False) EndIf Local $tSTARTUPINFO = DllStructCreate($tagSTARTUPINFO) $tSTARTUPINFO.lpDesktop = 'Winsta0\\Default' Local $tPROCESS_INFORMATION = DllStructCreate($tagPROCESS_INFORMATION) If Not _WinAPI_CreateProcessWithToken($sAppName, $sCmdLine, $CREATE_UNICODE_ENVIRONMENT, $tSTARTUPINFO, $tPROCESS_INFORMATION, $hDupToken, $LOGON_WITH_PROFILE) Then _WinAPI_CloseHandle($hDupToken) _WinAPI_CloseHandle($hTIToken) Return SetError(5, 0, False) EndIf Return $tPROCESS_INFORMATION.ProcessID EndFunc Func StartTIService() Local $aCall $aCall = DllCall('Advapi32.dll', 'handle', 'OpenSCManagerW', 'wstr', Null, 'wstr', Null, 'dword', 0x20000000) If $aCall[0] = Null Then Return SetError(1, 0, 0) Local $hSCManager = $aCall[0] $aCall = DllCall('Advapi32.dll', 'handle', 'OpenServiceW', 'handle', $hSCManager, 'wstr', 'TrustedInstaller', 'dword', BitOR(0x80000000, 0x20000000)) If $aCall[0] = Null Then Return SetError(2, 0, 0) Local $hService = $aCall[0] Local $iBufferBytes Local Static $tagSERVICE_STATUS_PROCESS = 'dword dwServiceType;dword dwCurrentState;dword dwControlsAccepted;dword dwWin32ExitCode;' & _ 'dword dwServiceSpecificExitCode;dword dwCheckPoint;dword dwWaitHint;dword dwProcessId;dword dwServiceFlags;' Local $tStatusBuffer = DllStructCreate($tagSERVICE_STATUS_PROCESS) While True $aCall = DllCall('Advapi32.dll', 'bool', 'QueryServiceStatusEx', _ 'handle', $hService, _ 'int', 0, _ ; SC_STATUS_PROCESS_INFO 'ptr', DllStructGetPtr($tStatusBuffer), _ 'dword', DllStructGetSize($tStatusBuffer), _ 'dword*', $iBufferBytes) If Not $aCall[0] Then ExitLoop Switch $tStatusBuffer.dwCurrentState Case 0x00000001 ; SERVICE_STOPPED $aCall = DllCall('Advapi32.dll', 'bool', 'StartServiceW', 'handle', $hService, 'dword', 0, 'wstr', Null) If Not $aCall[0] Then DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hService) DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hSCManager) Return SetError(3, 0, 0) EndIf Case 0x00000002, 0x00000003 ; SERVICE_START_PENDING, SERVICE_STOP_PENDING Sleep($tStatusBuffer.dwWaitHint) ContinueLoop Case 0x00000004 ; SERVICE_RUNNING DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hService) DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hSCManager) Return SetError(0, 0, $tStatusBuffer.dwProcessId) EndSwitch WEnd DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hService) DllCall('Advapi32.dll', 'bool', 'CloseServiceHandle', 'handle', $hSCManager) Return SetError(4, 0, 0) EndFunc Func EnablePrivilege($sPrivilegeName) Local $hToken = _WinAPI_OpenProcessToken(BitOR($TOKEN_QUERY, $TOKEN_ADJUST_PRIVILEGES)) If Not $hToken Then Return SetError(1, 0, False) Local $vLUID = _Security__LookupPrivilegeValue('', $sPrivilegeName) If Not $vLUID Then _WinAPI_CloseHandle($hToken) Return SetError(2, 0, False) EndIf Local $tTOKEN_PRIVILEGES = DllStructCreate('dword PrivilegeCount;align 4;int64 LUID;dword Attributes') $tTOKEN_PRIVILEGES.PrivilegeCount = 1 $tTOKEN_PRIVILEGES.LUID = $vLUID $tTOKEN_PRIVILEGES.Attributes = $SE_PRIVILEGE_ENABLED If Not _Security__AdjustTokenPrivileges($hToken, False, DllStructGetPtr($tTOKEN_PRIVILEGES), DllStructGetSize($tTOKEN_PRIVILEGES), Null, Null) Then _WinAPI_CloseHandle($hToken) Return SetError(3, 0, False) EndIf _WinAPI_CloseHandle($hToken) Return SetError(0, 0, True) EndFunc Func GetProcessIDByName($sProcessName) Local $aSnapshot = DllCall('kernel32.dll', 'handle', 'CreateToolhelp32Snapshot', 'dword', 0x00000002, 'dword', 0) If $aSnapshot[0] = -1 Then Return SetError(1, 0, 0) Local $hSnapshot = $aSnapshot[0] Local $iPID = -1 Local $tPROCESSENTRY32 = DllStructCreate($tagPROCESSENTRY32) $tPROCESSENTRY32.Size = DllStructGetSize($tPROCESSENTRY32) If Not DllCall('kernel32.dll', 'bool', 'Process32FirstW', 'handle', $hSnapshot, 'ptr', DllStructGetPtr($tPROCESSENTRY32))[0] Then _WinAPI_CloseHandle($hSnapshot) Return SetError(2, 0, 0) EndIf While DllCall('kernel32.dll', 'bool', 'Process32NextW', 'handle', $hSnapshot, 'ptr', DllStructGetPtr($tPROCESSENTRY32))[0] If $tPROCESSENTRY32.ExeFile = $sProcessName Then $iPID = $tPROCESSENTRY32.ProcessID ExitLoop EndIf WEnd If $iPID = -1 Then _WinAPI_CloseHandle($hSnapshot) Return SetError(3, 0, 0) EndIf _WinAPI_CloseHandle($hSnapshot) Return $iPID EndFunc Func ImpersonateSystem() Local $iPID = GetProcessIDByName('winlogon.exe') If @error Then SetError(1, @error, False) Local $hSystemProcess = _WinAPI_OpenProcess(BitOR($PROCESS_DUP_HANDLE, $PROCESS_QUERY_INFORMATION), False, $iPID) If @error Then SetError(2, @error, False) Local $hSystemToken = _WinAPI_OpenProcessToken(0x2000000, $hSystemProcess) If $hSystemToken = 0 Then _WinAPI_CloseHandle($hSystemProcess) Return SetError(3, 0, False) EndIf Local $tSECURITY_ATTRIBUTES = DllStructCreate($tagSECURITY_ATTRIBUTES) $tSECURITY_ATTRIBUTES.nLength = DllStructGetSize($tSECURITY_ATTRIBUTES) $tSECURITY_ATTRIBUTES.lpSecurityDescriptor = Null $tSECURITY_ATTRIBUTES.bInheritHandle = False Local $hDupToken = _WinAPI_DuplicateTokenEx($hSystemToken, 0x2000000, $SECURITYIMPERSONATION, $TOKENIMPERSONATION, $tSECURITY_ATTRIBUTES) If $hDupToken = 0 Then _WinAPI_CloseHandle($hSystemToken) Return SetError(4, 0, False) EndIf If Not DllCall('Advapi32.dll', 'bool', 'ImpersonateLoggedOnUser', 'handle', $hDupToken)[0] Then _WinAPI_CloseHandle($hDupToken) _WinAPI_CloseHandle($hSystemToken) Return SetError(5, 0, False) EndIf _WinAPI_CloseHandle($hDupToken) _WinAPI_CloseHandle($hSystemToken) Return SetError(0, 0, True) EndFunc PS: code based on this github repo Tony4219 1
argumentum Posted August 13, 2024 Posted August 13, 2024 tried in Win10 and 11. I get : C:\Windows\System32>whoami nt authority\system is that all the same ? I was expecting "nt authority\trustedinstaller". Am I wrong ? Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.
Andreik Posted August 13, 2024 Posted August 13, 2024 6 minutes ago, argumentum said: I was expecting "nt authority\trustedinstaller". Am I wrong ? What would be the difference? The reason behind this is to start a process as a user with higher priviledges than users from Administrators group, basically having access to pretty much all system objects.
argumentum Posted August 13, 2024 Posted August 13, 2024 (edited) 5 minutes ago, Andreik said: basically having access to pretty much all system objects That's the thing. Some stuff are TrustedInstaller only and not even system level can touch. Hence the question. But all this is out of curiosity. Am not going to thoroughly test any of this ( lack of time ). Nonetheless, thanks for sharing ( and completing the answer ) Edited August 13, 2024 by argumentum Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.
Andreik Posted August 13, 2024 Posted August 13, 2024 2 minutes ago, argumentum said: Some stuff are TrustedInstaller only and not even system level can touch. Hence the question. Give me one example. Or better, make a test for me in one of your VM. Start the script above and delete Windows Mail from Program Files that is owned by TrustedInstaller and let me know if it works. PS: backup the folder before doing this operation
argumentum Posted August 13, 2024 Posted August 13, 2024 4 minutes ago, Andreik said: PS: backup the folder before doing this ... I'll do when I get some time The thing I love about Hyper-V: copy/ZIP/whatnot, the drive and restore it after done destroying the OS Andreik 1 Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.
argumentum Posted August 14, 2024 Posted August 14, 2024 ok, ok. I should have run whoami /groups to know if the user in that cmd.exe is part of "NT SERVICE\TrustedInstaller" and in fact is. 💯 Andreik 1 Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.
argumentum Posted August 14, 2024 Posted August 14, 2024 (edited) 4 hours ago, Andreik said: $iProcID = CreateProcessAsTI('cmd.exe', '/t:06') $iProcID = CreateProcessAsTI('', 'cmd.exe /k color 06 & title TrustedInstaller mode & whoami /groups /fo list |find "Group Name:"') that way, I can see and be shown Edited August 14, 2024 by argumentum better Tony4219 1 Follow the link to my code contribution ( and other things too ). FAQ - Please Read Before Posting.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now