About RobW

Profile Information

  • OS
    none specified
Based on the previous answers, I've created a batch script which opens a cmd screen under TrustedInstaller.exe. But since TrustedInstaller.exe is running under SYSTEM, I'm not sure how the method gives me the permissions of TrustedInstaller. The script has been tested in Windows 7 and 8 x86. Instead of injecting "cmd", I inject a batch file which slightly modifies the output, because otherwise the command is returned twice. For example:

```
C:>@echo test
@echo test
test
```

The script uses ncat from nmap.org and Session0Injector. The script expects these dependencies to be located in a subfolder called "deps".

runasti.cmd - Has to be run as administrator

```batch
:: Inspired by http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/page__st__20#entry993083
:: This is the 32bit version. For 64bits, change Session0Cmd to Session0Cmd_x64
:: Edit this script to execute a shell under any process, replace "trustedinstaller" in FIND with ...
:: Run as ADMINISTRATOR
:: Pick a random port between 10000 and 42767 and assume that it's free.
@SET /A PORT=%random% + 10000
@SET Session0Cmd=%~dp0deps\Session0Cmd.exe
@SET NETCAT=%~dp0deps\ncat.exe
@SET EXECUTE=%~dp0init.cmd
@echo off
IF NOT EXIST "%Session0Cmd%" (
    echo Session0Injector is required.
    echo Get it from http://reboot.pro/files/download/171-payload-execution-tools/
    goto:eof
)
IF NOT EXIST "%NETCAT%" (
    echo Ncat is required.
    echo Get it from http://nmap.org/ncat/
    goto:eof
)
echo Starting TrustedInstaller if not started...
SC query "trustedinstaller" | FIND /i "RUNNING" > NUL || NET start TrustedInstaller
SETLOCAL EnableDelayedExpansion
echo Getting PID for TrustedInstaller.exe...
FOR /F "tokens=2,3" %%P in ('tasklist ^|FIND /i "trustedinstaller"') DO SET PID=%%P
IF "%PID%"=="" (
    echo Pid not found. Cannot continue.
) ELSE (
    :: The closing paren is escaped so it does not end the ELSE block.
    echo Starting server (logging messages at %%tmp%%\runasti.log^)
    "%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log"
    echo Connecting server...
    "%NETCAT%" localhost %PORT%
)
ENDLOCAL
```

init.cmd - This script will be injected in the process, and spawn a new cmd.

```batch
:: Set token file. When this file is deleted, all child processes should terminate
@set token=%tmp%\ti_shell_%random%
@type nul > "%token%"
:keepalive
@cmd /c ""%~dp0subshell.cmd" token "%token%"" 2>&1
:: The subshell will die for syntax errors. Keep reviving, unless the token file has been deleted.
@if exist "%token%" @goto:keepalive
```

subshell.cmd - This one processes commands. When a syntax error occurs (e.g. using a pipe as a command), the batch script terminates. That's why I chose to run a main batch process, which starts child processes. This behaviour is controlled by a temporary file in %tmp%: when this file is deleted, the main process assumes that the user issued "exit".

```batch
@echo off
:: This script should never run without parent
@if not "%~1"=="token" goto:eof
@setlocal EnableDelayedExpansion
@for /f "tokens=*" %%u in ('whoami') do echo Running as %%u
:: Add the script's own directory to PATH (%~dp0; the original %~fd0 expands to the script's file path, not its folder)
@set Path=%path%;%~dp0
:repeat
:: Stop when the parent's token file is gone
@if not exist "%~f2" goto:eof
:: Get user input
@set command=
@set /p command=*%cd%^>
:: When command is "exit", delete token file and exit
@if /i "!command:~0,4!"=="exit" del "%~f2" && goto:eof
:: Execute command, and repeat
@for /f "tokens=*" %%C in ('echo %command%') do @%%C
@goto:repeat
```
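One thing worth checking before using a script like the one above: `ncat -l -p %PORT%` binds the listener to every interface, so while it waits for the local client, any host that can reach the machine could connect and receive the shell, and the script only assumes the random port is free. The following is an added example, not the poster's code, that shows the original listener line next to a hardened form which binds to loopback only, rejects non-local peers with ncat's `--allow`, and refuses to start if the port is already in use. The PID is taken from the command line here (hypothetical; runasti.cmd obtains it from tasklist), and the variable values are assumed to match the posted script.

```batch
@echo off
SETLOCAL
:: Same variables as runasti.cmd; the paths are assumptions for this example.
SET Session0Cmd=%~dp0deps\Session0Cmd.exe
SET NETCAT=%~dp0deps\ncat.exe
SET EXECUTE=%~dp0init.cmd
SET /A PORT=%random% + 10000

:: Hypothetical argument for the example: the target PID is passed on the command line.
SET PID=%1
IF "%PID%"=="" (
    echo Usage: %~nx0 ^<pid^>
    goto:eof
)

:: Do not assume the random port is free: netstat -an lists listening sockets,
:: findstr /r matches the port followed by LISTENING on the same line.
netstat -an | findstr /r /c:":%PORT% .*LISTENING" > NUL && (
    echo Port %PORT% is already in use, run the script again.
    goto:eof
)

:: Original listener line from runasti.cmd (listens on all interfaces):
::   "%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log"
:: Hardened form: -l 127.0.0.1 binds only to the loopback address, and
:: --allow 127.0.0.1 makes ncat refuse any peer that is not the local machine.
:: The script itself only ever connects from localhost, so nothing is lost.
"%Session0Cmd%" %PID% "%NETCAT% -l 127.0.0.1 %PORT% --allow 127.0.0.1 -e %EXECUTE%" >> "%tmp%\runasti.log"
echo Connecting server...
"%NETCAT%" 127.0.0.1 %PORT%
ENDLOCAL
```

Because ncat exits after the first client disconnects unless `-k` is given, the exposure window of the original line is short, but binding to loopback closes it entirely; the log file in `%tmp%` is still the place to look if Session0Cmd fails to start the listener.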