
Taking back the Registry from TrustedInstaller


fdv


Sorry to resume this old thread, but I believe RunAsSystem, RunFromToken and Devxexec are the only commands that can help me.

I am trying to build a Windows 7 system with the highest performance possible when logged in as a specific user. The goal is to run psychological experiments.

My idea was to create a simple batch that stops, e.g., the antivirus program; specifically it's System Center Endpoint, which is hardened by Microsoft, and I found out that only "TrustedInstaller" is able to stop it.

In fact, if I run the above commands as written in this thread, I am able to stop the MsMpSVC service.

 

 

So I was wondering if they can work if run from inside Task Scheduler, as SYSTEM I suppose.

 

thanks



  • 6 months later...

Good evening, I'm new to this forum. I need to add a registry key under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] path in regedit. The problem is that it only lets me do it if I open regedit as TrustedInstaller. I was able to open it as TrustedInstaller using an executable found on the net, "RunAsTI64". This way I have to do it manually; what I wanted to do was to create an executable or .bat file that adds the key. Can someone help me? Thank you
Simone


Yes :), "RunAsTI64" is the "evolution" of the programs discussed here; joakim (Joakim Schicht) released it on GitHub:

https://github.com/jschicht/RunAsTI

 

 

RunAsTI or RunAsTrustedInstaller

Is a tool to launch a program of choice (usually cmd.exe) with the same privileges as the TrustedInstaller. That privilege is very powerful! Actually the tool makes a clone of the token from TrustedInstaller, and thus the newly created process has an identical token.

Why would you need it? Sometimes it is just not enough to be running as "nt authority\system". Maybe it's a file or a registry key that is locked. Running a tool with this powerful privilege most likely solves that. Usually such an issue may be due to Windows Resource Protection (WRP) protecting it (previously called Windows File Protection (WFP)); http://msdn.microsoft.com/en-us/library/windows/desktop/aa382503(v=vs.85).aspx

How do you run it? Simply double click it and cmd.exe will launch. Or pass it the program to launch as parameter.

The tool is actually a merge of 2 previous tools; RunAsSystem and RunFromToken. The curious ones might notice that RunFromToken is attached as a resource.

The tool only runs on nt6.x (Vista and later), since TrustedInstaller does not exist on earlier Windows versions.

Requirement: Administrator. 

 

 

So what is the question? :unsure:

Which program to use as parameter?

A batch with REG.EXE command(s) should do nicely, maybe even directly a REG.EXE ADD command.

https://technet.microsoft.com/en-us/library/cc732643.aspx

https://technet.microsoft.com/en-us/library/cc742162.aspx#BKMK_examples

 

jaclaz


Hi,

I run runasti64 by passing it the program to launch as parameter; I created this batch file and I tried to use the reg add command, but it doesn't work.

 

This is the batch file I use to call runasti64:

runasti64.exe reg import C:\Users\d.reg

and this is the d.reg file that I need to add:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"mykey"="H:\\\\program.exe"

Where am I wrong?

I hope I explained myself better,

 

Thanks, Simone.

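As an added example (not code from this thread or from RunAsTI), a small Python parser for the .reg format shown above: it checks for the header line that reg.exe requires, reads the string values, undoes .reg escaping, and lists what an import would place under an autostart Run key. The sample text is the d.reg from the post, reconstructed with its line breaks; key paths, value names and the parser itself are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

REG_HEADER = "Windows Registry Editor Version 5.00"
AUTOSTART_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

# Constructed sample: the post's d.reg with its line breaks restored and a trailing blank line.
SAMPLE_REG = "\r\n".join([
    REG_HEADER,
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]",
    r'"mykey"="H:\\\\program.exe"',
    "", "",
])

def unescape_reg_string(s: str) -> str:
    """Undo .reg escaping: a backslash before '\\' or '"' is dropped."""
    return re.sub(r'\\(["\\])', r'\1', s)

def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg file into {key_path: {value_name: data}}; string data is
    unescaped, dword:/hex: data is kept as written, a missing header raises."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("missing .reg header line")
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].rstrip("\\")  # tolerate a trailing backslash
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if m is None or current is None:
            raise ValueError(f"unparsable line: {line!r}")
        name = "(Default)" if m.group(1) == "@" else unescape_reg_string(m.group(2))
        data = m.group(3)
        if len(data) >= 2 and data[0] == data[-1] == '"':
            data = unescape_reg_string(data[1:-1])
        keys[current][name] = data
    return keys

def autostart_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(key, value name, command) for every value under a Run/RunOnce key."""
    return [(k, n, d) for k, vals in keys.items()
            if k.lower().endswith(AUTOSTART_SUFFIXES) for n, d in vals.items()]
```

Run over a .reg file before importing it with TrustedInstaller rights, this shows exactly what the import will add; note that the sample's `\\\\` decodes to a doubled backslash in the stored path, since .reg syntax needs only `\\` per backslash.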

Yes, the file has the two blank lines at the end, but it's not working.
It gives me this message:

 

(three screenshots attached, not reproduced here)

But if I open runasti64 by double-clicking on the icon, and then from the command prompt that opens I type d.reg, the prompt adds the key correctly.

 

(two screenshots attached, not reproduced here)

 

I don't understand what I'm doing wrong...

Can someone help me?

thanks

Simone


Try it this other way, running a batch instead:

runasti64.exe mynicecmd.cmd

 

 

Contents of mynicecmd.cmd:

::This file runs reg.exe to import a .reg file
ECHO OFF
ECHO This is a batch file
ECHO Next command will be reg.exe import C:\users\d.reg
PAUSE
reg.exe import C:\Users\d.reg
PAUSE

It is possible that RunasTI does not pass all parameters correctly (or only accepts a single parameter, i.e. the name of the executable); the error you are experiencing is most probably the one in the third screenshot (syntax of reg.exe), which is the same one you get if running reg.exe with no parameters.

 

jaclaz


Hi, I tried this way but it doesn't work; now it gives me this error message:

(screenshot 3.png attached, not reproduced here)

 

thanks for your help,

Simone

No. :no: It's difficult to follow you this way.

You should try running the batch I posted and post the whole thing, including the command line you issued.

 

What you posted seems like an error because the system cannot find the file mynicecmd.cmd; it is possible that you need to specify a full path to it, *like*:

runasti64.exe C:\users\mynicecmd.cmd

 

 

@dencorso

Maybe you could split the topic to a new thread, so that we can go through assisting simonetaddei without taking the original trustedinstaller topic too OT. :unsure:

 

jaclaz


Thanks, it works!! :yes:

 

I split the topic here anyway

 

http://www.msfn.org/board/topic/174785-how-to-use-runasti64exe-without-asking-confirm-at-user-split-from-httpwwwmsfnorgboardtopic155910-taking-back-the-registry-from-trustedinstallerpage-3/

 

because I had another question.

thank you so much for helping me.
Simone


  • 3 weeks later...

I ran runasti on my vi.6.1 32-bit system, and got it to run cmd.exe.

 

From this cmd.exe session, I launched programs, like fcw.exe (a File Commander/W, a port of an OS/2 program), and changed to the gwx directory (\windows\system32\gwx). I renamed all the .EXE and .?AT files to .EX_ and .?A_

 

So I imagine the trick is to fire up cmd.exe and run the various batch files in order from that prompt. I do the same thing with my setup, where batch 0xxxx are run first, then 1xxxx etc. If you make a change to something like 1xxxx, then the various later ones have to be run.

 

Jolly good show, and another happy camper here!


It's even more interesting. 

 

I started "runasti cmd.exe" and this gives me a command prompt.

 

I then use fcw to find the GWX files as above.

 

I then run autoruns.exe (Sysinternals), and kill all of the GWX proggies out of there.  It says it can't find the EXEs.

 

From GWX control panel, the program can't even find the EXEs.

 

The system boots nicely, and it is no longer a case of "you are allowed to run your system between updates".


Oh yes, you can indeed fire up your favourite reg editor, and like all god-mode things, you can poke your nose into areas normally denied, such as SAM and SECURITY. 

 

The more i explore GWX, the more it looks like these browser-extension viruses like bonzo search engines. 

 

Autoruns will happily launch the tasks programs, so it seems that it's a pretty awesome version of 'power-prompt'.

 

I should imagine that it is the right place to run batches in. CDF (which is my generic W2K batch written around Frank Westlake's 'conset') works. This batch runs under cmd.exe, and changes drive and directory to any named directory in the shell directories, and you can create in the registry your own 'shell-folder' set, so e.g. "cdf batch" changes to the batch folder.

 

It also can open the registry at the appropriate page so you can have a peek.

 

So I should imagine it's not hard to make a registry entry for 'tweaks', and cdf tweaks, and run your batch files from there.

 

Use regmagik or regjump to handle the reg:hklm thing.  Both of them support it.

 

@echo off
:: cd shell folder.
:: Needs Frank Westlake's conset (reads a registry value into a variable) and shelexec.
:: Usage: cdf <name>     change to the shell folder <name>
::        cdf /o <name>  open that folder instead of changing to it
::        cdf /m | /u | /w | /i  open the HKLM/HKCU/Wendy/IFEO key in the registry editor
set zdir=
set zshf=Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
if /i "%1"=="/m" goto :hklm
if /i "%1"=="/u" goto :hkcu
if /i "%1"=="/w" goto :hkwe
if /i "%1"=="/i" goto :image
set zcmd=chdir
set zhere=%*
if "%1"=="/o" set zcmd=open
if "%1"=="/o" set zhere=%zhere:~3%
:: Look the name up under HKLM, then HKCU, then the private Wendy\Folders key.
conset /q /k zdir=HKLM\%zshf%\%zhere%
if not "%zdir%"=="" goto :doit
conset /q /k zdir=HKCU\%zshf%\%zhere%
if not "%zdir%"=="" goto :doit
conset /q /k zdir=HKLM\Software\Wendy\Folders\%zhere%
if not "%zdir%"=="" goto :doit
goto :end
:hklm
shelexec reg:hklm\%zshf%
goto :end
:hkcu
shelexec reg:hkcu\%zshf%
goto :end
:hkwe
shelexec reg:hklm\software\wendy\folders
goto :end
:image
set zdir=Microsoft\Windows NT\CurrentVersion\Image File Execution Options
shelexec reg:hklm\software\%zdir%
goto :end
:doit
set zcxm=
if %zcmd%==chdir cd /d %zdir%
if %zcmd%==open shelexec %zdir%
:end
set zdir=
