Okay. For those of you just tuning in, Joakim has actually managed to do what several folks including myself had said was not possible -- open a CMD prompt with TrustedInstaller permissions.
Life happens fast, and so did this thread. Here's how to do it in one post. Thanks to all of you who contributed your wisdom. Like CoffeeFiend, I'm also kind of lost as to how we managed to get here.
------------How to open a CMD prompt with TrustedInstaller permissions
Install PSList - http://technet.micro...ernals/bb896682
Install Procexp - http://technet.micro...ernals/bb896653
Install Session0Injectors from Payload Execution Tools v.2 - http://reboot.pro/fi...xecution-tools/
Install netcat - http://www.securityfocus.com/tools/139
You must do the next part fairly quickly, because once you start the TrustedInstaller service, it's not going to run all day... it stays running for a short while and stops.
Scroll to Windows Modules Installer
Right click, select 'start'
Open a command prompt and type pslist trustedinstaller and get the PID, or launch ProcExp and get the PID.
Let's call that number '4321' (of course it will be different on your system)
Let's also pick a port to run netcat on -- say '6789'
"Now run netcat as a daemon serving cmd.exe for you on port 6789 by typing the following"
Session0Cmd 4321 "nc -l -p 6789 -d -e cmd"
(By the way, that -l is the letter l, not the digit one. If your system is 64-bit Windows, you'll use Session0Cmd_x64 here.)
If you got an error about an invalid PID, it means that the TrustedInstaller service stopped again. Go restart it. (When you do, it will have yet another PID.)
"Now netcat is running as a daemon and serving cmd.exe for you on port 6789. To connect to it and obtain the actual TI-privileged cmd, open a cmd window and use this command"
nc localhost 6789
Thanks again to Joakim for this bit of cleverness!
(I'm sure you'll all let me know if I need to make edits...)
Edited by fdv, 21 March 2012 - 01:07 AM.
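For anyone who wants to spot this sequence in process-creation logs, here is a detection sketch over constructed sample events. It is an added example, not part of the original post or of any tool named in it. The field names follow Sysmon Event ID 1, the PIDs and paths are made up, and two things are assumptions: that the injected command shows TrustedInstaller.exe as its parent, and that the service has no legitimate children in your baseline.

```python
import shlex
from ntpath import basename  # parses Windows paths on any OS

# Constructed process-creation records; field names follow Sysmon Event ID 1.
EVENTS = [
    {"pid": 4321, "ppid": 612, "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "CommandLine": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"pid": 5000, "ppid": 4321, "Image": r"C:\Tools\nc.exe",
     "CommandLine": "nc -l -p 6789 -d -e cmd"},
    {"pid": 5044, "ppid": 5000, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd"},
    {"pid": 7001, "ppid": 3100, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c dir C:\Users"},
]

SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: empty allowlist; fill it in from your own baseline of the service.
ALLOWED_TI_CHILDREN = set()

def is_exec_listener(command_line):
    """True for a netcat-style listener that hands a program to whoever connects."""
    args = shlex.split(command_line, posix=False)[1:]
    return "-l" in args and "-e" in args  # separate flags only, as in the post

def detect(events):
    """Return (pid, reason) findings for one batch of process-creation events."""
    image_of = {e["pid"]: basename(e["Image"]).lower() for e in events}
    listeners = {e["pid"] for e in events if is_exec_listener(e["CommandLine"])}
    findings = []
    for e in events:
        parent = image_of.get(e["ppid"], "")
        child = basename(e["Image"]).lower()
        if e["pid"] in listeners:
            findings.append((e["pid"], "listener started with -e"))
        if parent == "trustedinstaller.exe" and child not in ALLOWED_TI_CHILDREN:
            findings.append((e["pid"], "unexpected child of TrustedInstaller.exe"))
        if e["ppid"] in listeners and child in SHELLS:
            findings.append((e["pid"], "shell served by listener"))
    return findings

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The ordinary cmd.exe (PID 7001) is not flagged; only the listener and the shell it serves are.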