Taking back the Registry from TrustedInstaller



#51
jaclaz
    The Finder
  • Developer
  • 14,654 posts
  • Joined 23-July 04
If I may :unsure: , it seems to me like we are in a CATCH22 situation :w00t: .
joakim needs some feedback to hopefully fix the issue but does not provide an EXACT set of instructions/list of tests needed.
tommyp needs the utility working and is willing to do tests but doesn't know which EXACT tests to carry out and HOW EXACTLY to report them.
Additionally it seems to me like there is a lot of mixing between two tools, the RunFromToken one and the RunasSystem, additionally made complex by the existence of a 32 and of a 64 bit version.

Maybe if a list of what tests are useful and how to exactly perform them with the various programs and on the different platforms was given, some progress could be made....

jaclaz

#52
joakim
    Member
  • 154 posts
  • Joined 18-November 09
In short, and as the name could imply, RunasSystem will let you open any program in your session as local system. That is nice and very easy.

However, sometimes you may want to mimic a certain token by creating a new process with a duplicated token, with more power than what winlogon.exe would give you, for instance the trustedinstaller. But for creating a true duplicate (something devxexec actually doesn't) of the trustedinstaller's token, we must be local system in the first place, hence the requirement for the strange procedure that not everybody understood. It is thus for that reason that RunasSystem must launch RunFromToken, in order to access and create a primary token (duplicate) of, for instance, the trustedinstaller. This requirement may not be necessary when creating duplicates of other less picky process tokens.

In addition to the above requirement, I noticed that you may need certain privileges on the process in order to use functions like CreateProcessAsUserW and CreateProcessWithTokenW. That is for both the tools, as both of them use those functions. OK, I'll upload new versions of both tools later today, that will also add to your account the necessary right if missing (so that it can also be enabled when necessary on the fly).

#53
joakim
    Member
  • 154 posts
  • Joined 18-November 09
Now both tools have been updated to fix the issues described. Please report back any issues with it.

Available: http://reboot.pro/fi...d-runfromtoken/

#54
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?

#55
joakim
    Member
  • 154 posts
  • Joined 18-November 09

Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?


Of course! If you succeed in creating a process with a duplicated token of the trustedinstaller, your process will hold a true duplicated token, and your system will not be able to distinguish it from the trustedinstaller.exe itself, at least when it comes to privileges.

If you did not succeed in creating such a duplicated token with the tool, the console output should give an indication of what the issue is. So please post it if that's the case, or else it's pointless.

Either way, bear in mind that certain registry keys have rare permissions set. For instance, 1 weird account has access, but not the trustedinstaller. If that's the case, then not even the trustedinstaller will have access. However, a process with such a powerful token should have no problem adding the necessary permission to those keys, so try that.

#56
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
Hope this info helps...
First I opened a cmd prompt in the runassystem working directory. I typed in net start trustedinstaller and got this
The Windows Modules Installer service is starting.
The Windows Modules Installer service was started successfully.

In that same cmd window, I typed in runassystem64 cmd and got this:
Now setting privilege: SeDebugPrivilege
Now setting privilege: SeAssignPrimaryTokenPrivilege
Now setting privilege: SeIncreaseQuotaPrivilege
Running in session: 1
Host PID: 624
New process created successfully: 2336
A new cmd window pops up. Inside that new window I type in whoami and got this:
nt authority\system

Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set, so when I'm reducing it (1000's of files and folders), the takeown and icacls seem to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.

BTW, thanks for helping me out!

#57
dencorso
    Iuvat plus qui nihil obstat
  • Supervisor
  • 6,016 posts
  • Joined 07-April 07
  • OS:98SE
  • Donator

A new cmd window pops up. Inside that new window I type in whoami and got this:

nt authority\system

Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set, so when I'm reducing it (1000's of files and folders), the takeown and icacls seem to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.

Well, up to where you reported, everything happened as it was supposed to happen... But, at this point, you should still have to issue this command:

C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"
in order to get TrustedInstaller rights. What happens when you do?

#58
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
Man, I feel like such a stupid a**. I've tried every combination of commands, and I'm still not getting trustedinstaller. I do not get errors; I still see the same (or similar) "now setting privilege" on the cmd window where I type in the runassystem and/or runfromtoken commands. Can someone help the stupid a** (me) and post step by step on what to do? I had forgotten to mention that I'm running admin rights on the machine and admin rights in the cmd box.

#59
joakim
    Member
  • 154 posts
  • Joined 18-November 09
Let's try another approach then.. What makes you think it does not work for you? (elaborate)

#60
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
I see said the blind man. I thought I was going to see trustedinstaller when I typed whoami. But all is fine. I can readily delete items from the wim's mounted registry now. In fact, it shaved 20 minutes from my script execution time! This is a great utility! Thanks!
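The confusion in the last few posts comes from the fact that both a RunasSystem shell and a RunFromToken shell run as LocalSystem, so `whoami` prints `nt authority\system` in both cases; what differs is the group list and the privilege state of the token. The following script is an added example written for this thread, not part of joakim's tools; run it from the cmd window the tools spawned (the file name Check-Token.ps1 is assumed) to verify which token the shell actually holds. It reads the current process token through .NET and parses `whoami /priv` for the privileges the thread mentions.

```powershell
# Added example for this thread (not joakim's RunasSystem/RunFromToken code).
# Usage, from the cmd window the tools opened:  powershell -File Check-Token.ps1
# (file name assumed). Reports whether the token is LocalSystem, whether it
# carries the TrustedInstaller service group, and the state of key privileges.

# Well-known SIDs: LocalSystem, and the NT SERVICE\TrustedInstaller service SID
# that the Windows Modules Installer's token carries as a group.
$systemSid = 'S-1-5-18'
$tiSid     = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# "whoami" alone prints only the token's user, which is LocalSystem for both a
# plain RunasSystem shell and a duplicated TrustedInstaller token, so that line
# looks identical in both cases. The group SIDs tell them apart.
"Token user : {0} ({1})" -f $id.Name, $id.User.Value
$isSystem = ($id.User.Value -eq $systemSid)
$hasTi    = [bool]($id.Groups | Where-Object { $_.Value -eq $tiSid })
"LocalSystem                   : $isSystem"
"TrustedInstaller group in token: $hasTi"

# Privileges named in the thread (plus SeTakeOwnershipPrivilege, which is what
# takeown/icacls rely on). CSV output is parsed so the check does not depend on
# the column alignment of the default table format.
$wanted = 'SeDebugPrivilege', 'SeAssignPrimaryTokenPrivilege',
          'SeIncreaseQuotaPrivilege', 'SeTakeOwnershipPrivilege'
$privs = whoami /priv /fo csv | ConvertFrom-Csv
foreach ($name in $wanted) {
    $row   = $privs | Where-Object { $_.'Privilege Name' -eq $name }
    $state = if ($row) { $row.State } else { 'not in token' }
    "{0,-32} {1}" -f $name, $state
}

if ($isSystem -and $hasTi) {
    "Verdict: this shell holds a duplicated TrustedInstaller token; keys owned by"
    "TrustedInstaller in the mounted hive should be writable without takeown/icacls."
} elseif ($isSystem) {
    "Verdict: plain LocalSystem (RunasSystem only). Start the service first"
    "(net start trustedinstaller), then run RunFromToken against trustedinstaller.exe."
} else {
    "Verdict: not LocalSystem; RunasSystem did not take effect in this window."
}
```

`whoami /groups` gives the same group information interactively; the script exists so a script-driven WIM workflow like the one described above can assert the right token before touching the hive.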
