Taking back the Registry from TrustedInstaller


74 replies to this topic

#51
jaclaz
    The Finder
  • Developer
  • 16,627 posts
  • Joined 23-July 04
If I may :unsure: , it seems to me like we are in a CATCH22 situation :w00t: .
joakim needs some feedback to hopefully fix the issue but does not provide an EXACT set of instructions/list of tests needed.
tommyp needs the utility working and is willing to do tests but doesn't know which EXACT tests to carry and HOW EXACTLY to report them.
Additionally it seems to me like there is a lot of mixing between two tools, the RunFromToken one and the RunasSystem, additionally made complex by the existence of a 32 and of a 64 bit version.

Maybe if a list of what tests are useful and how to exactly perform them with the various programs and on the different platforms was given, some progress could be made....

jaclaz



#52
joakim
    Member
  • 153 posts
  • Joined 18-November 09
In short, and as the name could imply, RunasSystem will let you open any program in your session as local system. That is nice and very easy.

However, sometimes you may want to mimic a certain token by creating a new process with a duplicated token, with more power than what winlogon.exe would give you, for instance the trustedinstaller. But for creating a true duplicate (something devxexec actually doesn't) of the trustedinstaller's token, we must be local system in the first place, hence the requirement for the strange procedure that not everybody understood. It is thus for that reason that RunasSystem must launch RunFromToken, in order to access and create a primary token (duplicate) of for instance the trustedinstaller. This requirement may not be necessary when creating duplicates of other less picky process tokens.

In addition to the above requirement, I noticed that you may need certain privileges on the process in order to use functions like CreateProcessAsUserW and CreateProcessWithTokenW. That is for both the tools, as both of them use those functions. OK, I'll upload new versions of both tools later today, that will also add to your account the necessary right if missing (so that it can also be enabled when necessary on the fly).

#53
joakim
    Member
  • 153 posts
  • Joined 18-November 09
Now both tools have been updated to fix the issues described. Please report back any issues with it.

Available: http://reboot.pro/fi...d-runfromtoken/

#54
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?

#55
joakim
    Member
  • 153 posts
  • Joined 18-November 09

Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?


Of course! If you succeed in creating a process with a duplicated token of the trustedinstaller, your process will hold a true duplicated token, and your system will not be able to distinguish it from the trustedinstaller.exe itself, at least when it comes to privileges.

If you did not succeed in creating such a duplicated token with the tool, the console output should give an indication of what the issue is. So please post it if that's the case, or else it's pointless.

Either way, bear in mind that certain registry keys have rare permissions set. For instance, 1 weird account has access, but not the trustedinstaller. If that's the case, then not even the trustedinstaller will have access. However, a process with such a powerful token should have no problem adding the necessary permission to those keys, so try that.

#56
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
Hope this info helps...
First I opened a cmd prompt in the runassystem working directory. I typed in net start trustedinstaller and got this
The Windows Modules Installer service is starting.
The Windows Modules Installer service was started successfully.

In that same cmd window, I typed in runassystem64 cmd and got this:
Now setting privilege: SeDebugPrivilege
Now setting privilege: SeAssignPrimaryTokenPrivilege
Now setting privilege: SeIncreaseQuotaPrivilege
Running in session: 1
Host PID: 624
New process created successfully: 2336
A new cmd window pops up. Inside that new window I type in whoami and got this:
nt authority\system

Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set so when I'm reducing it (1000's of files and folders), the takeown and icacls seems to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.

BTW, thanks for helping me out!

#57
dencorso
    Iuvat plus qui nihil obstat
  • Supervisor
  • 6,377 posts
  • Joined 07-April 07
  • OS:98SE

A new cmd window pops up. Inside that new window I type in whoami and got this:

nt authority\system

Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set so when I'm reducing it (1000's of files and folders), the takeown and icacls seems to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.

Well, up to where you reported, everything happened as it was supposed to happen... But, at this point, you should still have to issue this command:

C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"
in order to get TrustedInstaller rights. What happens when you do?

#58
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
Man, I feel like such a stupid a**. I've tried every combination of commands, and I'm still not getting trustedinstaller. I do not get errors; I still see the same (or similar) "now setting privilege" on the cmd window where I type in the runassystem and/or runfromtoken commands. Can someone help the stupid a** (me) and post step by step on what to do? I had forgotten to mention that I'm running admin rights on the machine and admin rights in the cmd box.

#59
joakim
    Member
  • 153 posts
  • Joined 18-November 09
Let's try another approach then.. What makes you think it does not work for you? (elaborate)

#60
tommyp
    MSFN Addict
  • Developer
  • 1,681 posts
  • Joined 09-January 04
I see said the blind man. I thought I was going to see trustedinstaller when I typed whoami. But all is fine. I can readily delete items from the wim's mounted registry now. In fact, it shaved 20 minutes from my script execution time! This is a great utility! Thanks!
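The confusion in this exchange (whoami prints nt authority\system inside the TrustedInstaller shell just as it does in a plain RunasSystem shell) can be settled by looking at the token's group list rather than its user name. The batch file below is an added example, not code from the thread or from the RunAsSystem/RunFromToken/RunAsTI projects; it assumes it is typed into the console those tools opened, and relies on Windows listing the TrustedInstaller service's per-service SID under the name NT SERVICE\TrustedInstaller in the output of whoami /groups.

```batch
@echo off
:: Added example (not from the thread or the RunAsTI project): tell a
:: plain SYSTEM console apart from a TrustedInstaller token clone.
:: Both report "nt authority\system" to whoami, because the
:: TrustedInstaller service itself runs as LocalSystem. What the clone
:: carries in addition is the per-service SID, which whoami /groups
:: lists under the name NT SERVICE\TrustedInstaller.
echo User name reported by whoami:
whoami

:: /l searches literally, /c: keeps the space inside the search string.
whoami /groups | findstr /i /l /c:"NT SERVICE\TrustedInstaller" >nul
if errorlevel 1 (
    echo No NT SERVICE\TrustedInstaller group: this is an ordinary SYSTEM ^(or user^) token.
    exit /b 1
)
echo NT SERVICE\TrustedInstaller group present: this token is a TrustedInstaller clone.
exit /b 0
```

The exit code makes the check usable from a larger script: a wrapper can run this first and refuse to start the registry or WIM clean-up when the clone was not obtained, instead of discovering it from slow takeown/icacls failures later.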

#61
pink0
  • Member
  • 2 posts
  • Joined 24-April 15
  • OS:Windows 7 x64

Sorry to resume this old thread, but I believe RunAsSystem, RunFromToken and Devxexec are the only commands that can help me.

I am trying to build a Windows 7 with the highest performance possible when logged in with a specific user. The goal is to run psychological experiments.

My idea was to create a simple batch that stops, e.g., the antivirus program; specifically it's a System Center Endpoint which is hardened by Microsoft, and I found out that only the "TrustedInstaller" is able to stop it.

In fact, if I run the above commands as written in this thread I am able to stop the MsMpSVC service.

So I was wondering if they can work if run from inside Task Scheduler, as SYSTEM I suppose.

thanks



#62
pink0
  • Member
  • 2 posts
  • Joined 24-April 15
  • OS:Windows 7 x64
WTF!
it worked right after I posted the message...
 
sorry :P

#63
simonetaddei
  • Member
  • 9 posts
  • Joined 10-November 15
  • OS:Windows 8 x64

Good evening, I'm new to this forum. I need to add a registry key under the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] path in regedit. The problem is that it only lets me do it if I open regedit as TrustedInstaller. I was able to open it as TrustedInstaller using an executable found on the net, "RunAsTI64". This way, however, I have to do it manually; what I wanted was to create an executable or .bat file that adds the key. Can someone help me? Thank you
Simone



#64
jaclaz
    The Finder
  • Developer
  • 16,627 posts
  • Joined 23-July 04

Yes :), "RunAsTI64" is the "evolution" of the programs talked about here; joakim (Joakim Schicht) released it on github:

https://github.com/jschicht/RunAsTI

 

 

RunAsTI or RunAsTrustedInstaller

Is a tool to launch a program of choice (usually cmd.exe) with the same privileges as the TrustedInstaller. That privilege is very powerful! Actually the tool makes a clone of the token from TrustedInstaller, and thus the newly created process has an identical token.

Why would you need it? Sometimes it is just not enough to just be running as "nt authority\system". Maybe it's a file or a registry key that is locked. Running a tool with this powerful privilege most likely solves that. Usually such an issue may be due to Windows Resource Protection (WRP) protecting it (previously called Windows File Protection (WFP)); http://msdn.microsof...3(v=vs.85).aspx

How do you run it? Simply double click it and cmd.exe will launch. Or pass it the program to launch as parameter.

The tool is actually a merge of 2 previous tools; RunAsSystem and RunFromToken. The curious ones might notice that RunFromToken is attached as a resource.

The tool only runs on nt6.x (Vista and later), since TrustedInstaller does not exist on earlier Windows versions.

Requirement: Administrator. 

 

 

So what is the question? :unsure:

Which program to use as parameter?

A batch with REG.EXE command(s) should do nicely, maybe even directly a REG.EXE ADD command.

https://technet.micr...y/cc732643.aspx

https://technet.micr...x#BKMK_examples

 

jaclaz
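To show what the REG.EXE ADD route suggested above looks like in practice, here is an added example batch file; it is not from the thread, from jaclaz, or from the RunAsTI project. It assumes the file is saved as addrun.cmd (an assumed name) and launched with its full path, e.g. runasti64.exe C:\Users\addrun.cmd; the value name "mykey" and the target H:\program.exe are taken from the d.reg posted later in this thread. It goes a little beyond the suggestion by checking reg.exe's exit code and reading the value back, so the console shows whether the write actually happened.

```batch
@echo off
:: Added example (not from the thread or the RunAsTI project).
:: Adds the Run value with REG ADD instead of importing a .reg file,
:: then reads it back. Launch it with a full path, for instance
::     runasti64.exe C:\Users\addrun.cmd
:: The file name addrun.cmd is assumed; "mykey" and H:\program.exe are
:: the value name and target from the d.reg posted in the thread.
setlocal
set "KEY=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
set "NAME=mykey"
set "TARGET=H:\program.exe"

echo Running as:
whoami

:: /f overwrites an existing value without prompting; without it reg.exe
:: asks "Yes/No", and a launch with no interactive console would hang.
reg.exe add "%KEY%" /v "%NAME%" /t REG_SZ /d "%TARGET%" /f
if errorlevel 1 (
    echo REG ADD failed with exit code %errorlevel%; check the token and the key's ACL.
    pause
    exit /b 1
)

:: Read the value back so the console shows what was actually written.
reg.exe query "%KEY%" /v "%NAME%"
pause
endlocal
```

Because the path is written as a plain command-line argument, there is no .reg escaping to get wrong (in a .reg file every backslash has to be doubled), and the PAUSE lines keep the TrustedInstaller console open long enough to read any error before it closes.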



#65
simonetaddei
  • Member
  • 9 posts
  • Joined 10-November 15
  • OS:Windows 8 x64

Hi,

I run runasti64 by passing it the program to launch as parameter. I created this batch file and tried to use the reg add command, but it doesn't work.

This is the batch file I use to call runasti64:

runasti64.exe reg import C:\Users\d.reg

and this is the d.reg file that I need to add:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
"mykey"="H:\\\\program.exe"

Where am I wrong?

I hope I explained myself better,

thanks, Simone.


Edited by simonetaddei, 11 November 2015 - 02:27 AM.


#66
dencorso
    Iuvat plus qui nihil obstat
  • Supervisor
  • 6,377 posts
  • Joined 07-April 07
  • OS:98SE

Make sure the d.reg has at least two blank lines at the end.



#67
simonetaddei
  • Member
  • 9 posts
  • Joined 10-November 15
  • OS:Windows 8 x64

Yes, the file has the two blank lines at the end, but it is not working.
It gives me this message:

Attached File: 1.png
Attached File: 2.png
Attached File: Untitled.png

But if I open runasti64 by double clicking on the icon, and then from the command prompt that opens write d.reg, the prompt adds the key correctly.

Attached File: Untitled1.png
Attached File: Untitled2.png

I don't understand what I'm doing wrong...

Can someone help me?

Thanks

Simone


Edited by simonetaddei, 13 November 2015 - 09:05 AM.


#68
jaclaz
    The Finder
  • Developer
  • 16,627 posts
  • Joined 23-July 04

Try it this other way, running a batch instead:

runasti64.exe mynicecmd.cmd

 

 

Contents of mynicecmd.cmd:

::This file runs reg.exe to import a .reg file
ECHO OFF
ECHO This is a batch file
ECHO Next command will be reg.exe import C:\users\d.reg

PAUSE
reg.exe import C:\Users\d.reg
PAUSE

It is possible that RunasTI does not pass all parameters correctly (or only accepts a single parameter, i.e. the name of the executable). The error you are experiencing is most probably the one in the third screenshot (syntax of reg.exe), which is the same you get if running reg.exe with no parameters.

 

jaclaz



#69
simonetaddei
  • Member
  • 9 posts
  • Joined 10-November 15
  • OS:Windows 8 x64

Hi, I tried this way but it doesn't work; now it gives me this error message:

Attached File: 3.png

 

thanks for your help,

Simone

 



#70
jaclaz
    The Finder
  • Developer
  • 16,627 posts
  • Joined 23-July 04

Hi, I tried this way but it doesn't work; now it gives me this error message:

Attached File: 3.png

 

thanks for your help,

Simone

No. :no: it's difficult to follow you this way.

You should try running the batch I posted and post the whole thing, including the command line you issued.

 

What you posted seems like an error because the system cannot find the file mynicecmd.cmd, it is possible that you need to specify a full path to it, *like*:

runasti64.exe C:\users\mynicecmd.cmd

 

 

@dencorso

Maybe you could split the topic to a new thread, so that we can go through assisting simonetaddei without taking the original trustedinstaller topic too OT. :unsure:

 

jaclaz



#71
simonetaddei
  • Member
  • 9 posts
  • Joined 10-November 15
  • OS:Windows 8 x64

thanks, it works!! :yes:

 

I still made a split of the topic here

 

http://www.msfn.org/...nstallerpage-3/

 

because I had another question.

thank you so much for helping me.
Simone



#72
os2fan2
    Advanced Member
  • Member
  • 427 posts
  • Joined 09-September 04

I ran runasti on my vi.6.1 32-bit system, and got it to run cmd.exe.

From this cmd.exe session, I launched programs, like fcw.exe (File Commander/W, a port of an OS/2 program), and changed to the gwx directory (\windows\system32\gwx). I renamed all the .EXE and .?AT files to .EX_ and .?A_.

So I imagine the trick is to fire up cmd.exe and run the various batch files in order from that prompt. I do the same thing with my setup, where batch 0xxxx are run first, then 1xxxx etc. If you make a change to something like 1xxxx, then the various later ones have to be run.

Jolly good show, and another happy camper here!



#73
os2fan2
    Advanced Member
  • Member
  • 427 posts
  • Joined 09-September 04

It's even more interesting.

I started "runasti cmd.exe" and this gives me a command prompt.

I then use fcw to find the GWX files as above.

I then run autoruns.exe (Sysinternals), and kill all of the GWX proggies out of there. It says it can't find the EXEs.

From GWX control panel, the program can't even find the EXEs.

The system boots nicely, and it is no longer a case of "you are allowed to run your system between updates".



#74
dencorso
    Iuvat plus qui nihil obstat
  • Supervisor
  • 6,377 posts
  • Joined 07-April 07
  • OS:98SE

From a command prompt impersonating the TrustedInstaller one can also freely edit the registry with Regedit... :)



#75
os2fan2
    Advanced Member
  • Member
  • 427 posts
  • Joined 09-September 04

Oh yes, you can indeed fire up your favourite reg editor, and like all god-mode things, you can poke your nose into areas normally denied, such as SAM and SECURITY.

The more I explore GWX, the more it looks like these browser-extension viruses like bonzo search engines.

Autoruns will happily launch the tasks programs, so it seems that it's a pretty awesome version of 'power-prompt'.

I should imagine that it is the right place to run batches in. CDF (which is my generic W2K batch written around Frank Westlake's 'conset') works. This batch runs under cmd.exe, and changes drive and directory to any named directory in the shell directories, and you can create in the registry your own 'shell-folder' set, so e.g. "cdf batch" changes to the batch folder.

It also can open the registry at the appropriate page so you can have a peek.

So I should imagine it's not hard to make a registry entry for 'tweaks', and cdf tweaks, and run your batch files from there.

Use regmagik or regjump to handle the reg:hklm thing. Both of them support it.


@echo off
:: cd shell folder.
set zdir=
set zshf=Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
if /i "%1"=="/m" goto :hklm
if /i "%1"=="/u" goto :hkcu
if /i "%1"=="/w" goto :hkwe
if /i "%1"=="/i" goto :image
set zcmd=chdir
set zhere=%*
if "%1"=="/o" set zcmd=open
if "%1"=="/o" set zhere=%zhere:~3%
conset /q /k zdir=HKLM\%zshf%\%zhere%
if not "%zdir%"=="" goto :doit
conset /q /k zdir=HKCU\%zshf%\%zhere%
if not "%zdir%"=="" goto :doit
conset /q /k zdir=HKLM\Software\Wendy\Folders\%zhere%
if not "%zdir%"=="" goto :doit
goto :end
:hklm
shelexec reg:hklm\%zshf%
goto :end
:hkcu
shelexec reg:hkcu\%zshf%
goto :end
:hkwe
shelexec reg:hklm\software\wendy\folders
goto :end
:image
set zdir=Microsoft\Windows NT\CurrentVersion\Image File Execution Options
shelexec reg:hklm\software\%zdir%
goto :end

:doit
set zcxm=
if %zcmd%==chdir cd /d %zdir%
if %zcmd%==open shelexec %zdir%
:end
set zdir=




