MSFN Forum: Taking back the Registry from TrustedInstaller


Taking back the Registry from TrustedInstaller: I figured it out, it's more of a details question

#41 GrofLuigi (GroupPolicy Tattoo Artist; Group: Members; Posts: 1,277; Joined: 21-April 05)

Posted 24 July 2012 - 08:40 AM

joakim, on 08 April 2012 - 12:45 PM, said:

On my windows api journey, I discovered this neat little tool that achieves kind of the same thing, just very differently (and less complicated); http://developex.com...e/devxexec.html

It is based on token duplication and not remote threads as I described.

Devxexec works very well. :thumbup It can launch cmd.exe or regedit.exe as Trusted Installer or as System. I don't really need anything more for my sabotages against the system. :ph34r:

GL

This post has been edited by GrofLuigi: 24 July 2012 - 08:42 AM



#42 GrofLuigi (GroupPolicy Tattoo Artist; Group: Members; Posts: 1,277; Joined: 21-April 05)

Posted 03 August 2012 - 03:36 AM

Wouldn't the simplest solution be to grant ourselves full privileges under the key:

HKEY_LOCAL_MACHINE\SECURITY\Policy\Accounts\S-1-5-21-645709764-2570854657-2333822770-500\Privilgs


or whatever the SID of our account is? But one has to figure out first what the format of the key is, or, if brave enough, to copy the registry value from another overprivileged account.

I imagine it as a quick guerilla operation: Change permissions, get in, change value, get out, restore permissions. :ph34r:

What do you guys think about that?

GL

This post has been edited by GrofLuigi: 03 August 2012 - 03:41 AM


#43 dencorso (Adiuvat plus qui nihil obstat; Group: Super Moderator; Posts: 4,983; Joined: 07-April 07; OS: 98SE)

Posted 27 September 2012 - 09:20 PM

This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:
joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".
Thanks joakim, you do rock! :thumbup

#44 CharlotteTheHarlot (MSFN Expert; Group: Members; Posts: 1,265; Joined: 24-September 07)

Posted 27 September 2012 - 11:28 PM

dencorso, on 27 September 2012 - 09:20 PM, said:

This is just to provide an update to those of you who don't usually follow things on reboot.pro... Heads up, friends, there's good news!!! :yes:
joakim has kept working on this matter, and has released two very interesting apps there, at the thread: "RunasSystem and RunFromToken".
Thanks joakim, you do rock! :thumbup

Thanks for the tip!

#45 GrofLuigi (GroupPolicy Tattoo Artist; Group: Members; Posts: 1,277; Joined: 21-April 05)

Posted 29 September 2012 - 08:00 AM

(just theoretical, haven't tried it yet)

Quote

On one of my systems I have this simple batch on my desktop to get quick access to my special power cmd:
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

With that command shell you have rather extreme control. Now go crazy on your system.


Would this help some more (with any of the tools mentioned):
net start UI0Detect
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"
?

(Don't know about others, but I have set UI0Detect to manual).

And thanks joakim for the tools. :thumbup

GL

#46 tommyp (MSFN Addict; Group: Developers; Posts: 1,675; Joined: 09-January 04)

Posted 30 September 2012 - 09:19 AM

The runassystem utility looks like it will save tons of time with a little win7 slipstream/reduction program I've been working on. I can't seem to get it to work right. My CMD prompt is always administrator and I'm in a CMD box in the working directory of the utility. I've run an example command on v1.0.0.2:
runassystem_x64 regedit

The resulting output is:
Running in session: 1
Host PID: 872
CreateProcessAsUserW / CreateProcessWithTokenW: A required privilege is not held by the client.

Am I supposed to be doing something different? FWIW, I'm running win7/x64.

#47 jaclaz (The Finder; Group: Developers; Posts: 11,574; Joined: 23-July 04)

Posted 30 September 2012 - 09:28 AM

tommyp, on 30 September 2012 - 09:19 AM, said:

Am I supposed to be doing something different? FWIW, I'm running win7/x64.

Check the release topic on reboot.pro:
http://reboot.pro/17501/

Another user has the same or similar problem and Joakim is working on it; there is already a new version posted, but not yet feedback from the OP.

jaclaz

#48 joakim (Member; Group: Members; Posts: 151; Joined: 18-November 09)

Posted 01 October 2012 - 07:35 AM

Yes feedback would be nice in order to solve it.. Did the test version work better for instance?

#49 tommyp (MSFN Addict; Group: Developers; Posts: 1,675; Joined: 09-January 04)

Posted 01 October 2012 - 12:38 PM

The test runassystemtoken version isn't the same as the runassystem. I can say that I did try the token program out, and quite honestly, I'm not too sure how to use that one for my specific need. In order to test out your program, I'd be more than happy to try out any commands you like, and I can plop the output here.

#50 joakim (Member; Group: Members; Posts: 151; Joined: 18-November 09)

Posted 01 October 2012 - 02:35 PM

There is only a test version of RunFromToken because that one requires certain privileges enabled on its process. That's why I was hoping for some feedback on how the test version behaved in regards to that. As already explained at reboot.pro, there is a chance that the right/privilege is not added to your account, which will prevent you from enabling it if it does not exist in the first place. That too I already have a version for, but I'm awaiting some feedback :)

#51 jaclaz (The Finder; Group: Developers; Posts: 11,574; Joined: 23-July 04)

Posted 02 October 2012 - 06:37 AM

If I may :unsure: , it seems to me like we are in a CATCH22 situation :w00t: .
joakim needs some feedback to hopefully fix the issue but does not provide an EXACT set of instructions/list of tests needed.
tommyp needs the utility working and is willing to do tests but doesn't know which EXACT tests to carry and HOW EXACTLY to report them.
Additionally it seems to me like there is a lot of mixing between two tools, the RunFromToken one and the RunasSystem, additionally made complex by the existence of a 32 and of a 64 bit version.

Maybe if a list of what tests are useful and how to exactly perform them with the various programs and on the different platforms was given, some progress could be made....

jaclaz

#52 joakim (Member; Group: Members; Posts: 151; Joined: 18-November 09)

Posted 03 October 2012 - 01:39 AM

In short, and as the name could imply, RunasSystem will let you open any program in your session as local system. That is nice and very easy.

However, sometimes you may want to mimic a certain token by creating a new process with a duplicated token, with more power than what winlogon.exe would give you, for instance the trustedinstaller. But for creating a true duplicate (something devxexec actually doesn't) of the trustedinstaller's token, we must be local system in the first place, hence the requirement for the strange procedure that not everybody understood. It is thus for that reason that RunasSystem must launch RunFromToken, in order to access and create a primary token (duplicate) of, for instance, the trustedinstaller. This requirement may not be necessary when creating duplicates of other, less picky process tokens.

In addition to the above requirement, I noticed that you may need certain privileges on the process in order to use functions like CreateProcessAsUserW and CreateProcessWithTokenW. That is for both tools, as both of them use those functions. OK, I'll upload new versions of both tools later today, which will also add the necessary right to your account if missing (so that it can also be enabled when necessary on the fly).

#53 joakim (Member; Group: Members; Posts: 151; Joined: 18-November 09)

Posted 03 October 2012 - 02:38 AM

Now both tools have been updated to fix the issues described. Please report back any issues with it.

Available: http://reboot.pro/fi...d-runfromtoken/

#54 tommyp (MSFN Addict; Group: Developers; Posts: 1,675; Joined: 09-January 04)

Posted 04 October 2012 - 03:10 PM

Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?

#55 joakim (Member; Group: Members; Posts: 151; Joined: 18-November 09)

Posted 04 October 2012 - 04:04 PM

tommyp, on 04 October 2012 - 03:10 PM, said:

Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?


Of course! If you succeed in creating a process with a duplicated token of the trustedinstaller, your process will hold a true duplicated token, and your system will not be able to distinguish it from the trustedinstaller.exe itself, at least when it comes to privileges.

If you did not succeed in creating such a duplicated token with the tool, the console output should give an indication of what the issue is. So please post it if that's the case, or else it's pointless.

Either way, bear in mind that certain registry keys have rare permissions set. For instance, one weird account has access, but not the trustedinstaller. If that's the case, then not even the trustedinstaller will have access. However, a process with such a powerful token should have no problem adding the necessary permission to those keys, so try that.
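joakim's point about keys where a single odd account holds access and TrustedInstaller does not is worth checking before any script starts deleting. The following PowerShell is an added example, not code from the thread or from joakim's tools: it reads the ACL of a key (optionally its whole subtree), lists who is allowed what, and flags keys with no Allow entry for NT SERVICE\TrustedInstaller. The function name and the key path at the bottom are placeholders chosen for this example.

```powershell
# Added example (not from the thread or from joakim's tools).
# Audits registry key ACLs and flags keys where NT SERVICE\TrustedInstaller has
# no Allow entry. Uses only Get-Acl, so it works in Windows PowerShell and PowerShell 7.

function Get-RegistryKeyAccessReport {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # provider path, e.g. HKLM:\SOFTWARE\Vendor
        [switch]$Recurse                          # also audit every readable subkey
    )

    $keys = @(Get-Item -Path $KeyPath -ErrorAction Stop)
    if ($Recurse) {
        # Subkeys we cannot even enumerate are silently skipped here; a key we can
        # enumerate but not read the ACL of is reported with an Error field below.
        $keys += Get-ChildItem -Path $KeyPath -Recurse -ErrorAction SilentlyContinue
    }

    foreach ($key in $keys) {
        try {
            $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop
        } catch {
            [pscustomobject]@{
                Key = $key.Name; Owner = $null; TrustedInstallerAllowed = $null
                AllowedIdentities = @(); Error = $_.Exception.Message
            }
            continue
        }

        # One row per ACE: who, which RegistryRights, Allow/Deny, inherited or explicit.
        $entries = foreach ($ace in $acl.Access) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }

        $tiAllow = @($entries | Where-Object {
            $_.Identity -eq 'NT SERVICE\TrustedInstaller' -and $_.Type -eq 'Allow'
        })

        [pscustomobject]@{
            Key                     = $key.Name
            Owner                   = $acl.Owner
            TrustedInstallerAllowed = ($tiAllow.Count -gt 0)
            AllowedIdentities       = @($entries | Where-Object Type -eq 'Allow' |
                                        Select-Object -ExpandProperty Identity -Unique)
            Error                   = $null
        }
    }
}

# Placeholder key path; substitute the key (or mounted hive) you are about to edit.
$report = Get-RegistryKeyAccessReport -KeyPath 'HKLM:\SOFTWARE\ExampleVendor' -Recurse

# Keys that joakim describes: readable ACL, but TrustedInstaller has no Allow entry.
$report | Where-Object { $_.Error -eq $null -and -not $_.TrustedInstallerAllowed } |
    Format-Table Key, Owner, AllowedIdentities -AutoSize
```

Run it from the elevated or token-duplicated shell you intend to use for the edits; a key that shows up in the filtered table with only one unfamiliar identity in AllowedIdentities is exactly the case where even a TrustedInstaller token will be refused until an ACE is added, and the Owner column tells you whether that token is allowed to add one without first taking ownership.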

#56 tommyp (MSFN Addict; Group: Developers; Posts: 1,675; Joined: 09-January 04)

Posted 05 October 2012 - 03:51 AM

Hope this info helps...
First I opened a cmd prompt in the runassystem working directory. I typed in net start trustedinstaller and got this
The Windows Modules Installer service is starting.
The Windows Modules Installer service was started successfully.


In that same cmd window, I typed in runassystem64 cmd and got this:
Now setting privilege: SeDebugPrivilege
Now setting privilege: SeAssignPrimaryTokenPrivilege
Now setting privilege: SeIncreaseQuotaPrivilege
Running in session: 1
Host PID: 624
New process created successfully: 2336

A new cmd window pops up. Inside that new window I type in whoami and got this:
nt authority\system


Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set so when I'm reducing it (1000's of files and folders), the takeown and icacls seems to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.

BTW, thanks for helping me out!

#57 dencorso (Adiuvat plus qui nihil obstat; Group: Super Moderator; Posts: 4,983; Joined: 07-April 07; OS: 98SE)

Posted 05 October 2012 - 09:12 AM

tommyp, on 05 October 2012 - 03:51 AM, said:

A new cmd window pops up. Inside that new window I type in whoami and got this:
nt authority\system


Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set so when I'm reducing it (1000's of files and folders), the takeown and icacls seems to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.

Well, up to where you reported, everything happened as it was supposed to happen... But, at this point, you should still have to issue this command:

C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

in order to get TrustedInstaller rights. What happens when you do?

#58 tommyp (MSFN Addict; Group: Developers; Posts: 1,675; Joined: 09-January 04)

Posted 05 October 2012 - 03:51 PM

Man, I feel like such a stupid a**. I've tried every combination of commands, and I'm still not getting trustedinstaller. I do not get errors, I still see the same (or similar) "now setting privilege" on the cmd window where I type in the runassystem and/or runfromtoken commands. Can someone help the stupid a** (me) and post step by step on what to do? I had forgot to mention that I'm running admin rights on the machine and admin rights in the cmd box.

#59 joakim (Member; Group: Members; Posts: 151; Joined: 18-November 09)

Posted 05 October 2012 - 05:30 PM

Let's try another approach then.. What makes you think it does not work for you? (elaborate)

#60 tommyp (MSFN Addict; Group: Developers; Posts: 1,675; Joined: 09-January 04)

Posted 06 October 2012 - 06:41 AM

I see said the blind man. I thought I was going to see trustedinstaller when I typed whoami. But all is fine. I can readily delete items from the wim's mounted registry now. In fact, it shaved 20 minutes from my script execution time! This is a great utility! Thanks!
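tommyp's confusion (whoami printing nt authority\system even after the RunFromToken step) and joakim's earlier explanation in #52 (CreateProcessAsUserW / CreateProcessWithTokenW failing with "A required privilege is not held by the client" unless SeDebugPrivilege, SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege are available) both come down to what the current token actually holds, which the plain user name does not show. The PowerShell below is an added example, not part of the thread or of joakim's tools: it reports the token's user, whether it is LocalSystem, which service SIDs it carries as groups, and the state of the three privileges the tool prints. The function name is a placeholder; the TrustedInstaller service SID is the well-known one Windows assigns to that service.

```powershell
# Added example (not from the thread or from joakim's tools).
# Reports what "whoami" alone hides: group SIDs and privilege state of the current token.
# Run it in the shell produced by the tools (or any shell) to confirm what you really got.

# Well-known service SID for NT SERVICE\TrustedInstaller.
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# The three privileges the tool enables before CreateProcessAsUserW / CreateProcessWithTokenW.
$NeededPrivileges = 'SeDebugPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege'

function Get-TokenReport {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # A duplicated TrustedInstaller token still names its user NT AUTHORITY\SYSTEM;
    # the difference is the service SID carried in the token's group list.
    $groupSids = @($id.Groups | ForEach-Object { $_.Value })
    $groupNames = @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })
    $hasTi = ($groupSids -contains $TrustedInstallerSid) -or
             ($groupNames -contains 'NT SERVICE\TrustedInstaller')

    # Privilege names and states parsed from whoami's CSV output; no P/Invoke needed.
    # Columns are "Privilege Name","Description","State".
    $privState = @{}
    foreach ($row in (whoami /priv /fo csv | ConvertFrom-Csv)) {
        $privState[$row.'Privilege Name'] = $row.State
    }

    [pscustomobject]@{
        User                 = $id.Name
        IsLocalSystem        = $id.User.IsWellKnown(
                                   [System.Security.Principal.WellKnownSidType]::LocalSystemSid)
        HasTrustedInstaller  = $hasTi
        ServiceSids          = @($groupSids | Where-Object { $_ -like 'S-1-5-80-*' })
        # Absent entirely: the right is not assigned to the account, so it cannot be enabled.
        MissingPrivileges    = @($NeededPrivileges | Where-Object { -not $privState.ContainsKey($_) })
        # Present but Disabled: assigned, just not yet enabled on this process.
        DisabledPrivileges   = @($NeededPrivileges | Where-Object {
                                   $privState.ContainsKey($_) -and $privState[$_] -ne 'Enabled' })
    }
}

Get-TokenReport | Format-List
```

Read the output this way: IsLocalSystem true with HasTrustedInstaller false is what the RunasSystem step alone gives; HasTrustedInstaller true is the state after the RunFromToken step, which is what tommyp had all along. A privilege listed under MissingPrivileges (rather than DisabledPrivileges) is the case joakim describes where the right is not assigned to the account at all, so no amount of enabling on the fly will make the CreateProcess* call succeed until it is granted.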
