Doing Stuff While Impersonating Trusted Installer

Which is technically the same thing as

Running Programs as NT System Authority in Vista, 7, etc

So, me and the guys at MSFN were talking about TrustedInstaller a while back.

Some of those guys are very "next generation" and have mastered Windows Vista, 7/8, 2008/2012 in ways that make my XP/2003 slipstreaming / DLL hacking material look like the cave scratchings of a caveman.

After much back and forth, a method was devised whereby a lowly admin may:

• Remove Trusted Installer permissions from the CLSIDs in the HKCR/HKLM (or any) branches of the Registry very quickly and easily

• Execute commands as NT AUTHORITY\SYSTEM

The first one's easy, you need SetACL from helgeklein (scroll down to it, it's item #3, EXE version) and this batch file you run as admin after putting SetACL(64) in system32.

It's the second one that's a bit of a feat and what we're going to go into today.

You need RunasSystem and RunFromToken from Joakim and the Sysinternals utilities suite from Microsoft.

Make your life easy and dump all the binaries into C:\windows\system32. Do this whether you have a 32 or a 64 bit system. BTW I often use C:\windows\system for little utilities like the Sysinternals utilities. The 16 bit legacy system directory can literally be emptied on every NT OS from Windows 2000 foward prior to installing. (In 2000/XP/2003, you do it by altering SYSSETUP.IN_, TXTSETUP, LAYOUT, and SYSSETUP.DLL, remember?) But for the sake of making things easy, I'm writing this using system32. By the way, if you want to run a SYSTEM shell in 2k/XP/2k3, use grootshell instead.

RunasSystem is pretty self-explanatory. Running a program as system isn't enough, though.

What we're going to do is pretty damned clever -- we're going to run a process with the token of another process... and the process we're going to use is none other than TRUSTEDINSTALLER.EXE, and we're going to launch the token impersonation using RunasSystem. If you didn't quite get that, don't worry about it.

Make a batch file. That is to say, open NOTEPAD and copy and past this into it and save it as PROCEXPTI.BAT (I use that for "PROCEss EXPlorer as Trusted Installer" but you can name it whatever you like).

net stop trustedinstaller
net start trustedinstaller
C:\Windows\system32\runassystem64.exe "C:\Windows\system32\runfromtoken64.exe trustedinstaller.exe 1 C:\Windows\system32\procexp.exe"

You see that 64 in there? Obviously you want to omit that if you are in 32 bit Windows. You will note that we first stop TI and then start it. We do this because TI only runs for a limited time (it's a service). It only needs to run long enough to allow us to use it as a springboard. Once we launch a program with System permissions, we're done with TI and it will shut itself down. At any given moment, however, it might already be running, so we make sure it's actually off before starting it.

Here's visual proof of what's happening.

I'll leave it to you to determine the usefulness of this. You could use CMD.EXE if you wanted and get a command prompt that's a step above "elevated." If you're kind of at a loss, then go ahead and try this:

1. Make a batch file like the one above that launches EXPLORER.EXE.
2. Using Process Explorer, shut down the current instance of explorer
3. Go to File, Run and run the batch file to launch explorer as NT Authority.

Q: Wait... I can seriously do that?!
A: Yup. Below you will see two instances of explorer running on my PC under two separate accounts. One is regular Admin, the other is TI. Notably, the desktop wallpaper stays the same but the desktop icons are different, as if Windows had attempted to create a new profile. Killing explorer and re-starting it will only restart it as NT Authority again. You have to actually reboot to return the icons on your desktop to normal.


April 5, 2013