runas...
Hello everyone.
How can I launch any process in the Trusted Installer?
Let's take a standard console as an example (as the target). I've seen code on this forum many times to raise the privileges of the current process, to get debugger-level privileges. This runs without error. Good. But what to do next? If I start a console now, the cmd process will not have 'System' specified. Yes, I have admin rights. I also know that this trick can be done using the task scheduler. But maybe someone knows another way? No services or third-party software like psexec, Advanced Run by Nirsoft etc.
Thank you.
Re: runas...
Sorry If I Kept You Waiting... This could be a start for you.
https://github.com/bgeraghty/cwc-TI-Bac ... in/main.pb
SolveMyIssue_() - No QuickHelp available.
Re: runas...
bgeraghty, thank you very much for your response.
It is interesting. As I expected, this is done using the task scheduler (via ps-script). I'll look at this in more detail a bit later.
Attention! PowerShell can take a long time to launch. At least when it starts for the first time.
Anyway, thanks again for sharing this.
Re: runas...
Hi ZX80,
See Windows Services & Other Stuff\Other_Stuff\RunExeAsSYSTEM\REaS.pb.
1. Type cmd in the available field; hit the Enter key or press the Run button.
2. Type whoami /all in the Command Prompt window; hit the Enter key.
NB*: Added the option to include the rights associated with Trusted Installer.
Last edited by JHPJHP on Sat Dec 03, 2022 10:16 pm, edited 7 times in total.
Re: runas...
Until now I was using NSudo
But I will consider using your tool JHPJHP, it worked well
Code:
C:\Windows\system32>whoami
autorite nt\système
Re: runas...
To distinguish whether you are running as Admin, System or TrustedInstaller.
Code:
EnableExplicit

Import "advapi32.lib"
  CheckTokenMembership(a, b, c)
EndImport

; Returns 0 = none of the below, 1 = Administrators, 2 = SYSTEM, 3 = TrustedInstaller
Procedure GetAdminLevel()
  Protected bIsAdmin.l, bIsToken.l
  Protected pSidAdministrator, pSidSystem, pSidTrustedInstaller
  Protected NtAuthority.SID_IDENTIFIER_AUTHORITY

  NtAuthority\Value[5]=5 ; SECURITY_NT_AUTHORITY

  ; BUILTIN\Administrators
  AllocateAndInitializeSid_(@NtAuthority,
                            2,
                            #SECURITY_BUILTIN_DOMAIN_RID,
                            #DOMAIN_ALIAS_RID_ADMINS,
                            0, 0, 0, 0, 0, 0,
                            @pSidAdministrator)

  ; NT AUTHORITY\SYSTEM
  AllocateAndInitializeSid_(@NtAuthority,
                            1,
                            #SECURITY_LOCAL_SYSTEM_RID,
                            0, 0, 0, 0, 0, 0, 0,
                            @pSidSystem)

  ; Service SID of TrustedInstaller
  #SECURITY_SERVICE_ID_RID_COUNT = 6
  #SECURITY_SERVICE_ID_BASE_RID = $50
  #SECURITY_TRUSTED_INSTALLER_RID1 = 956008885
  #SECURITY_TRUSTED_INSTALLER_RID2 = 3418522649
  #SECURITY_TRUSTED_INSTALLER_RID3 = 1831038044
  #SECURITY_TRUSTED_INSTALLER_RID4 = 1853292631
  #SECURITY_TRUSTED_INSTALLER_RID5 = 2271478464

  AllocateAndInitializeSid_(@NtAuthority,
                            #SECURITY_SERVICE_ID_RID_COUNT,
                            #SECURITY_SERVICE_ID_BASE_RID,
                            #SECURITY_TRUSTED_INSTALLER_RID1,
                            #SECURITY_TRUSTED_INSTALLER_RID2,
                            #SECURITY_TRUSTED_INSTALLER_RID3,
                            #SECURITY_TRUSTED_INSTALLER_RID4,
                            #SECURITY_TRUSTED_INSTALLER_RID5,
                            0, 0,
                            @pSidTrustedInstaller)

  ; #Null = check the token of the calling thread/process; later matches override earlier ones
  CheckTokenMembership(#Null, pSidAdministrator, @bIsToken)
  If bIsToken : bIsAdmin = 1 : EndIf

  bIsToken = 0
  CheckTokenMembership(#Null, pSidSystem, @bIsToken)
  If bIsToken : bIsAdmin = 2 : EndIf

  bIsToken = 0
  CheckTokenMembership(#Null, pSidTrustedInstaller, @bIsToken)
  If bIsToken : bIsAdmin = 3 : EndIf

  ; Release the SIDs allocated above
  FreeSid_(pSidAdministrator)
  FreeSid_(pSidSystem)
  FreeSid_(pSidTrustedInstaller)

  ProcedureReturn bIsAdmin
EndProcedure

CompilerIf #PB_Compiler_IsMainFile
  Debug GetAdminLevel()
CompilerEndIf
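Where the five #SECURITY_TRUSTED_INSTALLER_RID constants in the code above come from, as an added Python example that is not part of any post in this thread: a service SID is S-1-5-80 followed by the SHA-1 of the upper-cased UTF-16LE service name, read as five little-endian DWORDs. The (SID, attributes) token lists and the is_member helper are constructed simplifications of what CheckTokenMembership evaluates.

```python
import hashlib
import struct

SE_GROUP_ENABLED = 0x00000004
SE_GROUP_USE_FOR_DENY_ONLY = 0x00000010

ADMINS_SID = "S-1-5-32-544"  # BUILTIN Administrators alias
SYSTEM_SID = "S-1-5-18"      # NT AUTHORITY SYSTEM


def service_sid_rids(service_name):
    """RID1..RID5: SHA-1 of the upper-cased UTF-16LE name as five little-endian DWORDs."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return struct.unpack("<5I", digest)


def service_sid(service_name):
    """S-1-5-80-<RID1>-...-<RID5>: 5 is SECURITY_NT_AUTHORITY, 80 ($50) the service base RID."""
    return "S-1-5-80-" + "-".join(str(rid) for rid in service_sid_rids(service_name))


def is_member(token, sid):
    """Simplified CheckTokenMembership: the SID must be present, enabled and not deny-only."""
    for entry_sid, attrs in token:
        if entry_sid == sid:
            return bool(attrs & SE_GROUP_ENABLED) and not attrs & SE_GROUP_USE_FOR_DENY_ONLY
    return False


def admin_level(token):
    """Same ordering as GetAdminLevel(): 1 admin, 2 SYSTEM, 3 TrustedInstaller, else 0."""
    level = 0
    for value, sid in ((1, ADMINS_SID), (2, SYSTEM_SID), (3, service_sid("TrustedInstaller"))):
        if is_member(token, sid):
            level = value
    return level


# Constructed sample tokens as (SID, attributes) pairs; not captured from a real system.
TI_SID = service_sid("TrustedInstaller")
FILTERED_ADMIN = [(ADMINS_SID, SE_GROUP_USE_FOR_DENY_ONLY)]  # non-elevated admin under UAC
ELEVATED_ADMIN = [(ADMINS_SID, SE_GROUP_ENABLED)]
SYSTEM_TOKEN = ELEVATED_ADMIN + [(SYSTEM_SID, SE_GROUP_ENABLED)]
TI_TOKEN = SYSTEM_TOKEN + [(TI_SID, SE_GROUP_ENABLED)]

if __name__ == "__main__":
    print(TI_SID)
    for name, tok in (("filtered", FILTERED_ADMIN), ("elevated", ELEVATED_ADMIN),
                      ("system", SYSTEM_TOKEN), ("ti", TI_TOKEN)):
        print(name, admin_level(tok))
```

The filtered-admin case returns 0 because a deny-only Administrators entry does not count as membership, which is why an admin account that is not elevated is not reported as level 1.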
Re: runas...
Thanks fryquez, good addition
It's all good with PB 6.0 C or ASM. Not a concern for me, but just to let you know: with PB 5.73 there is a Polink error: unresolved external symbol 'CheckTokenMembership'.
I understood with GetAdminLevel that NSudo gives access to TrustedInstaller in addition to System.
Thanks AZJIO for the other code to run the application with system rights, to clean the registry or other needs
Re: runas...
Wow
An old theme revived!
To be honest, I didn't expect to see so many replies here. Thanks everyone.
ChrisR, see if it works for you.
AZJIO, thank you.
I have already seen this code.
fryquez, thank you too.
It will be very helpful.
JHPJHP, thank you.
I really appreciate your contribution, but...
I used to be able to look at your work without any problems, including the source code. But for some time now it has been impossible. I'm sorry.
P.S. Sorry, this popup is a bit confusing.
Anyway, thanks for not passing by this topic.
Code:
EnableExplicit

; The advapi32 functions are resolved at runtime instead of being imported from advapi32.lib
Prototype.i CheckTokenMembership(TokenHandle, pSidToCheck, pIsMember)
Global CheckTokenMembership.CheckTokenMembership
Prototype.i AllocateAndInitializeSid(pIdentifierAuthority, nSubAuthorityCount, dwSubAuthority0, dwSubAuthority1, dwSubAuthority2, dwSubAuthority3, dwSubAuthority4, dwSubAuthority5, dwSubAuthority6, dwSubAuthority7, pSid)
Global AllocateAndInitializeSid.AllocateAndInitializeSid
Prototype.i FreeSid(pSid)
Global FreeSid.FreeSid

; Returns 0 = none of the below, 1 = Administrators, 2 = SYSTEM, 3 = TrustedInstaller
Procedure GetAdminLevel()
  Protected dll
  Protected bIsAdmin.l, bIsToken.l
  Protected pSidAdministrator, pSidSystem, pSidTrustedInstaller
  Protected NtAuthority.SID_IDENTIFIER_AUTHORITY

  NtAuthority\Value[5]=5 ; SECURITY_NT_AUTHORITY

  dll=OpenLibrary(#PB_Any,"advapi32.dll")
  If dll
    CheckTokenMembership = GetFunction(dll,"CheckTokenMembership")
    If CheckTokenMembership
      AllocateAndInitializeSid = GetFunction(dll, "AllocateAndInitializeSid")
      If AllocateAndInitializeSid
        FreeSid = GetFunction(dll, "FreeSid")
        If FreeSid

          ; BUILTIN\Administrators
          AllocateAndInitializeSid(@NtAuthority,
                                   2,
                                   #SECURITY_BUILTIN_DOMAIN_RID,
                                   #DOMAIN_ALIAS_RID_ADMINS,
                                   0, 0, 0, 0, 0, 0,
                                   @pSidAdministrator)

          ; NT AUTHORITY\SYSTEM
          AllocateAndInitializeSid(@NtAuthority,
                                   1,
                                   #SECURITY_LOCAL_SYSTEM_RID,
                                   0, 0, 0, 0, 0, 0, 0,
                                   @pSidSystem)

          ; Service SID of TrustedInstaller
          #SECURITY_SERVICE_ID_RID_COUNT = 6
          #SECURITY_SERVICE_ID_BASE_RID = $50
          #SECURITY_TRUSTED_INSTALLER_RID1 = 956008885
          #SECURITY_TRUSTED_INSTALLER_RID2 = 3418522649
          #SECURITY_TRUSTED_INSTALLER_RID3 = 1831038044
          #SECURITY_TRUSTED_INSTALLER_RID4 = 1853292631
          #SECURITY_TRUSTED_INSTALLER_RID5 = 2271478464

          AllocateAndInitializeSid(@NtAuthority,
                                   #SECURITY_SERVICE_ID_RID_COUNT,
                                   #SECURITY_SERVICE_ID_BASE_RID,
                                   #SECURITY_TRUSTED_INSTALLER_RID1,
                                   #SECURITY_TRUSTED_INSTALLER_RID2,
                                   #SECURITY_TRUSTED_INSTALLER_RID3,
                                   #SECURITY_TRUSTED_INSTALLER_RID4,
                                   #SECURITY_TRUSTED_INSTALLER_RID5,
                                   0, 0,
                                   @pSidTrustedInstaller)

          ; #Null = check the token of the calling thread/process; later matches override earlier ones
          CheckTokenMembership(#Null, pSidAdministrator, @bIsToken)
          If bIsToken : bIsAdmin = 1 : EndIf

          bIsToken = 0
          CheckTokenMembership(#Null, pSidSystem, @bIsToken)
          If bIsToken : bIsAdmin = 2 : EndIf

          bIsToken = 0
          CheckTokenMembership(#Null, pSidTrustedInstaller, @bIsToken)
          If bIsToken : bIsAdmin = 3 : EndIf

          ; Release the SIDs allocated above
          FreeSid(pSidAdministrator)
          FreeSid(pSidSystem)
          FreeSid(pSidTrustedInstaller)
        EndIf
      EndIf
    EndIf
    CloseLibrary(dll)
  EndIf

  ProcedureReturn bIsAdmin
EndProcedure

CompilerIf #PB_Compiler_IsMainFile
  Debug GetAdminLevel()
CompilerEndIf
Re: runas...
Yes, it works fine with PB 5.73 with the prototypes and the GetFunction addition.
Advapi32.lib has been updated in PB 6.0 and the import is enough.