PCbanter


slate_leeper[_2_] February 1st 19 03:04 PM

Paul:
 
Are you familiar with this one?

https://winaero.com/comment.php?comment.news.1843


-dan z-


--
Someone who thinks logically provides
a nice contrast to the real world.
(Anonymous)

Paul[_32_] February 1st 19 04:19 PM

Paul:
 
slate_leeper wrote:
Are you familiar with this one?

https://winaero.com/comment.php?comment.news.1843


-dan z-


Not that particular one.

How they work is that a particular service has to be running.
A "token" is transferred from the service before you
can "do stuff" as TrustedInstaller.

So this is not the usual impersonation mechanism, but
involves an additional step.

To go from Administrator to SYSTEM, I think that's
impersonation. Whereas Administrator to TrustedInstaller
also involves the transfer of the token from the service
that provides it. It's not really an account. There's
no TrustedInstaller Home directory. Neither is there
a TrustedInstaller password. If the service that
provides the token isn't set running first (which
is usually triggered by install activity such as
Setup.exe, some.msi, or maybe some Windows Update
activity), then you cannot copy the token and use it.

You can see in the messages what privileges it asserts to do this.

In this example, I'm acquiring a TrustedInstaller token
so I can delete something from Program Files. I'm working
in Command Prompt windows. I don't know whether launching
Regedit that way works properly or not.

https://s22.postimg.cc/ktpilht29/ele..._installer.gif

psexec -hsi cmd

(make sure Windows Module Installer service is running now...)

RunFromToken.exe trustedinstaller.exe 1 cmd

cd /d C:\Program Files\7-Zip
del 7z.exe

The "RunasSystem.exe" and "RunasSystem_x64.exe" programs, which came
out at the same time, are similar to the "psexec" from Sysinternals.com.

As for the RunFromToken concept, I don't think Sysinternals has an equivalent.

Paul



