Thread: Paul:
Old February 1st 19, 04:19 PM posted to alt.comp.os.windows-10
Paul[_32_]

slate_leeper wrote:
Are you familiar with this one?

https://winaero.com/comment.php?comment.news.1843


-dan z-


Not that particular one.

How they work is that a particular service has to be running.
A "token" is transferred from the service before you
can "do stuff" as TrustedInstaller.

So this is not the usual impersonation mechanism, but
involves an additional step.

To go from Administrator to SYSTEM, I think that's
impersonation. Whereas Administrator to TrustedInstaller
also involves the transfer of the token from the service
that provides it. It's not really an account. There's
no TrustedInstaller Home directory. Neither is there
a TrustedInstaller password. If the service that
provides the token isn't set running first (which
is usually triggered by install activity such as
Setup.exe, some.msi, or maybe some Windows Update
activity), then you cannot copy the token and use it.

You can see in the messages what privileges it asserts to do this.

In this example, I'm acquiring the TrustedInstaller token
so I can delete something from Program Files. I'm working
in Command Prompt windows. I don't know if launching
Regedit that way works properly or not.

https://s22.postimg.cc/ktpilht29/ele..._installer.gif

psexec -hsi cmd

(make sure Windows Module Installer service is running now...)

RunFromToken.exe trustedinstaller.exe 1 cmd

cd /d C:\Program Files\7-Zip
del 7z.exe

The "RunasSystem.exe" and "RunasSystem_x64.exe" programs, which came
out at the same time, are similar to the "psexec" from Sysinternals.com.

The RunFromToken concept, I don't think Sysinternals has an equivalent.

Paul
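The steps Paul describes (start the Windows Modules Installer service, copy its token, launch a process with it) can be done without the RunFromToken tool using the Win32 token API. The script below is an added example, not code from the post or from the RunFromToken/RunasSystem authors. It assumes, like Paul's sequence, that you are already in a SYSTEM shell in the interactive session (for instance `psexec -s -i powershell.exe`): SYSTEM holds SeTcbPrivilege, which is needed to move the copied token out of session 0 so the new window is visible, and SeImpersonatePrivilege, which CreateProcessWithTokenW requires. The service name `TrustedInstaller` and the constant values are the documented Win32 ones; the function and type names (`TI.Native`, `Start-TrustedInstallerProcess`) are this example's own.

```powershell
# Added example: run a process with the TrustedInstaller service's token.
# Assumes an elevated SYSTEM shell in the interactive session (psexec -s -i).
$ErrorActionPreference = 'Stop'

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
namespace TI {
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
  public struct STARTUPINFO {
    public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2;
    public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
  }
  [StructLayout(LayoutKind.Sequential)]
  public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
  public static class Native {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool DuplicateTokenEx(IntPtr hToken, uint access, IntPtr attrs,
        int impersonationLevel, int tokenType, out IntPtr hNewToken);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool SetTokenInformation(IntPtr hToken, int infoClass, ref uint info, uint infoLength);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcessWithTokenW(IntPtr hToken, uint logonFlags, string app,
        string cmdLine, uint creationFlags, IntPtr env, string cwd,
        ref STARTUPINFO si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr h);
  }
}
'@

function Fail-Win32([string]$What) {
    throw "$What failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
}

function Start-TrustedInstallerProcess {
    param([string]$CommandLine = 'cmd.exe')

    # 1. The token only exists while the Windows Modules Installer is running.
    #    Start-Service returns once the service reports Running.
    Start-Service -Name TrustedInstaller
    $tiPid = (Get-Process -Name TrustedInstaller | Select-Object -First 1).Id

    # 2. Open the service process and its primary token.
    #    0x1000 = PROCESS_QUERY_LIMITED_INFORMATION; 0x000A = TOKEN_DUPLICATE | TOKEN_QUERY
    $hProc = [TI.Native]::OpenProcess(0x1000, $false, [uint32]$tiPid)
    if ($hProc -eq [IntPtr]::Zero) { Fail-Win32 'OpenProcess' }
    $hTok = [IntPtr]::Zero
    if (-not [TI.Native]::OpenProcessToken($hProc, 0x000A, [ref]$hTok)) { Fail-Win32 'OpenProcessToken' }

    # 3. Copy it as a primary token we are allowed to assign to a new process.
    #    0xF01FF = TOKEN_ALL_ACCESS; 2 = SecurityImpersonation; 1 = TokenPrimary
    $hDup = [IntPtr]::Zero
    if (-not [TI.Native]::DuplicateTokenEx($hTok, 0xF01FF, [IntPtr]::Zero, 2, 1, [ref]$hDup)) {
        Fail-Win32 'DuplicateTokenEx'
    }

    # 4. The service's token belongs to session 0. Retarget the copy at our own
    #    session so the new console appears on this desktop (needs SeTcbPrivilege).
    #    12 = TokenSessionId
    [uint32]$session = (Get-Process -Id $PID).SessionId
    if (-not [TI.Native]::SetTokenInformation($hDup, 12, [ref]$session, 4)) { Fail-Win32 'SetTokenInformation' }

    # 5. Launch the command line under the copied token (needs SeImpersonatePrivilege).
    #    0x10 = CREATE_NEW_CONSOLE
    $si = New-Object TI.STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $pi = New-Object TI.PROCESS_INFORMATION
    if (-not [TI.Native]::CreateProcessWithTokenW($hDup, 0, $null, $CommandLine, 0x10,
            [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
        Fail-Win32 'CreateProcessWithTokenW'
    }

    foreach ($h in @($hProc, $hTok, $hDup, $pi.hProcess, $pi.hThread)) { [void][TI.Native]::CloseHandle($h) }
    return $pi.dwProcessId
}

# Usage: from the SYSTEM shell, open a TrustedInstaller cmd window.
Start-TrustedInstallerProcess -CommandLine 'cmd.exe'
```

In the new window, `whoami /groups | findstr TrustedInstaller` should list the NT SERVICE\TrustedInstaller group, and the `cd /d "C:\Program Files\7-Zip"` / `del 7z.exe` steps from the post then work against files owned by TrustedInstaller. If OpenProcess fails, the service has usually already stopped itself again after idling; rerun so step 1 restarts it immediately before the handle is opened.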

