A Windows XP help forum. PCbanter


Attn: Paul



 
 
#1 August 25th 18, 08:35 PM, posted to alt.comp.os.windows-10
slate_leeper

Are you familiar with this program?

https://www.sordum.org/9416/powerrun...st-privileges/


-dan z-


--
Someone who thinks logically provides
a nice contrast to the real world.
(Anonymous)
#2 August 25th 18, 09:03 PM, posted to alt.comp.os.windows-10
Paul[_32_]

slate_leeper wrote:
> Are you familiar with this program?
>
> https://www.sordum.org/9416/powerrun...st-privileges/
>
> -dan z-


I use psexec/psexec64 for SYSTEM account.

https://docs.microsoft.com/en-us/sys...wnloads/psexec

psexec -hsi cmd === 32 bit OS, opens SYSTEM cmd.exe window
psexec64 -hsi cmd === 64 bit OS, opens SYSTEM cmd.exe window

https://s9.postimg.cc/vwioz43f3/WIN10_delete_ENUM.gif

Then in the new command window, this is an example of a command
that causes the OS to rediscover all hardware.

reg delete HKLM\SYSTEM\CurrentControlSet\Enum /f

You've seen this one before.

RunFromToken.exe trustedinstaller.exe 1 cmd

(Worked example of RunFromToken, deleting a file from Program Files)



http://al.howardknight.net/msgid.cgi...nt-email.me%3E

*******

Highest privileges is a relative thing.

Everything in Windows now is the "IT two-step",
requiring more than one operation to get what
you want.

Paul
#3 August 26th 18, 04:59 PM, posted to alt.comp.os.windows-10
slate_leeper

On Sat, 25 Aug 2018 16:03:04 -0400, Paul wrote:

> slate_leeper wrote:
>> Are you familiar with this program?
>>
>> https://www.sordum.org/9416/powerrun...st-privileges/
>>
>> -dan z-
>
> I use psexec/psexec64 for SYSTEM account.
>
> https://docs.microsoft.com/en-us/sys...wnloads/psexec
>
> psexec -hsi cmd === 32 bit OS, opens SYSTEM cmd.exe window
> psexec64 -hsi cmd === 64 bit OS, opens SYSTEM cmd.exe window
>
> https://s9.postimg.cc/vwioz43f3/WIN10_delete_ENUM.gif
>
> Then in the new command window, this is an example of a command
> that causes the OS to rediscover all hardware.
>
> reg delete HKLM\SYSTEM\CurrentControlSet\Enum /f
>
> You've seen this one before.
>
> RunFromToken.exe trustedinstaller.exe 1 cmd
>
> (Worked example of RunFromToken, deleting a file from Program Files)
>
> http://al.howardknight.net/msgid.cgi...nt-email.me%3E
>
> *******
>
> Highest privileges is a relative thing.
>
> Everything in Windows now is the "IT two-step",
> requiring more than one operation to get what
> you want.
>
> Paul



This program is supposed to get you to TrustedInstaller level.
I couldn't get to it with the RunFromToken. ("Process ID not found.
Are you sure the process is running?")

I am just wondering if you knew if this program is legitimate.

-dan -z


--
Someone who thinks logically provides
a nice contrast to the real world.
(Anonymous)
#4 August 26th 18, 06:54 PM, posted to alt.comp.os.windows-10
Paul[_32_]

slate_leeper wrote:
> On Sat, 25 Aug 2018 16:03:04 -0400, Paul wrote:
>
>> slate_leeper wrote:
>>> Are you familiar with this program?
>>>
>>> https://www.sordum.org/9416/powerrun...st-privileges/
>>>
>>> -dan z-
>>
>> I use psexec/psexec64 for SYSTEM account.
>>
>> https://docs.microsoft.com/en-us/sys...wnloads/psexec
>>
>> psexec -hsi cmd === 32 bit OS, opens SYSTEM cmd.exe window
>> psexec64 -hsi cmd === 64 bit OS, opens SYSTEM cmd.exe window
>>
>> https://s9.postimg.cc/vwioz43f3/WIN10_delete_ENUM.gif
>>
>> Then in the new command window, this is an example of a command
>> that causes the OS to rediscover all hardware.
>>
>> reg delete HKLM\SYSTEM\CurrentControlSet\Enum /f
>>
>> You've seen this one before.
>>
>> RunFromToken.exe trustedinstaller.exe 1 cmd
>>
>> (Worked example of RunFromToken, deleting a file from Program Files)
>>
>> http://al.howardknight.net/msgid.cgi...nt-email.me%3E
>>
>> *******
>>
>> Highest privileges is a relative thing.
>>
>> Everything in Windows now is the "IT two-step",
>> requiring more than one operation to get what
>> you want.
>>
>> Paul
>
> This program is supposed to get you to TrustedInstaller level.
> I couldn't get to it with the RunFromToken. ("Process ID not found.
> Are you sure the process is running?")
>
> I am just wondering if you knew if this program is legitimate.
>
> -dan -z



To get RunFromToken to work, you have to manually start
the WMI service, before executing the RunFromToken command.
I suspect that's why it didn't work for you - missing step.

I think that step was in my instructions.

The people who write programs like this, their experience
level is high, and they can basically do anything they want
to your machine. You run their program as administrator,
and they copy the token from WMI so it can be used
elsewhere. That involves a pretty high level of trust.
And scanning the file with an AV, doesn't tell you all
that much. You can upload it to Virustotal.com and see what
the result is.

Paul
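
The legitimacy question in this thread can be partly checked before anything is run elevated. The following is an added example, not part of any poster's message: it collects the SHA-256 (usable for a hash lookup on VirusTotal), the Authenticode signature status and the recorded download origin of a file. The function name and the path in the usage comment are hypothetical.

```powershell
# Added example: gather trust signals for a downloaded tool before running it
# as administrator. Nothing here executes the file being inspected.
function Get-DownloadTrustReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # SHA-256 allows a lookup by hash and a comparison with any hash the
    # publisher lists, without uploading the file anywhere.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash

    # Authenticode: is the file signed, by whom, and does the signature verify?
    $sig    = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Mark-of-the-Web: the Zone.Identifier stream records where a browser
    # download came from. It can be absent (e.g. file unpacked from an archive).
    $motw   = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier `
                  -ErrorAction SilentlyContinue
    $source = ($motw | Where-Object { $_ -match '^(HostUrl|ReferrerUrl)=' }) -join '; '

    [pscustomobject]@{
        File            = $file.FullName
        SizeBytes       = $file.Length
        SHA256          = $hash
        SignatureStatus = $sig.Status   # Valid, NotSigned, HashMismatch, ...
        Signer          = $signer
        DownloadSource  = $source
        # An unsigned or broken-signature binary carries no publisher identity,
        # so a clean AV scan alone says little about who built it.
        NeedsCaution    = ($sig.Status -ne 'Valid')
    }
}

# Usage (placeholder path, constructed for illustration):
# Get-DownloadTrustReport -Path "$env:USERPROFILE\Downloads\tool.exe" | Format-List
```

A valid signature identifies the publisher but does not say what the program does once it holds a SYSTEM or TrustedInstaller token.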
 



