15

Using only the Command Prompt and/or PowerShell, but without external programs or commands, how can you run an application as TrustedInstaller or SYSTEM?

Giacomo1968
  • 58,727
Anonymous
  • 543

4 Answers

7

BTW, here's a .ps1 script made out of @hasto's commands:

$ConfirmPreference = "None"   # suppress confirmation prompts for the steps below

# Relaunch this script elevated if it is not already running as Administrator
$isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Start-Process powershell -ArgumentList "-NoProfile -File `"$PSCommandPath`"" -Verb RunAs
    exit
}

# Note: without -Scope this changes the persistent LocalMachine execution policy
Set-ExecutionPolicy -ExecutionPolicy Bypass
Install-Module -Name NtObjectManager   # only needed once per machine

# Make sure TrustedInstaller.exe is running, then spawn cmd.exe with it as the
# parent process; the child inherits the parent's (SYSTEM/TrustedInstaller) token
Start-Service -Name TrustedInstaller
$parent = Get-NtProcess -ServiceName TrustedInstaller
$proc = New-Win32Process cmd.exe -CreationFlags NewConsole -ParentProcess $parent

$ConfirmPreference = "High"   # restore the default

Giacomo1968
  • 58,727
4

AFAIK, there is no simple way to log in as SYSTEM or as TrustedInstaller without using third-party tools such as Microsoft's own (well, actually Russinovich's Sysinternals') PsExec, Nirsoft's NirCmd or Sordum's PowerRun.

It is easy, however, to make these tools appear native to the Windows GUI, i.e., as a context menu item for executables, with a Registry tweak that adds the particular tool to the right-click menu.

[Even with those privileges, at times it may be impossible to perform simple tasks, such as using Regedit to modify a key owned by TrustedInstaller, without taking ownership.]

4

From https://www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html, here are the steps I tried on my machine:

  1. Open PowerShell (as administrator)
  2. PS> Install-Module -Name NtObjectManager
  3. PS> Start-Service -Name TrustedInstaller
  4. PS> $parent = Get-NtProcess -ServiceName TrustedInstaller
  5. PS> $proc = New-Win32Process cmd.exe -CreationFlags NewConsole -ParentProcess $parent

Notes:
Install-Module only needs to be run once to import the module. https://www.powershellgallery.com/packages/NtObjectManager/

After step 5 a new command prompt will open; there we can check by running whoami, which will show nt authority\system

hasto
  • 41
  • 2
2

Given that the existing answers all use external tools, I'd like to point out the technique described here: The Art of Becoming TrustedInstaller - Task Scheduler Edition

In an elevated PowerShell:

# Register a task with a harmless action; its principal defaults to the current user
$a = New-ScheduledTaskAction -Execute notepad.exe
Register-ScheduledTask -TaskName 'TestTask' -Action $a

# Use the Task Scheduler COM API to start the registered task
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()

$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')          # root task folder
$task = $folder.GetTask('TestTask')
# RunEx(params, flags, sessionId, user): the user argument selects the account the task runs under
$task.RunEx($null, 0, 0, $user)

This lets the process run as Trusted Installer but sadly not interactive.

T S
  • 253
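As an added example (not code from any of the answers above or from the linked blog posts), here is a defender-side script that shows how to verify and spot the parent-process technique used in the NtObjectManager answers. It assumes an elevated PowerShell 5.1 or later and only built-in cmdlets; the SID string is the well-known service SID of NT SERVICE\TrustedInstaller. The first function replaces the whoami check by inspecting the current process token for the TrustedInstaller group, and the second lists live processes whose parent is TrustedInstaller.exe, which normally has no children outside of Windows servicing.

```powershell
# Added example; assumes an elevated PowerShell and built-in cmdlets only.
# Well-known service SID for NT SERVICE\TrustedInstaller.
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Test-TrustedInstallerToken {
    # Inspect the token of the current PowerShell process instead of running whoami.
    # A child spawned with TrustedInstaller.exe as its parent inherits that token,
    # so from inside such a child this reports SYSTEM plus the TrustedInstaller group.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $hasTi = $false
    foreach ($g in $id.Groups) {
        if ($g.Value -eq $TrustedInstallerSid) { $hasTi = $true }
    }
    [pscustomobject]@{
        User                = $id.Name
        IsSystem            = ($id.User.Value -eq 'S-1-5-18')
        HasTrustedInstaller = $hasTi
    }
}

function Get-TrustedInstallerChildren {
    # Enumerate processes once, index them by PID, then pick the ones whose
    # parent record is TrustedInstaller.exe. A cmd.exe or powershell.exe here is
    # the footprint of the New-Win32Process -ParentProcess approach.
    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[uint32]$p.ProcessId] = $p }
    foreach ($p in $all) {
        $parent = $byPid[[uint32]$p.ParentProcessId]
        if ($null -ne $parent -and $parent.Name -ieq 'TrustedInstaller.exe') {
            $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                Owner       = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
                CommandLine = $p.CommandLine
                ParentId    = $p.ParentProcessId
            }
        }
    }
}

Test-TrustedInstallerToken | Format-List
Get-TrustedInstallerChildren | Format-Table -AutoSize
```

Two caveats: the parent lookup only matches while TrustedInstaller.exe is still running (once the service stops, the child's ParentProcessId points at a PID that no longer exists or has been reused), and a task started through the Task Scheduler answer is parented by the scheduler's service host rather than TrustedInstaller.exe, so it will not appear in the second list.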