Based on the previous answers, I've created a batch script which opens a cmd screen under TrustedInstaller.exe. But since TrustedInstaller.exe is running under SYSTEM, I'm not sure how the method gives me the permissions of TrustedInstaller. The script has been tested in Windows 7 and 8 x86. Instead of injecting "cmd", I inject a batch file which slightly modifies the output, because otherwise the command is returned twice. For example: C:>@echo test @echo test test The script uses ncat from nmap.org and Session0Injector. The script expects these dependencies to be located in a subfolder called "deps". runasti.cmd - Has to be run as administrator :: Inspired by http://www.msfn.org/board/topic/155910-taking-back-the-registry-from-trustedinstaller/page__st__20#entry993083 :: This is the 32bit version. For 64bits, change Session0Cmd to Session0Cmd_x64 :: Edit this script to execute a shell under any process, replace "trustedinstaller" in FIND with ... :: Run as ADMINISTRATOR :: Pick a random port between 10000 and 42767 and assume that it's free. @SET /A PORT=%random% + 10000 @SET Session0Cmd=%~dp0deps\Session0Cmd.exe @SET NETCAT=%~dp0deps\ncat.exe @SET EXECUTE=%~dp0init.cmd @echo off IF NOT EXIST "%Session0Cmd%" ( echo Session0Injector is required. echo Get it from http://reboot.pro/files/download/171-payload-execution-tools/ goto:eof ) IF NOT EXIST "%NETCAT%" ( echo Ncat is required. echo Get it from http://nmap.org/ncat/ goto:eof ) echo Starting TrustedInstaller if not started... SC query "trustedinstaller" | FIND /i "RUNNING" > NUL || NET start TrustedInstaller SETLOCAL EnableDelayedExpansion echo Getting PID for TrustedInstaller.exe... FOR /F "tokens=2,3" %%P in ('tasklist ^|FIND /i "trustedinstaller"') DO SET PID=%%P IF "%PID%"=="" ( echo Pid not found. Cannot continue. ) ELSE ( echo Starting server (logging messages at %%tmp%%\runasti.log "%Session0Cmd%" %PID% "%NETCAT% -l -p %PORT% -e %EXECUTE%" >> "%tmp%\runasti.log" echo Connecting server... "%NETCAT%" localhost %PORT% ) ENDLOCAL init.cmd - This script will be injected in the process, and spawn a new cmd. :: Set token file. When this file is deleted, all childs should terminate @set token=%tmp%\ti_shell_%random% @type nul > "%token%" :keepalive @cmd /c ""%~dp0subshell.cmd" token "%token%"" 2>&1 :: The subshell will die for syntax errors. Keep reviving, unless the token file has been deleted. @if exist "%token%" @goto:keepalive subshell.cmd - This one processes commands. When a syntax error occurs (e.g. using a pipe as a command), the batch script terminates. That's why I choose to run a main batch process, which start child processes. This behaviour is controlled by a temporary file in %tmp%: When this file is deleted, the main process assumes that the user issued "exit". @echo off :: This script should never run without parent @if not "%~1"=="token" goto:eof @setlocal EnableDelayedExpansion @for /f "tokens=*" %%u in ('whoami') do echo Running as %%u @set Path=%path%;%~fd0 :repeat @if not exist "%~f2" goto:eof :: Get user input @set command= @set /p command=*%cd%^> :: When command is "exit", delete token file and exit @if /i "!command:~0,4!"=="exit" del "%~f2" && goto:eof :: Execute command, and repeat @for /f "tokens=*" %%C in ('echo %command%') do @%%C @goto:repeat runasti.cmd init.cmd subshell.cmd
