tommyp Posted September 30, 2012
The runassystem utility looks like it will save tons of time with a little win7 slipstream/reduction program I've been working on. I can't seem to get it to work right. My CMD prompt is always administrator and I'm in a CMD box in the working directory of the utility. I've run an example command on v1.0.0.2:
runassystem_x64 regedit
The resulting output is:
Running in session: 1
Host PID: 872
CreateProcessAsUserW / CreateProcessWithTokenW: A required privilege is not held by the client.
Am I supposed to be doing something different? FWIW, I'm running win7/x64.
jaclaz Posted September 30, 2012
> Am I supposed to be doing something different? FWIW, I'm running win7/x64.
Check the release topic on reboot.pro:
http://reboot.pro/17501/
Another user has the same or similar problem and Joakim is working on it, there is already a new version posted, but no feedback yet from the OP.
jaclaz
joakim Posted October 1, 2012
Yes feedback would be nice in order to solve it.. Did the test version work better for instance?
tommyp Posted October 1, 2012
The test runassystemtoken version isn't the same as the runassystem. I can say that I did try the token program out, and quite honestly, I'm not too sure how to use that one for my specific need. In order to test out your program, I'd be more than happy to try out any commands you like, and I can plop the output here.
joakim Posted October 1, 2012
There is only a test version of RunFromToken because that one requires certain privileges enabled on its process. That's why I was hoping for some feedback on how the test version behaved in regards to that. As already explained at reboot.pro there is a chance that the right/privilege is not added to your account, which will prevent you from enabling it if it does not exist in the first place. That too, I already have a version for, but I'm awaiting some feedback.
jaclaz Posted October 2, 2012
If I may, it seems to me like we are in a CATCH22 situation.
joakim needs some feedback to hopefully fix the issue but does not provide an EXACT set of instructions/list of tests needed.
tommyp needs the utility working and is willing to do tests but doesn't know which EXACT tests to carry out and HOW EXACTLY to report them.
Additionally it seems to me like there is a lot of mixing between two tools, the RunFromToken one and the RunasSystem, additionally made complex by the existence of a 32 and of a 64 bit version.
Maybe if a list of what tests are useful and how to exactly perform them with the various programs and on the different platforms was given, some progress could be made....
jaclaz
joakim Posted October 3, 2012
In short, and as the name could imply, RunasSystem will let you open any program in your session as local system. That is nice and very easy.
However, sometimes you may want to mimic a certain token by creating a new process with a duplicated token, with more power than what winlogon.exe would give you, for instance the trustedinstaller. But for creating a true duplicate (something devxexec actually doesn't) of the trustedinstaller's token, we must be local system in the first place, hence the requirement for the strange procedure that not everybody understood. It is thus for that reason that RunasSystem must launch RunFromToken, in order to access and create a primary token (duplicate) of for instance the trustedinstaller. This requirement may not be necessary when creating duplicates of other less picky process tokens.
In addition to the above requirement, I noticed that you may need certain privileges on the process in order to use the functions like CreateProcessAsUserW and CreateProcessWithTokenW. That is for both the tools, as both of them use those functions. OK, I'll upload a new version of both tools later today, that will also add to your account the necessary right if missing (so that it can also be enabled when necessary on the fly).
joakim Posted October 3, 2012
Now both tools have been updated to fix the issues described. Please report back any issues with it.
Available: http://reboot.pro/files/file/237-runassystem-and-runfromtoken/
tommyp Posted October 4, 2012
Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?
joakim Posted October 4, 2012
> Oh so close... I've tested out the latest and tried deleting a few things from the mounted install.wim's registry. Is there a way I can get trustedinstaller rights?
Of course! If you succeed in creating a process with a duplicated token of the trustedinstaller, your process will hold a true duplicated token, and your system will not be able to distinguish it from the trustedinstaller.exe itself, at least when it comes to privileges.
If you did not succeed in creating such a duplicated token with the tool, the console output should give an indication of what the issue is. So please post it if that's the case, or else it's pointless.
Either way, bear in mind that certain registry keys have rare permissions set. For instance 1 weird account has access, but not the trustedinstaller. If that's the case, then not even the trustedinstaller will have access. However, a process with such a powerful token should have no problem adding the necessary permission to those keys, so try that.
tommyp Posted October 5, 2012
Hope this info helps...
First I opened a cmd prompt in the runassystem working directory. I typed in net start trustedinstaller and got this
The Windows Modules Installer service is starting.
The Windows Modules Installer service was started successfully.
In that same cmd window, I typed in runassystem64 cmd and got this:
Now setting privilege: SeDebugPrivilege
Now setting privilege: SeAssignPrimaryTokenPrivilege
Now setting privilege: SeIncreaseQuotaPrivilege
Running in session: 1
Host PID: 624
New process created successfully: 2336
A new cmd window pops up. Inside that new window I type in whoami and got this:
nt authority\system
Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set so when I'm reducing it (1000's of files and folders), the takeown and icacls seems to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.
BTW, thanks for helping me out!
dencorso Posted October 5, 2012
> A new cmd window pops up. Inside that new window I type in whoami and got this:
> nt authority\system
> Basically I was hoping to use this program to alter mounted wim images with a script I've generated. Mounted wim images seem to have trustedinstaller permissions set so when I'm reducing it (1000's of files and folders), the takeown and icacls seems to take so long. Running with trustedinstaller rights will vastly speed things up, but I just can't seem to get there.
Well, up to where you reported, everything happened as it was supposed to happen... But, at this point, you should still have to issue this command:
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"
in order to get TrustedInstaller rights. What happens when you do?
tommyp Posted October 5, 2012
Man, I feel like such a stupid a**. I've tried every combination of commands, and I'm still not getting trustedinstaller. I do not get errors, I still see the same (or similar) "now setting privilege" on the cmd window where I type in the runassystem and/or runfromtoken commands. Can someone help the stupid a** (me) and post step by step on what to do? I had forgotten to mention that I'm running admin rights on the machine and admin rights in the cmd box.
joakim Posted October 5, 2012
Let's try another approach then.. What makes you think it does not work for you? (elaborate)
tommyp Posted October 6, 2012
I see said the blind man. I thought I was going to see trustedinstaller when I typed whoami. But all is fine. I can readily delete items from the wim's mounted registry now. In fact, it shaved 20 minutes from my script execution time! This is a great utility! Thanks!
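
An added diagnostic example, not part of the thread or of the RunAsSystem/RunFromToken tools: it inspects the token of the window it runs in, reporting whether the three privileges from the console output above are present, and whether the TrustedInstaller service SID is among the token's groups, which is where that identity shows up while whoami keeps printing nt authority\system. The SID constant is the well-known value for NT SERVICE\TrustedInstaller and does not come from the thread.

```powershell
# Added diagnostic example (not code from the tools discussed in this thread).
# Run it inside the cmd/PowerShell window whose token you want to inspect.

# Privileges the tool's console output in this thread reports setting.
$wanted = 'SeDebugPrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeIncreaseQuotaPrivilege'

# Well-known service SID of NT SERVICE\TrustedInstaller (assumption: not from the thread).
$tiSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# /nh drops the localized header row so the columns can be named here.
$privs  = whoami /priv   /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
$groups = whoami /groups /fo csv /nh | ConvertFrom-Csv -Header Name, Type, SID, Attributes

# The user name alone does not tell a plain SYSTEM token from a duplicated
# TrustedInstaller token: the service itself runs as LocalSystem.
"User: $(whoami)"

foreach ($p in $wanted) {
    $row = $privs | Where-Object { $_.Name -eq $p }
    if ($row) {
        # Present in the token: it can be enabled on the fly even if disabled now.
        '{0,-32} present, state: {1}' -f $p, $row.State
    } else {
        # Absent from the token: it cannot be enabled until the right is
        # granted to the account.
        '{0,-32} NOT in token' -f $p
    }
}

# The TrustedInstaller identity is carried as a group SID in the token.
if ($groups | Where-Object { $_.SID -eq $tiSid }) {
    'TrustedInstaller SID is in the token groups'
} else {
    'TrustedInstaller SID is NOT in the token groups'
}
```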