pink0 Posted April 24, 2015
Sorry to resume this old thread, but I believe those RunAsSystem, RunFromToken and Devxexec are the only commands that can help me. I am trying to build a Windows 7 with the highest performance possible when logged in with a specific user. The goal is to run psychological experiments. My idea was to create a simple batch that stops, e.g., the antivirus program; specifically it is a System Center Endpoint which is hardened by Microsoft, and I found out that only the "TrustedInstaller" is able to stop it. In fact, if I run the above commands as written in this thread I am able to stop the MsMpSVC service. So I was wondering if they can work if run from inside Task Scheduler, as SYSTEM I suppose. Thanks
pink0 Posted April 24, 2015
WTF! It worked right after I posted the message... sorry
simonetaddei Posted November 10, 2015
Good evening, I'm new to this forum. I have to add a registry key at the [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\] path in regedit. The problem is that it lets me do it only if I open regedit as TrustedInstaller. I was able to open it as TrustedInstaller using an executable found on the net, "RunAsTI64". This way, however, I have to do it manually; what I wanted to do was to create an executable or .bat file that adds the key. Can someone help me? Thank you, Simone
jaclaz Posted November 10, 2015
Yes, "RunAsTI64" is the "evolution" of the programs talked about here; joakim (Joakim Schicht) released it on GitHub: https://github.com/jschicht/RunAsTI

> RunAsTI or RunAsTrustedInstaller
> Is a tool to launch a program of choice (usually cmd.exe) with the same privileges as the TrustedInstaller. That privilege is very powerful! Actually the tool makes a clone of the token from TrustedInstaller, and thus the newly created process has an identical token.
> Why would you need it? Sometimes it is just not enough to just be running as "nt authority\system". Maybe it's a file or a registry key that is locked. Running a tool with this powerful privilege will most likely solve that. Usually such an issue may be due to Windows Resource Protection (WRP) protecting it (previously called Windows File Protection (WFP)); http://msdn.microsoft.com/en-us/library/windows/desktop/aa382503(v=vs.85).aspx
> How do you run it? Simply double click it and cmd.exe will launch. Or pass it the program to launch as parameter.
> The tool is actually a merge of 2 previous tools; RunAsSystem and RunFromToken. The curious ones might notice that RunFromToken is attached as a resource.
> The tool only runs on nt6.x (Vista and later), since TrustedInstaller does not exist on earlier Windows versions.
> Requirement: Administrator.

So what is the question? Which program to use as parameter?
A batch with REG.EXE command(s) should do nicely, maybe even directly a REG.EXE ADD command.
https://technet.microsoft.com/en-us/library/cc732643.aspx
https://technet.microsoft.com/en-us/library/cc742162.aspx#BKMK_examples
jaclaz
simonetaddei Posted November 11, 2015 (edited)
Hi, I run runasti64 by passing it the program to launch as parameter. I created this batch file and tried to use the reg add command, but it doesn't work. This is the batch file I use to call runasti64:

    runasti64.exe reg import C:\Users\d.reg

and this is the d.reg file that I need to add:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
    "mykey"="H:\\program.exe"


Where am I wrong? I hope I explained myself better, thanks, Simone.
Edited November 11, 2015 by simonetaddei
dencorso Posted November 12, 2015
Make sure the d.reg has at least two blank lines at the end.
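A small checker for the .reg file format being discussed, added here as an example; it is not from the thread and not part of RunAsTI. The two sample files are constructed, and the only assumption is the .reg escaping rule for quoted string values (a backslash is written as two backslashes, a quote as backslash-quote). It parses a file into keys and values and reports the two problems raised in the posts above: a file that does not end with a blank line, and a path whose backslashes were escaped twice (as in the forum rendering of d.reg), which imports cleanly but stores a value with doubled backslashes.

```python
import re

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")

# [HKEY_...\Path]  or  [-HKEY_...\Path] (the latter deletes the key)
KEY_RE = re.compile(r'^\[(-?)([^\]]+)\]\s*$')
# "name"=<rest>  or  @=<rest> (the key's default value)
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
# a complete quoted REG_SZ body; dword:/hex: payloads and "-" deletions do not match
QUOTED_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*$')
ESC_RE = re.compile(r'\\(.)')

# Constructed sample: the thread's d.reg written with correct escaping and a blank last line.
SAMPLE_OK = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"mykey\"=\"H:\\\\program.exe\"\r\n"
    "\r\n"
    "\r\n"
)

# Constructed sample with both defects: four backslashes in the path and no trailing blank line.
SAMPLE_BAD = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    "\"mykey\"=\"H:\\\\\\\\program.exe\"\r\n"
)


def unescape(s):
    """Undo .reg string escaping (backslash-backslash and backslash-quote)."""
    return ESC_RE.sub(lambda m: m.group(1), s)


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: value}} plus a list of warnings.

    REG_SZ values are unescaped; other payloads (dword:, hex:, "-") are kept as written.
    """
    lines = text.splitlines()
    warnings = []
    if not lines or lines[0].strip() not in HEADERS:
        warnings.append("line 1: missing or unknown header line")
    if not (text.endswith("\r\n\r\n") or text.endswith("\n\n")):
        warnings.append("file does not end with a blank line (reg import may ignore the last value)")
    keys, current = {}, None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(";") or line in HEADERS:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2).rstrip("\\")   # normalise a trailing backslash
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            warnings.append(f"line {n}: unrecognised line: {line}")
            continue
        name = "@" if m.group(1) == "@" else unescape(m.group(2))
        rhs = m.group(3).strip()
        q = QUOTED_RE.match(rhs)
        if q is None:
            keys[current][name] = rhs           # non-string payload, kept raw
            continue
        body = q.group(1)
        # Every backslash in a quoted value must be part of \\ or \"; a lone one
        # silently swallows the character after it.
        for esc in ESC_RE.finditer(body):
            if esc.group(1) not in ('\\', '"'):
                warnings.append(f"line {n}: value '{name}' has an unescaped backslash before '{esc.group(1)}'")
                break
        value = unescape(body)
        if "\\\\" in value:
            warnings.append(f"line {n}: value '{name}' still contains a doubled backslash after "
                            "unescaping; the path was probably escaped twice")
        keys[current][name] = value
    return keys, warnings


if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        parsed, warns = parse_reg(sample)
        print(label, parsed, warns or "no warnings")
```

Run it as a script to see the findings for both samples; in a build batch it would run before `reg import` so a defective file is rejected before it reaches a process that holds the TrustedInstaller token.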
simonetaddei Posted November 13, 2015 (edited)
Yes, the file has the two blank lines at the end, but it's not working. It gives me this message: [screenshot] But if I open runasti64 by double clicking on the icon, and then from the command prompt that opens write "d.reg", the prompt adds the key correctly. I don't understand what I'm doing wrong... can someone help me? Thanks, Simone
Edited November 13, 2015 by simonetaddei
jaclaz Posted November 13, 2015
Try it this other way, running a batch instead:

    runasti64.exe mynicecmd.cmd

Contents of mynicecmd.cmd:

    :: This file runs reg.exe to import a .reg file
    @ECHO OFF
    ECHO This is a batch file
    ECHO Next command will be reg.exe import C:\users\d.reg
    PAUSE
    reg.exe import C:\Users\d.reg
    PAUSE

It is possible that RunAsTI does not pass all parameters correctly (or only accepts a single parameter, i.e. the name of the executable); the error you are experiencing is most probably the one in the third screenshot (syntax of reg.exe), which is the same you get if running reg.exe with no parameters.
jaclaz
simonetaddei Posted November 16, 2015
Hi, I tried this way but it doesn't work; now it gives me this error message: [screenshot] Thanks for your help, Simone
jaclaz Posted November 16, 2015
> Hi, I tried this way but it doesn't work; now it gives me this error message: 3.png
> Thanks for your help, Simone

No, it's difficult to follow you this way.
You should try running the batch I posted and post the whole thing, including the command line you issued. What you posted seems like an error because the system cannot find the file mynicecmd.cmd; it is possible that you need to specify a full path to it, *like*:

    runasti64.exe C:\users\mynicecmd.cmd

@dencorso Maybe you could split the topic to a new thread, so that we can go through assisting simonetaddei without taking the original TrustedInstaller topic too OT.
jaclaz
simonetaddei Posted November 16, 2015
Thanks, it works!! I still made a split of the topic here http://www.msfn.org/board/topic/174785-how-to-use-runasti64exe-without-asking-confirm-at-user-split-from-httpwwwmsfnorgboardtopic155910-taking-back-the-registry-from-trustedinstallerpage-3/ because I had another question. Thank you so much for helping me. Simone
os2fan2 Posted December 4, 2015
I ran runasti on my vi.6.1 32-bit system, and got it to run cmd.exe. From this cmd.exe session, I launched programs, like fcw.exe (File Commander/W, a port of an OS/2 program), and changed to the gwx directory (\windows\system32\gwx). I renamed all the .EXE and .?AT files to .EX_ and .?A_. So I imagine the trick is to fire up cmd.exe and run the various batch files in order from that prompt. I do the same thing with my setup, where batches 0xxxx are run first, then 1xxxx etc. If you make a change to something like 1xxxx, then the various later ones have to be run. Jolly good show, and another happy camper here!
os2fan2 Posted December 5, 2015
It's even more interesting. I started "runasti cmd.exe" and this gives me a command prompt. I then use fcw to find the GWX files as above. I then run autoruns.exe (Sysinternals), and kill all of the GWX proggies out of there. It says it can't find the EXEs. From GWX Control Panel, the program can't even find the EXEs. The system boots nicely, and it is no longer a case of "you are allowed to run your system between updates".
dencorso Posted December 5, 2015
From a command prompt impersonating the TrustedInstaller one can also freely edit the registry with Regedit...
os2fan2 Posted December 5, 2015
Oh yes, you can indeed fire up your favourite reg editor, and like all god-mode things, you can poke your nose into areas normally denied, such as SAM and SECURITY. The more I explore GWX, the more it looks like these browser-extension viruses, like bonzo search engines. Autoruns will happily launch the tasks programs, so it seems that it's a pretty awesome version of 'power-prompt'. I should imagine that it is the right place to run batches in. CDF (which is my generic W2K batch written around Frank Westlake's 'conset') works. This batch runs under cmd.exe, and changes drive and directory to any named directory in the shell directories, and you can create in the registry your own 'shell-folder' set, so e.g. "cdf batch" changes to the batch folder. It also can open the registry at the appropriate page so you can have a peek. So I should imagine it's not hard to make a registry entry for 'tweaks', and cdf tweaks, and run your batch files from there. Use regmagik or regjump to handle the reg:hklm thing. Both of them support it.

    @echo off
    :: cd shell folder.
    :: Usage: cdf <folder name>      change drive and directory to the named shell folder
    ::        cdf /o <folder name>   open the named shell folder instead of changing to it
    ::        cdf /m | /u | /w | /i  open the HKLM / HKCU / Wendy\Folders / IFEO key in the registry
    :: Needs two external tools: conset (Frank Westlake) reads a registry value into an
    :: environment variable, and shelexec opens a path or a reg: URL (regmagik/regjump).
    set zdir=
    set zshf=Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    if /i "%1"=="/m" goto :hklm
    if /i "%1"=="/u" goto :hkcu
    if /i "%1"=="/w" goto :hkwe
    if /i "%1"=="/i" goto :image
    set zcmd=chdir
    set zhere=%*
    :: "/o name": open instead of chdir, and strip the leading "/o " from the arguments.
    if "%1"=="/o" set zcmd=open
    if "%1"=="/o" set zhere=%zhere:~3%
    :: Look the name up in HKLM, then HKCU, then a private folder set.
    conset /q /k zdir=HKLM\%zshf%\%zhere%
    if not "%zdir%"=="" goto :doit
    conset /q /k zdir=HKCU\%zshf%\%zhere%
    if not "%zdir%"=="" goto :doit
    conset /q /k zdir=HKLM\Software\Wendy\Folders\%zhere%
    if not "%zdir%"=="" goto :doit
    goto :end
    :hklm
    shelexec reg:hklm\%zshf%
    goto :end
    :hkcu
    shelexec reg:hkcu\%zshf%
    goto :end
    :hkwe
    shelexec reg:hklm\software\wendy\folders
    goto :end
    :image
    set zdir=Microsoft\Windows NT\CurrentVersion\Image File Execution Options
    shelexec reg:hklm\software\%zdir%
    goto :end
    :doit
    if "%zcmd%"=="chdir" cd /d %zdir%
    if "%zcmd%"=="open" shelexec %zdir%
    :end
    set zdir=
    set zcmd=
    set zhere=