
runasTI

aveyo Oct 5th, 2019 (edited) 372 Never
  1. @echo off & title AveYo`s :runasTI snippet usage showcase (final)
  :: Showcase driver for the :runasTI subroutine defined at the end of this file.
  :: Run top to bottom, it requests UAC elevation, opens four PowerShell windows under
  :: TrustedInstaller / SYSTEM tokens, copies itself into the per-user SendTo folder and
  :: relaunches itself as TrustedInstaller. Every process it starts holds rights above a
  :: normal administrator, so treat it as a lab demo and read it before running it.
  2.  
  3. :: First handle command line parameters (for example via Send to) to run as TrustedInstaller AllPrivileges
  :: NOTE(review): in this branch whatever was handed over by Send to is passed unchanged to
  :: :runasTI mode 1, i.e. started with a TrustedInstaller token that has all privileges enabled.
  4. if /i "%~dp0" equ "%APPDATA%\Microsoft\Windows\SendTo\" call :runasTI 1 %* &exit/b
  5.  
  6. echo(
  7. echo  Fully portable, compact, plain-text runas TrustedInstaller or SYSTEM snippet v20191019
  8. echo ========================================================================================
  9. echo  - now includes workaround for ( ) characters in command line
  10. echo  - now also supports short common programs names such as cmd, regedit, powershell..
  11. echo  - now sets console buffer so that the scrollbars are visible!
  12. echo  - should work even on naked Windows 7 with powershell 2.0, both x64 and x86
  13. echo  - snippet is minified for size but still very readeable
  14. echo  - just copy-paste the 18 lines in your own batch scripts and call the snippet as needed!
  15. echo  - can also be used from the right-click - Send to menu (entry appears after 1st run)
  16. echo(
  17. timeout /t 5 >nul
  18.  
  19. :: If this script is already elevated to SYSTEM prevent loop and just print a message
  :: S-1-5-18 is the LocalSystem SID; whoami reporting it means this instance already runs under
  :: the SYSTEM / TrustedInstaller token created further down, so it only prints its identity and stops.
  20. whoami /user|findstr "S-1-5-18">nul && (
  21.   whoami /all
  22.   echo Script %~dnx0 has activated TrustedInstaller/SYSTEM [DefPrivileges] command line!
  23.   echo argument1: "%~1"
  24.   exit/b
  25. )
  26.  
  27. :: Elevate just once to ADMIN instead of uac nagging 6 times..
  :: The reg query against HKU\S-1-5-19 serves as the is-elevated test here; when it fails the
  :: script relaunches itself through the UAC consent prompt (-verb runas).
  28. reg query HKU\S-1-5-19 >nul 2>nul || powershell -nop -c "start cmd -ArgumentList '/c call \"%~f0\"' -verb runas" &&exit
  29.  
  30. :: Open four powershell windows for each supported mode
  :: Mode numbers as labelled by the messages below: 0 and 1 use the TrustedInstaller token,
  :: 2 and 3 the SYSTEM token; odd modes additionally enable every privilege on the token.
  31. call :runasTI 0 powershell -noexit -c "whoami /priv /groups;write-host -fore magenta :runasTI 0 = TrustedInstaller DefPrivileges"
  32. call :runasTI 1 powershell -noexit -c "whoami /priv /groups;write-host -fore magenta :runasTI 1 = TrustedInstaller AllPrivileges"
  33. call :runasTI 2 powershell -noexit -c "whoami /priv /groups;write-host -fore    cyan :runasTI 2 = System DefPrivileges"
  34. call :runasTI 3 powershell -noexit -c "whoami /priv /groups;write-host -fore    cyan :runasTI 3 = System AllPrivileges"
  35.  
  36. :: Open REGEDIT as TrustedInstaller DefPrivileges
  37. rem call :runasTI 0 regedit
  38.  
  39. :: This script could also be used from the right-click - Send to menu to launch any program as TI / System
  :: NOTE(review): the copy lands in a folder the current user can write to, and that copy is the
  :: file that later gets elevated. Any edit made to _runasTI.bat afterwards runs with TrustedInstaller
  :: rights as soon as the UAC prompt is accepted. Delete the copy after testing; on a machine under
  :: investigation, an unexpected _runasTI.bat in SendTo is an artifact worth recording.
  40. if /i "%~dp0" neq "%APPDATA%\Microsoft\Windows\SendTo\" copy /y "%~f0" "%APPDATA%\Microsoft\Windows\SendTo\_runasTI.bat"
  41.  
  42. :: Elevate itself to TrustedInstaller DefPrivileges once
  :: The sample argument carries parentheses and exclamation marks, presumably to exercise the
  :: quoting workaround announced in the banner; the relaunched instance echoes it as argument1.
  43. whoami /user|findstr "S-1-5-18">nul || call :runasTI 0 cmd /k call "%~f0" "C:\Program Files (x86)\test!!!" &&exit
  44.  
  45. echo HALT! How did I reach this line?!
  46. timeout -1
  47.  
  48. exit/b
  49.  
  :: ---------------------------------------------------------------------------------------------
  :: :runasTI mode command...  - start a command line under a TrustedInstaller or SYSTEM token.
  ::   mode 0 = TrustedInstaller, default privileges    mode 1 = TrustedInstaller, all privileges
  ::   mode 2 = SYSTEM, default privileges              mode 3 = SYSTEM, all privileges
  :: How it works, as far as the lines below show:
  ::   1. The first line stores a PowerShell argument string in a variable named ">>". That string
  ::      sets $mode and $cmd and then runs (iex) the text this file holds between its two ps_TI
  ::      marker tags, which it reads back from disk at run time.
  ::   2. The second line, when the caller is not already S-1-5-18, starts a second PowerShell with
  ::      -verb runas (UAC prompt) and -win 1, then returns to the caller.
  ::   3. The PowerShell part assembles a minified C# class (AveYo) from string fragments, compiles
  ::      it with Add-Type, starts the TrustedInstaller service for modes 0 and 1, and calls
  ::      RunAs(mode, cmd) after cutting the leading mode digit and space off $cmd.
  ::   4. RunAs opens the token of the lsass process (access mask 6). For modes below 2, if a
  ::      TrustedInstaller process exists, it impersonates the lsass token on the current thread and
  ::      opens the TrustedInstaller process token instead. The chosen token is duplicated as a
  ::      primary token (DuplicateTokenEx, access 268435456 = 0x10000000). For odd modes it calls
  ::      AdjustTokenPrivileges with attribute 2 (enabled) for LUID values 0 through 36. The command
  ::      is then started with CreateProcessWithTokenW; X=131, Y=9999, W=8 in the startup info set
  ::      the console buffer size that the banner mentions.
  :: NOTE(review): none of the Win32 return values are checked, so a failed token call is silent and
  ::   the process may start with a different token than the mode promises, or not start at all.
  :: NOTE(review): the command line is placed inside a single-quoted PowerShell string ($cmd=''...'').
  ::   An argument containing a single quote looks able to end that string early and change what the
  ::   elevated PowerShell executes - confirm, and do not feed untrusted file names or arguments to it.
  :: NOTE(review): the elevated side executes whatever this file contains at that moment, so the
  ::   script file itself needs the same protection as an administrative tool.
  :: Monitoring view: the visible chain is powershell -nop started with the runas verb, Add-Type
  ::   compiling P/Invoke declarations for advapi32 token functions, "net start TrustedInstaller",
  ::   token access to lsass, and a child process created with a duplicated token.
  :: Do not add the literal marker tag (with its colons) to any comment in this file: the loader
  ::   splits the file text on it, so an extra occurrence would change which part gets executed.
  :: ---------------------------------------------------------------------------------------------
  50. :runasTI [0-3] [cmd] AveYo`s Lean and Mean runas TrustedInstaller / System snippet v20191010                 pastebin.com/AtejMKLj
  51. set ">>=('-nop -c ',[char]34,'$mode=%1; $cmd=''%*''; iex(([io.file]::ReadAllText(''%~f0'')-split '':ps_TI\:.*'')[1])',[char]34)"
  52. whoami/user|findstr "S-1-5-18">nul||powershell -nop -c "start powershell -win 1 -verb runas -Arg %>>:"=\\\"% " && exit/b  :ps_TI:[
  53. $P="public";$U='CharSet=CharSet.Unicode';$DA="[DllImport(`"advapi32`",$U)]static extern bool"; $DK=$DA.Replace("advapi","kernel");
  54. $T="[StructLayout(LayoutKind.Sequential,$U)]$P struct"; $S="string"; $I="IntPtr"; $Z="IntPtr.Zero"; $CH='CloseHandle'; $TI=@"
  55. using System;using System.Diagnostics;using System.Runtime.InteropServices; $P class AveYo{   $T SA {$P uint l;$P $I d;$P bool i;}
  56. $T SI {$P int cb;$S b;$S c;$S d;int e;int f;int g;int h;$P int X;$P int Y;int k;$P int W;Int16 m;Int16 n;$I o;$I p;$I r;$I s;}
  57. $T SIEX {$P SI e;$P $I l;} $($T.Replace(",",",Pack=1,")) TL {$P UInt32 c; $P long l;$P int a;} $DA SetThreadToken($I h,$I t);
  58. $DA CreateProcessWithTokenW($I t,uint l,$S a,$S c,uint f,$I e,$S d,ref SIEX s); $DA OpenProcessToken($I p,uint a,ref $I t);
  59. $DA DuplicateToken($I h,int l,out $I d); $DA AdjustTokenPrivileges($I h,bool d,ref TL n,int l,int p,int r); $DK CloseHandle($I h);
  60. $DA DuplicateTokenEx($I t,uint a,ref SA s,Int32 i,Int32 f,ref $I d);  $P static void RunAs(int mode,$S cmd){ SIEX si=new SIEX();
  61. SA sa=new SA(); $I t,d; t=d=$Z; try{ $I p=Process.GetProcessesByName("lsass")[0].Handle; OpenProcessToken(p,6,ref t); if(mode<2){
  62. Process[] ar=Process.GetProcessesByName("TrustedInstaller");if(ar.Length>0){ DuplicateToken(t,3,out d); SetThreadToken($Z,d);
  63. $CH(p);$CH(t);$CH(d); p=ar[0].Handle; OpenProcessToken(p,6,ref t);}} DuplicateTokenEx(t,268435456,ref sa,3,1,ref d); if(mode%2>0){
  64. TL tk=new TL(); tk.c=1; tk.a=2; for(int i=0;i<37;i++){ tk.l=i; AdjustTokenPrivileges(d,false,ref tk,0,0,0); }}
  65. si.e.cb=Marshal.SizeOf(si); si.e.X=131; si.e.Y=9999; si.e.W=8; CreateProcessWithTokenW(d,0,null,cmd,1024,$Z,null,ref si);
  66. }finally{ if(t!=$Z) $CH(t); if(d!=$Z) $CH(d); if(sa.d!=$Z) $CH(sa.d); if(si.l!=$Z) $CH(si.l); } }}
  67. "@;Add-Type -TypeDefinition $TI;if($mode -lt 2){net start TrustedInstaller >$nul} [AveYo]::RunAs($mode,$cmd.substring(2))#:ps_TI:]
  68. :-_-: