File Name: RunasSystem and RunFromToken
File Submitter: joakim
File Submitted: 13 Sep 2012
File Updated: 03 Oct 2012
File Category: Tools
Here are two simple and powerful utilities to facilitate running programs extremely elevated. Sometimes your account, whether Administrator or not, just doesn't have access to perform certain operations on your system. Stuff protected by Windows Resource Protection (trustedinstaller); http://msdn.microsof...3(v=vs.85).aspx is one good example (many files and registry keys are guarded). Running as Local System is good enough for many operations (use RunasSystem), but sometimes you need a different token in your process, like the one from the trustedinstaller (use RunFromToken). There is no need to switch sessions, as you can specify which session to start your process in. This is actually very handy for a power user. You will get access to almost any part of your system that is accessible from usermode. Kernelmode (ring0) is a different thing, and can't be accessed without a kernel driver. And forget about protected processes; http://msdn.microsof...e/gg463417.aspx
Both tools come with source included and can easily be modified to suit your needs. They are based on user wraithdu's sample at the AutoIt forums; http://www.autoitscr...system-account/
RunasSystem will launch a process from the Local System account. The target process to start can be supplied on the command line as a parameter (full path to the executable if it is not in the path). If no parameter is given, cmd.exe is started.
Sample command to start regedit:
RunFromToken will start a process with the token of a given process. Obviously the process whose token you duplicate must be running. Preferably launch this one from RunasSystem: moving a duplicated token into another session takes privileges that Local System holds but an administrator account normally does not.
RunFromToken TargetProcessName SessionId ProgramToStart
Sample command to start cmd.exe in session 1 with the token of the trustedinstaller:
RunasSystem "RunFromToken trustedinstaller.exe 1 cmd"
These tools are meant for nt6.x, and have been tested on Vista x86, Windows 7 x64 and Windows 8 x64. They don't work on nt5.x (XP and 2k3).
Requirements: administrator privilege, and possibly UAC turned off.
On one of my systems I have this simple batch on my desktop to get quick access to my special power cmd:
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"
With that command shell you have rather extreme control. Now go crazy on your system.
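The sequence the tools perform (open the source process, duplicate its primary token, set the target session on the copy, create the process with it) as an added PowerShell example. This is not joakim's or wraithdu's code and does not use their executables; it calls the Win32 token APIs directly through Add-Type. It assumes it is itself already running as Local System (for instance launched through RunasSystem), because setting TokenSessionId needs SeTcbPrivilege and CreateProcessAsUser with a foreign token needs SeAssignPrimaryTokenPrivilege; the function names Start-ProcessFromToken, Enable-Privilege and Throw-LastError are my own, and the numeric constants are the winnt.h values.

```powershell
# Added example (not part of the RunasSystem/RunFromToken download): a minimal RunFromToken.
# Assumed to run as Local System (e.g. via RunasSystem) so that SeDebugPrivilege,
# SeTcbPrivilege and SeAssignPrimaryTokenPrivilege can be enabled on our own token.
Add-Type -TypeDefinition @"
using System;
using System.Text;
using System.Runtime.InteropServices;
public static class Native {
    [StructLayout(LayoutKind.Sequential)] public struct LUID { public uint LowPart; public int HighPart; }
    [StructLayout(LayoutKind.Sequential)] public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct STARTUPINFO {
        public int cb; public string lpReserved; public string lpDesktop; public string lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
    [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool LookupPrivilegeValue(string sys, string name, out LUID luid);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool AdjustTokenPrivileges(IntPtr token, bool disableAll, ref TOKEN_PRIVILEGES state, uint len, IntPtr prev, IntPtr retLen);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool DuplicateTokenEx(IntPtr token, uint access, IntPtr attrs, int level, int type, out IntPtr newToken);
    [DllImport("advapi32.dll", SetLastError = true)] public static extern bool SetTokenInformation(IntPtr token, int infoClass, ref uint info, uint len);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcessAsUser(IntPtr token, string app, StringBuilder cmdLine, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
}
"@

function Throw-LastError([string]$Api) {
    $err = New-Object ComponentModel.Win32Exception ([Runtime.InteropServices.Marshal]::GetLastWin32Error())
    throw "$Api failed: $($err.Message)"
}

# Enable one privilege on our own token. 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,
# 0x2 = SE_PRIVILEGE_ENABLED. AdjustTokenPrivileges returns TRUE even when the privilege
# is not held at all, so the last error (ERROR_NOT_ALL_ASSIGNED = 1300) must be checked too.
function Enable-Privilege([string]$Name) {
    $hTok = [IntPtr]::Zero
    if (-not [Native]::OpenProcessToken([Native]::GetCurrentProcess(), 0x28, [ref]$hTok)) { Throw-LastError 'OpenProcessToken' }
    $luid = New-Object Native+LUID
    if (-not [Native]::LookupPrivilegeValue($null, $Name, [ref]$luid)) { Throw-LastError 'LookupPrivilegeValue' }
    $tp = New-Object Native+TOKEN_PRIVILEGES
    $tp.PrivilegeCount = 1; $tp.Luid = $luid; $tp.Attributes = 0x2
    $ok = [Native]::AdjustTokenPrivileges($hTok, $false, [ref]$tp, 0, [IntPtr]::Zero, [IntPtr]::Zero)
    if (-not $ok -or [Runtime.InteropServices.Marshal]::GetLastWin32Error() -ne 0) { Throw-LastError "AdjustTokenPrivileges($Name)" }
    [void][Native]::CloseHandle($hTok)
}

# Duplicate the primary token of a running process, move the copy into the target
# session, and create a process with it. Returns the new process id.
function Start-ProcessFromToken([string]$SourceProcess, [uint32]$SessionId, [string]$CommandLine) {
    'SeDebugPrivilege', 'SeTcbPrivilege', 'SeAssignPrimaryTokenPrivilege' | ForEach-Object { Enable-Privilege $_ }
    $src = @(Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($SourceProcess)) -ErrorAction SilentlyContinue)
    if ($src.Count -eq 0) { throw "$SourceProcess is not running (for TrustedInstaller: net start trustedinstaller)" }
    $hProc = [Native]::OpenProcess(0x400, $false, $src[0].Id)            # PROCESS_QUERY_INFORMATION
    if ($hProc -eq [IntPtr]::Zero) { Throw-LastError 'OpenProcess' }
    $hTok = [IntPtr]::Zero                                                # TOKEN_DUPLICATE | TOKEN_QUERY
    if (-not [Native]::OpenProcessToken($hProc, 0xA, [ref]$hTok)) { Throw-LastError 'OpenProcessToken' }
    $hPrimary = [IntPtr]::Zero                                            # TOKEN_ALL_ACCESS, SecurityImpersonation, TokenPrimary
    if (-not [Native]::DuplicateTokenEx($hTok, 0xF01FF, [IntPtr]::Zero, 2, 1, [ref]$hPrimary)) { Throw-LastError 'DuplicateTokenEx' }
    $sid = [uint32]$SessionId                                             # TokenSessionId = 12; this is the SeTcbPrivilege step
    if (-not [Native]::SetTokenInformation($hPrimary, 12, [ref]$sid, 4)) { Throw-LastError 'SetTokenInformation' }
    $si = New-Object Native+STARTUPINFO
    $si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
    $si.lpDesktop = 'winsta0\default'                                     # interactive desktop of the token's session
    $pi = New-Object Native+PROCESS_INFORMATION
    $cmd = New-Object Text.StringBuilder $CommandLine                     # CreateProcessW may write into the buffer
    if (-not [Native]::CreateProcessAsUser($hPrimary, $null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x10, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) { Throw-LastError 'CreateProcessAsUser' }  # 0x10 = CREATE_NEW_CONSOLE
    foreach ($h in $pi.hThread, $pi.hProcess, $hPrimary, $hTok, $hProc) { [void][Native]::CloseHandle($h) }
    return $pi.dwProcessId
}

# Same as the batch file above: make sure the TrustedInstaller service is running,
# then start cmd.exe in session 1 with its token.
Start-Service -Name TrustedInstaller
Start-ProcessFromToken -SourceProcess trustedinstaller.exe -SessionId 1 -CommandLine 'cmd.exe'
```

If this is run from an ordinary elevated (administrator) PowerShell instead of from Local System, Enable-Privilege fails on SeTcbPrivilege, which is exactly why the page recommends launching RunFromToken through RunasSystem. Session 1 is the first interactive desktop session on Vista and later; pick the session you are actually logged on to (query session lists them) or the new console will appear somewhere you cannot see it.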