
RunasSystem and RunFromToken


22 replies to this topic

#1 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 13 September 2012 - 08:24 PM


File Name: RunasSystem and RunFromToken
File Submitter: joakim
File Submitted: 13 Sep 2012
File Updated: 03 Oct 2012
File Category: Tools

Here are two simple and powerful utilities to facilitate running programs extremely elevated. Sometimes your account, whether Administrator or not, just doesn't have access to perform certain operations on your system. Stuff protected by the Windows Resource Protection (trustedinstaller); http://msdn.microsof...3(v=vs.85).aspx is one good example (many files and registry keys are guarded). Running as local system is good enough for many operations (use RunasSystem), but sometimes you need a different token in your process, like the one from the trustedinstaller (use RunFromToken). There is no need to switch sessions, as you can specify which session to start your process in. This is actually very handy for a power user. You will get access to almost any part of your system accessible from usermode. Kernelmode (ring0) is a different thing, and can't be accessed without a kernel driver. And forget about protected processes; http://msdn.microsof...e/gg463417.aspx

Both tools come with source included and can easily be modified to suit your needs. They are based on user wraithdu's sample at the autoit forums; http://www.autoitscr...system-account/

Short description

RunasSystem
Will launch a process from the local system account. Target process to start can be supplied on commandline as parameter (full path to executable if not in path). If no parameter is given, cmd.exe is started.
Sample command to start regedit:

RunasSystem regedit


RunFromToken
Will start a process with the token of a given process. Obviously the process that you duplicate the token of must be running. Preferably launch this one from RunasSystem.

Syntax is:

RunFromToken TargetProcessName SessionId ProgramToStart


Sample command to start cmd.exe in session 1 with the token of the trustedinstaller:

RunasSystem "RunFromToken trustedinstaller.exe 1 cmd"


These tools are meant for nt6.x, and have been tested on Vista x86, Windows 7 x64 and Windows 8 x64. They don't work on nt5.x (XP and 2k3).

Requirements
Administrator privilege. Possibly UAC turned off.

On one of my systems I have this simple batch on my desktop to get quick access to my special power cmd:

net start trustedinstaller

C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"


With that command shell you have rather extreme control. Now go crazy on your system.


#2 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,529 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 14 September 2012 - 07:38 AM

Nice little tools :).
Wonko approves of these. :thumbup:

For the record (and for the other dinosaurs) still running NT 5.x I would like to mention Grubletrang's PowerPrompt:
http://www.grubletra...app=PowerPrompt

which does more or less the same as RunasSystem (actually it opens a command prompt with System credentials).
Cannot say if the list of privileges allowed is the same or not :unsure:


:cheers:
Wonko

#3 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 14 September 2012 - 09:37 AM

Nice little tools :).
Wonko approves of these. :thumbup:

For the record (and for the other dinosaurs) still running NT 5.x I would like to mention Grubletrang's PowerPrompt:
http://www.grubletra...app=PowerPrompt

which does more or less the same as RunasSystem (actually it opens a command prompt with System credentials).
Cannot say if the list of privileges allowed is the same or not :unsure:


:cheers:
Wonko


Yes, it does the job well on nt 5.x, but is useless on nt6.x (Vista and later). Maybe not surprising as it was updated last time in 2005. I don't know about the internals of that app so can't say about the privs.

There also exists a related tool called devxexec; http://developex.com...e/devxexec.html But I noticed from a quick comparison of the tokens' privileges as generated from the two apps that mine generates a true duplicate, whereas devxexec does not. Have not investigated it further, but I think it contradicts a little with what is described about the tool in the above reference. Also, it is closed source.

Anyway, tools like this are a must-have for any power user or admin, unless you are happy with facing "Access denied".

#4 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 14 September 2012 - 03:25 PM

RunasSystem
Will launch a process from the local system account. Target process to start can be supplied on commandline as parameter (full path to executable if not in path). If no parameter is given, cmd.exe is started.

How is it different from psexec with "-s" switch?

#5 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 14 September 2012 - 06:25 PM

How is it different from psexec with "-s" switch?

The main difference is that psexec doesn't manipulate the sessionid and uses a network connection for the communication. The result is the same, i.e. a program running from the system account. However, in my opinion psexec has more limitations because of that (excluding the fact that it can launch processes remotely, which of course is great). What I mean is that because it does not set the sessionid, you have limited options as to what programs you can run from the system account using that method. For instance regedit will not be possible to interact with since psexec starts it in session 0, although the process starts. In that sense the psexec method is more similar to what I explained earlier with my session0cmd (using netcat to provide a remote shell in session 0 on localhost). Of course session0cmd is much more rude, and its method (injecting processes into remote threads) will likely never be implemented by psexec. The point is that gui programs must have the correct sessionid set in order to interact with them (Interactive Services Detection helps overcome this when not using network communication though). Moreover, it is not possible to start a process as the TrustedInstaller by using psexec.

#6 Max_Real Qnx

Max_Real Qnx

    Gold Member

  • Patrician
  • 1,378 posts
  • Location:Istanbul
  • Interests:To be or not to be that is the question.
  •  
    Turkey

Posted 15 September 2012 - 04:33 PM

Thank you for this nice tool. :cheers:

#7 brundleflyguy

brundleflyguy
  • Members
  • 2 posts
  •  
    Canada

Posted 26 September 2012 - 03:34 PM

I'm trying to run this command:
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 C:\windows\system32\cmd.exe"

and I get the message:

Running in session: 1
Host PID: 628
CreateProcessAsUserW / CreateProcessWithTokenW: The system cannot find the file specified.

I've also tried
net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd.exe"

and

net start trustedinstaller
C:\windows\system32\runassystem_x64 "C:\windows\system32\runfromtoken_x64 trustedinstaller.exe 1 cmd"

with the same result. What am I doing wrong?

Thanks!

#8 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 26 September 2012 - 07:38 PM

A few questions:

What is your OS?
Are you admin?
Are you sure the runfromtoken utility actually is found inside C:\WINDOWS\System32 ?
Are you able to just launch runassystem without params to obtain cmd, and verify that you are "nt authority\system" by issuing the command whoami?

#9 brundleflyguy

brundleflyguy
  • Members
  • 2 posts
  •  
    Canada

Posted 27 September 2012 - 02:22 PM

Thanks for getting back to me so quickly. I'm running 7 Pro 64 bit, and I'm running as admin with UAC turned off.

I recopied all the files to c:\windows\system32 just in case one got messed up, and now runfromtoken and runassystem are definitely there.

When I run runassystem and then run whoami, it says "nt authority\system".

Now when I run
runassystem_x64 "runfromtoken_x64 trustedinstaller.exe 1 %windir%\system32\cmd.exe"

It says "Running in session: 1
Host PID: 628
CreateProcessAsUserW / CreateProcessWithTokenW: A required privilege is not held by the client."

Which seems to be an improvement, so I think you were right and a file was missing from windows\system32 earlier.

#10 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 27 September 2012 - 03:24 PM

That makes sense. Most likely the privileges SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege are missing. I'll compile a new version for you to test.
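As an added example (not part of joakim's tools, and with constructed sample output rather than output captured from any real system), here is a small Python triage helper for the two failures reported above: it maps the message in the tool's "CreateProcessAsUserW / CreateProcessWithTokenW:" line to its Win32 error code, and checks a `whoami /priv` listing taken from the launching account for the two privileges named in this post. The distinction it draws between a privilege that is present but disabled (the launching process can enable it itself) and one that is absent from the token (the account was never assigned the user right, so it must be granted and only appears after a fresh logon) is the same one the later posts about missing rights turn on. The name `triage` and the sample strings are this example's own.

```python
"""Triage helper for the RunFromToken failures reported in this thread.

Added example, not part of RunasSystem/RunFromToken. It reads `whoami /priv`
output from the account that launches the tool together with the error line the
tool prints, and reports the likely cause: a path problem, or a privilege that is
disabled (the process can enable it) or absent (the account lacks the user right,
so it has to be assigned and a new logon is needed before it appears in the token).
"""
import re
from typing import Dict, List, Optional, Tuple

# The two privileges joakim names as required when CreateProcessAsUserW is
# called with a foreign primary token.
REQUIRED_PRIVILEGES = ("SeAssignPrimaryTokenPrivilege", "SeIncreaseQuotaPrivilege")

# Win32 error strings quoted in the thread -> (code, symbolic name, likely cause).
KNOWN_ERRORS: Dict[str, Tuple[int, str, str]] = {
    "The system cannot find the file specified.":
        (2, "ERROR_FILE_NOT_FOUND",
         "the program to start is not at the given path or not in PATH"),
    "A required privilege is not held by the client.":
        (1314, "ERROR_PRIVILEGE_NOT_HELD",
         "the launching token lacks a privilege CreateProcessAsUser needs"),
}

# One data row of `whoami /priv`: privilege name, free-text description, state.
_PRIV_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> Dict[str, bool]:
    """Return {privilege name: enabled?} for every data row of `whoami /priv`."""
    privs: Dict[str, bool] = {}
    for line in text.splitlines():
        m = _PRIV_ROW.match(line.rstrip())
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def privilege_status(privs: Dict[str, bool]) -> Dict[str, str]:
    """Classify each required privilege as 'enabled', 'disabled' or 'absent'.

    'disabled' means the token holds it and AdjustTokenPrivileges can turn it on;
    'absent' means the account was never assigned the right (User Rights
    Assignment), which cannot be fixed at runtime: the right must be granted and
    only shows up in tokens created by a later logon.
    """
    status: Dict[str, str] = {}
    for name in REQUIRED_PRIVILEGES:
        if name not in privs:
            status[name] = "absent"
        else:
            status[name] = "enabled" if privs[name] else "disabled"
    return status


def classify_tool_error(tool_output: str) -> Optional[Tuple[int, str, str]]:
    """Find the 'CreateProcessAsUserW / CreateProcessWithTokenW: <msg>' line
    printed by the tool and map <msg> to (code, symbolic name, likely cause)."""
    for line in tool_output.splitlines():
        if line.startswith("CreateProcessAsUserW / CreateProcessWithTokenW:"):
            msg = line.split(":", 1)[1].strip()
            return KNOWN_ERRORS.get(msg)
    return None


def triage(tool_output: str, whoami_output: str) -> List[str]:
    """Combine both inputs into an ordered list of findings."""
    findings: List[str] = []
    err = classify_tool_error(tool_output)
    if err is None:
        findings.append("no recognised CreateProcess error in tool output")
        return findings
    code, sym, cause = err
    findings.append(f"error {code} ({sym}): {cause}")
    if code == 1314:  # only the privilege error is explained by the token contents
        for name, state in privilege_status(parse_whoami_priv(whoami_output)).items():
            if state == "absent":
                findings.append(f"{name} is absent: assign the user right and log on again")
            elif state == "disabled":
                findings.append(f"{name} is present but disabled: the tool can enable it")
    return findings


# Constructed sample: the second failure from the thread, launched from an account
# whose token holds SeIncreaseQuotaPrivilege but was never given
# SeAssignPrimaryTokenPrivilege. Not captured from a real system.
SAMPLE_TOOL_OUTPUT = """Running in session: 1
Host PID: 628
CreateProcessAsUserW / CreateProcessWithTokenW: A required privilege is not held by the client.
"""

SAMPLE_WHOAMI_PRIV = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                          State
============================= ==================================== ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process   Disabled
SeSecurityPrivilege           Manage auditing and security log     Disabled
SeChangeNotifyPrivilege       Bypass traverse checking             Enabled
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_TOOL_OUTPUT, SAMPLE_WHOAMI_PRIV):
        print(finding)
```

Run it as-is to see the constructed case triaged; on a real box, paste the output of `whoami /priv` from the account you launch the tool from into `SAMPLE_WHOAMI_PRIV` and the tool's printed lines into `SAMPLE_TOOL_OUTPUT`. The file-not-found case is deliberately not cross-checked against the privilege list, since the token has nothing to do with it.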

#11 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 27 September 2012 - 03:35 PM

Please try this version and report how it went; http://www.mediafire...lsgbpnajojpo62k

#12 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 28 September 2012 - 05:40 PM

Without any feedback it is hard to say, but I would guess that if the account does not have the right (read privilege) added to it in the first place, then configuring it is not possible. I already have some code to handle that, so we'll see. But if a right is missing and needs to be added, I think a reboot is necessary for it to activate.

#13 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 03 October 2012 - 08:35 AM

New versions of both tools are made available that should fix the issue of missing rights on accounts, which would prevent necessary privileges from being enabled. Report back issues with it please.

#14 Magno

Magno
  • Members
  • 7 posts
  •  
    Belgium

Posted 12 October 2012 - 09:51 AM

Is anybody else experiencing RunAsSystem starting itself over and over?

#15 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,529 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 October 2012 - 10:21 AM

Is anybody else experiencing RunAsSystem starting itself over and over?

Yes/No.
http://homepage.ntlw...no-answers.html
If you have an issue, knowing whether other people suffer from the same problem doesn't help you solve it.
Follow the Standard Litany:
http://homepage.ntlw...ard-litany.html
and hopefully someone will be able to help you with your issue.

:cheers:
Wonko

#16 Magno

Magno
  • Members
  • 7 posts
  •  
    Belgium

Posted 12 October 2012 - 11:49 AM

Yes/No.
http://homepage.ntlw...no-answers.html
If you have an issue, knowing whether other people suffer from the same problem doesn't help you solve it.
Follow the Standard Litany:
http://homepage.ntlw...ard-litany.html
and hopefully someone will be able to help you with your issue.

:cheers:
Wonko


fair enough :)

Situation:
2008 R2 Terminal Server
made a bat file:
runassystem regedit
ran the bat file.


Expected: Registry opening as system

What happened:
dos prompt like screen opens with title runassystem
runs itself and closes
the new one does the same
and over and over again

unable to kill, because it is continuously a new process started
solution: Logged off terminal

had the issue with both the normal and the x64 version.
Running the exe directly forces the same thing.

#17 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,529 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 October 2012 - 12:09 PM

Test:
Open a cmd prompt console (navigate to where runassystem is if not in the PATH).
Type in it:
whoami
and press [ENTER]
What do you get?
Type in it:
runassystem
and press [ENTER]
What do you get?

Type in it (again):
whoami
and press [ENTER]
What do you get?

:cheers:
Wonko

#18 Magno

Magno
  • Members
  • 7 posts
  •  
    Belgium

Posted 12 October 2012 - 12:23 PM

Well, cmd is disabled, so in 1 batch file:

whoami
runassystem
whoami

returns:

my username

runassystem starts , keeps opening a new instance of itself and closing the current

my username


powershell does work but does the same thing. It took me a while to get the second whoami though, because the new runassystem exes keep jumping on top.
oh, and logoff didn't work great with the powershell open as well. I needed to press kill process a bunch of times...


EDIT:
Just read about administrator privilege required. So probably that's the problem :(

Edited by Magno, 12 October 2012 - 12:27 PM.


#19 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,529 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 October 2012 - 02:00 PM

With cmd disabled, you need to re-enable it (temporarily) to troubleshoot.

Which version are you testing?

:cheers:
Wonko

#20 Magno

Magno
  • Members
  • 7 posts
  •  
    Belgium

Posted 12 October 2012 - 02:12 PM

I downloaded the latest version just today.

I cannot enable cmd... I was trying to get into regedit with more rights to change a few keys from policies (run disabled)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer DWORD NoRun
I can open regedit, but not change the keys...

#21 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,529 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 October 2012 - 02:33 PM

I cannot enable cmd... I was trying to get into regedit with more rights to change a few keys from policies (run disabled)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer DWORD NoRun
I can open regedit, but not change the keys...

I am losing you...
... or things have changed in Vista :ph34r: and later? :dubbio:
http://www.msfn.org/...disable-cmdexe/

But apart from this, it is simple, you either do have Administrator credentials or you have not, if not this tool won't work for you.

:cheers:
Wonko

#22 Magno

Magno
  • Members
  • 7 posts
  •  
    Belgium

Posted 12 October 2012 - 02:40 PM

I am losing you...
... or things have changed in Vista :ph34r: and later? :dubbio:
http://www.msfn.org/...disable-cmdexe/

But apart from this, it is simple, you either do have Administrator credentials or you have not, if not this tool won't work for you.

:cheers:
Wonko


No admin, no cmd, no run.
All GPEdit changes are also in registry.
At another company I was able to change the registry to allow run/cmd which I use a lot.

Here there is more security in the registry.
I tried running the tool so I could change this...

But as you said, no admin, no go...

Thanks for the assistance anyway :)

#23 joakim

joakim

    Silver Member

  • Team Reboot
  • 883 posts
  • Location:Bergen
  •  
    Norway

Posted 14 October 2012 - 07:28 AM

If you are not admin, the tool is useless, and that is how it is supposed to be. Think about it, if a guest user, or any restricted account user, was able to run processes from the SYSTEM account this easy, then something seriously would be wrong in the security model of Windows.

That said, the old GP setting to restrict cmd and regedit can be fixed by replacing the string (can't remember what it was, search for "disable" in the exe), and placing the exe into a directory where you can run executables. For instance, try to run it in %tmp%. But note that you will still be restricted in terms of what cmd.exe could do in such a way. Also, although regedit would start and you can browse/read the registry, you will not be able to write to it.
