Becoming NT SERVICE\TrustedInstaller

I just recently had two reasons to act as TrustedInstaller. I wanted to test to change the executable that is started when you press the <Ctrl>-<+> shortcut that usually starts the magnifier accessibility tool. I wanted to make it start a command window instead. It would be started as the logged in user if you press the shortcut while logged in on the desktop, but as NT AUTHORITY\SYSTEM if pressed on the secure desktop (“Do you want to allow this app to make changes to your device?”)(“Run as Administrator…”) or the login screen. Neither useful nor secure but sort of interesting.

I also found a bug in the PowerShell DeliveryOptimization module (build 19041.84 (“C:\Windows\System32\WindowsPowerShell\v1.0\Modules\DeliveryOptimization\DeliveryOptimizationStatus.psm1“), The command Get-DOPercentageMaxBackgroundBandwidth defined its output type as the non-existent [uint8], so that function could not be used nor the module imported by the command browser in e.g. PowerShell ISE (what was why I wanted the import to work, the commands I wanted to execute worked fine without explicitly import the module) . The module folder/files were also owned and writable only by TrustedInstaller. The function Get-DOPercentageMinBackgroundBandwidth defined in the same module file had its output type set to [uint32] though so the fix was trivial. Accessing the file was not.

One of the easiest solutions is to use a program like Process Hacker 2, find a process that has TI access, select it and “Run as this user…”. An easy way to to find such a process is to start the TrustedInstaller/”Windows Module Installer”-service and TrustedInstaller.exe will run long enough for us to have time to find it in the process list and to impersonate it or use it as a parent process for say a new powershell.exe instance. 

I read this excellent article (one among many on that site) from which I’ve pretty much stolen the rest of this post.

The Art of Becoming TrustedInstaller

You’ll need his excellent NtObjectManager powershell module. Then you can for example start a new powershell process with TrustedInstaller as parent;

Start-Service TrustedInstaller
$p = Get-NtProcess -Name TrustedInstaller.exe -FilterScript { -not $_.IsDeleting } | Sort-Object ProcessId -Descending
$proc = New-Win32Process powershell.exe -CreationFlags NewConsole -ParentProcess $p[0]

Or change the current thread to impersonate it (not opening a new powershell console window):

Start-Service TrustedInstaller
$p = Get-NtProcess -Name TrustedInstaller.exe -FilterScript { -not $_.IsDeleting }  | Sort-Object ProcessId -Descending
$th = $p[0].GetFirstThread()
$current = Get-NtThread -Current -PseudoHandle
$imper = $current.ImpersonateThread($th)

Now we can change those files and registry keys without first having to take ownership of them and give our user write permissions, and then try to restore the original permissions and owner (a bit tricky as some special permissions doesn’t seem to to have arithmetically combined human-readable aliases but only have numerical representations).

An example of restoring the magnifier accessibility start executable after trying it as cmd.exe for a while. First just using an administrative shell, then after impersonating a TrustedInstaller.exe thread.

Magnify.exe

# BEFORE
# PS C:\WINDOWS\system32> (Get-NtToken -Effective).User 
# 
# Name                           Attributes                    
# ----                           ----------                    
# PERSEPHONEWL\mignon            None                          
#
# 
# PS C:\WINDOWS\system32> (Get-NtToken -Effective).Groups | ft -AutoSize
# 
# Name                                                          Attributes                                   
# ----                                                          ----------                                   
# Mandatory Label\High Mandatory Level                          Integrity, IntegrityEnabled                  
# Everyone                                                      Mandatory, EnabledByDefault, Enabled         
# NT AUTHORITY\Local account and member of Administrators group Mandatory, EnabledByDefault, Enabled         
# PERSEPHONEWL\Ssh Users                                        Mandatory, EnabledByDefault, Enabled         
# BUILTIN\Administrators                                        Mandatory, EnabledByDefault, Enabled, Owner  
# BUILTIN\Performance Log Users                                 Mandatory, EnabledByDefault, Enabled         
# BUILTIN\Users                                                 Mandatory, EnabledByDefault, Enabled         
# NT AUTHORITY\INTERACTIVE                                      Mandatory, EnabledByDefault, Enabled         
# CONSOLE LOGON                                                 Mandatory, EnabledByDefault, Enabled         
# NT AUTHORITY\Authenticated Users                              Mandatory, EnabledByDefault, Enabled         
# NT AUTHORITY\This Organization                                Mandatory, EnabledByDefault, Enabled         
# MicrosoftAccount\xxxxxxxxxxxxxxxxx                            Mandatory, EnabledByDefault, Enabled         
# NT AUTHORITY\Local account                                    Mandatory, EnabledByDefault, Enabled         
# NT AUTHORITY\LogonSessionId_0_467797                          Mandatory, EnabledByDefault, Enabled, LogonId
# LOCAL                                                         Mandatory, EnabledByDefault, Enabled         
# NT AUTHORITY\Cloud Account Authentication                     Mandatory, EnabledByDefault, Enabled 

# AFTER
# PS C:\Users\mignon> (Get-NtToken -Effective).User | ft -AutoSize
# 
# Name                           Attributes
# ----                           ----------
# NT AUTHORITY\SYSTEM            None      
#  
#
# PS C:\Users\mignon> (Get-NtToken -Effective).EnabledGroups | ft -AutoSize
# 
# Name                                   Attributes                                          
# ----                                   ----------                                          
# Everyone                               Mandatory, EnabledByDefault, Enabled                
# BUILTIN\Users                          Mandatory, EnabledByDefault, Enabled                
# NT AUTHORITY\SERVICE                   Mandatory, EnabledByDefault, Enabled                
# CONSOLE LOGON                          Mandatory, EnabledByDefault, Enabled                
# NT AUTHORITY\Authenticated Users       Mandatory, EnabledByDefault, Enabled                
# NT AUTHORITY\This Organization         Mandatory, EnabledByDefault, Enabled                
# NT SERVICE\TrustedInstaller            EnabledByDefault, Enabled, Owner                      <-- Should be "Enabled"                   
# NT AUTHORITY\LogonSessionId_0_64740669 Mandatory, EnabledByDefault, Enabled, Owner, LogonId
# LOCAL                                  Mandatory, EnabledByDefault, Enabled                
# BUILTIN\Administrators                 EnabledByDefault, Enabled, Owner