
TrustedInstaller

Posted: 12 Aug 2016, 16:55
by dmex
This plugin allows you to create processes with TrustedInstaller privileges.

32bit plugin download:
TrustedInstallerPlugin_x32.zip
(38.71 KiB) Downloaded 3621 times
64bit plugin download:
TrustedInstallerPlugin_x64.zip
(43.88 KiB) Downloaded 7891 times

Installation instructions:
#1: Copy the plugin from the zip into your "\Process Hacker 2\plugins\" directory.
#2: Restart Process Hacker.

How to run processes with TrustedInstaller privileges:
#1: Open the Hacker menu and select the "Run as trusted installer..." menu:

Image

You can also manually create processes with TrustedInstaller privileges without installing this plugin:
#1: Select the Services tab and start the TrustedInstaller service.
#2: Go back to the Processes tab and right-click TrustedInstaller.exe
#3: In the context menu, select the Miscellaneous > "Run as this user..." menu item.

Re: TrustedInstaller

Posted: 12 Aug 2016, 18:13
by qwerty12
Thank you!

Re: TrustedInstaller

Posted: 13 Aug 2016, 19:09
by MagicAndre1981
Works fine, but the URL is missing in the plugins list of Process Hacker.

Re: TrustedInstaller

Posted: 19 Aug 2016, 07:07
by dmex
MagicAndre1981 wrote:
Works fine, but the URL is missing in the plugins list of Process Hacker.
Fixed.

Re: TrustedInstaller

Posted: 02 Oct 2016, 14:07
by Zorkov Igor
Is there source code for TrustedInstallerPlugin?

Re: TrustedInstaller

Posted: 02 Oct 2016, 17:40
by dmex
Zorkov Igor wrote:
Is there source code for TrustedInstallerPlugin?
https://github.com/processhacker2/plugi ... llerPlugin

Re: TrustedInstaller

Posted: 02 Oct 2016, 18:31
by Zorkov Igor
Thanks

Re: TrustedInstaller

Posted: 07 Dec 2018, 15:22
by GuDule-StAr
Works fine.
Helped me to delete a "sethc.exe" which was used by a customer to bypass a Windows password he forgot.
Thanks to your plugin, I was able to delete the "sethc.exe" and replace it with the original one with a remote session on the computer. It was detected as a virus by the antivirus software and a pop-up was displayed continuously.
My customer is 1h from my office, so many thanks ;)

Nice job.

Re: TrustedInstaller

Posted: 21 Jan 2019, 20:25
by Joe123
Does not work. I'm trying to delete a system file which only TrustedInstaller has permissions for, SYSTEM has Read permissions, owner is TI as well. I started cmd.exe, ran del command to delete the file, and got access denied. Also confirmed by whoami returning nt authority\system instead of nt service\trustedinstaller. Windows 10 Pro v1803 17134.523

Re: TrustedInstaller

Posted: 21 Jan 2019, 20:39
by dmex
Joe123 wrote:
21 Jan 2019, 20:25
whoami returning nt authority\system instead of nt service\trustedinstaller
TrustedInstaller is a token group:

Image

Re: TrustedInstaller

Posted: 11 Mar 2019, 11:37
by TITry2
Not working. I tried to execute this command: cp "D:\Secure.txt" "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11231.20192.0_x64__8wekyb3d8bbwe\Bundle"

But I could not find the file "D:\Secure.txt" in the folder

Re: TrustedInstaller

Posted: 05 Aug 2019, 01:07
by mrlithium
Can confirm this plugin still works, only issue I have is not possessing the BackupPrivilege token.
https://i.imgur.com/iv1PV0H.png
I will have to manually assign that to myself somehow (possibly under system policy). That could perhaps be why the previous post's "cp" file operation failed.
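
Added example (not part of any post above, and not code from the plugin): a PowerShell check, run inside the shell started through the plugin, that reads the process token directly. It covers both points raised in the thread: the token user stays SYSTEM while TrustedInstaller appears as a group, and the state of individual privileges such as SeBackupPrivilege. The function name `Get-TokenSummary` is hypothetical; the SID is the well-known service SID of NT SERVICE\TrustedInstaller.

```powershell
# Added example: inspect the current process token instead of relying on the
# user name printed by plain `whoami`.

# Well-known service SID of NT SERVICE\TrustedInstaller.
$TrustedInstallerSid = 'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

function Get-TokenSummary {
    param(
        # Privileges to look up in the token; pass more names if needed.
        [string[]]$Privilege = @('SeBackupPrivilege')
    )

    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

    # Groups holds the group SIDs of the token; the token user is separate.
    $groupSids = @($identity.Groups | ForEach-Object { $_.Value })

    # /fo csv /nh prints one "name","description","state" row per privilege.
    $privRows = whoami /priv /fo csv /nh |
        ConvertFrom-Csv -Header Name, Description, State

    $privState = [ordered]@{}
    foreach ($name in $Privilege) {
        $row = $privRows | Where-Object { $_.Name -eq $name } |
            Select-Object -First 1
        # A privilege can be absent from the token, or present but disabled.
        $privState[$name] = if ($row) { $row.State } else { 'Not in token' }
    }

    [pscustomobject]@{
        User                     = $identity.Name        # e.g. NT AUTHORITY\SYSTEM
        UserSid                  = $identity.User.Value
        HasTrustedInstallerGroup = $groupSids -contains $TrustedInstallerSid
        Privileges               = $privState
    }
}

Get-TokenSummary | Format-List
```

The same group membership is visible in `whoami /groups`; the state strings returned by `whoami /priv` are localized on non-English systems.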