Hacking Windows TrustedInstaller (GOD MODE)

John Hammond · Beginner ·🔐 Cybersecurity ·2y ago

Key Takeaways

The video demonstrates how to hack Windows TrustedInstaller, also known as GOD MODE, using various tools and techniques such as Powershell, SC utility, and NT object manager. It shows how to bypass Windows security features, impersonate the TrustedInstaller process, and gain elevated permissions.

Full Transcript

have you ever seen the windows trusted installer account maybe sometime in the past you've wanted to remove some programs or applications that you felt like you didn't need or didn't want on your Windows computer so you'd navigate to the root of the file system see colon back slash maybe dig into the program files where you can see all the programs installed and say if you wanted to just manually remove one of these hey rip it out and try to delete something like Windows Media Player as an example fire to try and rightclick and delete this I'll get an error it says you need permission to perform this action and you need permission from The Trusted installer you could try this over and over and over again but you still need permission and you might be thinking what the heck look I'm the administrator it is your computer after all and I'll show you if I were to take a look at who am I I'm just John and look I'm added in the local group administrators we can take a look I am in fact an administrator so what the heck why can't I remove whatever software I want on my computer even if you were to try and escalate your privileges like if you were to go beyond administrator and use some tools in like the CIS internal Suite like PS exec if we wanted to try and have an interactive session for the command prompt cmd.exe we can agree to the end user license agreement oh I'm not running from a high privilege Powershell session so let me run that one more time here I'll copy and paste this syntax just so we have it I'll open up another terminal I'll right click to run as administrator to make sure we have all the permissions that we can even running this firing it up as system I'll make this text a bit bigger so you can see it if I were to move to that program files directory and if I tried to delete everything we can even use the forward slf flag to force the deletion of files for Windows Media Player and I say yes I'm totally sure but access is denied for absolutely everything but if I were to take a look there aren't any other users on this computer there is no trusted installer so you might try to do some research you look around on the internet Google and see hey how can I become the trusted installer or get permissions to be able to delete those files and do what I want on my computer there is actually a really interesting thread over on Reddit it's actually hysterical if I may say this individual asks look I want to become the trusted installer I want to have actual access to all the files on my computer and honestly if you look through the comments here these are just hilarious this one says listen listen to me do not do it if you don't know what you're doing you'll destroy your Windows installation I've done it before and I regret it just use a take ownership command or whatever and you can take a look at the responses but this is hysterical they just go off and go crazy normal person doesn't like to reinstall Windows every F and day it's up to you you're just wasting your time for no effing reason a trusted installer is a deep system file well it's just the files and programs that windows installed along with the operating system and doesn't want you to tamper with them but you can and this just turns into usual Reddit Cesspool armpit of the internet and people just go crazy I won't spoil your fun here I'll put a link in the video description if you'd like to read through these comments but it's like hey if you tried becoming NTI Authority system that should bypass 99.5% of restrictions they're like how do I do that and they say he's lying to you there's no such thing yeah email the CEO of Microsoft but if you pull yourself out of Reddit and continue your Google search you will find this awesome blog post from James foresaw way back went in August of 2017 and this is an old trick it's been refined there's been a lot more research out and about on this James foresaw is a genius over at Google project zero and he wrote about this he says if you've spent any time administering a Windows system post Windows Vista you'll have encountered The Trusted installer Group which most system files and registry keys are ACL or access controlers to like if we were to look in Windows system 32 you'll notice that only The Trusted installer can delete or modify files not even the administrators group is allowed just like we saw and the whole owner is trusted installer so you can't do anything or change the security either if we were to go back to our Windows Media Player as an example or even like Windows Defender if you want to try and rip out the default antivirus if we were to go take a look at the properties we could see in the security tab just as it was alluding to take a look at the advance section the owner is the trusted installer now if we look back into the blog post and I'm not saying that you should do this like some of the sentiment from that Reddit thread but you can do this and it's interesting for a little bit of research if you wanted to know look what is or where is trusted installer it's not a user or a group but it is some of the access control list and we could actually interrogate that and check it out with Powershell and we can even try to follow along back inside of that n Authority system shell that we have open I'm just in command prompt right now but if I were to dig into Powershell I could try to get ACL on that Windows Media Player directory we can store that as a variable just as they did just ACL and if I wanted to take a look at the access just as they showcase there are a ton of these but look if I were to drill that down to where the identity reference will match trusted installer as what we are looking for we could see that trusted installer is all that's present that's what we filtered down on but that's the one with full control now James explains that this is referenced as an NT service which means it's a Windows service Sid if you'd like to get a little bit nerdy here they link the Microsoft documentation and that showcases a service security identifier digs into some of the structure syntax in CN C++ and all the stuff that that's made up of but that does mean that it has a unique identifier it's actually something that could be generated on the fly as like the shaw one hash of the uppercase version of the service name for example you could generate that you could calculate the actual Sid with all this Powershell syntax we could copy paste that if we wanted to see it in action but you really don't need to do that ntdll some of the dynamic link libraries some of the functions and functionality of the Windows operating system and the win32 API calls you could actually use RTL create service Sid and Elsas will just convert a service name to a Sid and vice versa here we'll just slap in that syntax I'll paste all that and there is a big long sit okay that does mean though that this is based off of a service so I could actually use the Powershell commandlet to get service and trust it in installer is really what we're looking for that is in fact a service right now it is stopped you can see that over here but if we wanted to use trusted installer or do anything with it we would start the service the blog post showcases this with the SC utility or the service control command that is sc.exe you'll need to note the exe file extension when you're inside of Powershell because otherwise Powershell will think it's like the actual Alias for set content that's another commandlet right granted that's an alias when you use just strictly SC if you wanted to get alias SC you can see that is referring to set content so be very careful if you're in Powershell make sure you include that. exe if you use the old command promp binary but let's get all the details that we can from that trusted installer service so let me pipe that to format list star or I like to use the aliases there FL asterisk and that will give us a little bit more of the details and actually super quick let's use that old school command prompt binary sc. XC remember to query the config with QC for our trusted installer service and that'll tell us that the binary that it actually fires off the application that runs is C windows in the path servicing and trusted installer.exe now if we were to start this service we could see it in action let me just use the start sub command here and that should get the thing moving start pending now we can use something like process Explorer from the CIS internal Suite once again and I'll run this as administrator so we can get all the Privileges and permissions that we should have and we can go take a look at that trusted installer.exe that's running with process Explorer open we can scroll down until we find our trusted installer executable or we can just hit t on our keyboard and try to jump to it and with that we can take a look at the properties now just as you saw we move over to the security Tab and the groups here we can see that trusted installer is the owner with the Sid that we were referencing earlier what that means means is that this process is running with the unique Windows token and that token is carrying the security properties and that is actually going to enable it but how can we become trusted installer how can we take that token and use it for ourselves this is the interesting tidbit and actually another video that I've showcased on trying to delete or remove Windows Defender and cut off the antivirus nuke it from orbit and kill it so you can do your security research with like maare analysis in a virtual machine yada yada yata it's not always something you can easily do in fact in that video we like boot into safe mode so that we can borrow trusted installers capability and then use it to a clear delete remove those files as we wanted to but turns out you could still do it from just a running instance of Windows James showcases it with this setup here he discusses how you might be able to maybe add your user to The Trusted installer group but o Elsas apis like the net local group AD members group doesn't actually take a sid it takes a group group name and you can't really use n service trusted installer cuz it's not a real group what you could do though is actually just try to swap out the binary rather than using that c Windows servicing trusted installer.exe what if you just had whatever command that you wanted to run he showcases that again with that sc.exe modifying the configuration for The Trusted installer service where you set the binary path to be whatever you want cmdc maybe deleting a file in this case so if I were to get back to our command line in the terminal here I know I'm still in Powershell but let's use that sc.exe old school command one and let's actually stop our trusted installer service in case that's still running good now we could modify it configure it and change it to whatever we want we'll change our trusted installer bin path and you got to be very careful here to include the equal sign and a space following it I know my face is in the way here but make sure you include that space and with that that we could use whatever command that we really want can we run a program in the foreground though they were using like CMD SLC to delete a file could we create a file with that oh and this uh command prompt that I'm in doesn't actually word wrap around on the next line so I'm going to break out of this one and then just move into another prompt where we should be able to word wrap just fine there we go so let's just try to Echo anything into like a test file and see when Windows temp and we'll just call it test. text I'll enter on that and that succeeded setting the configuration but now we'll need to actually start the service to see it run and do that in action well if it work here it errored but I'm curious if we have our file let's go take a look if I actually dirc Windows Temp and test. text it exists it wrote it it has 11 bytes too so let me try to cat that out there is word anything okay so we could write files and just have a oneshot capability to act as trusted installer let's try and validate that we are in fact The Trusted installer though as we're running this command in that one-hot sort of service syntax way can I use who am I SL groups and redirect that to our little testing file C Windows temp test. text let's see if we can then start our trusted installer instance fire it up that will error at least in the message that responds but it should still work let's try to cat out our C Windows temp test. text that has no output H okay uh but the file was modified so maybe we're getting some syntax stuck in the way I wonder if we can tweak that just a little bit and make a more flexible command for us it'd be nice to do stuff with Powershell right so let's use Tac C from Powershell following the cmdc of command prompt and I think we can actually use set content just like we were alluding to previously with the path being C Windows temp test. text and let's set the value to be the output of who am I slrps and then just to make this a little bit easier for us let's use the uh let's make this all one command sc.exe to then start our trusted installer and will that work config succeeded and let's see if it worked uh let's cat that out ooh look at that okay we have all this output and if I actually open this up in like notepad or a text editor here look we've got our n service trusted installer in our output we are in fact The Trusted installer let's keep playing with this though if I wanted to could I just fire up a graphical user interface program as trusted installer like can I open up notepad if I were to actually change this to run notepad.exe rather than cmd.exe I'll enter I'll have that succeed and run but the start command doesn't seem to be doing anything it's a config change succeeding but the starting isn't working what's going on and let's take a look at our process Explorer we can fire that up one more time and let's go see do we have notepad running notepad.exe is running oh it actually looks like it got a response back there and notepad just died can I run that again yep yep okay spawn notepad take a look at the Prof properties it is trusted installer as the owner but it's not displayed anywhere like you can see in the task bar I don't have notepad open or visible on the computer so what's it doing auto start location was hklm registry local machine system current control services trust installer and the parent is services.exe so everything would be as we expect so seemingly we cannot run any gooey or graph G interface like a program or application that would spawn a window like notepad or Cal or whatever but we can r whatever command that we want we saw that with our cmdc and we were even able to use the Powershell tidbit and that actually gives us a little bit more power because you can use Tac ENC or like an encoded command to pass in some base 64 encoded syntax that way you could get around I don't know running into quotes or double quotes or whatever other syntax Shenanigans you might run into I think that this is pretty neat though just a little bit of a trick and apparently another reason this works is because trusted installer is not a protect protected processed light or PPL one of those processes that Windows just won't let you tamper with which is odd cuz that TI group is given special permissions to begin with and even able to stop and delete PPL Services uh James had pointed this out to the Microsoft Research Center and so did Alex inesco back in 2013 I guess they didn't do anything at the time I'm not sure if that had changed since they would pretend PPL isn't a security boundary with whatever you know what they say UAC user count control not a security boundary blah blah blah problem is though you'd have to restore the trusted installer service to the original state otherwise things like Windows update will get unhappy really quickly and of course you wouldn't want to leave behind those breadcrumbs artifacts fingerprints that you made those changes if you ever did this on a red team pentest engagement whatever so could we not just use the token that we've seen that security privileges with the correct groups just trying to start a service and borrow or steal or take that token to create a whole new process and impersonate it that is what we will do next but first let me say big thanks to the sponsor of this video Black Hills information security anti- siphon training and all of the incredible Tria companies put together by John strand now you might be familiar I've showcased and chatted about them before in fact in a whole lot of other videos we've dug into some of their pay what you can training if you take a look at their website even their pay what you can training you could literally get whatever course you might like to dig into cyber security learn a ton of the stuff for whatever price tag is approachable affordable and accessible for you they've got a ton of incredible stuff here like Security operation Center core skills active defense and cyber deception little bit of packet decoding wire shark miter attack framework regular Expressions so much stuff and even more awesome stuff some of the intro labs for the introductory courses and classes have the material just out and about for free available for you on GitHub this is John strand's GitHub and his intro Labs repository you could see if you want to dig into the navigation we've showcased this in a couple of other videos and gone through a whole lot of that material but if we dug into the navigation look at all this awesome stuff here Linux command line memory analysis web log review wire shark Rita nessus deep blue CI Velociraptor elastic agent so so much cool stuff all available for you with the link in the video description and if I may squeeze in just another sweet tidbit they have a whole card game like back doors and breaches to role-play TBL toop exercises an incident response with physical cards to play a game like Dungeons and Dragons or can do it all online there's a URL play. backdoors andre. comom and they have a ton of incredible simulations hey exercises for you to talk through with your team what you might do in a doomsday scenario with incident response and tabletop exercises they also have these awesome incredible expansion packs in fact uh myself over at Huntress we've done some cool stuff there if you want to go play with it you could dig into all the sweet stuff and if in the back doors and breaches game you wanted to call a consultant like hey phone a friend get some assistance from someone else to bring in their perspective you can call a consultant for some industry folks and if you want to click that button in the huntress expansion deck there's me you can uh pull up me in your deck get that into your hand and John Hammond and my ugly mug and uh I think that's a little neat so thanks guys and big thanks to our sponsor check him out Link in the video description but let's get back to the blog post and see a better way that we could become trusted installer rather than this one-hot little service configuration tweak we are running as the administrator in this case right we're trying to make these changes and see this all in action so we've got the SE debug privilege capability so we could just open up a process and impersonate their token can we do that just as easily with the trusted installer process now James goes through this and showcases with one of the Powershell modules you could set up and actually use to play with tokens and other sweet process thread capabilities in Windows he actually references this up above at the beginning here he notes that look if you wanted to you could use this with power shell in the ENT object manager module so if you haven't heard of that before it's pretty cool let's go check it out trying to Google this you can find it on the Powershell gallery and the GitHub repository dig into the source code this is coming from Google project zero along with a lot of their other incredible tools so it's pretty sweet but super easy for us to download and work with all it takes is installing the module NT object manager and we could work with this syntax back in our Powershell command prompt let's just go ahead and paste this in and fire it up get it installed and ready to roll for us yep I'm totally cool with trusting it I think Google project zero will do okay to work with this here just enter the letter Y to say yes get this all staged and set up and with that we are ready to go now I can import module NT object manager and no errors we're good just to get us back to kind of a clean slate I will go ahead and use the service configuration executable to set the config on our trusted installer back to the traditional binary path for C Windows servicing trusted installer.exe and now we're back to as it should be so I won't drag you through this little intermediary step here that James showcases where he actually sets the N token privilege one of the commandlets coming from NT object manager that we just set up he actually starts the service as usual gets the process object opens a token and then tries to pull out and validate we are in fact getting a token with the trust and solar group having it be abled and set as the owner with that he says cool now we can do whatever we want but uh okay starting a win 32 process actually using the token that dollar sign T variable object we passed through if it tries to impersonate look it gets pretty bloody it errors the problem is we don't have the permissions there with that token can't seem to create a new process or impersonate the token because we only have the token query access we usually just need token _ duplicate to actually get the primary token that's needed to do impersonation if you want to dig into this in process hacker you really don't even have read control to see it within Powershell but you just don't have that access so how else could we get around this well this is explained just a little bit more because you'd think oh SE debug privilege usually that lets you do whatever you want because you're the admin after all but SE debug privilege only bypasses the security checks on process and thread op objects it doesn't do anything on tokens like we're working with right now so what else could we do other than break and destroy the service binary like we just saw there are a couple tricks you could try like using PS exec to actually stage a whole another service but again if you're just messing with the services you could just modify the trusted installer service to begin with you could end up creating a whole new process and actually setting the parent of the process be trusted installer.exe the NT object manager that Powershell module that we just downloaded and set up actually makes this pretty easy you could use other commandlets new win32 process and pass in the parent process parameter where it just lets you do that and you could grab the process with that simple commandlet and just stage it all super easy since we've reset our trusted installer service to use the regular trustedinstaller.exe program let's go ahead and start that trusted installer and now we can use our get nent process and actually try to grab the trustedinstaller.exe that returns for us and we could actually store that as a variable we'll use dollar sign p and that's staged and set up there now we could set a whole new process we could store this as a variable just as well we use the commandlet new win32 process and we'll spawn cmd.exe we'll set the creation Flags to actually be a new console and we can specify the parent process to be that dollar sign P variable for trust installer.exe I'll hit enter there and take a look we fired up the command prompt can I run Who Am i/g groups and there it is you might be able to see it just there we are in fact running with the N service trusted installer group in action that works now we spawned a whole new command prompt if I wanted to we could take a look Windows Media Player maybe that's a fine example if I put these side by side here I'll have our Windows Media Player directory here if I go back to the command prompt I'll try and delete my Windows Media Player and if I really want to delete it I'll hit yes fingers crossed it just goes away I think I could more cleanly spawn Powers shell and I'll still have all the same privileges because again it's a parent right so trusted installer is still here now I could RM recurse and force Windows Media Player uh or Windows Defender and fingers crossed that'll just blow the whole thing up and it's gone and that works that's fine that's becoming trusted installer with a whole new process and a command prompt window that we opened of course you could spawn notepad or Cal or whatever other graphical user interface program something with the window that we hadn't been able to do before now super easily with this setup but wouldn't it be neat if we could steal those privileges take that token and use it in our current shell and session like within the running Powershell window and the service that we've already got that is what the next portion of the blog post covers here and showcases look you could actually use the anti- impersonate thread API call that is an undocumented function by the way if we want to go Google that trying to do our own research again hey this is an NTA API undocumented functions resource and this is all the sweet stuff you could see hey someone else in the community has done a little bit of that reverse engineering analysis and been able to track that down so we can use the - impersonate thread API call to capture the impersonation context from an existing thread and then apply it to another the way impersonation contexts work is that the colel will try and capture the impersonation token for the thread first if there's no existing impersonation token it'll take a copy of the primary token of the process associated with that thread and impersonate that instead the beauty of the NTI impersonate thread API like setting the parent process is that it doesn't require permission to access the token it just requires thread direct impersonation access to a thread that we can get due to the SE debug privilege capability that we do in fact have so we have these steps we can open up the process with at least this access capability and then open up the threads with that access capability that we have and then call that anti impersonate thread to steal that impersonation token let's try and demo that super duper quick let me close out of this process this process that we started for cmd.exe that has the trusted installer group set and staged for me but if I go back to my original command prompt here this power shell session is the one that has the N object manager module imported so what we could do is let's restart the service for our trusted installer to get a clean slate here let's grab that process in the variable dollar sign P to get that ready for us and then let's set a thread object to be that get first thread function out of that process now we can see our T variable staged and ready and then we'll grab the current thread of the currently running process so we can call that variable dollar sign current we'll set that to get NT thread for our current process with a pseudo handle apparently let enter on that and then we can try to impersonate where our current thread will impersonate thread given our th include that and our impersonation token should be get NT token Tac impersonation fingers crossed now do we actually have an impersonation token ready ready and working for us we do so let's take a look at their groups we have them and then do we have our trusted installer group we do excellent now even in the running Powershell session that we're in if I were to put these side by side once again we'll move our program files over here and now I guess let's nuke like Windows Mail so I'll try to delete Tac force and we can use tack recurse on Windows Mail in this case or Windows Defender yeah blow up whatever you want I'll it enter and now that's gone obviously deleting stuff is just one use case of being trusted installer but that's like full access even higher than system apparently as long as something else doesn't set the main threads impersonation token you don't do anything else on a separate thread then your Powershell console will act as if it has that trusted installer group enabled pretty sweet so all in all big shout out big Kudos all of this is obviously James forshaw's incredible work and of course there are obviously more ways to get that trust and Sellar token than just what's covered here there's plenty of research on this again this article is from 2017 he goes on to explain that Vincent U over on Twitter said look you could just use get system with metlo to do that just as well if you get a system token with set TCB privilege you could also use these other API calls log on user xxw or LSA log on user or you can specify any other additional groups to apply to a service token plenty of other API calls you can Tinker with with and that's pretty sweet and if you were still Googling around you might very well have even seen a whole another article from James just as well says the art of becoming trusted installer the task scheduler Edition another way you could do this an article he wrote in 2019 and of course there are tools to be able to do this here's one on GitHub from fafl one uh with a utility run as trusted installer Runner program as trusted installer this is all tools that you might be able to do this even a graphic user interface to make that easy for you down below he includes some of the references and uh little thanks to see other tools that this was based off of and even the background context for the same article and more discussion here if you want to dig into any of the code even for what came from in our NT object manager again that's all on GitHub we could scroll through it but it's a ton of those sweet API calls obviously this is often times used in the conversation of disabling Windows Defender or killing other antier Solutions this was just one Showcase with UND Defender as the capability and of of course tons and tons of folks have already been chatting about this for years there is another blog from for cor uh no more access denied I am trusted installer this is relatively recent 2023 uh but they walk through the exact same process that we just saw over in James forshaw's blog post and everything in this case they're trying to delete everything for Windows Defender in C program files they walk through everything that we've already just discussed here showcase it all previously and big Kudos credit credit where credit is due for James foresaw and his blog post everything they've already covered I think there's this kind of neat though because they offer this as a goang library uh and showcase it look if you wanted to see this with some of their utilities libraries they've built out they actually have wind token a go package to try and steal window tokens or enable disable token Privileges and do some other sweet stuff so that's pretty neat if you want to do this in goang and play with some other that just as well look at that syntax it's goang so I mean it is what you'd expect it to be but I'm digging it and then got that built out as a proof of concept just as well if you wanted to see that on GitHub all in goang so pretty sweet that they've got that there you can do this in goang you can do this in C and with that n object manager library from Google project zero you can do this in Powershell just as well so super slick super cool I thought it would be a neat thing to show you I know it's a little bit old and dated but that might answer the question of what is the trusted installer account who is trusted installer and how could you steal those privileges for yourself to do some damage wreak havoc do whatever you might do thanks so much for watching hope you enjoyed this video like comment subscribe all those YouTube algorithm things and I'll see you in the next video

Original Description

https://jh.live/pwyc || Jump into Pay What You Can training at whatever cost makes sense for you! https://jh.live/pwyc James Forshaw's blog post: https://www.tiraniddo.dev/2017/08/the-art-of-becoming-trustedinstaller.html Reddit delirium: https://www.reddit.com/r/Windows10/comments/17m3cyr/how_does_one_become_trustedinstaller/ 🏆Attend ContinuumCon, the practical online cybersecurity conference that never ends! Livestream begins June 20th, 2025: https://jh.live/continuumcon Learn Coding: https://jh.live/codecrafters WATCH MORE: Dark Web & Cybercrime Investigations: https://www.youtube.com/watch?v=_GD5mPN_URM&list=PL1H1sBF1VAKVmjZZr162aUNCt2Uy5ozAG&index=4 Malware & Hacker Tradecraft: https://www.youtube.com/watch?v=LKR8cdfKeGw&list=PL1H1sBF1VAKWMn_3QPddayIypbbITTGZv&index=5 📧JOIN MY NEWSLETTER ➡ https://jh.live/email 🙏SUPPORT THE CHANNEL ➡ https://jh.live/patreon 🤝 SPONSOR THE CHANNEL ➡ https://jh.live/sponsor 🌎FOLLOW ME EVERYWHERE ➡ https://jh.live/twitter ↔ https://jh.live/linkedin ↔ https://jh.live/discord ↔ https://jh.live/instagram ↔ https://jh.live/tiktok 💥 SEND ME MALWARE ➡ https://jh.live/malware 🔥YOUTUBE ALGORITHM ➡ Like, Comment, & Subscribe!
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from John Hammond · John Hammond · 0 of 60

← Previous Next →
1 Code Commentaries? PHP to JavaScript in Bash and PHP!
Code Commentaries? PHP to JavaScript in Bash and PHP!
John Hammond
2 Tutorials? MySQL connection with PHP and Bash!
Tutorials? MySQL connection with PHP and Bash!
John Hammond
3 Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
Variable Naming in Python! Happy Birthday, Linux! Nokia N900!
John Hammond
4 JavaScript Splits The URL!
JavaScript Splits The URL!
John Hammond
5 HTML Tables in Python!
HTML Tables in Python!
John Hammond
6 HTML, Net Shares, GML!
HTML, Net Shares, GML!
John Hammond
7 Python 08 Programming Style and Comments
Python 08 Programming Style and Comments
John Hammond
8 Python 26 Object Oriented Programming
Python 26 Object Oriented Programming
John Hammond
9 75 Python Tutorials, Out Now!
75 Python Tutorials, Out Now!
John Hammond
10 Batch 14 Mathematical Expressions
Batch 14 Mathematical Expressions
John Hammond
11 Batch 85 Array Append
Batch 85 Array Append
John Hammond
12 Batch 86 Array Count
Batch 86 Array Count
John Hammond
13 Batch 87 Array Index
Batch 87 Array Index
John Hammond
14 Batch 88 Array Insert
Batch 88 Array Insert
John Hammond
15 Batch 89 Array Remove
Batch 89 Array Remove
John Hammond
16 Batch 90 Array Reverse
Batch 90 Array Reverse
John Hammond
17 Python [colorama] 00 Installing on Linux
Python [colorama] 00 Installing on Linux
John Hammond
18 Python [colorama] 09 Cursor Position
Python [colorama] 09 Cursor Position
John Hammond
19 Python [hashlib] 02 Algorithms
Python [hashlib] 02 Algorithms
John Hammond
20 Python 00 Installing IDLE on Linux
Python 00 Installing IDLE on Linux
John Hammond
21 Python [pygame] 11 Rectangular Collision Detection
Python [pygame] 11 Rectangular Collision Detection
John Hammond
22 Python [pygame] 12 Platforming Rectangular Collision Resolution
Python [pygame] 12 Platforming Rectangular Collision Resolution
John Hammond
23 Python [XML-RPC] 01 Research
Python [XML-RPC] 01 Research
John Hammond
24 Python [pyenchant] 03 Personal Word Lists
Python [pyenchant] 03 Personal Word Lists
John Hammond
25 FancyURLopener Authentication and User-Agent [urllib] 03
FancyURLopener Authentication and User-Agent [urllib] 03
John Hammond
26 Python 04: PEP8 Coding
Python 04: PEP8 Coding
John Hammond
27 Python Challenge! 17 COOKIES
Python Challenge! 17 COOKIES
John Hammond
28 Google CTF 2016: Ernst Echidna
Google CTF 2016: Ernst Echidna
John Hammond
29 Google CTF 2016: Spotted Quoll
Google CTF 2016: Spotted Quoll
John Hammond
30 Google CTF 2016: Can you Repo It?
Google CTF 2016: Can you Repo It?
John Hammond
31 Google CTF 2016: No Big Deal
Google CTF 2016: No Big Deal
John Hammond
32 Google CTF 2016: In Recorded Conversation
Google CTF 2016: In Recorded Conversation
John Hammond
33 Homemade CTF Challenge: 01 "Orchestra"
Homemade CTF Challenge: 01 "Orchestra"
John Hammond
34 Homemade CTF Challenge: 02 "Bae's Base"
Homemade CTF Challenge: 02 "Bae's Base"
John Hammond
35 Homemade CTF Challenge: 03 "Web Hunt"
Homemade CTF Challenge: 03 "Web Hunt"
John Hammond
36 Homemade CTF Challenge: 04 "UPX"
Homemade CTF Challenge: 04 "UPX"
John Hammond
37 Homemade CTF Challenge: 05 "The Assumption Song"
Homemade CTF Challenge: 05 "The Assumption Song"
John Hammond
38 Homemade CTF Challenge: 06 "A Brisk Stroll"
Homemade CTF Challenge: 06 "A Brisk Stroll"
John Hammond
39 Homemade CTF Challenge: 06 "I lost my password!"
Homemade CTF Challenge: 06 "I lost my password!"
John Hammond
40 web25 :: Mr. Robot : EKOPARTY CTF 2016
web25 :: Mr. Robot : EKOPARTY CTF 2016
John Hammond
41 web50 : RFC 7230 :: EKOPARTY CTF 2016
web50 : RFC 7230 :: EKOPARTY CTF 2016
John Hammond
42 misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
misc50 : Hidden inside EKO :: EKOPARTY CTF 2016
John Hammond
43 Hack The Vote 2016 CTF: Sander's Fan Club [web100]
Hack The Vote 2016 CTF: Sander's Fan Club [web100]
John Hammond
44 Hack The Vote 2016 CTF Warpspeed [forensics150]
Hack The Vote 2016 CTF Warpspeed [forensics150]
John Hammond
45 Juniors CTF 2016 :: Black Suprematic Square
Juniors CTF 2016 :: Black Suprematic Square
John Hammond
46 Juniors CTF 2016 :: Six Strange Tales
Juniors CTF 2016 :: Six Strange Tales
John Hammond
47 Juniors CTF 2016 :: Lost Code
Juniors CTF 2016 :: Lost Code
John Hammond
48 Juniors CTF 2016 :: Here Goes!
Juniors CTF 2016 :: Here Goes!
John Hammond
49 Juniors CTF 2016 :: Southern Cross
Juniors CTF 2016 :: Southern Cross
John Hammond
50 Juniors CTF 2016 :: Clone Attack
Juniors CTF 2016 :: Clone Attack
John Hammond
51 Juniors CTF 2016 :: Dirty Repo
Juniors CTF 2016 :: Dirty Repo
John Hammond
52 Juniors CTF 2016 :: Hackers Blog
Juniors CTF 2016 :: Hackers Blog
John Hammond
53 Juniors CTF 2016 :: Voting!!!
Juniors CTF 2016 :: Voting!!!
John Hammond
54 Juniors CTF 2016 :: The Good, The Bad and The Junkman
Juniors CTF 2016 :: The Good, The Bad and The Junkman
John Hammond
55 Juniors CTF 2016 :: Stop Thief!
Juniors CTF 2016 :: Stop Thief!
John Hammond
56 Juniors CTF 2016 :: ROFL
Juniors CTF 2016 :: ROFL
John Hammond
57 Juniors CTF 2016 :: Restriced Area
Juniors CTF 2016 :: Restriced Area
John Hammond
58 Juniors CTF 2016 :: Oh SSH!
Juniors CTF 2016 :: Oh SSH!
John Hammond
59 HackCon CTF 2017 TRIVIA and BONUS Challenges
HackCon CTF 2017 TRIVIA and BONUS Challenges
John Hammond
60 HackCon CTF 2017 "Bacche" Challenges
HackCon CTF 2017 "Bacche" Challenges
John Hammond

This video teaches how to hack Windows TrustedInstaller using various tools and techniques, allowing users to bypass Windows security features and gain elevated permissions. It provides a comprehensive understanding of Windows security and token manipulation.

Key Takeaways
  1. Use Powershell to get ACL on a directory
  2. Use SC utility to start the Trusted Installer service
  3. Impersonate a token using token duplication
  4. Use PS exec to stage a new service
  5. Modify the trusted installer service
  6. Create a new process using the new win32 process commandlet
💡 The TrustedInstaller process can be impersonated to gain elevated permissions, allowing users to bypass Windows security features and perform actions that would otherwise be restricted.

Related Reads

📰
Hardware Signals & Pocket Recon: How to Be a Ghost in the Machine
Learn how everyday devices like smartwatches and LED strips can compromise your anonymity and what you can do to minimize your digital footprint
Medium · Cybersecurity
📰
Engineering a Real-Time ML Network IDS Dashboard
Learn to engineer a real-time ML network IDS dashboard beyond just training a model
Medium · Cybersecurity
📰
TryHackMe: Hammer Walkthrough
Learn how to perform a full account takeover using rate limit bypass, OTP brute force, and JWT kid injection techniques on TryHackMe's Hammer challenge
Medium · Cybersecurity
📰
I Hardened a Linux Server, Lost It to My Own Mistake, and Rebuilt It From My Own Notes
Learn from a developer's mistake: how proper documentation can save a Linux server from disaster and why it matters for security and recovery
Medium · Cybersecurity
Up next
Best VPN For China 2026 — Which One Actually Works?
Tutorial Stack
Watch →