I would like to be able to inject code into a protected system process to help with analyzing the program. In particular the "Software Protection" service (sppsvc). Standard DLL injection methods like SetWindowsHookEx or CreateRemoteThread won't work because the injecting process doesn't have access to the protected process. If you could run the injecting process with higher rights it MAY work. The only method I found is a program called DevxExec to run a program as TrustedInstaller or NETWORK_SERVICE, but it seems to crash every time I try to use it on Win8.

So I thought, well, this is simple. Rename some DLL on the file system that the protected process loads and replace it with a crafted DLL that provides redirection to the renamed DLL. It turns out there is a two-stage protection called "Windows Resource Protection" and "Code Integrity". Whenever a protected process loads a DLL it checks its hash against a hash that has been signed. There is also a manifest that contains an unsigned hash, but there is a signed hash of the manifest as well as an unsigned hash of the manifest hidden in the registry. These files have backups too in case of corruption. So I modified everything that is unsigned to be correct. It even passes sfc.exe /scannow, but the signed hashes prevent it from being loaded.

So I thought there must be some way to turn off the code integrity check. I tried:

- bcdedit.exe -set loadoptions DISABLE_INTEGRITY_CHECKS
- bcdedit.exe -set TESTSIGNING ON
- Option 7 on advanced boot. (Disable code signing for drivers requirement)

But none of these disable code integrity for sppsvc.

So my next thought is to generate my own public/private keys and update the signed hashes. There is a public key stored in the manifest for each file and a public key stored in the registry for each manifest. I'm sure it won't be that simple though. But before I go through any more work I thought I might see if anyone here has any better ideas or experience with this.

It seems like there should be an easier way. Or maybe I am just remembering the days when an admin could do whatever they wanted to their system.
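
From the defender's side, the two `bcdedit` settings tried in the post leave a persistent trace in the boot configuration, so a host that has had them applied can be flagged from saved `bcdedit /enum` output. The following is an added example, not part of the original post; the sample text is constructed, English-locale output is assumed, and the function names are hypothetical.

```python
import re

# Constructed sample of `bcdedit /enum` output (English locale assumed; not from a real host).
SAMPLE = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
testsigning             No
"""

def parse_entries(text):
    """Split bcdedit output into one dict of element -> value per boot entry."""
    entries, current = [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not stripped or re.fullmatch(r"-+", stripped):
            continue  # blank line or the dashed underline of a header
        if re.fullmatch(r"-+", nxt):
            current = {"_type": stripped}  # section header starts a new entry
            entries.append(current)
        elif current is not None and not line[0].isspace():
            key, _, value = line.partition(" ")  # indented continuation lines are ignored
            current[key.lower()] = value.strip()
    return entries

def weakened(entries):
    """Return (identifier, finding) pairs for the settings named in the post."""
    findings = []
    for e in entries:
        ident = e.get("identifier", "?")
        if e.get("testsigning", "").lower() == "yes":
            findings.append((ident, "testsigning"))
        if "DISABLE_INTEGRITY_CHECKS" in e.get("loadoptions", "").upper().split():
            findings.append((ident, "loadoptions DISABLE_INTEGRITY_CHECKS"))
    return findings

if __name__ == "__main__":
    for ident, finding in weakened(parse_entries(SAMPLE)):
        print(f"{ident}: {finding}")
```

The advanced-boot option 7 mentioned in the post is chosen at boot time and is not covered by this check.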