CMDT - Ultra-lightweight Run-as-TrustedInstaller (Pure x64/x86 Assembly)

Discussion in 'MDL Projects and Applications' started by wesmar, Feb 6, 2026.

  1. adric (MDL Expert), joined Jul 30, 2009
     #41 adric, May 16, 2026. Last edited: May 16, 2026
  2. wesmar (MDL Member), joined Apr 1, 2012
  3. adric (MDL Expert), joined Jul 30, 2009
     #45 adric, May 17, 2026. Last edited: May 17, 2026
    @wesmar, Almost there. Non-admin session seems to be working now, except that cmdt does not return the command prompt after running a -cli cmd. This may cause problems in a batch file.

    Also, the updates implemented when run in a non-admin session are now causing issues when run in an admin session. cmdt_x64.exe -cli net session flashes and no output is displayed. Redirection creates the correct output file, but the cmd window still flashes.
     
  4. KMPLAYER (MDL Member), joined Jan 12, 2014
    I am looking forward to this with great interest (I will test it with curiosity when you provide it) and thank you for taking the time to test and provide increasingly improved software that is useful. Your other software product - Registry editor is now also one of my favorites. :}
     
  5. GrofLuigi (MDL Senior Member), joined Sep 17, 2016
    @wesmar All versions work great, but if I may suggest including the version number in the file properties as well (if that's what you mean by versioning): in the past two days I've downloaded it four times, and if I didn't pay attention, I wouldn't know which file is which; they all have version number 1.0.0.0 and file date 01/01/2030.
     
  6. sometogive (MDL Novice), joined Feb 5, 2026
    Thanks for the offer.

    Please be so kind and give your exe an icon.
     
  7. adric (MDL Expert), joined Jul 30, 2009
     #50 adric, May 18, 2026. Last edited: May 18, 2026
    When running net session in an admin command prompt, I still don't see any output and the result is 2 command prompts. The non-admin session also shows 2 prompts with the output on the 2nd prompt.
    Code:
    Admin Session
    U:\SwApps\Tools4Maint\CmdElevation\CmdT>cmdt_x64.exe -cli net session
    
    U:\SwApps\Tools4Maint\CmdElevation\CmdT>
    U:\SwApps\Tools4Maint\CmdElevation\CmdT>
    
    Non-Admin Session
    U:\SwApps\Tools4Maint\CmdElevation\CmdT>cmdt_x64.exe -cli net session
    
    U:\SwApps\Tools4Maint\CmdElevation\CmdT>
    U:\SwApps\Tools4Maint\CmdElevation\CmdT>There are no entries in the list. 
    I don't see how you missed that during testing.
     
  8. Xadiaris (MDL Junior Member), joined Apr 23, 2008
    Same result...
     
  9. adric (MDL Expert), joined Jul 30, 2009
    @wesmar
    You seem to have multiple projects going on. I know you're busy. Just wondering if the above-mentioned issues are fixable or not?
     
  10. wesmar (MDL Member), joined Apr 1, 2012
    That's right, and on top of that, there's demand in Warsaw for commercial software upgrades on Kove motorcycles equipped with THINKERRIDE navigation systems—I reprogram them to use Google Maps. I need to focus for a few hours to figure out the best way to handle these processes. I'll definitely get back to this topic in a few days.
     
  11. adric (MDL Expert), joined Jul 30, 2009
      #55 adric, Jun 4, 2026. Last edited: Jun 4, 2026
    Seems to be working now for command prompt usage. Appreciate the update. It may be less work just to split the 2. NSudo uses this approach. Others may have some different thoughts on this.

    I still need to test if cmdt will run from a shared network-attached drive. NSudo doesn't and gives the following error: "Failed to create a process." Working fine with cmdt_x64.
     
  12. wtfjajaja (MDL Novice), joined Oct 4, 2008
    Does anyone know how to make this work while Faronics Deep Freeze is in a frozen state?
    None of the other tools I tested work, including nsudo, powerrun, nanarun and more...
    The only method that successfully achieves TI privileges is freddie-o's powershell token creation script, Elevate_as_TI.ps1
     
  13. wesmar (MDL Member, OP), joined Apr 1, 2012
      #57 wesmar, Jun 6, 2026. Last edited: Jun 6, 2026
    You can test this approach using a method that moves away from token stealing and operates entirely in memory:

    1. Run CMD as an administrator and execute:
      Code:
      StickyTrap.exe install

    2. Press Ctrl+Alt+Del (do not log out or switch users).

    3. Press the Shift key 5 times.
    If successful, you will see a command prompt running under NT AUTHORITY\SYSTEM. (whoami)

    This method performs a dynamic inline hook on the WlAccessibilityOnWin32KMessage function directly inside the RAM of the running winlogon.exe process. When the 5x Shift trigger occurs, it intercepts the message and spawns a shell on the secure desktop.

    Cleanup:
    Once you are done testing, simply run
    Code:
    StickyTrap.exe uninstall
    to safely remove the hook from memory and restore the system to its original state.

    P.S: To give you some context, StickyTrap is merely a stripped-down, isolated subset of a broader local privilege escalation (LPE) framework I’ve been analyzing. The full research-grade codebase leverages advanced techniques—including precise TOCTOU (Time-of-Check to Time-of-Use) race conditions and complex token hijacking—to escalate privileges directly to SYSTEM from any unprivileged standard user account. This specific release, however, has been strictly scoped down for demonstration purposes; it requires an active Administrator session with SeDebugPrivilege and is designed to operate exclusively via the secure Ctrl+Alt+Del lock screen sequence.
     

    Attached Files:

  14. wtfjajaja (MDL Novice), joined Oct 4, 2008
    I tried using StickyTrap, but it doesn't work under the frozen state, as it fails at the injection phase with the error:
    Code:
    [*] Starting StickyTrap install...
    [+] winlogon.exe PID = 824
    [+] DLL extracted: C:\Users\VM\AppData\Local\Temp\StickyTrapDll_2988.dll
    [*] Injecting into winlogon.exe...
    [-] Injection failed. Run from elevated prompt.
    
    Deep Freeze basically blocks the low-level hooks from messing with winlogon.exe, so it couldn't elevate at all.
    For now, it looks like memory token stealing is the only thing that actually slips past.

    Thank you for your time.
     
  15. wesmar (MDL Member), joined Apr 1, 2012
    Try this as an administrator:
    Code:
    cmdt -shift
    Log out and tap Shift five times. You shouldn't have that lock anymore. Seth will run through the cmd debugger.
    Code:
    Cmdt -unshift
    Restores the original state.
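The `-shift` / `-unshift` switches above, like the classic sticky-keys trick they resemble, hinge on what launches when an accessibility binary is invoked from the logon screen. The following audit script is an added example for defenders and is not part of this thread, of cmdt, or of StickyTrap: it enumerates the Image File Execution Options (IFEO) `Debugger` values for the accessibility executables reachable from the secure desktop and verifies that the on-disk copies in System32 still carry a valid Microsoft Authenticode signature. The list of binaries is an assumption (a commonly cited set, not one taken from the thread); run it from an elevated PowerShell prompt. Note that it only catches the IFEO-debugger variant; an in-memory inline hook in winlogon.exe, such as the one StickyTrap installs, leaves no registry or file trace for this check to find and needs memory inspection of the winlogon process instead.

```powershell
# Added audit example (not from the thread, cmdt, or StickyTrap).
# Reports IFEO "Debugger" redirections for logon-screen accessibility binaries
# and checks the Authenticode signature of each file in System32.

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumed list of accessibility executables reachable from the secure desktop.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

$findings = foreach ($bin in $accessibilityBinaries) {
    # IFEO key for this image name; a "Debugger" value replaces the image at launch.
    $key      = Join-Path $ifeo $bin
    $debugger = $null
    if (Test-Path $key) {
        $debugger = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
    }

    # Signature check of the on-disk binary (covers the swapped-file variant).
    $path   = Join-Path $env:SystemRoot ("System32\" + $bin)
    $status = 'FileMissing'
    $signer = $null
    if (Test-Path $path) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    $suspicious = ($null -ne $debugger) -or
                  ($status -ne 'Valid') -or
                  ($null -eq $signer) -or
                  ($signer -notmatch 'Microsoft')

    [pscustomobject]@{
        Binary          = $bin
        IfeoDebugger    = $debugger
        SignatureStatus = $status
        Signer          = $signer
        Suspicious      = $suspicious
    }
}

$findings | Format-Table -AutoSize

# Remediation for a reviewed finding: remove only the Debugger value so that
# any other legitimate IFEO settings for that image name are left intact.
# Remove-ItemProperty -Path (Join-Path $ifeo 'sethc.exe') -Name Debugger
```

A `Suspicious` row with a non-empty `IfeoDebugger` means the logon-screen accessibility shortcut is being redirected to another program; a row whose `SignatureStatus` is not `Valid` or whose signer is not Microsoft points at a replaced binary. On a Deep Freeze host the registry change would normally be discarded at reboot, so run the check while the session is live rather than relying on the next boot to undo it.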
     
  16. wtfjajaja (MDL Novice), joined Oct 4, 2008
    That did the trick, thanks.