@wesmar, Almost there. Non-admin session seems to be working now, except that cmdt does not return the command prompt after running a -cli cmd. This may cause problems in a batch file. Also, the updates implemented when run in a non-admin session are now causing issues when run in an admin session. cmdt_x64.exe -cli net session flashes and no output is displayed. Redirection creates the correct output file, but the cmd window still flashes.
I am looking forward to this with great interest (I will test it with curiosity when you provide it) and thank you for taking the time to test and provide increasingly improved software that is useful. Your other software product - Registry editor is now also one of my favorites. :}
@wesmar All versions work great, but if I may suggest including the version number in the file properties as well (if that's what you mean by versioning), in the past two days I've downloaded it four times and if I didn't pay attention, I wouldn't know which file is which - they all have version number 1.0.0.0 and file date 01/01/2030.
When running net session in an admin command prompt, I still don't see any output and the result is 2 command prompts. The non-admin session also shows 2 prompts with the output on the 2nd prompt.

Code:
Admin Session
U:\SwApps\Tools4Maint\CmdElevation\CmdT>cmdt_x64.exe -cli net session
U:\SwApps\Tools4Maint\CmdElevation\CmdT>
U:\SwApps\Tools4Maint\CmdElevation\CmdT>

Non-Admin Session
U:\SwApps\Tools4Maint\CmdElevation\CmdT>cmdt_x64.exe -cli net session
U:\SwApps\Tools4Maint\CmdElevation\CmdT>
U:\SwApps\Tools4Maint\CmdElevation\CmdT>There are no entries in the list.

I don't see how you missed that during testing.
@wesmar You seem to have multiple projects going on. I know you're busy. Just wondering if the above-mentioned issues are fixable or not?
That's right, and on top of that, there's demand in Warsaw for commercial software upgrades on Kove motorcycles equipped with THINKERRIDE navigation systems—I reprogram them to use Google Maps. I need to focus for a few hours to figure out the best way to handle these processes. I'll definitely get back to this topic in a few days.
Seems to be working now for command prompt usage. Appreciate the update. It may be less work just to split the 2. NSudo uses this approach. Others may have some different thoughts on this. I still need to test if cmdt will run from a shared network attached drive. Nsudo doesn't and has the following error: Failed to create a process. Working fine with cmdt_x64.
Does anyone know how to make this work while Faronics Deep Freeze is in a frozen state? None of the other tools I tested work, including nsudo, powerrun, nanarun and more... The only method that successfully achieves TI privileges is freddie-o's powershell token creation script, Elevate_as_TI.ps1
You can test this approach using a method that moves away from token stealing and operates entirely in memory:

Run CMD as an administrator and execute
Code:
StickyTrap.exe install

Press Ctrl+Alt+Del (do not log out or switch users). Press the Shift key 5 times. If successful, you will see a command prompt running under NT AUTHORITY\SYSTEM. (whoami)

This method performs a dynamic inline hook on the WlAccessibilityOnWin32KMessage function directly inside the RAM of the running winlogon.exe process. When the 5x Shift trigger occurs, it intercepts the message and spawns a shell on the secure desktop.

Cleanup: Once you are done testing, simply run
Code:
StickyTrap.exe uninstall

to safely remove the hook from memory and restore the system to its original state.

P.S.: To give you some context, StickyTrap is merely a stripped-down, isolated subset of a broader local privilege escalation (LPE) framework I’ve been analyzing. The full research-grade codebase leverages advanced techniques—including precise TOCTOU (Time-of-Check to Time-of-Use) race conditions and complex token hijacking—to escalate privileges directly to SYSTEM from any unprivileged standard user account. This specific release, however, has been strictly scoped down for demonstration purposes; it requires an active Administrator session with SeDebugPrivilege and is designed to operate exclusively via the secure Ctrl+Alt+Del lock screen sequence.
I tried using StickyTrap, but it doesn't work under the frozen state, as it fails at the injection phase with the error:

Code:
[*] Starting StickyTrap install...
[+] winlogon.exe PID = 824
[+] DLL extracted: C:\Users\VM\AppData\Local\Temp\StickyTrapDll_2988.dll
[*] Injecting into winlogon.exe...
[-] Injection failed. Run from elevated prompt.

Deep Freeze basically blocks the low-level hooks from messing with winlogon.exe, so it couldn't elevate at all. For now, it looks like memory token stealing is the only thing that actually slips past. Thank you for your time.
Try this as an administrator:
Code:
cmdt -shift

Log out and tap Shift five times. You shouldn't have that lock anymore. Seth will run through the cmd debugger.

Code:
Cmdt -unshift

Restores the original state.
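The last post says sethc runs "through the cmd debugger", which describes an Image File Execution Options (IFEO) Debugger redirection of the Sticky Keys binary. For an administrator who wants to verify whether such a redirection (from cmdt -shift, StickyTrap, or anything else) is currently present on a machine, here is an added audit script; it is not part of the thread and not code from cmdt or StickyTrap. It assumes only the standard IFEO registry location and the standard System32 accessibility binaries; the function and variable names are my own.

```powershell
# Added example (not from the thread, cmdt, or StickyTrap): audit the host for
# IFEO "Debugger" redirections of the accessibility binaries that the secure
# desktop launches (Shift x5 -> sethc.exe, Ease of Access -> utilman.exe, ...)
# and confirm the on-disk sethc.exe is still Microsoft-signed.
$ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Standard accessibility executables reachable from the lock screen.
$accessibilityBinaries = @(
    'sethc.exe',        # Sticky Keys (Shift pressed five times)
    'utilman.exe',      # Ease of Access button
    'osk.exe',          # On-Screen Keyboard
    'narrator.exe',
    'magnify.exe',
    'displayswitch.exe',
    'atbroker.exe'
)

function Get-AccessibilityDebuggerEntry {
    # Returns one object per accessibility binary that has an IFEO Debugger value set.
    foreach ($bin in $accessibilityBinaries) {
        $keyPath = Join-Path -Path $ifeoBase -ChildPath $bin
        if (-not (Test-Path -Path $keyPath)) { continue }
        $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
        if ($null -ne $props -and $props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{
                Binary   = $bin
                KeyPath  = $keyPath
                Debugger = $props.Debugger
            }
        }
    }
}

function Test-SethcSignature {
    # Checks that System32\sethc.exe still carries a valid Microsoft signature,
    # which catches the older "replace sethc.exe with cmd.exe" variant.
    $sethc = Join-Path -Path $env:SystemRoot -ChildPath 'System32\sethc.exe'
    $sig = Get-AuthenticodeSignature -FilePath $sethc
    [pscustomobject]@{
        Path   = $sethc
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

$entries = @(Get-AccessibilityDebuggerEntry)
if ($entries.Count -eq 0) {
    Write-Output 'No IFEO Debugger entries found for accessibility binaries.'
} else {
    Write-Output 'IFEO Debugger entries found (each redirects a lock-screen binary):'
    $entries | Format-Table -AutoSize
}

Test-SethcSignature | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt (reading HKLM IFEO keys does not require elevation, but doing so avoids partial results on hardened hosts). A populated Debugger entry or a sethc.exe whose signature status is anything other than Valid is exactly the state that cmdt -unshift is meant to undo, so the script is a convenient way to confirm that the restore actually happened.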