Run Explorer as TI

Discussion in 'Scripting' started by Thomas Dubreuil, Nov 9, 2018.

  1. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #1 Thomas Dubreuil, Nov 9, 2018
    Last edited: Feb 28, 2019
    I made a (small) script to run Explorer as Trusted Installer.

    What the script does:
    It will delete 'CreateExplorerShellUnelevatedTask' if present (this task is created when you try to "elevate" Explorer).
    It will rename "RunAs" value to "_RunAs_" under HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2} registry key (with Nsudo help). This value also prevents Explorer elevation.
    It will launch an Explorer window as Trusted Installer (with Nsudo), and finally sets the registry key back to its default value ("RunAs").

    Credits to: @Mouri_Naruto for Nsudo and @abbodi1406 for the Nsudo script part/idea.
    Warning: USE CAREFULLY, as you will be able to delete protected files and folders.

    -App: I made a small .exe application out of it, with Nsudo embedded: It will extract Nsudo to the script folder, then delete it after the command is executed.

    Code:
    File : RunExplorerShellAsTrustedInstaller.zip
    updated : https://forums.mydigitallife.net/threads/run-explorer-as-ti.78329/#post-1494455
    
    -Script (Note you have to have Nsudo next to the script) :
    Code:
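    @echo off
    
    REM Already running under the SYSTEM SID (S-1-5-18)? If not, relaunch this script
    REM through NSudo as TrustedInstaller (-U:T) with all privileges enabled (-P:E).
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    "%~dp0NSudo.exe" -U:T -P:E -ShowWindowMode:Hide "%~dpnx0"& exit /b >NUL 2>&1
    )
    
    :OK
    REM Remove the task that Windows creates when you try to elevate Explorer.
    schtasks /delete /TN "CreateExplorerShellUnelevatedTask" /f >NUL 2>&1
    
    REM Rename RunAs to _RunAs_ so that Explorer can start in this context.
    reg delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /f >NUL 2>&1
    reg add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    
    explorer.exe /root,
    
    REM Wait for the window to open, then put the RunAs value back.
    TIMEOUT /T 3 /nobreak >NUL 2>&1
    reg delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /f >NUL 2>&1
    reg add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    exit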
    
    -And another one asking for confirmation before running, followed by a warning:

    Code:
    @echo off
    
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    "%~dp0NSudo.exe" -U:T -P:E "%~dpnx0"&exit /b >NUL 2>&1
    )
    
    :OK
    schtasks /Delete /TN "CreateExplorerShellUnelevatedTask" /f >NUL 2>&1
    
    echo Are you sure you want to run Explorer as Trusted Installer ?
    @pause
    echo Please use carefully!!
    
    Reg.exe delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /f >NUL 2>&1
    Reg.exe add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    
    explorer.exe /root,
    
    TIMEOUT /T 3 /nobreak >NUL 2>&1
    Reg.exe delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /f >NUL 2>&1
    Reg.exe add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    exit
    

    -10/12/2018 v1.7 : Added line to delete "CreateExplorerShellUnelevatedTask" if present.

    -13/12/2018 v2.0 : New "multi-size" icon, now displays well at all sizes.

    Added transparent .png icons, together with CheckUpdates.visualelementsmanifest.xml,
    which add the ability to display a custom transparent tile on your start menu panel, as well as custom background colour for this tile.

    You can edit the .xml file to change tile background color (only accepts hex colour value, no colour name), or change text "color" displayed on big tile (only accepts "dark" or "light" values).
    You can also edit the .png folder, or change with custom ones if you like...

    To reset tile (and see the changes made on your start screen), enter this code in Powershell:
    Code:
    (ls "$env:programdata\Microsoft\Windows\Start Menu\Programs\YOURLINKPATH\YOURLINKNAME.lnk").lastwritetime = get-date
    or if your link is in the "other" start menu :
    Code:
    (ls "$env:appdata\Microsoft\Windows\Start Menu\Programs\YOURLINKPATH\YOURLINKNAME.lnk").lastwritetime = get-date
    * Replace 'YOURLINKPATH' and 'YOURLINKNAME' with your own, of course...
     
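For checking a machine after the script in post #1 has run, here is an added example that is not part of the original post and is not NSudo's own code: a PowerShell audit that reports whether the "RunAs" value was restored, whether the scheduled task is back, and whether any explorer.exe is still running under the SID the script tests for. The function name and output fields are assumptions made for this example; the GUID, value names, task name and SID are taken from the script above.

```powershell
# Added example: audit the state that the post #1 script changes.
# Get-ExplorerTiAudit and its output fields are hypothetical names for this example.
# Run from an elevated prompt so that owners of SYSTEM processes can be read.
function Get-ExplorerTiAudit {
    # Registry value the script renames (RunAs -> _RunAs_) and later restores.
    $appId = 'Registry::HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}'
    $props = Get-ItemProperty -LiteralPath $appId -ErrorAction SilentlyContinue
    $runAs   = if ($props) { $props.RunAs } else { $null }
    $renamed = if ($props) { $props.'_RunAs_' } else { $null }

    # If the script is interrupted during its 3 second wait, _RunAs_ is left
    # behind and RunAs is missing. "Interactive User" is the data the script writes.
    $state = if ($null -ne $renamed -and $null -eq $runAs) {
        'Renamed, not restored'
    } elseif ($runAs -eq 'Interactive User' -and $null -eq $renamed) {
        'Restored'
    } else {
        'Unexpected'
    }

    # Scheduled task the script deletes on every run.
    $task = Get-ScheduledTask -TaskName 'CreateExplorerShellUnelevatedTask' -ErrorAction SilentlyContinue

    # explorer.exe instances owned by S-1-5-18, the SID the script checks with whoami.
    $asSystem = Get-CimInstance -ClassName Win32_Process -Filter "Name='explorer.exe'" |
        ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwnerSid
            if ($owner.ReturnValue -eq 0 -and $owner.Sid -eq 'S-1-5-18') {
                [pscustomobject]@{ ProcessId = $_.ProcessId; OwnerSid = $owner.Sid }
            }
        }

    [pscustomobject]@{
        RunAsState            = $state
        RunAsData             = $runAs
        RenamedData           = $renamed
        UnelevatedTaskPresent = [bool]$task
        ExplorerAsSystem      = @($asSystem)
    }
}

Get-ExplorerTiAudit | Format-List
```

A "Renamed, not restored" state or a non-empty ExplorerAsSystem list means the elevated shell, or its registry change, is still in effect on that machine.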
  2. abbodi1406

    abbodi1406 MDL KB0000001

    BTW, this is better
    Code:
    "%~dp0NSudo.exe" -U:T -P:E "%~dpnx0"&exit /b
    instead of
    Code:
    "%~dp0NSudo.exe" -U:T -P:E "%~dpnx0"
    goto :eof
     
  3. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Thanks! post edited :cool:
     
  4. MonarchX

    MonarchX MDL Expert

    Awesome! It would be nice if we could just get our freedom and run all of Windows 10 with TI permissions.

    BTW, if, aside from the actual explorer, it allows to launch apps with even greater freedom than NSudo, then can it be integrated into right-click context menu?

    NSudo, through context menu after (NSudo.exe -install), is NOT as permission-allowing as right-clicking on NSudo.exe, selecting Run as Administrator, and then using NSudo.exe. I can't figure out why and NSudo developer linked me to this thread. I'm, again, trying to figure out why..? I simply wanted NSudo.exe to be as powerful permission-wise through right-click context menu as it is through "right-click & Run as Admin" method.

    It's also kind of weird because on my system UAC is disabled, so "As Admin" is kind of worthless, yet again. NSudo is weaker through context menu...
     
  5. l33tissw00t

    l33tissw00t MDL Addicted

    Thank you, this worked perfectly.
     
  6. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    #6 Thomas Dubreuil, Dec 27, 2018
    Last edited: Dec 27, 2018
    (OP)
    lol...that would be way too dangerous for regular (and even more experienced) users...

    It actually uses NSudo to launch explorer as TI...so any application you will launch through this "explorer shell" will have TI privileges...quite simple, not different in any way to Nsudo...

    it is because NSudo -install DOESN'T parse the right command to registry...I reported that in Nsudo thread. That's also why I made a simple NSudo installer, which adds the right commands to commandstore + the ability to install anywhere you like : it will add "install path" to environment variables path (windir is already in environment variable path so no need)

    you're pretty confused and confusing :D
     
  7. Krager

    Krager MDL Senior Member

    Pretty much the same as running around a Unix system as root, something you try to avoid. Though there are times where you need that kind of access. Difference is you can simply sudo to root on Unix then exit back, not something readily built into Windows which can be annoying.
     
  8. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    With the difference that average linux users usually have more "computer skills" than average windows users...
     
  9. sebus

    sebus MDL Guru

    That was XP & god, that was awful way of doing things!
     
  10. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Code:
    File : RunExplorerShellAsTrustedInstaller.exe
    Last Update: v.3 - 01/01/2019
    SHA1: BD1C521590019DC28A929290F091F2EAE4D12828
    https://s.put.re/iajFk6Ty.exe
    V.3 note: Now uses NSudoC (launches faster)
     
  11. WindowsStar

    WindowsStar MDL Novice

    Downloaded: RunExplorerShellAsTrustedInstaller.exe but Windows Defender thinks it is a trojan and deletes it. Ideas?
     
  12. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Considering what the tool is able to do, the false-positives are consecutive (when checking virustotal results).

    Still messing with permissions is a two-edged thing to do.
     
  13. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    That's strange because I just downloaded and also scanned and it didn't detect anything (V.3 above with hash BD1C521590019DC28A929290F091F2EAE4D12828)...
    Definitions are up to date and file is not in my exclusion list either...
    Verify the hash before adding to exclusion list, or you can always use the script instead, it's just a bat converted to exe (with NSudo embedded)

    might be the kill CreateExplorerShellUnelevatedTask part they didn't like.

    My very first achievement :D
     
  14. s1ave77

    s1ave77 MDL Guide Dog/Dev

    Like AHK those wrappers are suspicious by design for most AVs :D.
     
  15. WindowsStar

    WindowsStar MDL Novice

    Grabbed the Windows Updates and downloaded again. Works, did not delete the file. The AV updates seem to have allowed it. Thanks -WS