Run Explorer as TI

Discussion in 'Scripting' started by Thomas Dubreuil, Nov 9, 2018.

  1. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    #1 Thomas Dubreuil, Nov 9, 2018
    Last edited: Dec 1, 2019 at 11:01
    I made a (small) script to run Explorer as Trusted Installer.

    What the script does:
    It will delete 'CreateExplorerShellUnelevatedTask' if present (this task is created when you try to "elevate" Explorer).
    It will rename "RunAs" value to "_RunAs_" under HKEY_CLASSES_ROOT\AppID{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2} registry key (with Nsudo help). This value also prevents Explorer elevation.
    It will launch an Explorer window as Trusted Installer (with Nsudo), and finally sets the registry key back to its default value ("RunAs").

    Credits to: @Mouri_Naruto for Nsudo and @abbodi1406 for the Nsudo script part/idea.
    Warning: USE CAREFULLY, as you will be able to delete protected files and folder.

    -App: I made a small .exe application out of it, with Nsudo embedded: It will extract Nsudo to the script folder, then delete it after the command is executed.

    Code:
    File : RunExplorerShellAsTrustedInstaller.zip
    updated : https://forums.mydigitallife.net/threads/run-explorer-as-ti.78329/#post-1494455
    
    -Script (Note you have to have Nsudo next to the script) :
    Code:
    @echo off
    
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    "%~dp0NSudo.exe" -U:T -P:E -ShowWindowMode:Hide "%~dpnx0"& exit /b >NUL 2>&1
    )
    
    :OK
    schtasks /delete /TN "CreateExplorerShellUnelevatedTask" /f >NUL 2>&1
    
    reg delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /f >NUL 2>&1
    reg add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    
    explorer.exe /root,
    
    TIMEOUT /T 3 /nobreak >NUL 2>&1
    reg delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /f >NUL 2>&1
    reg add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    exit
    
    -And another one asking for confirmation before running, followed by a warning:

    Code:
    @echo off
    
    %windir%\system32\whoami.exe /USER | find /i "S-1-5-18" 1>nul && (
    goto :OK
    ) || (
    "%~dp0NSudo.exe" -U:T -P:E "%~dpnx0"&exit /b >NUL 2>&1
    )
    
    :OK
    schtasks /Delete /TN "CreateExplorerShellUnelevatedTask" /f >NUL 2>&1
    
    echo Are you sure you want to run Explorer as Trusted Installer ?
    @pause
    echo Please use carefully!!
    
    Reg.exe delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /f >NUL 2>&1
    Reg.exe add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    
    explorer.exe /root,
    
    TIMEOUT /T 3 /nobreak >NUL 2>&1
    Reg.exe delete "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "_RunAs_" /f >NUL 2>&1
    Reg.exe add "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" /t REG_SZ /d "Interactive User" /f >NUL 2>&1
    exit
    
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  2. abbodi1406

    abbodi1406 MDL KB0000001

    Feb 19, 2011
    10,012
    38,453
    340
    BTW, this is better
    Code:
    "%~dp0NSudo.exe" -U:T -P:E "%~dpnx0"&exit /b
    instead
    Code:
    "%~dp0NSudo.exe" -U:T -P:E "%~dpnx0"
    goto :eof
     
  3. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    Thanks! post edited :cool:
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  4. MonarchX

    MonarchX MDL Expert

    May 5, 2007
    1,650
    287
    60
    Awesome! It would be nice if we could just get our freedom and run all of Windows 10 with TI permissions.

    BTW, if, aside from the actual explorer, it allows to launch apps with even greater freedom than NSudo, then can it be integrated into right-click context menu?

    NSudo, through context menu after (NSudo.exe -install), is NOT as permission-allowing as right-clicking on NSudo.exe, selecting Run as Administrator, and then using NSudo.exe. I can't figure out why and NSudo developer linked me to this thread. I'm, again, trying to figure out why..? I simply wanted NSudo.exe to be as powerful permission-wise through right-click context menu as it is through "right-click & Run as Admin" method.

    Its also kind of weird because on my system UAC is disabled, so "As Admin" is kind of worthless, yet again. NSudo is weaker through context menu...
     
  5. l33tissw00t

    l33tissw00t MDL Addicted

    Dec 6, 2012
    805
    499
    30
    Thank you, this worked perfectly.
     
  6. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    #6 Thomas Dubreuil, Dec 27, 2018
    Last edited: Dec 27, 2018
    (OP)
    lol...that would be way too dangerous for regular (and even more experiended) user...

    It actually uses NSudo to launch explorer as TI...so any application you will launch through this "explorer shell" will have TI privileges...quite simple, not different in any way to Nsudo...

    it is because NSudo -install DOESN'T parse the right command to registry...I reported that in Nsudo thread. That's also why I made a simple NSudo installer, wich adds the right commands to commandstore + the ability to install anywhere you like : it will add "install path" to environment variables path (windir is already in environment variable path so no need)

    you're pretty confuse and confusing :D
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. Krager

    Krager MDL Senior Member

    Jan 9, 2017
    395
    228
    10
    P
    Pretty much the same as running around a Unix system as root, something you try to avoid. Though there are times where you need that kind of access. Difference is you can simply sudo to root on Unix then exit back, not something readily built into Windows which can be annoying.
     
  8. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    With the difference that average linux users usually have more "computer skills" than average windows users...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  9. sebus

    sebus MDL Guru

    Jul 23, 2008
    6,056
    1,864
    210
    That was XP & god, that was awful way of doing things!
     
  10. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    Code:
    File : RunExplorerShellAsTrustedInstaller.exe
    Last Update: v.3 - 01/01/2019
    SHA1: BD1C521590019DC28A929290F091F2EAE4D12828
    https://s.put.re/iajFk6Ty.exe
    V.3 note: Now uses NSudoC (launches faster)
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  11. WindowsStar

    WindowsStar MDL Novice

    Feb 10, 2019
    3
    1
    0
    Downloaded: RunExplorerShellAsTrustedInstaller.exe but Windows Defender thinks it is a trojan and deletes it. Ideas?
     
  12. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,130
    24,064
    340
    Considering what the tool is able to do, the false-positives are consecutive (when checking virustotal results).

    Still messing with permissions is a two-edged thing to do.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  13. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    That's strange because I just downloaded and also scanned and it didn't detect anything (V.3 above with hash BD1C521590019DC28A929290F091F2EAE4D12828)...
    Definitions are up to dat and file is not in my exclusion list either...
    Verify the hash before adding to exclusion list, or you can always use the script instead, it's just a bat converted to exe (with NSudo embedded)

    might be the kill CreateExplorerShellUnelevatedTask part they didn't like.

    My very first achievment :D
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  14. s1ave77

    s1ave77 Has left at his own request

    Aug 15, 2012
    16,130
    24,064
    340
    Like AHK those wrappers are suspicious by design for most AVs :D.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  15. WindowsStar

    WindowsStar MDL Novice

    Feb 10, 2019
    3
    1
    0
    Grabbed the Windows Updates and downloaded again. Works, did not delete the file. The AV updates seem to have allowed it. Thanks -WS
     
  16. ceo54

    ceo54 MDL Member

    Aug 13, 2015
    231
    39
    10
    #16 ceo54, Nov 15, 2019
    Last edited: Nov 15, 2019
    The script didn't work for me. Whenever I clicked any links, explorer launched a new window in a separate process under my username. Any ideas how to resolve his ?

    Edit: I should mention that I don't have the folder option "open new explorer window in separate process" enabled"
     
  17. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    Did you try script or latest .exe ?
    Might be dumb answer but for the script it needs NSudo.exe next to it.
    Otherwise .exe has NSudo embedded (and latest v3 above uses NSudoC which launches faster)
    That script is no rocket science, it does what is described in OP...
    If it doesn't work maybe you need bigger timeout, not sure...
    Anyway you can always use another file explorer (I like XYplorer, but there are plenty of options)

    Not sure I understand what you're trying to do, that script/exe just opens a new explorer shell as system, then you just browse from there...
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  18. ceo54

    ceo54 MDL Member

    Aug 13, 2015
    231
    39
    10
    My Security program stopped the exe from running so I used the script. And yes I had it next to the NSudo.exe. Permissions wasn't the issue. The script launched the explorer as it meant to do but then I couldn't browse from there. Whenever I clicked any links, from navigation pane or from main explorer window, a new explorer window would come up not as trusted installer but running under my user so so there wasn't much I could with it :(

    The Window that script opened remained static.
     
  19. enigmaelectronica

    enigmaelectronica MDL Novice

    Jul 11, 2011
    23
    4
    0
    And... will work for x86? x64 too?
     
  20. Thomas Dubreuil

    Thomas Dubreuil MDL Senior Member

    Aug 29, 2017
    310
    517
    10
    #20 Thomas Dubreuil, Dec 1, 2019 at 11:19
    Last edited: Dec 1, 2019 at 11:58
    (OP)
    I think .exe is x64 (don't remember) but you can use the script.
    Or embed .bat script with NSudo in a 32bit exe: with Winrar or 7zip it is easy enough to make a 32bit SFX exe, or one can use bat to exe converter.

    The "key" in this simple script is to temporary rename "HKCR\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}" /v "RunAs" before launching explorer
    This value normally forces explorer to run as standard user.

    edit: try this, 32 bit version (Win32 SFX module/exe + Win32 NSudo)
    https://www.upload.ee/files/10791656/Run.Explorer.as.Trusted.Installer.x86.zip.html
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...