
How to obtain TrustedInstaller permission: recommended steps to obtain TrustedInstaller permission

王林
2024-02-06 17:48:36

PHP editor Strawberry introduces how to obtain TrustedInstaller permissions. TrustedInstaller is an important permission in the Windows operating system; with it, you can modify and delete system files. Obtaining it can resolve problems where system files cannot be deleted or modified. This article provides recommended steps for obtaining TrustedInstaller permissions so that you can better manage and maintain your system.

This article explains what TI actually is and explores how to obtain TI permissions with the help of PowerShell and the NtObjectManager module to perform any operation you want in the operating system.

If you have ever managed a Windows system, you should be familiar with the TrustedInstaller (TI) group. The TI group holds important permissions over system files and the registry. For example, if you view the properties of a file under the System32 folder, the Security tab shows that the TI group and the file owner have permission to delete and modify the file, while even administrators cannot directly change these security settings. To operate on system files and the registry, you therefore need the permissions of the TI group.


However, if you look in Local Users and Groups, you will not find a TI user or group. This article explains the nature of the TI group and introduces how to use PowerShell and the NtObjectManager module to obtain TI group permissions to perform any operation you want in the operating system.

What is TrustedInstaller


If TI is neither a user nor a group, what is it? Querying the ACL gives us a clue. You can use the Get-Acl command to read the security descriptor of a file and list the TI entry.


In the Get-Acl output, the TI group appears in the IdentityReference item with the prefix NT SERVICE. It is therefore a Windows service SID, a feature added in Vista that gives every service running on the operating system a group that can be used for permission checks. With this mechanism, the operating system avoids the overhead of creating separate real groups.

The SID itself is derived from the SHA-1 hash of the service name converted to uppercase. The following code calculates the actual SID value:


```powershell
$name = "TrustedInstaller"

# Calculate service SID: SHA-1 over the UTF-16LE bytes of the uppercased name
$bytes = [Text.Encoding]::Unicode.GetBytes($name.ToUpper())
$sha1 = [System.Security.Cryptography.SHA1]::Create()
$hash = $sha1.ComputeHash($bytes)

# Copy the 20-byte hash into five 32-bit sub-authority values
$rids = New-Object UInt32[] 5
[Buffer]::BlockCopy($hash, 0, $rids, 0, $hash.Length)
[string]::Format("S-1-5-80-{0}-{1}-{2}-{3}-{4}", `
    $rids[0], $rids[1], $rids[2], $rids[3], $rids[4])
```

Of course, you don't have to implement this yourself. NTDLL has an RtlCreateServiceSid function that does this, and LSASS can also convert a service name into a SID. In other words, there must be a system service named TrustedInstaller that runs when system resources are changed. We can also find it using the SC utility.
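Because the derivation is a one-way hash, an unresolved S-1-5-80-... SID found in an exported ACL can only be mapped back to a service by hashing candidate names. The following is an added example, not code from the original article; the function names Get-ServiceSid and Resolve-ServiceSid and the sample SID list are hypothetical and constructed for illustration.

```powershell
# Added example, not from the original article. Function names are hypothetical.
function Get-ServiceSid {
    # SHA-1 over the UTF-16LE bytes of the uppercased service name, read as five
    # 32-bit sub-authorities in host byte order (little-endian on Windows).
    param([Parameter(Mandatory)][string]$Name)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        # ToUpperInvariant avoids culture-specific casing (e.g. Turkish dotted I)
        $bytes = [Text.Encoding]::Unicode.GetBytes($Name.ToUpperInvariant())
        $hash = $sha1.ComputeHash($bytes)
    } finally {
        $sha1.Dispose()
    }
    $rids = for ($i = 0; $i -lt $hash.Length; $i += 4) { [BitConverter]::ToUInt32($hash, $i) }
    'S-1-5-80-' + ($rids -join '-')
}

function Resolve-ServiceSid {
    # The hash is one-way, so build a SID -> name table from candidate service
    # names and look each SID up in it.
    param([string[]]$Sid, [string[]]$CandidateName)
    $table = @{}
    foreach ($n in $CandidateName) { $table[(Get-ServiceSid -Name $n)] = $n }
    foreach ($s in $Sid) {
        $service = if ($s -notlike 'S-1-5-80-*') {
            '(not a service SID)'
        } elseif ($table.ContainsKey($s)) {
            $table[$s]
        } else {
            '(no candidate matches)'
        }
        [pscustomobject]@{ Sid = $s; Service = $service }
    }
}

# Constructed sample: SIDs as they might appear unresolved in an exported ACL.
$aclSids = @(
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464', # TrustedInstaller
    'S-1-5-18',                # LocalSystem, not a service SID
    'S-1-5-80-1-2-3-4-5'       # constructed value that matches no service
)
# On a live system the candidates could come from (Get-Service).Name.
$candidates = @('wuauserv', 'trustedinstaller', 'Spooler')
Resolve-ServiceSid -Sid $aclSids -CandidateName $candidates | Format-Table -AutoSize
```

The lowercase candidate still matches because the name is uppercased before hashing.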


If you start the TI service and view its access token, you can see that the TI group is enabled.



Statement:
This article is reproduced from tianxiajiu.com. If there is any infringement, please contact admin@php.cn to have it removed.