This script will create a command prompt as the System Account.
It's inspired by supershell.


-------------------- RunAsSystem.PowerPro ---------------------------
;; RunAsSystem: starts a command interpreter under a token taken from a
;; process opened by hard-coded PID (presumably the System process).
;; Prerequisite visible in the code: the caller must already hold
;; SeDebugPrivilege, because AdjustTokenPrivileges can only enable a
;; privilege that is present in the token. In practice this is an
;; administrator-to-SYSTEM step, not an escalation from an unprivileged user.
;; Defender view (MITRE ATT&CK T1134.002, Create Process with Token):
;;   - SeDebugPrivilege being enabled by a non-debugger process
;;   - a full-access handle (0x1F0FFF) opened on the System process
;;     (Sysmon event 10, ProcessAccess)
;;   - a DACL write on a token object, reverted shortly afterwards
;;   - a command interpreter running as SYSTEM whose parent is an
;;     interactive user process (Security event 4688 / Sysmon event 1)
;; NOTE(review): no return value is checked except the first MakeAbsoluteSD.
;; If a step fails between the DACL change and the restore at the end, the
;; extra grant to "administrators" stays on the token's security descriptor.
local ReSD,AbSD,SDSize,Dacl,DaclSize,Sacl,SaclSize,
local Owner,OwnerSize,Group,GroupSize,SDSizeNeeded
local DaclNew,DaclOld,DaclPre,DaclDef,ExplAcc,LuidDbg,TokenPrv,RetSize
local hSys,hToken,hProc,hThrd,pid,tid,pi,si

;; Step 1: enable SeDebugPrivilege in the current process token.
;; TokenPrv mirrors TOKEN_PRIVILEGES: count 1, the LUID, attribute 2
;; (SE_PRIVILEGE_ENABLED). 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY.
;; TokenPrv is also passed as the PreviousState buffer, so the call
;; overwrites it with the prior state of the privilege.
dll.call("advapi32|LookupPrivilegeValueA|ui s h* b",;;+
0,"SeDebugPrivilege","LuidDbg")
TokenPrv=dll.create_struct("ui h ui",1,LuidDbg,2)
dll.call("advapi32|OpenProcessToken|ui ui ui* b",;;+
dll.call("GetCurrentProcess|ui"),0x28,"hToken")
dll.call("advapi32|AdjustTokenPrivileges|ui i t* ui t* ui* b",;;+
hToken,0,TokenPrv,TokenPrv.get_size,TokenPrv,"RetSize")

;; Step 2: open the target process with 0x1F0FFF (PROCESS_ALL_ACCESS).
;; The PID is hard-coded per Windows version: 2 when the major version
;; is <= 4, otherwise 4 when the minor version is > 0, otherwise 8.
;; Presumably these are the fixed System-process PIDs of those releases.
hSys=dll.call("OpenProcess|ui i ui",0x1F0FFF,0,ifelse ;;+
(word(windowsversion,1)<=4,2,ifelse(word(windowsversion,2)>0,4,8)))

;; Step 3: presumably puts the privilege back to its saved previous state
;; (TokenPrv now holds what the first AdjustTokenPrivileges returned),
;; then closes the handle to the script's own token.
if(TokenPrv[1])
dll.call("advapi32|AdjustTokenPrivileges|ui i t* ui t* ui* b",;;+
hToken,0,TokenPrv,TokenPrv.get_size,TokenPrv,"RetSize")
dll.call("CloseHandle|ui",hToken)

;; Step 4: rewrite the DACL on the target process's token.
;; 0x60000 = READ_CONTROL | WRITE_DAC on the token handle.
;; GetKernelObjectSecurity with 4 (DACL_SECURITY_INFORMATION) reads the
;; current descriptor into ReSD (buffer length given as 255).
;; BuildExplicitAccessWithNameA builds a GRANT_ACCESS (mode 1) entry for
;; "administrators" with access mask 11 = TOKEN_ASSIGN_PRIMARY |
;; TOKEN_DUPLICATE | TOKEN_QUERY, no inheritance; SetEntriesInAclA merges
;; that one entry with the old DACL into DaclNew.
dll.call("advapi32|OpenProcessToken|ui ui ui* b",;;+
hSys,0x60000,"hToken")
dll.call("advapi32|GetKernelObjectSecurity|ui ui s ui ui* b",;;+
hToken,4,"ReSD",255,"SDSizeNeeded")
dll.call("advapi32|GetSecurityDescriptorDacl|s i* ui* i* b",;;+
"ReSD","DaclPre","DaclOld","DaclDef")
dll.call("advapi32|BuildExplicitAccessWithNameA|s s ui ui ui",;;+
"ExplAcc","administrators",11,1,0)
dll.call("advapi32|SetEntriesInAclA|ui s ui ui* ui",;;+
1,"ExplAcc",DaclOld,"DaclNew")
;; MakeAbsoluteSD is called a second time when the first call fails.
;; Presumably the first call only reports the required buffer sizes;
;; confirm how the dll plugin sizes the string buffers.
if(not dll.call("advapi32|MakeAbsoluteSD|;;+
s s ui* s ui* s ui* s ui* s ui* b",;;+
"ReSD","AbSD","SDSize","Dacl","DaclSize","Sacl","SaclSize",;;+
"Owner","OwnerSize","Group","GroupSize"))
dll.call("advapi32|MakeAbsoluteSD|;;+
s s ui* s ui* s ui* s ui* s ui* b",;;+
"ReSD","AbSD","SDSize","Dacl","DaclSize","Sacl","SaclSize",;;+
"Owner","OwnerSize","Group","GroupSize")
;; Attach the widened DACL to the absolute descriptor and write it back
;; onto the token object. From here until the restore below, the token
;; carries the extra grant.
dll.call("advapi32|SetSecurityDescriptorDacl|s i ui i",;;+
"AbSD",DaclPre,DaclNew,DaclDef)
dll.call("advapi32|SetKernelObjectSecurity|ui ui s b",hToken,4,"AbSD")
dll.call("CloseHandle|ui",hToken)

;; Step 5: reopen the token with the access just granted (0xB, the same
;; mask 11 as above), impersonate it, and create the process with it.
;; pi is laid out like PROCESS_INFORMATION and si like STARTUPINFOA
;; (first field 68, the structure size). The desktop field is
;; winsta0\winlogon when arg(1) is set, otherwise winsta0\default.
;; 0x08000000 = CREATE_NO_WINDOW.
;; NOTE(review): the struct field names "hProc","hThrd","pid","tid" look
;; like they bind to the locals closed below; confirm in the plugin docs.
dll.call("advapi32|OpenProcessToken|ui ui ui* b",hSys,0xB,"hToken")
dll.call("advapi32|ImpersonateLoggedOnUser|ui",hToken)
pi=dll.create_struct("ui ui ui ui","hProc","hThrd","pid","tid")
si=dll.create_struct("ui s s s ui ui ui ui ui ui ui ui uo uo uc ;;+
ui ui ui",68,"",?"winsta0\"++ifelse(arg(1),"winlogon","default"),;;+
"","","","","","","","","","","","","","","")
dll.call("advapi32|CreateProcessAsUserA|;;+
ui s s ui ui i ui ui s t* t* b",hToken,;;+
?"%comspec%",?"/c start comspec%","","",0,0x08000000,"",".",si,pi)
;; Drop the impersonation and release the token, thread and process handles.
dll.call("advapi32|RevertToSelf|b")
dll.call("CloseHandle|ui",hToken)
dll.call("CloseHandle|ui",hThrd)
dll.call("CloseHandle|ui",hProc)

;; Step 6: restore the original DACL (DaclOld) on the token and close the
;; remaining handles. This only runs if the script reaches this point.
dll.call("advapi32|OpenProcessToken|ui ui ui* b",;;+
hSys,0x60000,"hToken")
dll.call("advapi32|SetSecurityDescriptorDacl|s i ui i",;;+
"AbSD",DaclPre,DaclOld,DaclDef)
dll.call("advapi32|SetKernelObjectSecurity|ui ui s b",hToken,4,"AbSD")
dll.call("CloseHandle|ui",hToken)
dll.call("CloseHandle|ui",hSys)
quit
---------------------------------------------------------------------

Sean




