arunexp

Execute a command in elevated security context

By default a child process is restricted to the integrity level of its parent, unless +root is used. Note that a parent process cannot access a child running at a higher integrity level: window messages sent to it, such as drag and drop, are silently discarded.

arunexp is a Swiss-army knife for privilege escalation. It has a flag which tells Windows to run it with Administrative privileges. A prompt is usually displayed to approve this action, unless explicitly disabled in the UAC options. This is suitable for restoring the Administrators group to a process in order to allow it to access protected files, while keeping the parent integrity level, so that drag and drop from other programs also works. A suitable target to run in this mode is explorer.exe. Note that this requires removing the RunAs value under the following registry key: HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}. Otherwise explorer.exe will remove the Administrators group as soon as it is started.

Priority, window visibility and integrity level can also be specified.

Available privileges can only be enabled or disabled. Once a privilege is removed, it cannot be restored. However, if a process token has ownership of the Administrators group, it can install a service to start a child process restoring any privileges that had been removed: -e -s -S. Since services run with System privileges, they can take the role of any existing process by duplicating its token: -t PID. It is also possible to execute a process in another session: -n. Use -D to specify a window station and Desktop.
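To confirm what a child started by arunexp actually received, the PowerShell function below (an added example, not part of arunexp) summarises the calling process's token from the output of the built-in whoami command: the integrity label, whether BUILTIN\Administrators (SID S-1-5-32-544) is present and enabled rather than listed as "Group used for deny only" as in a UAC-filtered token, and how many privileges are enabled versus disabled. Run it inside the child, e.g. arunexp -i high powershell -File check.ps1; the file name check.ps1 and the function name are assumptions, and the column and attribute strings assume an English-language Windows.

```powershell
# Added example, not part of arunexp: summarise the calling process's token
# from whoami output. Run it inside the child that arunexp started, to see
# which integrity level, group state and privileges that child received.
function Get-TokenSummary {
    # whoami always describes its own (the caller's) token.
    $groups = whoami /groups /fo csv | ConvertFrom-Csv
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv

    # The integrity label is the row of Type "Label",
    # e.g. "Mandatory Label\High Mandatory Level".
    $label  = $groups | Where-Object { $_.Type -eq 'Label' } | Select-Object -First 1

    # BUILTIN\Administrators is S-1-5-32-544. In a UAC-filtered token it is
    # still listed, but with the attribute "Group used for deny only" instead
    # of "Enabled group", so presence alone does not mean it is usable.
    $admins = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1

    [pscustomobject]@{
        IntegrityLevel     = $(if ($label) { $label.'Group Name' } else { 'unknown' })
        AdminsPresent      = [bool]$admins
        AdminsEnabled      = [bool]($admins -and ($admins.Attributes -match 'Enabled group'))
        EnabledPrivileges  = @($privs | Where-Object { $_.State -eq 'Enabled'  }).Count
        DisabledPrivileges = @($privs | Where-Object { $_.State -eq 'Disabled' }).Count
    }
}

# Usage, e.g. from "arunexp -i high powershell -File check.ps1", where
# check.ps1 (an assumed file name) contains this function:
Get-TokenSummary | Format-List
```

Comparing the output of the same script launched with and without +root, -i, -e or -t shows directly which of the statements above applied to that child.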

Console applications are usually run in the parent console. To detach the child, and run in a new window, use -d.

There is a hack to elevate selected programs automatically, by assigning a debugger under Image File Execution Options. In that case, specify the -G flag. Otherwise the system will keep attempting to execute the process indefinitely.
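Because a Debugger value under Image File Execution Options redirects every launch of the named image, it is worth being able to list what is registered, both to check that an arunexp entry carries -G and to review the key on machines you administer. The PowerShell function below is an added example, not part of arunexp. It reads the standard IFEO path under HKLM and its Wow6432Node counterpart used for 32-bit images on 64-bit Windows; the function name and the ArunexpHasG field are this example's own.

```powershell
# Added example, not part of arunexp: list Image File Execution Options
# entries that register a Debugger, and for arunexp entries report whether
# the -G flag is present (without it the debuggee is relaunched endlessly).
function Get-IfeoDebugger {
    param(
        [string[]] $Roots = @(
            'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
        )
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            # Only subkeys that actually define a Debugger value are interesting.
            if ($props -and $props.PSObject.Properties['Debugger']) {
                $debugger = [string]$props.Debugger
                [pscustomobject]@{
                    Image       = $_.PSChildName
                    Root        = $root
                    Debugger    = $debugger
                    # $null for debuggers other than arunexp; otherwise whether
                    # a stand-alone -G argument appears in the command line.
                    ArunexpHasG = $(if ($debugger -match '(?i)arunexp') {
                                        [bool]($debugger -match '(^|\s)-G(\s|$)')
                                    } else { $null })
                }
            }
        }
    }
}

# Usage: show every registered debugger; an arunexp row with ArunexpHasG
# equal to False is the misconfiguration described above.
Get-IfeoDebugger | Format-Table -AutoSize
```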

Users who have disabled Animate controls and elements inside windows might experience poor performance in Office 2013-2016 applications. The workaround is to enable animations, then start an Office application, and disable animations shortly after that: -A.

Description

Command line options

arunexp [arguments] [parameters]

Argument        Description
+root     -r    Allow a child process to run at a higher integrity level than its parent
+restrict -R    Remove some privileges
-p              Priority: number 4 6 8 10 13 24 or
                name idle = low below_normal normal above_normal high realtime
-w              Show window: number 0-11 or name hide normal max min
-i              Integrity level: untrusted low med = medium mediumui mediumplus
                high system protected
-e              Elevate the user token; this attempts to install a temporary service
-s              Run as a service
-S              Run as an interactive service (deprecated since Windows Vista)
-t              Specify a process ID or name to use its token
-n              Override session ID
-D              Specify window station\Desktop, e.g. winsta0\default winlogon screensaver
-d              Do not attach to parent console
-P              Specify startup directory
-G              Start with debugging: required when injected as a debugger under
                Image File Execution Options
-A              Temporarily enable Animate controls and elements inside windows,
                to improve scrolling performance and reduce lag in Office 2013-2016
Example: Run Notepad on the login screen

    arunexp -e -D winlogon notepad

Example: Run explorer.exe with the Administrators group enabled

    arunexp explorer /e,

Registry file: allow explorer.exe to run with the Administrators group enabled

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\Folder\shell\openadmin]
    @="Open [admin]"
    "HasLUAShield"=""

    [HKEY_CLASSES_ROOT\Folder\shell\openadmin\command]
    @="C:\\Windows\\gvalkov\\arunexp.exe explorer.exe /e,%l"
    "DelegateExecute.ori"="{11dbb47c-a525-400b-9e80-a54615a090c0}"

    [HKEY_CLASSES_ROOT\AppID\{CDCBCFCA-3CDC-436f-A4E2-0E02075250C2}]
    "RunAs"=-
    "RunAs.bak"="Interactive User"

Supported Platforms

Windows

Prerequisites and build instructions

© 2012-2023 Georgi Valkov

https://httpstorm.com/download/windows/arunexp/