
RagingRedRiot/become-ti


become-ti

A security research tool written in Rust that spawns a process running under the TrustedInstaller security principal on Windows.

Warning: TrustedInstaller permissions will make your machine a brick if you use them incorrectly. This tool is intended for security researchers who understand what they are doing. You have been warned.

Background

TrustedInstaller is a Windows service account (NT SERVICE\TrustedInstaller) that sits above SYSTEM and Administrator in the privilege hierarchy. It owns core Windows system files and components that even SYSTEM cannot modify by default. Understanding what TrustedInstaller can and cannot do — compared to SYSTEM or a local Administrator — is useful context for security researchers evaluating Windows privilege boundaries.

This tool provides a straightforward way to spawn a shell or process under TrustedInstaller in order to interactively explore those boundaries.

How it works

Everything this tool does is by design in Windows — no exploits, no privilege escalation vulnerabilities, no policy bypasses.

  1. Requires Administrator. The tool does not attempt to self-elevate. You must run it from an elevated context. This is an intentional prerequisite, not a shortcut.

  2. Starts the TrustedInstaller service via the Service Control Manager using standard OpenSCManager / OpenService / StartService Win32 APIs.

  3. Locates the TrustedInstaller process by walking the system process snapshot via CreateToolhelp32Snapshot.

  4. Spawns a child process using CreateProcess with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS set to the TrustedInstaller process handle. This is a documented Windows feature that designates a specific process as the parent, causing the child to inherit its token. The result is a new process running as TrustedInstaller.

The TrustedInstaller service shuts itself down automatically after a short idle period — no cleanup is required.
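Because step 4 designates TrustedInstaller.exe as the parent, process-creation telemetry records the spawned shell as its child, which is something a defender can look for. The following is an added example, not part of this project's code: it flags such events in constructed sample records that use the Sysmon Event ID 1 field names `Image` and `ParentImage`. The pipe-delimited line format, the sample events and the allow-list entry are assumptions made for the illustration.

```rust
// Added example (not project code): flag process-creation events whose
// recorded parent is TrustedInstaller.exe and whose image is not allow-listed.
use std::collections::HashMap;

/// Constructed sample events, one per line, as '|'-separated Key=Value pairs.
const SAMPLE: &str = "\
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|ParentImage=C:\\Windows\\servicing\\TrustedInstaller.exe
Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe
Image=C:\\Windows\\System32\\CMD.EXE|ParentImage=c:\\windows\\servicing\\trustedinstaller.exe
Image=C:\\Windows\\System32\\example-servicing-child.exe|ParentImage=C:\\Windows\\servicing\\TrustedInstaller.exe";

/// Lowercased file name of a Windows path (Windows paths are case-insensitive).
fn basename(path: &str) -> String {
    path.rsplit('\\').next().unwrap_or(path).to_ascii_lowercase()
}

/// Split one event line into its fields; malformed pairs are skipped.
fn parse(line: &str) -> HashMap<&str, &str> {
    line.split('|').filter_map(|kv| kv.split_once('=')).collect()
}

/// Returns the Image of every event whose parent is TrustedInstaller.exe
/// and whose own file name is not in `allowed` (lowercase file names).
pub fn flag_ti_children<'a>(log: &'a str, allowed: &[&str]) -> Vec<&'a str> {
    log.lines()
        .map(parse)
        .filter(|ev| {
            ev.get("ParentImage")
                .map_or(false, |p| basename(p) == "trustedinstaller.exe")
        })
        .filter_map(|ev| ev.get("Image").copied())
        .filter(|img| !allowed.contains(&basename(img).as_str()))
        .collect()
}

fn main() {
    // Placeholder allow-list (hypothetical name); build a real one from a
    // baseline of what TrustedInstaller.exe spawns in your own environment.
    let allowed = ["example-servicing-child.exe"];
    for img in flag_ti_children(SAMPLE, &allowed) {
        println!("ALERT unexpected child of TrustedInstaller.exe: {}", img);
    }
}
```

Matching on lowercased file names keeps the check from being sidestepped by path casing, as the third sample line shows.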

Usage

Requires Windows and Administrator privileges.

# Spawn PowerShell as TrustedInstaller (default)
become-ti.exe

# Spawn a specific process
become-ti.exe cmd.exe

Building

Requires the Rust toolchain with the x86_64-pc-windows-gnu target and a MinGW-w64 compatible toolchain.

rustup target add x86_64-pc-windows-gnu
cargo build --release --target x86_64-pc-windows-gnu

Intended audience

Security researchers and Windows internals practitioners who want a hands-on way to observe TrustedInstaller's privilege boundary compared to SYSTEM and Administrator. This is not a general-purpose tool and is not intended for use in production environments.
