Use PowerShell to Duplicate Process Tokens via P/InvokeI added this to my dot sourced function directory so I can use it on an as needed basis to get an elevated shell. So, again, not my code, just a great function found here:
Enable-TSDuplicateTokenWorks perfectly on Windows 7,
function Enable-TSDuplicateToken {<#.SYNOPSISDuplicates the Access token of lsass and sets it in the current process thread..DESCRIPTIONThe Enable-TSDuplicateToken CmdLet duplicates the Access token of lsass and sets it in the current process thread.The CmdLet must be run with elevated permissions..EXAMPLEEnable-TSDuplicateToken.LINKhttp://www.truesec.com.NOTESGoude 2012, TreuSec#>[CmdletBinding()]param()$signature = @"[StructLayout(LayoutKind.Sequential, Pack = 1)]public struct TokPriv1Luid{public int Count;public long Luid;public int Attr;}public const int SE_PRIVILEGE_ENABLED = 0x00000002;public const int TOKEN_QUERY = 0x00000008;public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;public const UInt32 TOKEN_DUPLICATE = 0x0002;public const UInt32 TOKEN_IMPERSONATE = 0x0004;public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |TOKEN_ADJUST_SESSIONID);public const string SE_TIME_ZONE_NAMETEXT = "SeTimeZonePrivilege";public const int ANYSIZE_ARRAY = 1;[StructLayout(LayoutKind.Sequential)]public struct LUID{public UInt32 LowPart;public UInt32 HighPart;}[StructLayout(LayoutKind.Sequential)]public struct LUID_AND_ATTRIBUTES {public LUID Luid;public UInt32 Attributes;}public struct TOKEN_PRIVILEGES {public UInt32 PrivilegeCount;[MarshalAs(UnmanagedType.ByValArray, SizeConst=ANYSIZE_ARRAY)]public LUID_AND_ATTRIBUTES [] Privileges;}[DllImport("advapi32.dll", SetLastError=true)]public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, intSECURITY_IMPERSONATION_LEVEL, out IntPtr DuplicateTokenHandle);[DllImport("advapi32.dll", SetLastError=true)][return: MarshalAs(UnmanagedType.Bool)]public static extern bool SetThreadToken(IntPtr PHThread,IntPtr Token);[DllImport("advapi32.dll", SetLastError=true)][return: MarshalAs(UnmanagedType.Bool)]public static extern bool OpenProcessToken(IntPtr ProcessHandle,UInt32 DesiredAccess, out IntPtr TokenHandle);[DllImport("advapi32.dll", SetLastError = true)]public static extern bool LookupPrivilegeValue(string
host, string name, ref long pluid);
[DllImport("kernel32.dll", ExactSpelling = true)]
public static extern IntPtr GetCurrentProcess();
[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
public static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
"@
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
Write-Warning "Run the Command as an Administrator"
Break
}
Add-Type -MemberDefinition $signature -Name AdjPriv -Namespace AdjPriv
$adjPriv = [AdjPriv.AdjPriv]
[long]$luid = 0
$tokPriv1Luid = New-Object AdjPriv.AdjPriv+TokPriv1Luid
$tokPriv1Luid.Count = 1
$tokPriv1Luid.Luid = $luid
$tokPriv1Luid.Attr =[AdjPriv.AdjPriv]::SE_PRIVILEGE_ENABLED
$retVal = $adjPriv::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$tokPriv1Luid.Luid)
[IntPtr]$htoken = [IntPtr]::Zero
$retVal = $adjPriv::OpenProcessToken($adjPriv::GetCurrentProcess(), [AdjPriv.AdjPriv]::TOKEN_ALL_ACCESS, [ref]$htoken)
$tokenPrivileges = New-Object AdjPriv.AdjPriv+TOKEN_PRIVILEGES
$retVal = $adjPriv::AdjustTokenPrivileges($htoken, $false, [ref]$tokPriv1Luid, 12, [IntPtr]::Zero, [IntPtr]::Zero)
