

That looks like it would only grant a system level cmd prompt. TrustedInstaller has a bit more access.
Edit: I was scrolling back up and realized I responded to the wrong person about the psexec thing. I apologize for any misunderstanding (I’m gonna leave it because it’s still kind of good info in there and I suck at typing on mobile).
I’m not a fan of psexec anymore; in a lot of environments it is blocked or gets picked up by overzealous AV. Might I suggest using something like NTObjectManager to just spawn a child process of TrustedInstaller?
It works really well, I’ve never seen it flagged by AV, and it’s nice being able to remove shit that system can’t. One thing I had a hard time getting away from PSExec for was remote sessions when remote management was turned off. Thankfully you can just invoke-command to call cmd and enable WinRM remotely… Goddamn I hate Windows but love the simplicity to utilize its “under documented” features.
Welcome to today’s 10,000 (totally not trying to be offensive, learning is great).
TrustedInstaller is actually a service that was introduced with Windows Vista with the intention of preventing modification of system files. It typically is the “owner” of damn near everything in default Windows directories.
A fun way I typically show off the limitations of the system account is by telling people to try to delete a protected resource, like Windows Defender’s directories. Then try it again when running with TrustedInstaller’s rights and you’ll possibly find yourself just staring at your screen thinking about how useful that could be.