Windows 10 breaks the current version of Invoke-TokenManipulation.ps1 because wininit is now a protected processes. Rather than hardcoding to a specific process to obtain a SYSTEM token, it's better to enumerate all processes running as SYSTEM and find one that works. I have updated the script to version 1.12 and added logic on lines 1689-1696 to make sure it can successfully grab a SYSTEM token necessary to function.
Thanks to Run Mariboe for the contribution to Invoke-TokenManipulation
adding the -PassThru flag for newly created processes. Version increased
to 1.11.
Processes could not be started when the script was being run from
Session 0. The fix is to use the CreateProcessAsUserW function when
running in Session 0. This API requires SeAssignPrimaryTokenPrivilege
priviege, so for non-session0 calls I still use CreateProcessWithTokenW
which does not require special privileges.
Matt Graeber
mmashwani
Matt Graeber
FixTheExchange
clymb3r