利用PsExec提升命令行的安全级别, 绕过组策略执行命令

有一次, 我需要在客户的环境上抓取Time Travel Tracing, 简称TTT(dump的一种). 但是就是不能成功抓取. 报错如下:

具体错误信息如下:

c:\Debuggers\ttt>tttracer -dumpfull -out e:\tttoutput -attach 3384

Microsoft (R) TTTracer 2.010.40929 (Sep 29 2009 21:13:03)

Copyright (C) Microsoft Corporation. All rights reserved.

Warning: Please upgrade to a newer version of TT Tracing.

Error: Trace of "w3wp.exe" PID:3384 did not complete successfully: status:20

Error: Communication between the guest process and this client

could not be established, which may be an indication of

permissions or privileges problem (see e:\tttoutput\w3wp01.out

for more details).

Error: Corrupted trace dumped to e:\tttoutput\w3wp01.run.err.

SEE ERROR OUTPUT FILE e:\tttoutput\w3wp01.out FOR MORE DETAILS.

w3wp01.run.err 的内容

------------

Microsoft (R) TTTClient 2.010.40929 (Sep 29 2009 21:12:58)

Microsoft (R) Time Travel Tracing 2.010.40929 (Sep 29 2009 21:12:58)

Copyright (C) Microsoft Corporation. All rights reserved.

Microsoft Confidential - Strictly For Internal Use Only

Initializing Time Travel Tracing for Attach to 3384

Time: 03/02/2012 15:40:36

OS:6.1.7601 EDITION:x64

Group tracing GUID: d2c17755-0428-4e74-8709-b2f3bdfe0fa1

Running "w3wp.exe"

Running "c:\Debuggers\ttt\nirvexec.exe" /duration 1 /ClientName "c:\Debuggers\ttt\TTTraceWriter.dll" /ClientParams "23 e:\tttoutput\w3wp01.run 0 0 0 100000 0 1 0 0 6001" /attach 3384