function RunAsTI ($c,$a){
$i='RunAsTI'; $k="Registry::HKU\$(((whoami /user)-split' ')[-1])\Volatile Environment"; $d=@'
$I=[int32];$M=[Runtime.InteropServices.Marshal];$P=[intptr];$S=[string];$D=@();$T=@();$Z=[uintptr]::size
$DM=[AppDomain]::CurrentDomain.DefineDynamicAssembly(1,1).DefineDynamicModule(1)
0..5|%{$D+=$DM.DefineType("ZTD_$_",1179913,[ValueType])}
$D+=[uintptr]
4..6|%{$D+=$D[$_].MakeByRefType()}
$F='kernel','advapi','advapi',($S,$S,$I,$I,$I,$I,$I,$S,$D[7],$D[8]),([uintptr],$S,$I,$I,$D[9]),([uintptr],$S,$I,$I,[byte[]],$I)
0..2|%{$9=$D[0]."DefinePInvokeMethod"(('CreateProcess','RegOpenKeyEx','RegSetValueEx')[$_],$F[$_]+'32',8214,1,$S,$F[$_+3],1,4)}
$DF=($P,$I,$P),($I,$I,$I,$I,$P,$D[1]),($I,$S,$S,$S,$I,$I,$I,$I,$I,$I,$I,$I,[int16],[int16],$P,$P,$P,$P),($D[3],$P),($P,$P,$I,$I)
1..5|%{$k=$_;$n=1;$DF[$_-1]|%{$9=$D[$k]."DefineField"('f'+$n++,$_,6)}}
0..5|%{$T+=$D[$_]."CreateType"()};
0..5|%{nv "A$_" ([Activator]::CreateInstance($T[$_])) -force}
function F ($1,$2){$T[0]."GetMethod"($1).invoke(0,$2)}
if (!((whoami /groups)-like'*1-16-16384*')){'TrustedInstaller','lsass','winlogon'|%{if (!$As){$9=sc.exe start $_;$As=@(gps $_ -ea 0|%{$_})[0]}};function M ($1,$2,$3){$M."GetMethod"($1,[type[]]$2).invoke(0,$3)};$H=@($Z,(4*$Z+16)|%{M "AllocHGlobal" $I $_});M "WriteIntPtr" ($P,$P) ($H[0],$As.Handle);$A1.f1=131072;$A1.f2=$Z;$A1.f3=$H[0];$A2.f1=1;$A2.f2=1;$A2.f3=1;$A2.f4=1;$A2.f6=$A1;$A3.f1=10*$Z+32;$A4.f1=$A3;$A4.f2=$H[1];M "StructureToPtr" ($D[2],$P,[boolean]) (($A2 -as $D[2]),$A4.f2,$false);$Run=@($null,"$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -win h -ep bypass -nop -c iex `$env:R",0,0,0,0x0E080600,0,$null,($A4 -as $T[4]),($A5 -as $T[5]));F 'CreateProcess' $Run;return}; rp $k $i -force
(whoami /priv |% {($_ -split '\s+')[0]})[6..30] |% {([diagnostics.process].GetMember('SetPrivilege',42)[0]).Invoke($null,("$_",2))}
$HKU=[uintptr][uint32]2147483651;$NT='S-1-5-18';$r=($HKU,$NT,8,2,($HKU -as $D[9]))
F 'RegOpenKeyEx' $r;$LNK=$r[4]
function L ($1,$2,$3){$b=[Text.Encoding]::Unicode.GetBytes("\Registry\User\$1"); F 'RegSetValueEx' @($2,'SymbolicLinkValue',0,6,[byte[]]$b,$b.Length)}
L ($k-split'\\')[1] $LNK '';$R=[diagnostics.process]::start($c,$a)
if ($R){$R.PriorityClass='High';$R.WaitForExit()}
do {sleep 7} while (Q); L '.Default' $LNK 'Interactive User'
'@;
$v=('c','a','i','k'|%{if ($v=gv $_ -ea 0){"`$$_='$($v.value -replace "'","''")';"}})
ni $k -force >$null; sp $k $i $($v,$d) -type 7 -force -ea 0
start -v runas "$env:SystemRoot\System32\conhost.exe" "--headless $env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe -win h -ep bypass -nop -c $v `$env:R=(gi `$k -ea 0).getvalue(`$i); iex `$env:R"
}