How to put script in Startup without Administrators account

[marian99us]

hello,

I was wondering if it was possible to place items in Windows 7 Startup folder without administrator rights. I have a user account to log in, but no admin rights.

I have ordered a Ducky and was wondering if it would help me achieve that.

I am open to all options, with or without the Ducky.

Booting form USB or CD is not an option. Admin password is required to change the boot sequence.

The Utilman.exe attack has been patched in this 64-Bit Windows 7 Enterprise.

[cooper]

While I'm not well-versed in the black art of Windows administration, I thought "the startup folder" was in fact a union of the system-wide, admin-controlled startup folder and a local, user-controlled folder with whatever crap programs the local user wants to run at login time. I'm sure an admin could (or should be able to) clamp down on that aswell, but that at its core that's how things go.

If you want a local priv escalation attack, try using the Metasploit module 'Windows TrackPopupMenuEx Win32k NULL Page'. It takes advantage of this security issue and it's the most recent priv escalation in Windows that I could find mention of in the exploit-db. A patch for the issue exists, so if the admin of this box is on the ball/it's auto-updated it will not work anymore, but it might be worth a shot.

[newbi3]

add it to the regestry: HKCU/Software/Microsoft/Windows/CurrentVersion/Run

You can do that from the command prompt without admin privs for the current user on the system

[potato]

If you just want to do this for the user you are logged in as, place a shortcut in %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

[cooper]

Wouldn't that show up in the "Start up" menu under the start menu though?

[marian99us]

But the problem is, I would like to put the script, so that it is executed at Login for every user in the Network.

So, I guess the problem can only solved with an escalation of priviledges !

[cooper]

The registry thing that Newbi3 suggested can still work, assuming the domain admin didn't prevent it using policies and such. Try it on your own box with an innocent script (run calc.exe or whatever) and see if that works.

[newbi3]

It will show up as a startup application but name it something innocuous and you should be good to the glancing eye. If someone is looking for it they will find it

[cooper]

Network Driver Support.exe

:-)

[marian99us]

Is there way to run a script at startup? I mean even before a use has log on to the system.

BTW, when I logon, user data is loaded from a central storage. I mean, if I put some thing on my desktop on one computer, it is going to appear on my desktop on all computer that i log in using my profile. So the profile data is stored centrally!

[cooper]

For that you need admin privs. The main way that springs to mind for me is to register something as a service, though there must be more ways than just that one.

And services tend to be fairly visible aswel, so...