Gain admin access on windows system using your guest account


Written on July 11, 2008 – 1:00 am | by admin

Hello All,

Ever thought of how to get into your friend’s system and see the access denied files and folders? Or ever wanted to hack into someone’s admin account? Well here is a method which exploits yet another windows bug.

  1. Have you ever noticed that if you press your system's SHIFT key 5 or more times in a row, a pop-up window appears with the name "Sticky Keys"? If it doesn't pop up on your computer, the shortcut may be turned off. To enable it, go to Control Panel -> Accessibility Options. Under the Keyboard tab, in the Sticky Keys section, click Settings and enable the shortcut for Sticky Keys. You can do this even with a guest account.
  2. Finally, if the following two requirements are met on your system, you are all set to enter the admin's account:
  • On pressing SHIFT 5 or more times, a pop-up should appear.
  • The Windows System32 directory should be writable.

Concept:
When you press the SHIFT key 5 or more times, a file named "sethc.exe" is executed. You can verify this in Task Manager (don't close the pop-up window). This file is located in the C:\WINDOWS\system32 folder, or wherever your Windows is installed.

The Vulnerability

  1. When the SHIFT key is pressed 5 or more times, Windows executes a file named "sethc.exe" located in the system32 folder. It doesn't even check whether it is the genuine file. It also runs with the privilege of the CURRENT USER who is executing it, i.e. if you have logged on as a guest, then in Task Manager under Processes it shows your user name as guest.
  2. The file also executes if you log off and the Windows login screen is showing, BUT THIS TIME, SINCE NO USER HAS LOGGED IN, IT RUNS WITH SYSTEM PRIVILEGE.

Exploitation
If you understand this much, then the exploitation is very simple. What we will do is this: take cmd.exe, copy it to a folder other than system32 (because Windows won't allow you to copy it there), rename it to sethc.exe, go to the system32 folder, and paste it. Windows will ask "another file exists, do you want to replace it?", and after pressing OK you have replaced sethc.exe with your own cmd.exe. Now if you press the SHIFT key 5 or more times, a command prompt will pop up.


Finally

  1. Now log off or restart. When you reach the Windows login screen, press the SHIFT key 5 or more times. A command prompt will pop up with SYSTEM privilege.
  2. Enter the normal commands as follows:
     net user username /add
     net user localgroup administrators username /add
  3. A new user called "username" with admin privilege will be added.

And that's it: you have admin privilege on the system and you can do whatever you want with it.

Hiding your fake admin profile
Now you surely don't want the real admin to track you. Here is what you will have to do to hide yourself from the login screen as well as from Control Panel:

  1. Go to the Registry Editor and open this key:
  2. [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
  3. Here create a new DWORD value and give it the name of the "user name" that you created for your admin account.

That's it, now you are invisible but still admin of the system. Live as admin forever and keep screwing the real admin forever.
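A defender's audit of the conditions this post depends on (a writable System32, a replaced sethc.exe, and accounts hidden through the UserList key described just above), as an added PowerShell example that is not part of the original post. It assumes Windows PowerShell 5.1 or later for Get-LocalUser and the System32 and registry paths the post names; the version-info check is a heuristic assumption about how the genuine sethc.exe describes itself.

```powershell
# Added audit example (not from the original post): checks a Windows host for
# the three conditions the post relies on. Run from an elevated PowerShell.
$sys32 = Join-Path $env:SystemRoot 'System32'

# 1. Is System32 writable by low-privilege principals? The default ACL grants
#    Users only ReadAndExecute; any Write, Modify or FullControl is a finding.
$lowPriv = @('Everyone', 'BUILTIN\Users', 'BUILTIN\Guests',
             'NT AUTHORITY\Authenticated Users')
foreach ($ace in (Get-Acl -Path $sys32).Access) {
    $id = $ace.IdentityReference.Value
    if ($lowPriv -contains $id -and $ace.AccessControlType -eq 'Allow' -and
        "$($ace.FileSystemRights)" -match 'Write|Modify|FullControl') {
        Write-Warning "System32 grants $($ace.FileSystemRights) to $id"
    }
}

# 2. Has sethc.exe been replaced? A pasted copy of cmd.exe hashes identically
#    to cmd.exe and carries cmd's OriginalFilename in its version resource.
$sethc = Get-Item (Join-Path $sys32 'sethc.exe')
$sethcHash = (Get-FileHash $sethc.FullName -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash (Join-Path $sys32 'cmd.exe') -Algorithm SHA256).Hash
if ($sethcHash -eq $cmdHash) {
    Write-Warning 'sethc.exe is byte-identical to cmd.exe: the binary was replaced'
} elseif ($sethc.VersionInfo.OriginalFilename -ne 'sethc.exe') {
    # Heuristic (assumption): the genuine file names itself in its version info.
    Write-Warning "sethc.exe version info says '$($sethc.VersionInfo.OriginalFilename)'"
}
# Current Windows signs system binaries (directly or via catalog); anything
# other than Valid deserves a closer look.
$sig = Get-AuthenticodeSignature -FilePath $sethc.FullName
if ($sig.Status -ne 'Valid') {
    Write-Warning "sethc.exe signature status: $($sig.Status)"
}

# 3. Accounts hidden from the logon screen: a DWORD named after an account with
#    value 0 under UserList hides it, exactly as the post describes.
$userList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'
if (Test-Path $userList) {
    foreach ($p in (Get-ItemProperty -Path $userList).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and $p.Value -eq 0) {
            $exists = [bool](Get-LocalUser -Name $p.Name -ErrorAction SilentlyContinue)
            Write-Warning "UserList hides '$($p.Name)' (local account exists: $exists)"
        }
    }
}
```

Each warning corresponds to one of the two prerequisites or the hiding step above, so a clean run means none of the post's conditions currently hold on that host.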



Last but not the least (IMPORTANT)
Windows has two types of login screen:

  1. Where the accounts are listed with some pictures.
  2. Where you have to type a username and password.

After making the hidden account you will have to log in through the second type only. If your login screen is of Type 1, press ALT-CTRL-DEL twice to get the second type of screen.

That's it!!!

NOTE:
This is a sure-shot way to gain admin; if you are a lamer or a newbie, then please do some googling.
I have written almost every detail.

Thanks for reading this far :) Leave a comment if you liked this one.

Thanks for digging and shouting it out to your friends.





    41 Responses to “Gain admin access on windows system using your guest account”

    By Yasser on Jul 10, 2008

      Great Stuff!

    By admin on Jul 10, 2008

      Thanks Yasser miyan, it surely works. Try this out whenever you get a chance to try it out.

    By truly on Jul 10, 2008

      nice one, but I already knew this stuff :D. Would be nice and more interesting if you got into .bat files… they are nice and you can help people make their own virus… I tried a few on my system and ended up in a position where FORMAT was the only solution :P …..

    By admin on Jul 10, 2008

      Hi Truly,

      First of all, thanks for your comment.

      Well, .bat files are not the best way to do it. What I have described here is a clean and neat process. I've tried it several times on my system with no problem whatsoever. Do give it a try in your free time and I'm sure this won't force you into a re-format.

    By truly on Jul 10, 2008

      oye, I meant write a blog about .bat files, so people can get to know how dangerous these small files, which can easily be made in Notepad, can be….

    By admin on Jul 10, 2008

      aah… cool, will surely try to find a hack using them, though there exist a lot using them.

      Why don't you chip in with a few posts if you have any idea of how to use these .bat files to gain such admin access? I will acknowledge you for the same :P

    By truly on Jul 10, 2008

      I have made a couple of bat files but I think no one wants to try them because the result you know, and they were not for hacking into accounts, rather they were meant to be used to fuck the data…. :D which I tried and yes I got fucked, so if you want I can write a post and tell people how to go ahead with this :P

    By admin on Jul 10, 2008

      hehe, I am not sure anyone is going to try that one. And also I guess in my view only 3-4 lines of .bat file will screw up your whole data :P

    By truly on Jul 10, 2008

      yeah very true
      ….OKAY, I'LL WRITE SOME BAT FILE CODES HERE, PEOPLE MAY TRY THEM AND THEY ARE NOT DEADLY…..

      FOR EVERY BAT FILE OPEN NOTEPAD AND THEN WRITE THE CODES WHICH I HAVE GIVEN AND SAVE THEM AS “.BAT” AND NOT AS .BAT.TXT….
      THEN YOU CAN DOUBLE-CLICK ON THESE FILES AND THEY ARE ON THEIR WAY

      HERE YOU GO ONE BY ONE…..

      1. THIS IS A TEST OF HOW BAT WORKS

      @ECHO OFF
      ECHO.
      ECHO This is a batch file
      PAUSE
      EXIT

      2. THIS ONE DELETES COOKIES

      @ECHO OFF
      DELTREE /Y C:\WINDOWS\COOKIES\*.*
      EXIT

      3. THIS ONE DELETES ALL ITEMS IN ANY SPECIFIC FOLDER

      @ECHO OFF
      DEL PATH\*.*
      EXIT

      4. FORMATTING ANY PARTITION OF HARDDISK

      @ECHO OFF
      FORMAT E: /U
      EXIT

      WHERE “E” IS DRIVE LETTER

      IF YOU ALL NEED SOME REALLY GOOD-ONES TO TROUBLE YOUR FRIEND I AM HERE FOR YOU,,,,

    By Sowmya on Jul 11, 2008

      ……………

    By manish on Jul 11, 2008

      nice…

    By vaishnavi on Jul 11, 2008

      :) nice stuff..

    By Indrajeet on Jul 12, 2008

      It's quite surprising that a guest will have write permissions to the System32 folder, and that too to overwrite an already existing command, because the paste function is invoked with guest privileges. I don't have a Windows machine here but would have loved to try this out and have a nice laugh at Windows security.

    By admin on Jul 12, 2008

      Yes, as I said, the two requirements for this to succeed are that:

      1. System32 is writable
      2. Sticky Keys is enabled

      I have the snapshots above, which I have copied from the trackback link to this blog post. Enjoy!

    By tushar .. on Jul 13, 2008

      Awesome, man, jhantu and truly …
      didn't know this stuff ……
      or even thought about it,
      all I knew was one thing: while playing, if
      Sticky Keys was kept on, the further game was
      surely screwed !!!!!!!

    By admin on Jul 13, 2008

      hehe, yeah, kind of a funny and weird bug it is, which shows that no one is safe with Windows on their systems :)

      Though I still use them :P

    By matthews on Jul 14, 2008

      truly, you should make a .bat that installs SP3, Firefox and AVG, removes malware etc. Then we would have a quick technician script you can run as admin without hassling the user, and we can have it delete the account when it's done. Hack your way to security.

    By admin on Jul 15, 2008

      hehe….. cool ;)

    By matthews on Jul 15, 2008

      @admin I've been a Linux user for a while; Mint is good if your hardware is supported. I dual-booted for a year but I don't want Vista on my new machine and the price of XP was outrageous. At any rate I find Linux usable, but the thing I miss most is the software aisle.

    By admin on Jul 15, 2008

      Well, I use Windows XP on one of my laptops and Vista on the other. I must confess both suck, but they still make day-to-day life easy. Regarding Linux, I use Ubuntu in VMware on Windows itself. Plus all my web servers are Linux, hence I do enjoy Linux too…..

      But I understand the software aisle you are talking about.

    By zeebo on Jul 19, 2008

      I'm confused about finding a cmd.exe and copying it without finding it in the system32 folder. I can't find it anywhere else. Can anyone tell me how to do it? Sorry for the newb question :)

    By admin on Jul 20, 2008

      Didn't you find it in your system32 folder? It's in the system32 folder for all the Windows versions as far as I know.

      C:\WINDOWS\system32\cmd.exe

      Put the above in your browser and it will prompt you to save it. Save it on your desktop, make the necessary changes and hurray ;)

    By apin on Jul 24, 2008

      hey it won't work; when I tried to copy sethc.exe I got access denied. The system32 isn't writable but Sticky Keys is enabled.

    By admin on Jul 24, 2008

      Yes, as I wrote before, the 2 prerequisites for this are that you should have Sticky Keys enabled and then system32 writable.

      Change permissions so that you can write to that folder and try again.

    By apin on Jul 25, 2008

      I'm a newbie, if you don't mind, would you tell me how to change permissions from the guest account? Is it possible to change permissions from the guest account?

    By promosyon on Aug 7, 2008

      I always read your blog in high spirits. Thanks :)

    By Robbie Mosaic Fan on Aug 21, 2008

      Ah… Yes, I use this exploit to play with my computer (and once a computer in the university lab). Also, the way to prevent this exploit is to use NTFS and not allow normal users to modify executable files, especially those used by Administrators.

    By Robbie Mosaic Fan on Aug 21, 2008

      Or to be more precise, use NTFS to prevent users from modifying ANY files that are used by the system and Administrators.

    By Robbie Mosaic Fan on Aug 21, 2008

      And in addition, never give power user or administrator privileges to those you don't trust. :)


    By jon on Aug 22, 2008

      System32 isn't writable from a guest account. If you have privileges to change System32 to being writable, you already have admin access, so wtf is the point of this?

      LAME.


    By sree on Sep 4, 2008

      Cool man… really cool…
      it worked at home…
      But in the office system32 is not writable…
      you got anything to overcome that????

    By admin on Sep 4, 2008

      First of all, thanks a lot sree for the comments; that will satisfy a few of the above commenters.

      @jon, well I guess Sree's comment will satisfy your question (wtf ;))

      However, I do agree that in an office it's unlikely that you will get system32 writable, but then use this trick to hack your friend's computer if not the office one. You will be able to do all this on personal computers where they really don't care to make system32 un-writable.

    By noone on Sep 9, 2008

      Problem: guest accounts are disabled in WinXP. The Users and Power Users groups only have read and exec privileges. As with EVERY tut about gaining system or admin access, this one is no different: if there are no privileges to modify, then you cannot apply any workaround. This is a neat trick, but of course you have to have the modify attribute set in the group that your login is assigned to.

    By Alex on Oct 5, 2008

      They said it: by default the system32 folder is write-protected from guest accounts.

      You should make a blog on how to make them writable from guest accounts.

    By rizwanHaider on Nov 3, 2008

      Is there any way to make system32 files writable from a Windows XP guest account?
      Please answer.

    By admin on Nov 3, 2008

      Well, I don't think it is possible unless your guest account has the required privilege. I used this technique generally on my friend's computer where I am logged in already as admin. I set the whole thing up and then simply try it out later when he is not there :P

      If you are trying to hack through your Computer Center or something of the sort, I am afraid that you can't make system32 writable from a guest account.

    1 Trackback(s)

    Jul 11, 2008: Huge windows vulnerability
