Windows XP Privilege Escalation (For those who don't know how..)
- -=[ Contents ]=-
- -=[ Part 1 || What is SYSTEM? ]=-
- -=[ Part 2 || Why do I want to do that? ]=-
- -=[ Part 3 || How do I do that? ]=-
- -=[ Part 4 || I want to understand why that works ]=-
- -=[ Part 5 || I don't want my shit to get h4x0red! ]=-
- -=[ Conclusion ]=-
-=[ How to gain SYSTEM ]=- -=[ Written by Skunkfoot ]=-
Note: So far, this doesn't work on Windows Vista.
-=[ Contents ]=-
[x] What is SYSTEM? (For those who don't already know)
[x] Why would I want to become SYSTEM?
[x] How do I become SYSTEM?
[x] The Exploit explained
[x] How to stop this from happening on your computer
[x] Conclusion
-=[ Part 1 || What is SYSTEM? ]=-
Okay, so what is SYSTEM exactly? Well, open up Task Manager and go look at your processes. You should notice that some of the processes are being run by your own user account and some are being run by SYSTEM. The ones being run by SYSTEM are exactly that: the system is running those processes by itself, under its own built-in account rather than under any user you could log in as.
-=[ Part 2 || Why do I want to do that? ]=-
Well, with SYSTEM, you'll have more access locally on the computer. Different types of users have different privileges. Guests tend to have very limited privileges and access. Limited Users have a little bit more, but it's still not enough for normal people. Administrators, which is what most people use, have more privileges than Guests and Limited Users, but sometimes even Administrators don't have the privileges to do some things. This is why you might want to become SYSTEM. SYSTEM has more privileges than any other group, and you can do basically anything you want on the computer when you have obtained it.
-=[ Part 3 || How do I do that? ]=-
Open up Task Manager and a CMD prompt. Write down the current time (in military/24-hour time). EX: 15:24 = 3:24 PM. Then, go to your Task Manager and end the "explorer.exe" process. Now, in the CMD window, type "at /interactive explorer.exe" and hit enter. That should get you SYSTEM.
-=[ Part 4 || I want to understand why that works ]=-
Explorer.exe is the Windows shell, or more commonly, your Desktop and Start menu, and a separate copy of it runs for each logged-in user. When you log in to Windows, explorer.exe loads, and that's why you see your icons and Start Menu and everything. When you log out, Windows ends explorer.exe for that user. The "at" command doesn't start programs itself; it hands the job to the Task Scheduler service, which runs as SYSTEM, so anything that service launches runs as SYSTEM too. So, when we kill explorer.exe and then tell the scheduler to restart it interactively, the new explorer.exe (and everything you launch from its Start menu) is running as SYSTEM instead of as your user.
-=[ Part 5 || I don't want my shit to get h4x0red! ]=-
Relax, all you have to do is disable the "at" command, which shouldn't cause a problem with your everyday computer usage because nobody really uses that command for anything. (Or at least nobody I know :P)
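To go with Part 5, here is an added example (my own addition for this page, not part of Skunkfoot's article) that checks the two things the trick needs on an XP box, the Task Scheduler service being up and "at" jobs being queued, and can optionally turn the scheduler off. It assumes the stock XP service name "Schedule" and the default job folder under %SystemRoot%\Tasks.

```batch
@echo off
setlocal
rem Added example, not from the article. Audits the conditions the "at"
rem trick needs on Windows XP and, with the /disable switch, turns the
rem Task Scheduler service off. Assumes the stock service name "Schedule"
rem and the default job folder %SystemRoot%\Tasks.

echo === Task Scheduler service ===
sc query Schedule | find "RUNNING" >nul
if not errorlevel 1 (
    echo [!] Schedule service is RUNNING: "at" can queue jobs that run as SYSTEM.
) else (
    echo [ok] Schedule service is not running, so "at" cannot queue jobs.
)

echo === Queued at jobs ===
rem "at" stores each queued job as an At^<n^>.job file under %SystemRoot%\Tasks.
if exist "%SystemRoot%\Tasks\At*.job" (
    echo [!] Job files present, listing them and the at queue:
    dir /b "%SystemRoot%\Tasks\At*.job"
    at
) else (
    echo [ok] No At*.job files queued.
)

if /i "%~1"=="/disable" (
    echo === Disabling the Task Scheduler service ===
    rem This also stops every other scheduled task on the box, which is
    rem korg's objection below: only do it if nothing else relies on it.
    sc stop Schedule >nul
    sc config Schedule start= disabled
)
endlocal
```

Run it as an administrator with no arguments to just audit, or with /disable to stop and disable the scheduler. Stopping the service is the blunt version of "disable the at command": "at" refuses to queue anything when the service is down, but so does every other scheduled task, so an audit of what is queued is worth doing first.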
-=[ Conclusion ]=-
All that being said, I hope you actually learned something from my article. ^_^
–Skunkfoot
P.S. If anything is a little incorrect, just tell me cause I'll want to know. (But I think it's all pretty much accurate).
mido 16 years ago
Good article, I didn't know about that. But you might have done better to extend part 5 more.
ghost 16 years ago
lol, you can look up how to prevent it if you want a more extensive method :)
and for the record, moshbat tested a program I wrote that does this same thing :)
Mouzi 16 years ago
But aren't there other ways too? I remember something about replacing the screensaver with cmd or something like that.
ghost 16 years ago
Nice article. I use this at work quite frequently. It's nice to see it laid out so neatly. Well done. :)
ghost 16 years ago
I used to use /interactive cmd.exe too and then just restarted explorer.exe from the new cmd window, but I was like, "Hey, I'm just restarting explorer.exe, why not just do that interactively?" and it worked ^^
and yeah, I've heard of other ways to do this too, but I'm not familiar enough with any other method to write a decent article about it. Maybe one of you can write an article on a different way to do this. :) (but if you do, please make it thorough…I hate bad articles…)
korg 16 years ago
Very old hack for XP. What rock did you find this under? Don't tell me you just found this, because it's everywhere. Problem being you need to be logged into an admin account, you can't access anyone's personal documents or settings, and last, you can't do any more than the admin of the computer, so basically this is useless. People who have tried this try it under a guest account. Not gonna happen.
korg 16 years ago
Fuck! Not done yet: the at cmd is used for a lot of things. Learn how to use it and don't disable it.
ghost 16 years ago
I think that the article would have been better if it explained SYSTEM (and the other users / groups) a bit more thoroughly and possibly addressed either more with the AT command or more basic privilege escalation "exploits" in XP. Also, you're not going to get "h4x0red" with this, unless the perpetrator has physical access (in which case all bets are off). korg, I agree that there are better methods of circumventing account restrictions; in fact, most of them do not even involve admin access. However, I have to ask: If SYSTEM can do everything an admin can do, then why can't you access personal documents by taking ownership? As for the settings part, I guess that depends on which settings you're trying to access.
korg 16 years ago
System or Admin accounts cannot access your personal files and folders if you tweak them to be stored only in your user account profile. That way only you can access them. Sorry, I should have been more clear; I thought most people knew how to protect personal items. Maybe I'll do an article on it. It'd be quite lengthy though. @Zephyr I knew you would respond to this article.
ghost 16 years ago
Well, it does have some uses. Logged in as an admin, there was a process that would produce "Access denied" when I tried to end it. But using the at command, I managed to kill it. Also you can boot regedit in the same way, yatta yatta. Just kind of interesting. Korg, if you have better privilege escalation techniques please write an article :happy:
ghost 16 years ago
And yeah, you do have to be admin, so I guess it's not that useful after all. Still interesting though.
korg 16 years ago
Yes, I do have a lot better privilege escalation and profile-securing techniques. I will write an article when I get some time, but I have a whole binder filled with XP shit.
ghost 16 years ago
@korg: no, I didn't just find this, but I was bored and decided to write an article. And the ratings are for the article itself and how helpful it was, regardless of what it's about. I didn't say this was something amazing that everyone needs to know, but I think it could be helpful to some people, and that's why I wrote the article. If you don't like it, then that's your choice, and I'm not about to criticize you for doing what you think is right. If you have a "better" method, please write an article on it, I'd love to learn it.
@zephyr: as always, thanks for the constructive criticism, maybe I'll edit it to include more of that stuff. And yes, I realize that it's not much more useful than being able to create your own admin user, but that's still a pretty handy piece of knowledge to have, don't you think?
ghost 16 years ago
It is a handy piece of knowledge, skunk. Of course, korg, you know that you and I shall respond to every article about XP… ever. We have the most vested interest in it. lol As for your last comment about "storing only in account profile", I haven't seen a folder yet that could not be taken ownership of… including personal profiles. I have had to use that technique to recover sensitive data from terminated employees before, and it has included Administrator-level accounts. Of course, if System can't do it, then System could at least create an Administrator-level account that could then take ownership, right? I enjoy these speculations… there should be a forum dedicated to XP.
Durty1425 16 years ago
:happy: Awesome. Thanks. I learned something new. You should have included how to disable the "at" command too though.
korg 16 years ago
@Zephyr_Pure. Look into Lock Folder XP. It will password protect and hide folders from anyone till you unlock it. Great program. I hide my important sensitive data (porn links) in a folder and name it something like a Windows system folder, i.e. krgwin. Then bury it deep in the Windows folder. Then apply Lock Folder to it. Don't use some of the cheap programs like hidefolder or folderguard etc., because they create a reg. value and store your password and folder location, usually in a 1-letter jump. These programs are easy to break and copy folder contents. Just some insight.