Make myself XP admin?
August 2, 2006 12:18 PM   Subscribe

So *is* there a way to give oneself admin-type privileges on a Windows XP system with one line of code?

Given that this idea doesn't work, of course, and neither does the other one, since I am denied access to both "at" and "sc".

Still, since XP is as secure as Courtney Love's virginity, or so one is told, *is* there some other way to do this with "one line of code"? Or even two?

I ask seriously.
posted by splitpeasoup to Computers & Internet (16 answers total)
I don't believe there is any one line of code that could, not without making that "exploit" have a number of flawed assumptions (i.e., that ordinary users can schedule tasks, etc). If your system is set up correctly, with half-decent security, there is no legit cmd line way to elevate your privileges.

The only options are pretty much the classic buffer-overflow exploit, where you overload a poorly coded process, and the overflow ends up running in the system context. But that's not something that can be done in one line of code...
posted by hincandenza at 12:24 PM on August 2, 2006

To clarify a little, what do you mean by "code"?
posted by ed\26h at 12:30 PM on August 2, 2006

I'm pretty sure "code" means commands. Aside from downloading a pre-compiled executable that exploits one of the buffer overflows that hincandenza mentioned, getting access to admin privileges in Windows is far more complex then one or two commands (despite popular belief).

The user who "discovered" the "flaw" in the Mefi FPP was already in with admin privileges. That's why it doesn't work.
posted by purephase at 12:35 PM on August 2, 2006

I guess if you boot from some kind of Linux/whatever CD, there'd be something relatively simple you could type in to reset the admin password. No?
posted by reklaw at 12:42 PM on August 2, 2006

This, for example. Of course, this approach assumes physical access to the disk/disc drive.
posted by reklaw at 12:44 PM on August 2, 2006

If you have physical access to the system, you can always put in a boot disk that will quickly and easily set the admin password blank. Don't do anything that will get you arrested.
posted by leapfrog at 12:44 PM on August 2, 2006

posted by leapfrog at 12:45 PM on August 2, 2006

There are a lot of pay utilities you can download to change the local administrator account password using a boot disk, but that's the only thing I've ever found. Funny actually that the reason I looked for it was because my school had locked down all of the teacher computers, even our AP Comp Sci teacher's, so I used a linux livecd and changed the local admin pword. I payed for one of the pay ones recently as it worked very well, and I run an outsourced IT admin company so I run into clients all the time who either have lost, don't know, or their old IT guy ran off with their admin password
posted by thegmann at 12:47 PM on August 2, 2006

Not through code, but if you use the Winternals ERD Commander, you can use the Locksmith tool to reset the admin password. ERD commander isn't cheap, so it helps if you can find a friendly IT guy who'll loan it to you.
posted by fvox13 at 12:49 PM on August 2, 2006

Google for escalation of privileges exploits. The ghost of Alan Turing here in hell says there are no unpatched EoP exploits in the wild for windows right now.
posted by the ghost of Ken Lay at 12:57 PM on August 2, 2006

If you can boot the computer from a CD the most of these tools will change or reset the admin password. Beware, your IT department will probably know you did this.
posted by the ghost of Ken Lay at 1:00 PM on August 2, 2006

Response by poster: Thanks for the tips.

Unfortunately, changing the admin password is not an option - that will be immediately discovered and ugliness will ensue.

I *did* kind of think this would be too good to be true.

Ah well, c'est la vie.
posted by splitpeasoup at 1:06 PM on August 2, 2006

boot into something that will allow you access to ntsf files
make a copy of the password file
reset the admin password and do as you please
put the old password file back

some answers here
posted by caddis at 2:31 PM on August 2, 2006

If you're admins were smart enough to reduce regular user privilege, then the likelihood of you being able to boot to another type of media is highly unlikely.
posted by purephase at 2:52 PM on August 2, 2006

You should be able to change the boot preference through the BIOS. To do this without being "caught" would involve saving a copy of the CMOS (utilities exist) (I don't know if windows allows this, I assume it would). Then you can erase the CMOS password, either by erasing it with the erase jumper on the motherboard or a utility (some utilities even come with compatible password hash generators!). Do as you like to the CMOS now you have access to it on the next reboot. Do your dirty work. Now restore the original CMOS.

If you give the user the ability to insert media into the computer or save files to it, you are probably compromising security.
posted by shepd at 11:25 PM on August 2, 2006

Our net nazis are fairly reasonable. They want to deter people from installing all kinds of crap which can cause trouble, but don't want to unduly impair functionality. I can boot from a CD, and I can get to the bios. I can not, without the high jinks described above, edit the registry. If you were hard core enough, you would remove the drive, copy out the password file, and then crack it. My box is a laptop that I take home every night so how difficult would that be? Security is just a game of odds. They have made it hard for me, and I don't really care, so I will not take them on. I have a battery of computers at home with which to take risks. At work I am content to use the box for its intended use, plus metafilter. The only application that really mattered to me for installation can still be installed without admin rights, Firefox. It does not hook into windows like most crap.
posted by caddis at 12:23 AM on August 3, 2006

« Older Help my wrangle all my address books into one!   |   When it's time to cheat on your mechanic Newer »
This thread is closed to new comments.