Finally the help of IT is here

Blog of computer solutions.

Elevation of Privilege in Windows Vista.

Posted by Xaus Xavier Nadal on 2 November 2008

Good afternoon.

Last Friday at work I got to test NewSID 4.10 on Windows Vista. I knew it did not work, but some friends assured me that it would, and even showed me, after finding that they had 3 machines with the same SID on Windows Vista, that they had run the program on them. So I decided to do a "proof of concept" of NewSID on my own PC ("silly me for not doing it in a test environment, but oh well"). We tried it in 2 ways:

1.- Without removing the PC from the domain (which makes no sense, because the machine SID, for all that really matters, serves to tell one computer from another in a domain (more or less, you know what I mean). But things have to be tried, because they often surprise us and we find a new bug or a new way to bypass a protection. XD

I could run the program, set the host name, restart after it finished... ("Wow, it works..."), but after a long wait for the process to finish and seeing that there was no progress after 15 minutes, I stopped the program and removed the PC from the domain, after making sure that the local user I had set up long ago still had the password I wanted and was a system administrator. (1 point for me.)

2.- With the PC removed from the domain:

Indeed it does not work, because it throws an error at the start of the program and cannot continue in any way. I was right (2 points for me).

Having confirmed that NewSID does not work on Windows Vista, I rebooted the computer to rejoin the PC to the domain.

What a surprise when I logged in to my local administrator's session and tried to join the computer to the domain: it would not let me, saying the user lacked local administrator rights. Well, no problem, I have another local administrator user; I tried it and got the same result. (What had happened is that all the local administrators had lost their privileges, so they could not join my computer to the domain for lack of permissions.)

Well, the weekend arrived and with it the time to devote to hacking my own PC, so I took the computer home to bring it back on Monday hacked (or so I hoped; I am very stubborn and I do not stop until I find the solution to a problem, whenever I have the time available, of course).

When I got home I grabbed my dear NT Password Recovery. I remembered that it could add a selected user to the "Administrators" group, although that feature is still in beta. And... I did not get it. Damn. I then looked for registry keys to modify in order to grant local administrator permissions, because I assumed that if NewSID had managed to remove the administrator permissions only by modifying registry keys, I could roll them back and be done, but I could not find anything. Well, yes: the only thing I found was information on how to enable the hidden Administrator user in Windows Vista with the command net user administrator /active:yes, but of course you have to run that with a user that already has administrator privileges.

I decided to google and, as always, learned a lot thanks to all the people who publish articles of interest to others. One of the things that surprised me most was how to give myself permissions on registry keys in SYSTEM mode through a utility from Microsoft itself; here is the link: http://www.microsoft.com/downloads/details.aspx?FamilyId=E8BA3E56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en. This could already be done from the NT Password Recovery utility, but this way was much easier: you just give your user permissions on whatever registry key you like and then modify it with regedit. You can find more information on this in:

http://www.tech-archive.net/Archive/WinXP/microsoft.public.windowsxp.general/2007-03/msg04940.html

and

http://arangeltx.blogspot.com/2008/01/ltima-experiencia-regedit-claves-en-en.html

Not knowing which registry keys to touch, I discarded that approach fairly quickly and kept looking until I found the solution to my problem.

Here is a brief summary (do not do this without adult hacker supervision).

From a command line with access to the NTFS volume, such as Hiren's with its Volkov Manager application, or from a graphical environment with Bart's PE and the A4FileManager application... you must rename the files utilman.exe and cmd.exe as I show below:

rem Run inside the Windows system directory of the offline installation
ren utilman.exe utilman._exe
copy cmd.exe utilman.exe

With these steps, cmd.exe keeps running as before, and running utilman.exe now opens a command line with administrator privileges, because on the logon screen Windows launches that application as the SYSTEM user by default, before any session exists.

Once the files are renamed, restart the computer, and on the logon screen where you are asked for user and password to access your session, click the accessibility icon at the bottom left (which used to launch utilman.exe and now opens a command line with administrator privileges). Everything run from this command line runs with administrator privileges. So we run compmgmt.msc to open the user management console, create a local user, add it to the Administrators group, and that's it: we can log in with a user created by ourselves, without needing any local administrator permissions or anything like that, in a very simple way.

I found this "human exploit" at: http://foro.elhacker.net/hacking_avanzado/escalada_de_privilegios_en_windows_vista-t158467.0.html. Many thanks for the help.

What I still do not understand is how the hell they changed the SID on Windows Vista without doing a sysprep. I hope to find out, and I will explain it.

Greetings, Megacracks.

PS: This procedure also works on Windows XP.
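From the defender's side, the substitution above leaves two obvious artifacts on disk: a renamed original (utilman._exe) sitting next to the accessibility helper, and a utilman.exe whose bytes are identical to cmd.exe. Because the files are changed from a boot CD while Windows is offline, nothing is written to the event log, so an integrity check of the system directory is the practical way to detect it. The script below is an added example written for this article, not code from the original post or from any of the tools it mentions. It builds a clean and a tampered fake system directory from constructed placeholder files in a temporary folder so it runs offline; the function names audit_utilman, simulate_tampering and build_demo are my own, and the "known-good" hash is simply taken from the clean copy. On a real machine you would point audit_utilman at %SystemRoot%\System32 and supply a reference hash obtained from a trusted install of the same build.

```python
"""Added example: detect the utilman.exe / cmd.exe substitution described in the post.

Findings reported by audit_utilman():
  backup_present   - utilman._exe exists (the original was renamed aside)
  identical_to_cmd - utilman.exe has the same SHA-256 as cmd.exe
  hash_mismatch    - utilman.exe differs from a supplied known-good hash
All paths and file contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's content, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_utilman(system32: Path, known_good_sha256: Optional[str] = None) -> List[str]:
    """Return a list of findings for the accessibility helper; empty means clean."""
    findings: List[str] = []
    utilman = system32 / "utilman.exe"
    cmd = system32 / "cmd.exe"

    # Step 1 of the trick renames the original out of the way.
    if (system32 / "utilman._exe").exists():
        findings.append("backup_present: utilman._exe found next to utilman.exe")

    if not utilman.exists():
        findings.append("missing: utilman.exe not found")
        return findings

    utilman_hash = sha256_of(utilman)

    # Step 2 copies cmd.exe over it, so the two files become byte-identical.
    if cmd.exists() and utilman_hash == sha256_of(cmd):
        findings.append("identical_to_cmd: utilman.exe has the same SHA-256 as cmd.exe")

    # Generic tamper check: catches a replacement by any other binary, not just cmd.exe.
    if known_good_sha256 is not None and utilman_hash != known_good_sha256.lower():
        findings.append("hash_mismatch: utilman.exe differs from the known-good reference")

    return findings


def simulate_tampering(system32: Path) -> None:
    """Test fixture only: apply the two file operations from the post to the fake directory
    (rename utilman.exe to utilman._exe, then copy cmd.exe over utilman.exe)."""
    (system32 / "utilman.exe").rename(system32 / "utilman._exe")
    (system32 / "utilman.exe").write_bytes((system32 / "cmd.exe").read_bytes())


def build_demo() -> Dict[str, List[str]]:
    """Create a clean and a tampered fake System32 and audit both."""
    root = Path(tempfile.mkdtemp(prefix="utilman-audit-"))
    results: Dict[str, List[str]] = {}
    for state in ("clean", "tampered"):
        d = root / state
        d.mkdir()
        # Constructed placeholder content; real files are PE images, but the checks
        # only compare hashes, so any distinct bytes will do for the demo.
        (d / "cmd.exe").write_bytes(b"MZ constructed placeholder for cmd.exe\n")
        (d / "utilman.exe").write_bytes(b"MZ constructed placeholder for utilman.exe\n")
        reference = sha256_of(d / "utilman.exe")  # known-good hash from the clean state
        if state == "tampered":
            simulate_tampering(d)
        results[state] = audit_utilman(d, known_good_sha256=reference)
    return results


if __name__ == "__main__":
    for state, findings in build_demo().items():
        print(f"{state}: {findings or ['OK']}")
```

The hash-against-reference check matters most: the first two checks only catch the exact recipe from the post, while a reference hash catches any replacement of the helper. In practice the reference can come from a clean install or from the signed catalog for that OS build, and the same audit can be scheduled or folded into a boot-time integrity check; full-disk encryption closes the offline editing path altogether.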

Posted in: hacking, how to | 11 Comments
