Finally the help of IT is here

Blog of computer solutions.

Elevation of Privilege in Windows Vista.

Posted by Xaus Xavier Nadal on 2 November 2008

Good afternoon.

Late on Friday at work I decided to try NewSid 4.10 on Windows Vista. I knew it did not work, but some colleagues assured me that it did, and even demonstrated it to me after detecting that we had 3 Windows Vista machines with the same SID and running the program on them. So I decided to do a «proof of concept» of NewSid on my own PC («silly me for not doing it in a test environment, but anyway»). Getting to the point, I tried it in 2 ways:

1.- Without removing the PC from the domain (this makes no sense, because the machine SID, for all that really matters, is what differentiates one computer from another in a domain (more or less, you know what I mean). But things have to be tried, since they often surprise us and we discover a new bug or a new way to bypass a protection. XD.

I was able to proceed with the program: host name, restart after finishing... («Wow, it works...»), but after waiting a long time for the process to finish and seeing that it was going nowhere after 15 minutes, I stopped the program and removed the PC from the domain, after making sure that the local user I had not used in a long time had the password I wanted and was an administrator of the system (1 point for me).

2.- With the PC removed from the domain:

Indeed it does not work, because it throws an error at the start of the program and cannot continue in any way. I was right (2 points for me).

Having confirmed that NewSid does not work on Windows Vista, I rebooted the computer to re-join the PC to the domain.

What a surprise when I logged in to my local administrator session: I tried to join the computer to the domain and it would not let me, because it says that this user is not a local administrator. Well, no problem, I have another local administrator user; I tried it and got the same result (what had happened is that all the local administrators had lost their privileges, so they could not join my computer to the domain for lack of rights).

Well, the weekend arrives and with it the time to devote to hacking my own PC, so I take the computer home to bring it back on Monday hacked (or so I hoped; I am very stubborn and until I find the solution to a problem I do not stop, whenever I have time available, of course).

When I get home I pick up my dear NT Password Recovery, which I remembered could add a selected user to the «Administrators» group, although only in a beta phase, but there is no harm in trying. And... I don't manage it. Damn. I searched for which registry keys to modify in order to grant local administrator permissions, since I assumed that if NewSid had managed to remove the administrator permissions just by modifying registry keys, I could do a rollback and be done, but I could not find anything. Well, yes: the only thing I found was information on how to enable the (hidden) Administrator user in Windows Vista with the command net user administrator /active:yes, but of course you also have to run that as a user with administrator privileges.

I decided to google and, as always, learned a lot thanks to all the people who, like me, publish articles of interest for others. One of the things that most surprised me was how to give myself permissions on registry keys as SYSTEM through a utility from Microsoft itself; here is the link: This could already be done with the NT Password Recovery utility, but this way was much easier: you just grant your user permissions on whichever registry key you like and then modify it with regedit. You can find more information on this at:


Not knowing which registry keys to modify, I discarded that approach fairly quickly and kept searching until I found the solution to my problem.

Here is a brief summary (do not do this without adult hacker supervision).

From a command line with access to NTFS, such as the one in Hiren's BootCD with its application or Volkov Manager, or from a graphical environment with Bart's PE and the A4FileManager application... you must rename the file utilman.exe and copy cmd.exe over it, as I show below:

ren utilman.exe utilman._exe
copy cmd.exe utilman.exe

With these steps the cmd.exe command keeps running as usual, while the utilman.exe command now opens a command line with administrator privileges, because Windows runs this application as the SYSTEM user by default on the logon screen so that it is available there.

Once the files are renamed, reboot the computer, and on the logon screen where you are asked for user and password to access your session, click the accessibility icon at the bottom left (this used to be utilman.exe and is now a command line with administrator privileges). Everything you run from this command line will run with administrator privileges. So we run compmgmt.msc to open the user management console, create a local user, add it to the Administrators group, and that's it: we can log in with a user we created ourselves, without having had local administrator permissions or anything of the sort, in a very simple way.
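The procedure above works because the accessibility helper on the logon screen is trusted to be the real utilman.exe. As an added example (not code from the original post), the following PowerShell script checks a machine for the traces that procedure leaves: it verifies the Authenticode signature of utilman.exe, reads its version resource, compares its hash with cmd.exe, and looks for the renamed original utilman._exe that the post's rename step leaves behind. The function and variable names are this example's own; it assumes it is run from an elevated PowerShell 4.0 or later (for Get-FileHash) on the machine being checked.

```powershell
# Added example, not part of the original post: an integrity check for the
# accessibility helper the post replaces. Assumed: run from an elevated
# PowerShell (4.0 or later for Get-FileHash) on the machine being checked;
# the function and variable names below are this example's own.
$System32 = Join-Path $env:SystemRoot 'System32'
$Utilman  = Join-Path $System32 'utilman.exe'
$Cmd      = Join-Path $System32 'cmd.exe'
$Leftover = Join-Path $System32 'utilman._exe'   # name the post's rename step leaves behind

function Test-UtilmanIntegrity {
    $findings = @()

    if (-not (Test-Path -LiteralPath $Utilman)) {
        return ,@("utilman.exe is missing from $System32")
    }

    # 1. The genuine file carries a valid Authenticode signature from Microsoft.
    #    Note: a copied cmd.exe is itself a validly signed Microsoft binary, so
    #    this check alone does not catch the post's trick; checks 2 and 3 do.
    #    On old PowerShell versions catalog-signed OS files show 'NotSigned'.
    $sig = Get-AuthenticodeSignature -FilePath $Utilman
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status of utilman.exe is '$($sig.Status)'"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings += "utilman.exe is signed by '$($sig.SignerCertificate.Subject)'"
    }

    # 2. A copied cmd.exe keeps cmd.exe's own version resource; the genuine
    #    utilman.exe identifies itself as utilman in OriginalFilename.
    $vi = (Get-Item -LiteralPath $Utilman).VersionInfo
    if ($vi.OriginalFilename -and $vi.OriginalFilename -notmatch '^utilman') {
        $findings += "utilman.exe reports OriginalFilename '$($vi.OriginalFilename)'"
    }

    # 3. Direct evidence of the copy step: byte-identical content to cmd.exe.
    $utilmanHash = (Get-FileHash -LiteralPath $Utilman).Hash
    $cmdHash     = (Get-FileHash -LiteralPath $Cmd).Hash
    if ($utilmanHash -eq $cmdHash) {
        $findings += 'utilman.exe has the same SHA-256 hash as cmd.exe'
    }

    # 4. The rename step leaves the original behind under a new name.
    if (Test-Path -LiteralPath $Leftover) {
        $findings += "renamed original found at $Leftover"
    }

    return ,$findings
}

$result = Test-UtilmanIntegrity
if ($result.Count -eq 0) {
    Write-Output 'OK: no indicators of a replaced utilman.exe'
} else {
    $result | ForEach-Object { Write-Output "WARNING: $_" }
}
```

An empty result means none of the four indicators fired; any warning is worth following up by restoring the file from installation media and reviewing who had physical access to the machine. The check is after-the-fact by nature: the post's steps need offline write access to the system disk from a boot CD, and the preventive control for that is full-disk encryption (BitLocker on Vista and later), which keeps an offline environment from renaming files in System32 in the first place.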

I found this «Human-Exploit» at: Many thanks for the help.

What I still do not understand is how the hell they changed the SID on a Windows Vista machine without doing a sysprep. I hope to find out, and when I do I will explain it.

Greetings, Megacracks.

PS: This procedure also works on Windows XP.

Posted in hacking, how to | 11 Comments
