Jump to content
xisto Community
Danmidas

System Account Hack

By Danmidas, in Security issues & Exploits

Recommended Posts

Danmidas    0

Danmidas
Posted (edited)

i found this when i accidently put CMD in my task manager:

________________________________________________________________

To start, lets open up a command prompt (Start > Run > cmd > PRESS ENTER).

 

At the prompt, enter the following command but replace 15:25 with 2 mins after current system time

 

at 15:25 /interactive "cmd.exe"
(dont forget to replace 15:25 with 2 minutes after current system time)

 

at the time set a new CMD box will magicaly appear

 

You'll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host)

close the first CMD box but leave svchost open

 

now press CTRL+ALT+DEL, In task manager, go to the processes tab, and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there.

 

in the command prompt that remains type explorer.exe

 

A desktop will come back up, but what this? It isn't your desktop. Go to the start menu and look at the user name, it should say "SYSTEM". Also open up task manager again, and you'll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop

 

You are now the God of the windows machine

 

Abnormalities & experimentation

 

I've noticed different results depending on the service pack and hot fixes installed; for example, sometimes when I try to open the user control panel applet, I get a error saying user not recognized, and the location where the Local System account profile is stored also varies. I haven't had much time to explore this, so if you find anything else, please use the email address found in the contact section of this article, and send a note my way.

 

A quick fix

 

A way to prevent this from happening at all, would be to make the task scheduler service run under a unprivileged account. You can do this by opening the services control panel (Start > Run > services.msc), and right clicking "Task Scheduler" and going to the Log On tab. Change it to "This Account" and enter the account information you want it to use (has to be an existing account) then restart the service. This may break some programs that use the Task Scheduler and depend on it for SYSTEM access; you have been warned. Otherwise, simple disable the Task Scheduler service.

Edited by XPkiller (see edit history)

Share this post

Link to post
Share on other sites

nightfox1405241487    0

nightfox1405241487
Posted

Wow... I printed this one out for future reference! Gotta love Windows! :ph34r: But this really shows you how dumb Microsoft really is. There might even be other tricks too... such as executing malicious code or what not at a time. In other words, your system could be a ticking time bomb and the malicious code could really do some damage (especially being "god windows user").[N]F

Share this post

Link to post
Share on other sites

jimmy89    0

jimmy89
Posted

Its amazing that there is such a huge hole in their Operating System. Though, most come to expect things like this from microsoft, not something as massive as this!Do you know which versions of Windows does this effect? Only XP, or does it go back a few versions?-jimmy

Share this post

Link to post
Share on other sites

Saint_Michael    3

Saint_Michael
Posted

Wow I wonder if Microsoft knows about it little trick, would it possible to do this on another computer through the net if you had a good trojan put in place?

Share this post

Link to post
Share on other sites

Danmidas    0

Danmidas
Posted

Unfortunatly i only have XP, so cant try it on older versions but im sure it would workand im also fairly sure the Trojan thing would work too

Share this post

Link to post
Share on other sites

FirefoxRocks    0

FirefoxRocks
Posted

This was discussed before in: http://forums.xisto.com/topic/91666-topic/?findpost=1064358877

Anyways, I submitted this security threat to Secunia a few months ago, but they didn't look at it. But this could make a limited account even higher than Administrator on the computer (it doesn't work on the Guest account though, my friend tried it out).

But, yeah, someone could probably remotely trigger this command. It's not that hard to start and kill a task you know?

Share this post

Link to post
Share on other sites

develCuy    0

develCuy
Posted

I suggest Linux for that reason. Now I have another prove to feel me insecure using windows and safer with Linux. "A patched system will ever have new holes, including the patches".Blessings!

Share this post

Link to post
Share on other sites

mvs.en    0

mvs.en
Posted

Yeah, I checked this out and tested the whole exploit thing a week or two ago...Didn't seem to do any real damage (I probably should have thought about it a bit before I tested it)But it DID kind of hurt my STart menu in that after I was done with it all those lovely little programs that get listed on the XP start menu (The most commonly openned programs)... They all vanished off the list and I am unable to get them back.I'm fine with it though, they weren't really that important to me and I've already found ways to compensate for them.For a couple days using the exploit also killed the configurations for my mouse... But I was able to fix that.I think there were a couple other little blips I noticed after testing the exploit, but none of them were very noticeable at all.The only one that I'd be careful for is the programs under the Start Menu issue... But I'm not even 100% sure they dissapeared because of the SYSTEM account.I'd just keep it in mind if any of you choose to test it at all.

Share this post

Link to post
Share on other sites

Nintendo    0

Nintendo
Posted

i just tryed to remotly connect to my test PC using this methodit succeeded, then, depending on the XP service pack, it would either let me do it with guestor not let me do it with guest, if you can then the PC is just wide open from guest----> systemwhen i was in i experimented with differant thingsi changed the administrator and all the other passwords remotly, locking the user outyou can kill the AV's and FWL's on a PCyou can also revert windows back to its previus state (being win 98 here)you can play messages or music to the user of the PC, you can lock the PC

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go To Topic Listing
×
×
  • Create New...

Important Information

Terms of Use | Privacy Policy | Guidelines | We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.

  I accept