Breaking Into A Windows XP Installation Exploiting the FAT32 Partition

Usually a Windows XP installation is done on a NTFS partition but at times you will find fools who install it on FAT32 partition and have no idea that they could create a Limited user account for normal using and then go about complaining that Windows is insecure to the brim.Anyway here we only need the Windows XP/Server 2003 to be installed on a FAT32 partition.There are three simple steps involved: • Rename the logon.scr file situated in system32 folder to something else. Then make a copy of the cmd.exe and name it logon.scr .• Restart the computer, wait on the logon screen for the renamed cmd.exe to fire up as logon.scr . Usually the time taken will be the time the admin set as the screen saver time. Usually 10 mins, and then you get a console window in front of you with all the admin powers.• Make a useful command. Best thing to do is run the explorer.exe command and wait for the GUI shell to load. Now you can perform normal computer operations. Another good thing that can be done is to change the Administrator password with the NET command on the command line itself.Now we will see how to do the first step in more detail. This can be achieved if u have a simple account or else use a boot disk and from command line you can perform the operation. Or else use a Linux installation to do it. Its always helpful to have a Linux live CD in hand. Else you can use the parallel Win 98 installation to do it (if available).I will elaborate the boot disk method. Most people will be having a Win 98 boot disk or a CD. Boot from it and reach the command line. Suppose Win XP is installed on C:\ then do the following:• A:\> C:\ • C:\> CD Windows\SYSTEM32 • C:\Windows\System32> REN logon.scr logon1.scr • C:\Windows\System32> COPY cmd.exe logon.scr • CTRL+ALT+DELETE (Restart the comp, remove the bootable media)Let see what happens in the second step. You need to do nothing in this step. You just need to sit and wait without pressing any key or moving the mouse for the screen saver to fire up. In this case logon.scr fires up. Logon.scr is nothing but a renamed cmd.exe .A command line shall appear after the set time expires.Now for the hacking step, we have a full powered command line in hand. Now we can do whatever we wish. Lets do one thing first; make sure that we have a long term access to the computer. We will change the administrator password. Type the commad:NET USER Administrator <pass of ur choice> ¿Very seldom does even a admin log in with the administrator account. So now you have the administrator account in your hand and not many can do anything about it.Supposing the computer is usually used frequently with the admin account, you can simply type the ‘explorer’ command at the shell to call the GUI shell. You get a full power shell in your hand. This is very safe since one will realize that anyone ever hacked their comp. But this will require you to wait for the command line to fire up as a screensaver every time.Anyhow, now you can hack comps of many FAT32 fools.

All I did was use Norton (i know don't slag me) BootMagic and PartitionMagic to create my partitions, then I added XP and 98SE. XP installed on a FAT32, without changing it to NTFS. Strange, I know. But I didn't like XP, so I back-tracked to Win2K.Great tutorial though, for those that don't have the delights of Norton. LMFAO.

Nice info ... especially the part about renaming cmd.exe to logon.scr. I think this will come in handy some time . Great tutorial.

yes a very useful tutorial. Although I myself like to use ERD Commander if I have access to a cd-rom drive as a bootalbe source. Its a very handy tool if you have access to it.

It's really very useful tutorial, i hope we can get a lot of tutorials like this one, not the same category "Hacking" but i mean the same quality as this one.

I have some questions:

Why can't we do these steps to a computer uses NTFS file system?, is there something prevents that?, can these steps done remotly?, will it has the same effect?, if so could it be done from linux remotly to change another windows pc adminstartor password?

It's really very useful tutorial, i hope we can get a lot of tutorials like this one, not the same category "Hacking" but i mean the same quality as this one.

I have some questions:

Why can't we do these steps to a computer uses NTFS file system?, is there something prevents that?, can these steps done remotly?, will it has the same effect?, if so could it be done from linux remotly to change another windows pc adminstartor password?

 

This method requires the ability to use windows 98 as a "shell" from what I've read. The problem is that Win '98 can't "address" a NTFS drive or install onto it. If you have the need to get into a winxp pro/home install that uses a NTFS drive then you will have to use a different method if you don't have direct access to a valid account due to a forgott'n password or whatever. For that I would definetly suggest a copy of Winternal ERD Commander....hehe....if you can get a copy of it that is, and you can get the machine your trying to work on to boot from the CD-ROM drive.

This method requires the ability to use windows 98 as a "shell" from what I've read. The problem is that Win '98 can't "address" a NTFS drive or install onto it. If you have the need to get into a winxp pro/home install that uses a NTFS drive then you will have to use a different method if you don't have direct access to a valid account due to a forgott'n password or whatever. For that I would definetly suggest a copy of Winternal ERD Commander....hehe....if you can get a copy of it that is, and you can get the machine your trying to work on to boot from the CD-ROM drive.

 

as i got it, if you have a limited account on a winxp then you don't have even to boot from a cd rom or a floppy or anything else, so the question if you have a limited account could you make it on NTFS file system or it can't be done on NTFS?, also the other questions waiting for reply

Why can't we do these steps to a computer uses NTFS file system? Windows '98 can not read a NTFS partion.is there something prevents that? see answer abovecan these steps done remotly? I don't beleive sowill it has the same effect? if you can figure out how to do it remotely possiblyif so could it be done from linux remotly to change another windows pc adminstartor password? there are otherways to remotely access a winXP system and change admin passwords.....hehehe