[How to] Gaining SYSTEM account access in Windows XP

Post by **RichardG867** » Wed Feb 20, 2008 12:09 am

Method 1
1. Switch to classic logon
2. Remove any Windows CD from the drive
3. Delete EVERYTHING in i386 (root or WINDOWS), repair (WINDOWS), dllcache (system32) and ServicePackFiles (WINDOWS)
4. Backup sethc.exe (located in system32)
5. Make a copy of cmd.exe and rename it to sethc.exe
6. Logoff
7. In logon screen, hold SHIFT for 8 seconds until a command prompt window appears.
8. Type "explorer.exe" and press ENTER.
9. Ready to go!

Method 2
1. Open command prompt
2. Kill explorer using taskmanager
3. Run:
3. AT XX:YY /INTERACTIVE cmd.exe
3. where XX:YY is your Windows time plus one minute
4. Wait no more than one minute.
5. Now you have SYSTEM command prompt
6. Run explorer.
7. Ready to go!

Method 3
1. Download PowerPrompt here
2. Run PowerPrompt.exe
3. Command prompt with SYSTEM privileges!

What you CAN do:
Use "control userpasswords2" (can be called by the command prompt instead of explorer.exe) to create a new user account
Change classic logon theme and wallpaper

What you CAN'T do:
Use taskmgr (it will appear completely bogus)

Known problems:
After a couple of minutes, explorer simply closes.

Post by **Daniel** » Wed Feb 20, 2008 6:27 am

Another method:

- Quit the explorer with taskmanager.
- Run cmd.exe
- Type: AT HH:MM /INTERACTIVE cmd.exe (use your time + one minute for HH:MM)
Now you have a command line running with system users privileges
- Type explorer.exe

Post by **RichardG867** » Wed Feb 20, 2008 6:46 pm

@D.Konieczny:
Screenies of your method.

Firefox, WLM, Task Manager and underneath cmd are running on my user. The rest is running on SYSTEM.
I can even kill SYSTEM's explorer.exe using task manager from my admin account.

Problems:
When killing SYSTEM's explorer.exe, some parts of the environment (eg. Windows effects, desktop background) will still run on SYSTEM. To take the things back on normal, logoff then login with your previous account.
When starting explorer.exe, Windows will ask for Windows Tour, AND, will display an error saying that some network drives could not be reconnected, even if you don't have one.

Post by **Daniel** » Wed Feb 20, 2008 7:05 pm

RichardGatinho wrote: When starting explorer.exe, Windows will ask for Windows Tour, AND, will display an error saying that some network drives could not be reconnected, even if you don't have one.

Thats because windows is creating a new user profile for SYSTEM.

Post by **stitch** » Wed Feb 20, 2008 7:30 pm

I have to make a pun on this then

Don't IRC as SYSTEM!!!

Post by **RichardG867** » Thu Mar 20, 2008 7:10 pm

Sorry if rulesbreaking, exactly 20 minutes worth to reach 1 month.

The second method works on Windows 2000, but the window comes from mstask.exe, not svchost.exe.

Post by **jaclaz** » Thu Mar 20, 2008 7:55 pm

Just for the record, third method (app to get system credentials):
http://grubletrang.com/Software.aspx?app=PowerPrompt

jaclaz