
Windows XP Privilege Escalation (For those who don't know how..)

This article explains how to gain SYSTEM privileges on a Windows XP operating system.

--=[ How to gain SYSTEM ]=--
-=[ Written by Skunkfoot ]=-

Note: So far, this doesn't work on Windows Vista.

-=[ Contents ]=-
[x] What is SYSTEM? (For those who don't already know)
[x] Why would I want to become SYSTEM?
[x] How do I become SYSTEM?
[x] The Exploit explained
[x] How to stop this from happening on your computer
[x] Conclusion

-=[ Part 1 || What is SYSTEM? ]=-
Okay, so what is SYSTEM exactly? Well, open up task manager and go look at your processes. You should notice that some of the processes are being run by <your username> and some are being run by SYSTEM. The ones being run by SYSTEM are exactly that: the system is running those processes by itself.

-=[ Part 2 || Why do I want to do that? ]=-
Well, with SYSTEM, you'll have more access locally on the computer. Different types of users have different privileges. Guests tend to have very limited privileges and access. Limited Users have a little bit more, but it's still not enough for normal people. Administrators, which is what most people use, have more privileges than Guests and Limited Users, but sometimes even Administrators don't have the privileges to do some things. This is why you might want to become SYSTEM. SYSTEM has more privileges than any other group, and you can do basically anything you want on the computer when you have obtained it.

-=[ Part 3 || How do I do that? ]=-
Open up Task Manager and a CMD prompt. Write down the current time (in military/24-hour time). EX: 15:24 = 3:24 PM. Then, go to your Task Manager and end the "explorer.exe" process. Now, in the CMD window, type "at <current time> /interactive explorer.exe" and hit enter. That should get you SYSTEM.

-=[ Part 4 || I want to understand why that works ]=-
Explorer.exe is the Windows shell, or more commonly, your Desktop and Start menu, and is different for each user. When you log in to Windows, explorer.exe loads, and that's why you see your icons and Start Menu and everything. When you log out, it ends explorer.exe for that user. So, when we kill explorer.exe and then tell the system to restart it interactively, SYSTEM is running the process instead of your user: the at command hands the job to the Task Scheduler service, which itself runs as SYSTEM, and /interactive puts the new process on your desktop instead of on a hidden one.
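A defender-side check, added here and not part of the original article: a script that scans a Task Scheduler log for at-created jobs (At<N>.job) whose command is an interactive shell, which is the trace the procedure in Part 3 leaves behind. The log layout follows XP's SchedLgU.txt as remembered, and the sample lines are constructed; both are assumptions to verify against a real log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of Task Scheduler's SchedLgU.txt on XP.
# The layout is assumed from memory; verify against a real log before relying on it.
SAMPLE_LOG = (
    '"At1.job" (explorer.exe)\n'
    '\tStarted 1/1/2008 3:24:00 PM\n'
    '"At1.job" (explorer.exe)\n'
    '\tFinished 1/1/2008 3:24:01 PM\n'
    '\tResult: The task completed with an exit code of (0).\n'
    '"Backup Nightly.job" (ntbackup.exe)\n'
    '\tStarted 1/1/2008 11:00:00 PM\n'
    '"At2.job" (cmd.exe)\n'
    '\tStarted 1/1/2008 3:31:00 PM\n'
)

# Interactive programs that have no business being launched by the at service;
# the article's trick starts exactly these as SYSTEM on the user's desktop.
INTERACTIVE_SHELLS = {"explorer.exe", "cmd.exe", "regedit.exe", "taskmgr.exe"}

JOB_LINE = re.compile(r'^"(?P<job>[^"]+)" \((?P<command>[^)]+)\)$')
START_LINE = re.compile(r'^\s+Started (?P<when>.+)$')
AT_JOB_NAME = re.compile(r'at\d+\.job', re.IGNORECASE)   # jobs created by at.exe

@dataclass
class Finding:
    job: str
    command: str
    started: str

def find_interactive_at_jobs(log_text: str) -> List[Finding]:
    """Return each at-created job whose command is an interactive shell, with its start time."""
    findings: List[Finding] = []
    current: Optional[Tuple[str, str]] = None   # (job name, command) of the last header line
    for line in log_text.splitlines():
        m = JOB_LINE.match(line)
        if m:
            current = (m.group("job"), m.group("command").strip())
            continue
        m = START_LINE.match(line)
        if m and current:
            job, command = current
            if AT_JOB_NAME.fullmatch(job) and command.lower() in INTERACTIVE_SHELLS:
                findings.append(Finding(job, command, m.group("when")))
    return findings

if __name__ == "__main__":
    for f in find_interactive_at_jobs(SAMPLE_LOG):
        print(f"SUSPECT: {f.job} ran {f.command} as SYSTEM at {f.started}")
```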

-=[ Part 5 || I don't want my shit to get h4x0red! ]=-
Relax, all you have to do is disable the "at" command, which shouldn't cause a problem with your everyday computer usage because nobody really uses that command for anything. (Or at least nobody I know :P)

-=[ Conclusion ]=-
All that being said, I hope you actually learned something from my article. ^_^


P.S. If anything is a little incorrect, just tell me, because I'll want to know. (But I think it's all pretty much accurate.)


mido on December 26 2007 - 16:17:45
Good article, I didn't know about that. But you had better extend part 5 more.
Skunkfoot on December 27 2007 - 05:08:46
lol, you can look up how to prevent it if you want a more extensive method, and for the record, moshbat tested a program I wrote that does this same thing.
Gr33dy on December 28 2007 - 09:07:40
Lol tried it but Access Denied lol , using XP Pro as a Limited User :/
Mouzi on December 28 2007 - 11:42:11
But aren't there other ways too? I remember something about replacing the screensaver with cmd or something like that.
DigitalFire on December 29 2007 - 06:07:30
Now that's an article. Write more, man! :happy:
Phantomchaser on December 30 2007 - 14:30:59
Nice article. I use this at work quite frequently. It's nice to see it laid out so neatly. Well done.
Skunkfoot on December 31 2007 - 03:58:19
I used to use /interactive cmd.exe too and then just restarted explorer.exe from the new cmd window, but I was like, "Hey, I'm just restarting explorer.exe, why not just do that interactively?" and it worked ^^ and yeah, I've heard of other ways to do this too, but I'm not familiar enough with any other method to write a decent article about it. Maybe one of you can write an article on a different way to do this. (but if you do, please make it thorough...I hate bad articles...)
korg on January 01 2008 - 03:24:26
Very old hack for XP. What rock did you find this under? Don't tell me you just found this, because it's everywhere. Problem being you need to be logged into an admin account. You can't access anyone's personal documents or settings, and last, you can't do any more than the admin of the computer, so basically this is useless. People who have tried this try it under a guest account. Not gonna happen.
korg on January 01 2008 - 03:26:20
Any one that rated this as awesome is a Noob in XP.
korg on January 01 2008 - 03:30:06
Fuck! Not done yet: the at cmd is used for a lot of things. Learn how to use it and don't disable it.
ThorsDecree on January 01 2008 - 07:48:32
wonder who rated it poor? Pfft
Zephyr_Pure on January 01 2008 - 16:14:20
I think that the article would have been better if it explained SYSTEM (and the other users / groups) a bit more thoroughly and possibly addressed either more with the AT command or more basic privilege escalation "exploits" in XP. Also, you're not going to get "h4x0red" with this, unless the perpetrator has physical access (in which case all bets are off). korg, I agree that there are better methods of circumventing account restrictions; in fact, most of them do not even involve admin access. However, I have to ask: If SYSTEM can do everything an admin can do, then why can't you access personal documents by taking ownership? As for the settings part, I guess that depends on which settings you're trying to access.
korg on January 01 2008 - 19:21:08
System or Admin accounts cannot access your personal files and folders if you tweak them to be stored only in your user account profile. That way only you can access them. Sorry I should have been more clear I thought most people knew how to protect personal items. Maybe I'll do an article on it. Be quite lengthy though. @Zephyr I knew you would respond to this article.
DigitalFire on January 01 2008 - 21:59:40
Well, it does have some uses. Logged in as an admin, there was a process that would produce "Access denied" when I tried to end it. But using the at command, I managed to kill it. Also you can boot regedit in the same way, yatta yatta. Just kind of interesting. Korg, if you have better privilege escalation techniques please write an article :happy:
DigitalFire on January 01 2008 - 22:09:21
And yeah, you do have to be admin. So I guess it's not that useful after all. Still interesting though.
korg on January 05 2008 - 03:22:24
Yes, I do have a lot better privilege escalation and profile-securing techniques. I will write an article when I get some time, but I have a whole binder filled with XP shit.
Skunkfoot on January 06 2008 - 08:14:59
@korg: no, I didn't just find this, but I was bored and decided to write an article. And the ratings are for the article itself and how helpful it was, regardless of what it's about. I didn't say this was something amazing that everyone needs to know, but I think it could be helpful to some people, and that's why I wrote the article. If you don't like it, then that's your choice, and I'm not about to criticize you for doing what you think is right. If you have a "better" method, please write an article on it, I'd love to learn it. @zephyr: as always, thanks for the constructive criticism, maybe I'll edit it to include more of that stuff. And yes, I realize that it's not much more useful than being able to create your own admin user, but that's still a pretty handy piece of knowledge to have, don't you think?
Zephyr_Pure on January 13 2008 - 06:04:51
It is a handy piece of knowledge, skunk. Of course, korg, you know that you and I shall respond to every article about XP... ever. We have the most vested interest in it. lol As for your last comment about "storing only in account profile", I haven't seen a folder yet that could not be taken ownership of... including personal profiles. I have had to use that technique to recover sensitive data from terminated employees before, and it has included Administrator-level accounts. Of course, if System can't do it, then System could at least create an Administrator-level account that could then take ownership, right? I enjoy these speculations... there should be a forum dedicated to XP.
Durty1425 on January 13 2008 - 18:04:39
:happy: Awesome. Thanks. I learned something new. You should have included how to disable the "at" command too, though.
korg on January 15 2008 - 09:35:05
@Zephyr_Pure: Look into Lock Folder XP. It will password protect and hide folders from anyone till you unlock it. Great program. I hide my important sensitive data (porn links) in a folder and name it something like a Windows system folder, IE: krgwin. Then bury it in the Windows folder deep. Then apply Lock Folder to it. Don't use some of the cheap programs like hidefolder or folderguard etc., because they create a reg. value and store your password and folder location, usually in a 1 letter jump. These programs are easy to break and copy folder contents. Just some insight.
DigitalFire on February 01 2008 - 05:08:53
Porn? There's porn on the internet? :happy: korg, you should write articles.
ThorsDecree on February 20 2008 - 20:53:31
They locked 'at' on my school's computers, so I can't get privs and fix a virus on a friend's flash drive :\ Format is blocked, and I have no third party software on my own drive.
onejerlo on January 04 2009 - 09:33:34
Doesn't work on my comp... I don't know why... but when I try to use it on my comp... it merely says... access denied (I'm an admin... but have guest-like rights until I specially demand admin; the tests good). That's probably the result of UAC settings... but I don't know for sure... Know any way I can get by this glitch???
ellipsis on November 18 2012 - 05:28:22
TotcoS was here.
