Access Locked Resources - Be The Machine
I was doing some research the other day on getting your self out of a difficult situation when you don’t have access to some vital system resources because you are running as a normal user and you lost your local admin password.
I discovered that there is a way to reset your user interface and run interactively as the LOCAL SYSTEM account. This is important because the LOCAL SYSTEM account has a lot of privileges available to it. According to Microsoft:
The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.
A little while back, some enterprising individuals discovered a way to run the LOCAL SYSTEM account interactively. Here are the instructions according to one website:
- Start > Run > cmd.exe > type: at 12:03 /interactive “cmd.exe” (replace 12:03 with a time 2 mins from now). > close command prompt
- New command prompt will open, when it does > Hit CTRL+ALT+DEL > find explorer.exe and End Process.
- At command prompt type: cd.. > type: explorer.exe
This all words fine except that it is a bit confusing for someone who does not understand how all this works. So, I thought I would make it easier for those who do not have my background. I created a little program in AutoIt that completely automated the process. Simply run the program, wait for a couple of minutes, and you’re running as the LOCAL SYSTEM account.
You can download this program and play with it all you want.
WARNING: I have tested this program to the best of my abilities but this does not mean it is perfect. I did not have any problems with it but that does not mean you will not. If something goes wrong, don’t blame me! You’ve been warned.
For those of you who are interested, here is the source code for this little program I wrote. Feel free to hack around and make it do different things:
#include <Date.au3>
If $CmdLine[0] = 0 Then
;No command line options
;First run
$RunTime = _DateTimeFormat(_DateAdd(’n', 1, _NowCalc()),5)
$Command = @ComSpec & ” /c AT ” & $RunTime & ” /interactive “”" & @ScriptFullPath & “”" 2″
Run($Command)
Else
;Second run
$Command = @ComSpec & ” /c taskkill /IM explorer.exe /F & ” & @WindowsDir & “/explorer.exe”
Run($Command)
EndIf
Update: Someone asked in the comments how you get back to your normal account. Simply log out and then log back in as yourself. You should be back to normal.
If you found this post useful, why don't you buy me a cup of coffee to show your gratitude?
15 Responses to “Access Locked Resources - Be The Machine”
-
David Says:
May 23rd, 2008 at 5:30 amOk, that cool, but how to you get things back to normal when you are done doing what you needed to do?
-
Jason Says:
May 23rd, 2008 at 7:19 amInteresting. This is kind of scary if you have a user who is computer savvy enough to use this info for evil. Now your user can go in and change the admin password and wreak havoc on your systems.
This is pretty cool though. Thanks for the info.
-
Tim Fehlman Says:
May 23rd, 2008 at 8:51 am@David,
All you need to do is log out of the LOCAL SYSTEM account and log back in as yourself. I’ll add an update to the post.
Tim
-
joe Says:
May 23rd, 2008 at 10:01 amIt looks like Vista has plugged this gaping security hole:
C:\Users\joe>at 10:57 /interactive “cmd.exe”
Warning: Due to security enhancements, this task will run at the time
expected but not interactively.
Use schtasks.exe utility if interactive task is required (’schtasks /?’
for details).
Access is denied. -
Tim Fehlman Says:
May 23rd, 2008 at 11:08 am@joe,
Wow! An actual reason to go to Vista! Who knew?
Tim
-
kris Says:
May 23rd, 2008 at 9:42 pmJoe, which version of Vista where you using? I’m currently booted into Vista Business SP1:
Warning: Due to security enhancements, this task will run at the time
expected but not interactively.
Use schtasks.exe utility if interactive task is required ('schtasks /?'
for details).
Added a new job with job ID = 1Note that last line, it still works! However on both my XP Pro SP2 and Vista Business SP1 builds I get this as the output of the at command:
Status ID Day Time Command Line
--------------------------------------------------------------
1 Tomorrow 9:28 AM cmd.exeSo basically, this isn’t working on all builds of Windows. Or maybe I’m entering the command wrong?
-
Michael Perlman Says:
May 26th, 2008 at 4:09 pmI’m running Windows XP Pro, and recieved an access denied error. Perhaps you need to be an actual admin to run “at” with the “/interactive” switch.
-
Jason Says:
May 27th, 2008 at 7:29 amA friend of my wife had an issue where her daughter set the admin password and no one knew what it was. They could only login with the guest account. I gave her this info and while logged in with the guest account they were able to reset the admin password with no problems.
I have yet to try this on Vista, I have Ultimate running at home and need to check it out.
-
Adam Says:
May 28th, 2008 at 8:28 amAwww.. I get “Access is denied.”
-
Ian Says:
June 4th, 2008 at 10:34 pmThis doesn’t work on XP professional SP2.
I get no errors, and the jobd is added, but the cmd never opens up.
So, this is not really useful, would be great if it worked.
-
Aanvals Says:
June 28th, 2008 at 12:52 amWorks good on my win xp sp 2. Make sure you set the time in military time. It was 11:30 pm when I ran this command, so i put 23:32 as the time.
-
AKEEM Says:
August 6th, 2008 at 6:24 amit is cool
-
sam Says:
September 26th, 2008 at 10:59 pmim kind of a newbie to compiling.i need to change the command from taskkill to tskill.so i was gonna change it.so how can i compile it into an exe like the downloaded program?
-
not-english Says:
February 5th, 2009 at 5:45 pmdamn
C:\Users\System32>at 00:44 /interactive cmd.exe
Warning: Due to security enhancements, this task will run at the time
expected but not interactively.
Use schtasks.exe utility if interactive task is required (’schtasks /?’
for details).
Access is denied.Can anyone help me? please mail me : Bellika2@hotmail.com
-
Sebastian Says:
April 2nd, 2009 at 3:13 pmI tried it on a Win2k computer, all I got was “Access Denied.”
