How to elevate your administrator rights to the rights of the SYSTEM account.



**Note: I did not write this up so that someone can illegally break into a computer; that is lame and in no way can it be called
hacking. I am absolutely not responsible for the (mis)use of this knowledge / the listed tools and I do not encourage
illegal actions with this text.**



Why would we want this?:

It might happen sometime that you would like to access a folder that was created by Windows, and when you double-click it
you get "Access Denied". This can be very frustrating, especially when you have accidentally moved some
important files into it (this happened to someone not so long ago).

Or you might want to learn more about how the Windows registry works, and you will find out that with this technique
you are able to view more keys than with your normal administrator account. This restriction exists to protect Windows'
important data, but hey, we would like to know more, wouldn't we ;-)?
One of those keys is located at HKEY_LOCAL_MACHINE\security\; here you can see for yourself what the difference
is. (ALWAYS create a backup of the registry before messing with it!)

One other reason might be that you would like to access the files of another account on your computer, which might have
access rights set or might be encrypted using the NTFS encryption called EFS (Encrypting File System).
This of course should only be done with permission from the owner of those files.

There might be other reasons you can think of, but these are the ones I use it for.


How does it work?:

Well, it's pretty simple: in Windows there are several services running in the background under the SYSTEM account.
We can use one of those services to elevate our rights by perfectly normal means. This will be the "Scheduler" service.

The scheduler is a service which allows you to run any program at a particular time, for a given number of times.
It allows you to schedule a task, and that task will be a child process of the scheduler service.
This means it inherits the same rights as its parent process (the scheduler).

So if the scheduler is running under the SYSTEM account, anything we start from it will also run under the SYSTEM
account.
You can hand a job to the scheduler by typing the following command at the command prompt: "at XX:XX < option > < application >",
where XX:XX stands for the time at which you wish the program to start (run the command without the " quotes).


Let's use this knowledge:

Now we would like to elevate our rights, so we decide to have the scheduler start Task Manager 1 minute from now with the following command:
"at XX:XX /interactive taskmgr" (run the command without the " quotes), where XX:XX is the current time + 1 minute,
e.g. 14:34. This command will make Task Manager pop up in 1 minute.

When Task Manager has popped up, you can use it to start any other command, which will also inherit the
SYSTEM rights.
This is what I usually do:
kill explorer.exe, then click on the "New Task" button in Task Manager, type "explorer.exe" (without quotes)
and hit < Enter >. Now the taskbar and desktop will be loaded again, but this time with SYSTEM rights.
This means you have a complete GUI running under the SYSTEM account!!

Now you can access whatever you like from there, and you will soon see that you can access a lot more than you can with
your administrator account!

This however is not permanent: when you log off (or shut down) the computer, you will have your normal rights back again,
so you would have to perform this action every time you need it.
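From the other side of the fence: everything in the "How does it work?" and "Let's use this knowledge" sections leaves traces an administrator can look for, namely the account the Task Scheduler service runs under, a scheduled job whose principal is SYSTEM and whose action is an interactive tool, a desktop shell (explorer.exe, taskmgr.exe) owned by SYSTEM, and the Security-log record of the task being created. The PowerShell audit script below is an added example written for this page, not code from the original author. It assumes PowerShell 5.1 or later on a Windows host where the CIM cmdlets are available, an elevated prompt, the ScheduledTasks module (Windows 8 / Server 2012 or later) for the task inventory, and that legacy "at" jobs show up as tasks named At1, At2 and so on; the list of "interactive tools" and the field indices used for event 4698 are my own assumptions. Note that on Windows Vista and later, services live in session 0 and at.exe has been deprecated in favour of schtasks.exe, so the interactive pop-up described in the text is a feature of older Windows versions.

```powershell
# Added audit script (not part of the original text). Assumes PowerShell 5.1+ on
# Windows with the CIM cmdlets, an elevated prompt, and the ScheduledTasks module.

# The executables the text uses as a foothold; extend this list to taste (assumption).
$InteractiveTools = @('taskmgr.exe', 'cmd.exe', 'explorer.exe', 'powershell.exe')

# 1. Which account does the Task Scheduler ("Schedule") service run under?
#    The whole technique rests on this being LocalSystem.
function Get-ScheduleServiceAccount {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartName = $svc.StartName   # e.g. "LocalSystem"
        PathName  = $svc.PathName
    }
}

# Helper: does any action of the task launch one of the interactive tools?
function Test-TaskLaunchesInteractiveTool($task) {
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }          # COM-handler actions have no Execute
        $exe = [System.IO.Path]::GetFileName($a.Execute.Trim('"')).ToLower()
        if ($InteractiveTools -contains $exe) { return $true }
    }
    return $false
}

# 2. Scheduled tasks running as SYSTEM whose action is an interactive tool.
#    Legacy "at" jobs appear as tasks named At1, At2, ... (assumption).
function Get-SuspiciousSystemTasks {
    Get-ScheduledTask | Where-Object {
        ($_.Principal.UserId -in @('SYSTEM', 'S-1-5-18')) -and (Test-TaskLaunchesInteractiveTool $_)
    } | Select-Object TaskName, TaskPath, State,
        @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
}

# 3. Desktop shell processes owned by SYSTEM. A SYSTEM-owned explorer.exe is exactly
#    the end state the text describes and is not produced by a normal logon.
function Get-SystemOwnedShellProcesses {
    $filter = "Name='explorer.exe' OR Name='taskmgr.exe' OR Name='cmd.exe'"
    foreach ($p in Get-CimInstance -ClassName Win32_Process -Filter $filter) {
        $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
        if ($owner.ReturnValue -eq 0 -and $owner.User -eq 'SYSTEM') {
            [pscustomobject]@{
                ProcessId   = $p.ProcessId
                Name        = $p.Name
                Owner       = "$($owner.Domain)\$($owner.User)"
                ParentPid   = $p.ParentProcessId   # chains back to the scheduler service host
                CommandLine = $p.CommandLine
            }
        }
    }
}

# 4. Security log: event 4698 ("A scheduled task was created") records who created
#    the task and its XML definition. Needs "Audit Other Object Access Events" enabled;
#    otherwise the query returns nothing. Property indices follow the 4698 field order
#    (SubjectUserSid, SubjectUserName, SubjectDomainName, SubjectLogonId, TaskName, TaskContent).
function Get-RecentTaskCreationEvents {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    try {
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = $since } -ErrorAction Stop |
            Select-Object TimeCreated,
                @{ n = 'CreatedBy'; e = { "$($_.Properties[2].Value)\$($_.Properties[1].Value)" } },
                @{ n = 'TaskName';  e = { $_.Properties[4].Value } }
    } catch {
        Write-Warning "No 4698 events found or Security log not readable: $($_.Exception.Message)"
    }
}

Write-Host '== Task Scheduler service account ==';        Get-ScheduleServiceAccount    | Format-List
Write-Host '== SYSTEM tasks launching interactive tools =='; Get-SuspiciousSystemTasks     | Format-Table -AutoSize
Write-Host '== Shell processes owned by SYSTEM ==';          Get-SystemOwnedShellProcesses | Format-Table -AutoSize
Write-Host '== Task-creation events (last 24h) ==';          Get-RecentTaskCreationEvents  | Format-Table -AutoSize
```

On a clean workstation sections 2 and 3 should come back empty; a hit in section 3 with a ParentPid that traces back to the scheduler's service host, together with a matching 4698 event from a non-administrative account, is the signature of the procedure in the text. Because the elevated desktop disappears at logoff (as the text notes), the 4698 record is the part that survives, which is why enabling that audit category matters more than the live checks.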


Be careful what you do with it, because when you do something wrong you could end up destroying your Windows installation and you would
have to reinstall again!!




regards,


White Scorpion