Page 1 of 2 12 LastLast
Results 1 to 10 of 11
  1. #1

    Windows Power Users


    By default, the rights and permissions that are granted to the Power Users group include those rights and permissions that are required to allow members of the Power Users group to modify computer-wide settings, to install drivers, and to run (or install) non-certified programs. For example, a member of the Power Users group could install a malicious program or a DLL, and then cause the administrator or a system service to run the malicious program or the DLL. By using this technique or other techniques, the member of the Power Users group may be able to gain additional rights and permissions on your computer, including complete administrative credentials.
    How would one go about accomplishing this?

  2. #2
    Senior Member
    Join Date
    Dec 2003
    Pacific Northwest
    Hey Soda,

    Been digging around and of course haven't found anything real specific provided by MS as to "how". So in part this is probably a regurgitation of your post.

    But the default Power User does have permission to run/install legacy programs/applications. The legacy program could become a host for a malicious program or .dll. And:

    Running legacy programs on Windows 2000 or Windows XP Professional often requires you to modify access to certain system settings. The same default permissions that allow Power Users to run legacy programs also make it possible for a Power User to gain additional privileges on the system, even complete administrative control.

    It's interesting that they say he can gain "complete administrative control", but by default a Power User does not have permission to become a member of the Admin Group. Seems he can elevate his privileges then.

    You have my interest up, so I'll be following this thread looking forward to the learning opportunity as well. Thanks for the thread.

    Connection refused, try again later.

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    Without looking into it... it seems to make sense to me..

    There are two scenerios that I can think of...

    A) Power User installs legacy software that requires a start-up service... because a Power User has permission to install, the start-up service is added... This start-up service could run in the context of local system... local system would be able to escalate the power users permissions..

    B) Power user installs legacy software... Administrator starts that software... the software has a background command to increase the Power Users permission..

    I suppose technically there's a third scenerio... Since the poewr user can adjust DLLs, they could replace a DLL with one with malicious system call... the next that DLL is accessed, the user could exploit the malious call that they've added to it... and increase their own level...

    When you give a user that much power (to install and add/remove) you give them total access in the end... they just have to work a little to gain it.... The KB is basically Microsoft saying, this user account is too powerful...

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Right, I can understand a power user having code somewhere... Even a user can download some malicious code. Then an admin can come around and run it, game over.

    But that's weak. Do power users have enough privledges to auto start software? I thought power users don't have that privledge...


  5. #5
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    According to that link, they don't... Interesting... I'd like to test it and see what happens....

    Anyways... this is just an informational post... it's saying that Power Users aren't regular users... It is rather weak.. Think of it as a CYA entry.... the Microsoft site has plenty of them...

    Check out www.threatcode.com... Apparently it has to do with improper coding and not following Microsoft security concepts (writing to public sections of the registry, storing data in %program files% instead of %appdata%) and other things... It was on a german forum that came up when I searched and included the link to threatcode..

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  6. #6
    Senior Member
    Join Date
    May 2004
    check, Mark from sysinternals has to say something about the power users group,
    Excuse me, is there an airport nearby large enough for a private jet to land?

  7. #7
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    If I remeber as a power user you have access to the default user and local machine registry hives. You can pretty much install what you want using the run keys in the registry. It wouldn't even be too hard to write a script that verifies if the person who is connected after you is a member of the administrators group. If they are then do X if they are not then do nothing so you dont give any error messages.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

  8. #8
    I did see a number of .exeís and .dllís in the list, though, so I examined them for possible exploits. Most of the executables for which Power Users has write access are interactive utilities or run with reduced privileges. Unless you can trick an administrator into logging into the system interactively, these canít be used to elevate. But thereís one glaring exception: ntoskrnl.exe:

    Thatís right, Power Users can replace or modify Windowsí core operating system file. Five seconds after the file is modified, however, Windows File Protection (WFP) will replace it with a backup copy it retrieves, in most cases, from \Windows\System32\Dllcache. Power Users doesnít have write access to files in Dllcache so it canít subvert the backup copy. But members of the Power Users group can circumvent WFP by writing a simple program that replaces the file, flushes the modified data to disk, then reboots the system before WFP takes action.
    Replacing Ntoksrnl.exe isnít the only way to punch through to administrative privilege via the \Windows directory, however. At least one of the DLLs for which default permissions allow modification by Power User, Schedsvc.dll, runs as a Windows service in the Local System account. Schedsvc.dll is the DLL that implements the Windows Task Scheduler service. Windows can operate successfully without the service so Power Users can replace the DLL with an arbitrary DLL, such as one that simply adds their account to the Local Administrators group. Of course, WFP protects this file as well so replacing it requires the use of the WFP-bypass technique Iíve described.
    That doesnít mean that \Program Files doesnít have potential holes. When I examined the most recent output I saw that Power Users can modify any file or directory created in \Program Files subsequent to those created during the base Windows install. On my test system \Program Files\Vmware\Vmware Tools\Vmwareservice.exe, the image file for the Vmware Windows service that runs in the Local System account, was such a file. Another somewhat ironic example is Microsoft Windows Defender Beta 2, which installs its service executable in \Program Files\Windows Defender with default security settings. Replacing these service image files is a quick path to administrator privilege and is even easier than replacing files in the \Windows directory because WFP doesnít meddle with replacements.
    The remaining area of exploration was Windows services. The only service permissions AccessChk considers to be write accesses are SERVICE_CHANGE_CONFIG and WRITE_DAC. A user with SERVICE_CHANGE_CONFIG can configure an arbitrary executable to launch when a service starts and given WRITE_DAC they can modify the permissions on a service to grant themselves SERVICE_CHANGE_CONFIG access. AccessChk revealed the following on my stock Windows XP SP2 system:

    I next ran PsService to see the account in which the DcomLaunch service executes:

    Thus, members of the Power Users group can simply change the image path of DComLauncher to point at their own image, reboot the system, and enjoy administrative privileges.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    I think we can all agree here that, for the most part, the Power Users is a "cheat" on MS' part to circumvent thier own security model. OTOH, the threat is confined to either people who have physical access to the box or people who have already elevated thier privileges to that of a Power User. In either case you really do have bigger problems than the simple fact that someone is operating under this context.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Hey Tiger -

    There can potentially be other services that introduce exploits in their security. The default permissions Windows sets on services created by third-party applications do not allow Power Users write access, but some third party applications might configure custom permissions to allow them to do so. In fact, on my production 64-bit Windows XP installation AccessChk reveals a hole that not only Power Users can use to elevate themselves, but that limited users can as well:

    Also, where do you get the idea that physical access to the box is required?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

We have made updates to our Privacy Policy to reflect the implementation of the General Data Protection Regulation.