Cheat Engine

[Twilly]

So... I was able to become Administrator from Guest using this method...

echo off
title Please wait...
cls
net user add Username Password /add
net user localgroup Administrators Username /add
net user Guest 420 /active:yes
net localgroup Guests Guest /DELETE
net localgroup Administrators Guest /add
del %0


Copy this to notepad and save the file as "Guest2admin.bat"
then u can double click the file to execute or run in the cmd.

Is it possible to change to code and become Administrator on a Limited User? If so, how do I edit the code?

[Saifallofjmr]

net localgroup Administrators username /add

[Haswell]

You will get Error Code 5, access denied.

[Saifallofjmr]

net localgroup Administrators Administrator /add
but run that inside your "admin" account you made for yourself.


Error code 5 is just the error for you dont have that authorization for it

[Haswell]

Error code 5 applies to every non-administrator account if they don't have the rights to edit the account' access levels.

Just boot in safe mode with command prompt and you're set to do whatever you want in the admin account.

[Polynomial]

Actually Freelancer, that's not true in new installs. Any XP installation bundled with SP2 or above and any Vista installation requires you to add a password to the administrator account.

You can use the at command in XP SP1 and below to elevate processes to the SYSTEM account from a limited user account. You can still do it in SP2+ but you have to have an admin account anyway.

This means you get full access to all processes running on the system, even under other users (in the case of multi-logon servers such as mainframes). You are giving the processes the highest authority possible, above all other administrator accounts, so be careful.

One benefit is that you can change the process priority of SYSTEM processes. Task manager itself won't allow you to mess with processes like lsass or winlogon, but procexp from sysinternals will. I will warn you however - do not close lsass/winlogon, as you'll get a bluescreen. Also, do not execute explorer.exe under SYSTEM, as it'll reset all of your Windows settings back to default.

Syntax of at is:
at [time] /interactive [task]

For example, to run a command prompt at 5:37pm I'd type:
at 17:37 /interactive cmd.exe

You can also add parameters:
at 17:37 /interactive cmd.exe /k dir C:\

In my opinion the best way to mess with Windows without an admin account is a live bootable OS on a CD. You can get many distros of linux on live CDs, including Ubuntu (install CD is also a Live CD) and Knoppix (separate Live CD). As linux doesn't adhere to the Windows access policy (NTFS ACLs are ignored) you can just browse away at the files and do what you want without ever even booting into Windows. If you're not a big fan of linux, there's a Windows Live CD project called BartPE. This requires you to have a Windows installation CD to hand, and puts you into the pre-install environment which Windows Setup uses to go through the installation wizard - the difference being that you actually get to run applications. The downside to this is that you're running in a restricted safe mode, which has limited applications support. The OS will also still adhere to certain access policies.

[Twilly]

[Haswell]

To my knowledge, at merely schedules a task to run at a specific time.

I've heard rumors of task-killing explorer.exe and starting it again from the WINDOWS folder, but I doubt that will work, since it's the security policy of an account that governs its access rights, and only an administrator can edit the policies.

What you are asking is whether gaining administrative access from a limited account is possible. From my experience, no. But theoretically, it is possible.

The simplest way is to boot using a LiveCD and change the admin account's password using NTPWEdit (also on the CD), or extract the local SAM and use Ophcrack to crack the password. Note that the SAM is locked out when an account is logged in, which means no copying, reading, or editing. The method using a Ophcrack LiveCD is also possible, but I haven't tried it, so I don't know how it will work.

Another method I thought up (but not tried): alter boot.ini, add a few command lines in to extract the SAM to your account's desktop, run Ophcrack to crack the password.

[NINTENDO]

I haven't read all posts but a limited user should not be able to alter this kind of information. Becuase if they could then there wouldn't be something such as a "limited" user.

[Saifallofjmr]

Okay dude pretty much your gonna have to do a SHITLOAD of technical shit in order to fix it.

It would be much easier if you just downloaded windows 7 and call it at that done.

[Polynomial]

Freelancer - The at command adds a task to the Task Scheduler service. Run services.msc and look for it, and view its properties. In the Log On tab, you'll see that it runs under the Local System account. The service makes the mistake of launching the process using ShellExecuteEx without passing user parameters. The OS assumes that the task should be ran under the same account as the calling process.

KaninKnull - The at command privelidge escalation is a flaw in the windows service model. You can't execute the at command in a limited account in XP SP2+. However, you can still gain access to SYSTEM using at in all versions of XP if you have an Administrator account. In Vista, the task is executed in the account that called requested the task.

Twilly - Running explorer.exe in the SYSTEM account will cause all settings related to Explorer back to defaults. This includes any custom folder views, explorer bookmarks, file view settings, etc. When logging into an account for the first time, Windows does this to initialise the account to default. This won't help you get into the system though.

You can overwrite the SAM file using NTPWEdit in a LiveCD as Freelancer suggested, though this is not guaranteed to work and can cause serious system corruption. Make a backup of all files in C:\Windows\system32\config before using it. The idea is that you recreate the SAM file to allow you to log in, then restore the original SAM file afterwards. This is like replacing the lock in a door instead of trying to recreate the key. You could try Ophtcrack, but it's sloooow and processor intensive. It could take hours or days to break the account. However, you still need to be able to boot from a CD.

If you can't get at the BIOS due to a password, you could try downloading the BIOS flash utility from the manufacturer's website and then flash it using a floppy disk. Newer BIOSes (Asus in particular) might stop you from flashing without the BIOS password. Some allow you to flash the BIOS, but the password remains intact. If you have a DualBIOS board, you might be able to access the DualBIOS utility and copy from the backup (which will have no password).
And before you try and fail - performing a CMOS reset via the jumper or by removing the battery will not work, as the BIOS password is stored in a solid state chip.

[Luigi]

1. Easier method: Get cain & abel. Crack the admin password. Takes no more than half a second.
Tell it to dump LSA secrets or whatever. Look for A.d.m.i.n.i.s.t.r.a.t.o.r. On the right, you should see the password.

And the reason why the cmd method does not work: The guest account is pretty much a limited account. There is no super awesome secret bypass when using command prompt.

[Polynomial]

The installation of Cain & Abel won't work on his limited account. I've tried it before, it does not work.

[iTz SWAT]

[Polynomial]

This is the problem, he can't boot from CD because the BIOS is passworded.