XP – Get System User
In Windows XP, the System run level is higher than Administrator and has full control of the operating system and its kernel. When you hit Ctrl+Alt+Tab and get to the Task Manager process list, you will see that the System user controls several processes.
Most System processes are required by the operating system and cannot be closed, even by an Administrator account. Attempting to close them will result in an error message. Under normal circumstances, a user cannot run code as System; only the operating system itself has this ability. By using the command line, however, we will trick Windows into running our desktop as System, along with all applications that are started from within it.
Changing your administrator password on Windows XP may be necessary at times, depending on the scenario. One such technique, with a full desktop available to you, is also possible.
Let's get rolling:
1. Open up a command prompt and type:
at
If it responds with an “access denied” error, then we are out of luck, and you’ll have to try another method of privilege escalation; if it responds with “There are no entries in the list” (or sometimes with multiple entries already in the list) then we are good. Access to the at command varies: on some installations of Windows even the Guest account can access it, while on others it’s limited to Administrator accounts.
2. If you can use the at command, which is basically a task scheduler, then enter a command similar to mine:
at 23:27 /interactive "cmd.exe"
The time is usually a minute (or two) ahead of your present time, in 24-hour format.
3. When the system clock reaches the time you set, then a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the task scheduler service, which runs under the Local System account). It should look like this:
You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host).
4. End the current Explorer.exe. [hit ctrl+alt+del->task manager->processes]
5. At the system command prompt, enter in the following:
explorer.exe
6. Voila! …user System logged in!
7. Stuff you can do!
8. Log out to get back to your normal user
FIX: Open the services control panel (Start > Run > services.msc) and disable the Task Scheduler service.
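The FIX above, applied and verified from an Administrator command prompt instead of the services control panel. This is an added example, not part of the original post, and it assumes the Task Scheduler service has its default Windows XP service name, Schedule.

```batch
@echo off
rem Added example: audit, apply and verify the FIX described above.
rem Assumption: "Schedule" is the service name of Task Scheduler on this machine.

echo === Current state of the Task Scheduler service ===
sc query Schedule | find /i "STATE"
sc qc Schedule | find /i "START_TYPE"

echo === Jobs already queued through at ===
rem Review this list first: anything unexpected here was scheduled to run as System.
at

echo === Disabling and stopping the service ===
sc config Schedule start= disabled
if errorlevel 1 (
    echo Could not change the start type. Run this from an Administrator account.
    exit /b 1
)
rem Stopping fails harmlessly if the service is already stopped.
sc stop Schedule >nul

echo === Verifying ===
sc qc Schedule | find /i "DISABLED" >nul
if errorlevel 1 (
    echo FAIL: start type is not DISABLED.
    exit /b 1
)
sc query Schedule | find /i "RUNNING" >nul
if not errorlevel 1 (
    echo FAIL: service is still running.
    exit /b 1
)
rem With the service stopped, at answers "The service has not been started".
echo OK: Task Scheduler is disabled and stopped.
```

Disabling the service also stops every legitimate scheduled task on the machine, so check the at listing and the Scheduled Tasks folder before relying on this fix.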









whoooooooaaaaaaaaa!
divyad
March 5, 2007
you might want to use some of these
->
http://www.microsoft.com/technet/sysinternals/Processesandthreadsutilities.mspx
Sharath
March 5, 2007
Btw, nice theme bob!
Sharath
March 5, 2007
In an updated system it doesn’t work.
This isn’t such a new hack!
wisher
April 5, 2007
@wisher- The screenshots are from a PC running a licensed copy of XP with SP2 and all the security patches thereon. Is your Task Scheduler service enabled?
Nirmal
April 5, 2007
My account is under administrative and I can’t even look into my account under the control panel. I don’t have an administrative password for this computer. The person I bought the computer from was moving out of town and I have no way of contacting him. How can I go about getting into my administrator account to find the password? Please help.
Taydren
June 28, 2007
Hello, it's me, Riaz, and I am unable to get the rights. It's not working in my lab, don't know why…. Please give me some alternative.
Riaz
September 12, 2007
system pwns!
mekial
September 17, 2007
@Riaz- could you tell me specifically where you get stuck?
nirmalthacker
September 17, 2007
How can you do this if you are not an administrator?
Thanks
Jake
October 3, 2007
Jake, yes it should work if the task scheduler is enabled
nirmalthacker
October 3, 2007
I have a problem. I deleted the system as a user! I lost boot on my computer. Can anyone help? I tried all the usual recovery methods. I need to reinstate the system user somehow?
James
November 13, 2007
Whoops- I don't think it's possible for you to create a system user. How did you delete it, btw?
nirmalthacker
November 14, 2007
How can you add System User to the Welcome Screen?
Mark
December 15, 2007
You can't.
nirmalthacker
December 15, 2007
Hi, when I do the first step in CMD I get this error saying
“the service has not being started”
Can you please help me?
Riley
December 24, 2007
Did everything right up to and including explorer.exe but still didn't get system rights, still comes up user1. I have administrator rights in system prompt, still says svchost.exe, but can't download another antivirus or use system tools. Any ideas? Cheers.
james
January 24, 2008
“In an updated system it doesn’t work.
This isn’t such a new hack!”
If it's updated, how can we access it?
Frederic
February 8, 2008
Access denied. The more I look around, after logon trojan, the less can do. services.msc task scheduler is enabled. I don’t want to use 3rd party stuff. Like learning security/OS this way like you. Rtvscan.exe process running. Please email. Thanx.
charlie
March 15, 2008
Charlie, I have still not understood the problem – could you tell me where you get stuck?
nirmalthacker
March 15, 2008
Could you e-mail instead? I cannot do admin stuff even though “generically” logged on. at doesn’t work and cannot get into user accounts. I can do services.msc. I guess spybot and Symtc antivirus rtvscan saveroam running from taskmgr. I have physical access and am working on clone so don’t mess up original. I can try anything you want. charlie.
charlie
March 22, 2008
Shweet
Zell Faze
April 7, 2008
It doesn’t work for me.
I type in the command and it schedules it, and when I look in the Task Manager I see cmd.exe under System, but I never get the command prompt to come up.
I have Windows XP Media Center Edition SP2.
Vader347
April 20, 2008
I am not sure what the problems are- I wrote this post a while back (almost a year)- and I'm not in sync on whether any patches have covered this issue or it is still vulnerable. I assume the readers will experiment with various configurations and try them out – I’ll be glad to help if I can.
@vader- I wouldn't know if this would work on the Media Center- I think it should. You say that the cmd.exe is scheduled – then you should get another command prompt. Have you tried steps 4 and 5- what happens there?
nirmalthacker
April 20, 2008
Great. Thank you
Regina
June 13, 2008
When I tried to add the job to schedule it shows access denied in cmd prompt!!
Any other way!!
anonomu
November 16, 2008
This was a really long time back, people- I'm afraid I don't run XP anymore so I will not be able to try and solve any issues here. Besides, I'm sure MS would have patched this up.
You could go ahead and use the thread to keep discussions on if any of you are still trying this out.
nirmalthacker
December 6, 2008
It says that the service has not been started.
Ojowachant
January 20, 2009
afaik, people are requested to use schtasks instead of at.
If my memory serves me right, schtasks /ru "SYSTEM" /sc minute /mo once /tn systemcmd /tr cmd.exe
someguy
March 13, 2009
When I type the at (insert time here)/interactive “cmd.exe” it just says “The service has not been started”. What does that mean? By the way, I am doing this on the “computer” Administrator account, not my regular limited account. Will it work on a limited account???? limited account.
Janie
May 15, 2009
very very good hack
aasasas
June 10, 2009
million thanks, I’m using Hudson and it’s using System User to log into the slave. This article helped me out.
Thanks once again
Ju Huynh
July 28, 2009
I’m able to schedule cmd.exe and see the process appear in the Task Manager (owned by SYSTEM, alongside the existing one run from my account), however no window shows up – it appears to be running but I can’t see or touch it. Any ideas?
gws
August 7, 2009