By: anoynemous

anoynemous — Fri, 07 Aug 2009 09:59:32 +0000

NOn sence and disgusting commands

By: scriptsrule

scriptsrule — Thu, 02 Oct 2008 11:11:03 +0000

doesn’t work

By: morphine

morphine — Tue, 11 Dec 2007 02:41:53 +0000

exploit is patched. no longer working

By: nx

nx — Wed, 08 Aug 2007 17:56:42 +0000

1. press “start”
2. run cmd
3. run at HH:MM /interactive “cmd.exe” (time HH:MM+1M)
4. press CTRL+ALT+DEL and disable explorer.exe (end process)
5.in new black window run explorer

After these commands starts SYSTEM account and make your new admin acount

enjoy!!!!!!

By: Rick Valstar

Rick Valstar — Mon, 23 Oct 2006 12:44:52 +0000

The LOGON.SCR trick does not work w/ current (all?) WXP installations on several fronts.

1) If you can replace logon.scr with cmd.exe, “Windows File Protection” (WFP) will undo it. So you’d have to be able to disable that first OR change the registry value for SCRNSAVE.EXE in [HKEY_USERS\S-1-5-18\Control Panel\Desktop] from logon.scr to cmd.exe

2) Assuming you get cmd.exe in as the screen saver for SYSTEM and wait the 10 +/- minutes, a CMD box will pop up as noted under the user SYSTEM.

3) You try to do a NET USER Administrator and you get “System error 5 has occurred. Access is denied” — how can this be? Isn’t SYSTEM all powerful?

4) SYSTEM is all powerful but Microsoft fixed this back door by removing almost all of SYSTEM’s privs. Running a “whoami /user /groups /priv” for a normal SYSTEM session (AT hh:mm /INTERACTIVE cmd) gives:

[User] = “NT AUTHORITY\SYSTEM”

[Group 1] = “BUILTIN\Administrators”
[Group 2] = “Everyone”
[Group 3] = “NT AUTHORITY\Authenticated Users”

(X) SeTcbPrivilege = Act as part of the operating system
(O) SeCreateTokenPrivilege = Create a token object
(O) SeTakeOwnershipPrivilege = Take ownership of files or other objects
(X) SeCreatePagefilePrivilege = Create a pagefile
(X) SeLockMemoryPrivilege = Lock pages in memory
(O) SeAssignPrimaryTokenPrivilege = Replace a process level token
(O) SeIncreaseQuotaPrivilege = Adjust memory quotas for a process
(X) SeIncreaseBasePriorityPrivilege = Increase scheduling priority
(X) SeCreatePermanentPrivilege = Create permanent shared objects
(X) SeDebugPrivilege = Debug programs
(X) SeAuditPrivilege = Generate security audits
(O) SeSecurityPrivilege = Manage auditing and security log
(O) SeSystemEnvironmentPrivilege = Modify firmware environment values
(X) SeChangeNotifyPrivilege = Bypass traverse checking
(O) SeBackupPrivilege = Back up files and directories
(O) SeRestorePrivilege = Restore files and directories
(O) SeShutdownPrivilege = Shut down the system
(X) SeLoadDriverPrivilege = Load and unload device drivers
(X) SeProfileSingleProcessPrivilege = Profile single process
(X) SeSystemtimePrivilege = Change the system time
(X) SeUndockPrivilege = Remove computer from docking station
(O) SeManageVolumePrivilege = Perform volume maintenance tasks
(X) SeImpersonatePrivilege = Impersonate a client after authentication
(X) SeCreateGlobalPrivilege = Create global objects

But running the same command from the LOGON.SCR replacement instance of CMD.EXE gives:

[User] = “NT AUTHORITY\SYSTEM”

[Group 1] = “BUILTIN\Administrators”
[Group 2] = “Everyone”
[Group 3] = “NT AUTHORITY\Authenticated Users”

(X) SeChangeNotifyPrivilege = Bypass traverse checking

That’s why this doesn’t work.

Rick Valstar
Star Consulting
r + last name + at + gmail + dot + com

By: bob

bob — Sat, 16 Sep 2006 07:37:50 +0000

why not just use the Offline NT Password & Registry Editor: http://home.eunet.no/pnordahl/ntpasswd/

By: Kris

Kris — Wed, 23 Aug 2006 20:07:12 +0000

Has anyone already tried this?
It looks very easy … maybe a little to easy?
A while ago I lost my XP password and it took me a lot of efforts to reset it.