# Win Xp Home : Locked out of Admin Access :P



## ilobmirt (Apr 21, 2009)

A friend of mine wanted me to help secure their PC for them. One of the things I wanted to do was to get them off admin privileges from their main account so that any rogue apps would also run with fewer privileges, thus possibly reducing the impact a virus may have on their system.

Desired Setup:

(old)   ---> (new)
name/privilege

Username/Administrators ---> Username/Users [Demote regularly used account]
Administrator/Administrators --> Guest1/Administrators [Disabled]
+ Username_root/Administrators [Allow root access when needed by user]
+ Administrator/Guests [Create spoof admin account]

I used MMC to edit the user accounts since it was more robust than going to "user accounts" in the control panel. Unfortunately, home editions of Windows XP don't like to play nice with advanced system tools. I thought I was being clever by circumventing the "I can't look at the users/groups locally cause I'm xp home edition" message by connecting to another computer with IP address 127.0.0.1 (loopback).

By using the loopback address to change user accounts on mmc, the following took place after re-boot...

Resulting Setup:

(old)   ---> (new)
name/privilege

Username/Administrators ---> Username/Users 
Administrator/Administrators --> Guest1/Administrators [Disabled]
+ Username_root/*Users*
+ Administrator/*Guests*

So it looks like the mmc module failed to apply any group changes to the user account at Administrators level. I wonder why this has happened and how I could possibly reverse these changes considering that my friend has no admin level accounts useable on that box. :X

In the meantime, I think I learned my lesson... Don't "hack" the crippled functionality of Windows XP Home by referring to 127.0.0.1 as the "target computer" in MMC.


----------
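The plan from the first post and the failure it ran into, modelled as an added example that is not part of the thread: it replays the listed changes on a constructed account table and shows how creating and verifying the replacement admin first, plus a "never remove the last usable admin" check, avoids the lockout. The step names, the `guard` option and the reordered plan are assumptions of this sketch; it only simulates and touches no real accounts.

```python
from copy import deepcopy

ADMINS = "Administrators"
# Constructed from the post's "old" column; account names are the post's placeholders.
START = {"Username": {"group": ADMINS, "enabled": True},
         "Administrator": {"group": ADMINS, "enabled": True}}
# The plan in the order the post lists it.
POST_PLAN = [("set_group", "Username", "Users"),
             ("rename", "Administrator", "Guest1"),
             ("disable", "Guest1", None),
             ("create", "Username_root", None),
             ("set_group", "Username_root", ADMINS),
             ("create", "Administrator", None),
             ("set_group", "Administrator", "Guests")]
# Same steps, with the replacement admin created and elevated before anything is removed.
SAFE_PLAN = POST_PLAN[3:5] + POST_PLAN[:3] + POST_PLAN[5:]

def usable_admins(state):
    """Enabled accounts that are members of Administrators."""
    return sorted(n for n, a in state.items() if a["group"] == ADMINS and a["enabled"])

def step(state, op, name, arg, elevation_works):
    """Apply one change; an elevation that 'fails' is dropped silently, as in the post."""
    if op == "create":
        # Model assumption, matching the post's result: new accounts land in Users.
        state[name] = {"group": "Users", "enabled": True}
    elif op == "rename":
        state[arg] = state.pop(name)
    elif op == "disable":
        state[name]["enabled"] = False
    elif op == "set_group" and (arg != ADMINS or elevation_works):
        state[name]["group"] = arg

def apply(plan, elevation_works=True, guard=False):
    """Run a plan; with guard=True, refuse any step that would leave no usable admin."""
    state, refused = deepcopy(START), []
    for op, name, arg in plan:
        trial = deepcopy(state)
        step(trial, op, name, arg, elevation_works)
        if guard and not usable_admins(trial):
            refused.append((op, name))
        else:
            state = trial
    return state, refused

if __name__ == "__main__":
    for label, plan, works, guard in [("post plan, elevation dropped", POST_PLAN, False, False),
                                      ("safe plan, guarded, elevation dropped", SAFE_PLAN, False, True),
                                      ("safe plan, guarded, elevation works", SAFE_PLAN, True, True)]:
        state, refused = apply(plan, works, guard)
        print(f"{label}: admins={usable_admins(state)} refused={refused}")
```
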



## ToeClaws (Apr 23, 2009)

Unfortunately yes - XP Home is a crappy version of XP with crippled or missing tools.  You could try to use the "Users" configuration system in the control panel and see if it offers the ability to elevate an account again, but if not, you might be left with using either a Linux hack tool, or just reinstalling the system (and preferably putting on Professional instead of Home).

There are a bunch of Linux type utilities you can use to reset passwords, but I'm not sure about resetting privileges with them.  One I have used in the past: http://home.eunet.no/pnordahl/ntpasswd/


----------



## net-cat (Apr 23, 2009)

Echoing support for NTPASSWD.

Saved my ass more than a few times at work.


----------



## Irreverent (Apr 23, 2009)

If I read the OP's post correctly, he has the administrator account, but has modded it to have no privileges.  In which case, a password reset won't help.  Is this the case, Ilobmirt?


If true, you'll need something that will allow an account in the SAM to have its privileges elevated.  Easy to do with a virus.....can't recall a Linux util that will do this.

Sounds like a re-install is in order.


----------



## ilobmirt (Apr 23, 2009)

*ToeClaws -* I'd love for them to use an ACTUAL operating system. But that is aside from what they asked me to do. Perhaps another time... =P_P=

*Netcat + ToeClaws -* NTPASSWD seems like an interesting tool. I do still have that locked out admin account. If NTPASSWD can unlock that account, I'd be golden and could start undoing my silly mistake =X_X= *fires up his XP Virtual machines*

*Irreverent -* I changed the system's administrator account to be renamed as "Guest1". I then created a spoof account called "Administrator" in case a virus might want to run under that username. So really, the win xp "root" is still there, it's just under lock and key.


----------



## ilobmirt (Apr 23, 2009)

Here's an interesting idea....

1. Fire up a healthy win xp vm
2. Copy the SAM file from the healthy Win xp vm
3. Replace the SAM file on the problem machine with the copy taken from the healthy vm.

I am not sure of this, but aren't the SAM files found in Windows containing more than just users/passwords, but their privileges and status (enabled/disabled)?

Hopefully, there would be no problems with replacing one SAM file with another. *>_>*


----------



## net-cat (Apr 23, 2009)

Last I checked, NTPASSWD can't change user groups. It can, however, unlock disabled accounts. That would be your best bet. I can't say for sure on the SAM transplant thing, but I doubt it would work as the users wouldn't have the same SIDs.


----------



## ToeClaws (Apr 23, 2009)

ilobmirt said:


> *ToeClaws -* I'd love for them to use an ACTUAL operating system. But that is aside from what they asked me to do. Perhaps another time... =P_P=



Well then that rules out Windows. :mrgreen:  (booo... I know, but that was so walked into) 

I don't think the SAM transplant would work because Windows generates a hash code to represent the users in the registry, and that might vary from copy to copy. :/


----------



## ilobmirt (Apr 23, 2009)

*ToeClaws + Net-Cat -* Thank you for recommending this tool to me. Playing around with it on my XP Pro machine, I purposely disabled all accounts and  demoted them to guest permissions. By booting NTPASSWD, I was able to successfully elevate user permissions and re-enable them again. I certainly do hope this works with what my friends have. If all else fails, I got an XP Pro disk with their name on it with a stack of dvds for cheap data backup. :3

*ToeClaws -* *chuckles* it certainly does. =^_~= Unixes for the win!!! I'm hoping later to "wow" em with Compiz fusion and give em compatibility with W.I.N.E. for starters. Perhaps I should roll my own distro and tweak it for a basic desktop user's needs. (Alas, I should leave that for another thread ;P)


----------



## ToeClaws (Apr 23, 2009)

ilobmirt said:


> *ToeClaws + Net-Cat -* Thank you for recommending this tool to me. Playing around with it on my XP Pro machine, I purposely disabled all accounts and  demoted them to guest permissions. By booting NTPASSWD, I was able to successfully elevate user permissions and re-enable them again. I certainly do hope this works with what my friends have. If all else fails, I got an XP Pro disk with their name on it with a stack of dvds for cheap data backup. :3



Most welcome - just like NetCat, it's saved my butt (or rather, a former company's butt) many times.



ilobmirt said:


> *ToeClaws -* *chuckles* it certainly does. =^_~= Unixes for the win!!! I'm hoping later to "wow" em with Compiz fusion and give em compatibility with W.I.N.E. for starters. Perhaps I should roll my own distro and tweak it for a basic desktop user's needs. (Alas, I should leave that for another thread ;P)



Nah - why bring about that much work for yourself?  There's already SO many distributions of Linux/Unix that there's surely one that would suit them if you wanted to have them try.  

I know how you feel though - was trying to help a retired neighbour couple with a PC they couldn't get access to anymore.  It had a pirated copy of XP Pro on it, which no longer even lets them log in 'cause they've apparently been getting the Genuine advantage warning for over a year.  I said they had a license for Home, not XP (and they no longer had any install discs), but after I explained their various options, they're willing to try out Linux or Unix and see if they like it better, so gonna give it a shot.

Let us know how your adventure turns out.


----------



## ilobmirt (Apr 24, 2009)

*ToeClaws -* Of course :3 I'll be back up at my friend's place in one week. I'll let you guys know how it all turns out.


----------



## ilobmirt (May 3, 2009)

Alrighty... after having access to my friend's computers again, I was successfully able to correct the issue at hand thanks to ToeClaws and NetCat for recommending NTPASSWD.

Wewt! =^_^=


----------

