Hidden Admin account on Win7

[silenthunder]

For those of you Windows 7 that don't know, the default administrator that used to be on Windows XP still exists in Win7, but it is hidden and deactivated by default. This makes any computer running Win7 100% vulnerable to on-site attacks, all you need is a Win7 installation DVD (not startup repair, the actual install disc).

Say you're at school using a computer on a standard user account that has no administrator rights or privileges. If you're like me and want a clean desktop, you need admin rights to delete certain icons like flash player, java, etc. If you want to install a game/program to that computer, you need admin rights. If you want to allow the computer to update the java to get rid of that stupid pop-up saying there's a new version of java (cuz you know the school's not going to maintain them..), you need admin rights. So you happen to come across a Win7 Installation DVD laying around in you're computer teachers desk, go ahead and borrow it for a few seconds.

Step 1: Shut down the computer.
Step 2: Boot the computer from the disk. (tip: after you choose boot from disk, get ready to press any button, as it will flash across the screen to push any button or it will skip to normal boot)
Step 3: Choose language and OS
Step 4: Click "repair you're computer"
Step 5: Choose to repair it using various tools (not sure of the actual wording on that, but you get the point.)
Step 6: run CMD
Step 7: type "net user administrator /active:yes" and hit enter
Step 8: type "net user administrator password" and hit enter (substitute "password" for whatever password you want)
Step 9: Take out the DVD, reboot the computer, log on as the administrator
Step 10: Have fun with you're new admin account

This only works on the ONE computer that you did this on, so if you're working with a huge network of computers and you want to be able to use this account on all of them, you have to do the same thing to all of them.

OR

Once logged on as the administrator, add you're real account (or create a new one) to the administrator's group and give it all the rights possible.

Kindof a herp-derp no brainer, but sometimes people are so focused on the awesome bad-ass hard way of doing things that they forget that there IS easier ways to do things. If you don't have access to an installation disc at all, download a Win7 ISO or IMG file and make one. The rumors about those discs not working because the disc doesn't have the protection seal on it are false, I've done it a number of times. This method is also very discrete and it's impossible (unless I overlooked something) to tell that the account was ever activated or used unless somebody is specifically looking for the usage of that account.

[iTpHo3NiX]

Only problem with this is most schools have their computers imaged on a network. So instead of it loading the the OS, it actually loads the OS from the network which when rebooted everything gets reset to their factory image.

Another quick way is press Windows+R and type in "control userpasswords2" and you might just be able to set up an admin account.

Also most school computers still Run XP. I don't know though it might have changed as I havent been in school for like 4 years

[silenthunder]

Only problem with this is most schools have their computers imaged on a network. So instead of it loading the the OS, it actually loads the OS from the network which when rebooted everything gets reset to their factory image.

My school is this way, but I was just using schools as an example. It could be any situation, like breaking into someones house for data on their computer, or if you're like me the school give's you the old computers that break down and would otherwise be ultimately thrown away..

Also most school computers still Run XP. I don't know though it might have changed as I havent been in school for like 4 years

A lot of schools still do, but it would seem to me that most schools made the switch to Win7 about a year ago, or when the first service pack was released, it all depending on the school. At least they were smart enough to wait till most bugs were worked out, even though I'd still consider Win7 a beta.

[lifecabal]

Damnn, So if they 100% vulnerable to on-site attack. Microsoft still didn't patch it?

[silenthunder]

I'm sure microsoft made it that way on purpose, as there always has to be an administrator account. Since they didn't think anyone would want to use it so they could futher customize their account, they disabled it and tucked it away out of site. There HAS to be SOME way to do it..this was one of the least obvious ways. Since you have to have an installation disc in order to do this, they chose the disc method of activation, as most people who own a disc probably also own a custom computer. If they need the administrator account, it's there for them. However, they didn't take into consideration that these people with the discs and custom computers are probaly also the ones that hack other's computers.. So no, they haven't patched it, and with Windows 8 about to release, they're never going to.

[Nstraw]

Hey can't we open the administrator by just running in safe mode

[relax]

Hey can't we open the administrator by just running in safe mode

yes we can

[silenthunder]

Actually, doing it in safe mode doesn't always work..it depends on how the computer is set up. In the particular situation I described, you're normal user account logs into a server and then allows you to use the actual computer, meaning you'd be running in safe mode without admin rights still..because using certain commands in cmd requires admin privileges, you wouldn't be able to activate the account. When you do get the account active though, when you sign onto it you're signing onto the actual computer, not the server. That's another reason it's so discrete, when you sign on to the computer it's not recorded on the server.

[iTpHo3NiX]

If you can press F8 at startup, you should be able to load a command prompt on the machine and then use this command to add a new user:

Code: [Select]

net user /add useraccountname mypassword

net localgroup administrators useraccountname /add

net share concfg*C:\\/grant:useraccountname,full

net user useraccountname *

[silenthunder]

BIOS and everything on these is completely locked down..got them from some guy that works on the AF Base for really cheap and a lot of things are locked down on them..good specs but they're shit computers, there's at least one per week that goes down for good.

[iTpHo3NiX]

BIOS and everything on these is completely locked down..got them from some guy that works on the AF Base for really cheap and a lot of things are locked down on them..good specs but they're shit computers, there's at least one per week that goes down for good.

Don't need to go into bios to press F8 before the computer passes post and loads the OS