Saturday, 17 August 2013

Simple methods to get a System Shell in Windows

There are several ways to get a system shell in Windows without knowing the admin password.

One way is to see whats tasks on the taskbar are launched by System, explore them and look for a open file dialog box which can then be used to launch cmd.exe.  Another way is to see if the cmd.exe can be launched as a service with system privileges.

If you can bring up a local command prompt, with basic user privileges you can try to run the following:


sc create testsvc binpath= "cmd /K start" type= own type= interact
sc start testsvc



You can rename testsvc to whatever you want, like WindowsUpdateDaemon and the best part is that the service can be stopped and restared at any time.

And of course to remove the service:

sc delete testsvc


So what can you do with this?
If you were locked out from removing programs, editing services, checking system properties, things that involve the mmc console...
You could probably invoke these now using the command line.  Most of these programs exist in system32 folder.  Some may not be there or disabled, but there is no harm in trying.
Services Management     services.msc
Shared Folders     fsmgmt.msc
Remote Desktops     tsmmc.msc
Group Policy Management     gpmc.msc
Computer Management     compmgmt.msc

Bigger list here:  http://social.technet.microsoft.com/wiki/contents/articles/417.windows-mmc-snap-ins-msc.aspx


Ref: http://blogs.msdn.com/b/adioltean/archive/2004/11/27/271063.aspx

WindyCityTech Blogger
WindyWindyCityTech Wordpress

No comments:

Post a Comment