Windows NT/2K/XP/2K3 manual removal of the Administrator account || kuro5hin.org


	create account \| help/FAQ \| contact \| links \| search \| IRC \| site news

Everything

We need your support: buy an ad | premium membership | k5 store

Windows NT/2K/XP/2K3 manual removal of the Administrator account (Technology)

By esrever
Mon Jul 5th, 2004 at 02:28:12 PM EST

Or, how to remove the power of the builtin Administrator account without deleting it (delete it if you like ;-).

Introduction
The following is an article that I wrote some time ago after doing some testing and research with a VMware Windows Server install I had set up. It answered some questions I had and proved useful on at least one occasion. I have had it posted on my homepage for some time now, and given the number of hits I get from google from variations on 'hack administrator XP', I thought it might be of interest to the kuro5hin crowd.
DISCLAIMER
Before I begin, I am obliged to point out that editing the Registry in Windows is risky at the best of times, and that following the steps in this article is downright nuts. Microsoft surely will not help you if you touch your registry even following one of their KB articles (Microsoft Knowledge Base). If you mess this up you have every chance of rendering your system completely unusable (I ought to know, I did it a good dozen+ times getting this sorted out). Even if you follow these steps perfectly you could still render your system mangled by unintentionally removing all administrative accounts. Read the entire article first, then, if you're still really keen, try it out on a non-production, development box ONLY until you are satisfied that you understand exactly what you are doing and why. After that you're on your own ;-) Please understand that this is not an escalation-of-privileges exploit or anything like it; with the exception of the one instance that I mention at the end of this article, you need to already have administrative privileges to perform these steps.
First a rather lengthy backgound...
I ran into a situation several years or ago where I was presented with the problem that for a truly high-security machine --where security trumps other concerns (like always being able to access a machine no-matter-what, etc)-- that it was necessary to be able to either remove or disable the builtin Administrator account in NT. This is a problem because NT doesn't provide you with any way to do this.
So, I spent a rather lengthy amount of time working my way around the SAM (the Security Accounts Manager, a piece of the Windows Registry database that holds user security information) and was able to finally make sense of how it controls access to its security groups. I took this approach, as NT grants privileges based on group membership, rather than individually (that is; if you create a new local user account and put it in the local Administrators group, it is effectively as good as the builtin Administrator account).
Based on that reasoning, I decided that the easiest way to achieve my purpose was not to try and delete the Administrator account, but to simply remove it from the local Administrators group (thus removing its privileges). Armed with an understanding of how NT controls its groups in the SAM, I removed the builtin Administrator account from the local Administrators group, and voilà! I have a builtin Administrator account that now can't even log in to the server/workstation/whatever. It is effectively a member of no groups, and thus has utterly no rights (less even than a Guest).
An explanation of the issues and technical details
NOTE: You can follow through these steps in real life on a test computer to see what I'm talking about and it will be a lot easier to understand.
Make sure that the Scheduler service (Task Scheduler) is running as the LocalSystem account and that it is allowed to Interact with the Desktop (this information is accessible via the Administrative Tools applet in the Control Panel). Then open a cmd console and type the command:

at <some-point-in-the-near-future> /interactive cmd

This will launch a cmd.exe window running under the security context of the LocalSystem account. Any program you then launch from this window will run as LocalSystem. This is highly desirable as LocalSystem processes on Windows run in ring0, or kernel space. Use it to run regedit.exe (it's easier to follow what's happening with this tool than regedt32.exe...). Drill down to:

HKLMSAMSAMDomainsBuiltinAliases00000220

It will hold a single value of type REG_BINARY labelled C. Double-click to modify this (by the way, each number under Aliases references one of the local groups on the system, 00000220 is the local Administrators group). On row 0028 the 5th byte of data (each row should be arrayed with 8 bytes of data in hex) is a simple checksum that records (in hex) how many bytes of data there are at the end of the binary record that holds user sids (I'll explain more in a moment).
As you add and remove users normally, the system appends and removes 28-byte blocks of data to the end of the binary information in this registry key. Thus, the value held in this byte of data will always be a multiple of 28, which in hex will show as either 1C, 38, 54, etc (or 00 if there is no-one in the Administrators group ;-). On row 0030 the first byte of data holds the number of users in the group currently. Or, to put it another way, if you divide the number present at row 0028 byte 5 by 28 (decimal), you should get the number of users in the group, and that's the number that should be in row 0030, byte 1. I'm sure you get it, but just to be sure, some examples are thus:

If one user is in the local Administrators group, then row 0028 byte 5 should read 1C and row 0030 byte 1 should read 01.

If there are 5 people in the local Administrators group, then row 0028 byte 5 should read 8C and row 0030 byte 1 should read 05.

Finally, at the end of the binary data (probably starting from about row 0168 byte 5, it starts recording the SIDs (Security Identifiers) of all the members of the group (these are the 28 byte blocks of data that get added and removed as users are added and removed, and that the first two items I talked about refer to). They are all padded at the start with 12 bytes of data that look like:

01 05 00 00 00 00 00 05 15 00 00 00

followed by 16 bytes of data that record the actual unique SID. Getting a SID is trivial; there are so many ways that I will only deal here with local-machine accounts (because they're interesting). To find the SID of an account on the local machine, drill down to:

HKLMSAMSAMDomainsAccountUsers

Under here are the numbered keys holding the data about each local user. The key for the builtin Administrator account is 000001F4. You can cross-reference what number relates to what account by drilling to:

HKLMSAMSAMDomainsAccountUsersNames<insert-name-of-user-here>

The default value in this key will be 0x<whatever> and this is the number of the key under:

HKLMSAMSAMDomainsAccountUsers

that holds their details and SID.
In other words, to find the local Administrator's SID, go to:

HKLMSAMSAMDomainsAccountUsersNamesAdministrator The default value under this key is 0x1f4, thus, the key that holds the data about the builtin Administrator is:

HKLMSAMSAMDomainsAccountUsers000001F4
Once you've found the right key for the user you want to add/remove double click on the REG_BINARY value labelled V and scroll to about the middle of the data. With a bit of practice you should be able to spot the padding sequence of:

01 05 00 00 00 00 00 05 15 00 00 00

This is followed by the 16 bytes of data that hold the unique SID.
Finally, using all this information to perform the "hack"
From here, you're on the home straight, so here's how you actually perform the hack.
TO ADD A MEMBER:

You can simply copy&paste all 28 bytes of the user's SID data to the bottom of the C value under:

HKLMSAMSAMDomainsBuiltinAliases00000220

Then adjust the checksum and counter values (at rows 0028 and 0030)up by 28 (+1C in hex) and 1 respectively, and you've added a user to the Administrators group.
TO REMOVE A MEMBER:

(Even the builtin Administrator) You simply cut the 28 bytes of data that correspond to the user that you want to remove from the bottom of the C value under:

HKLMSAMSAMDomainsBuiltinAliases00000220

Then adjust the checksum and counter values (at rows 0028 and 0030)down by 28 (-1C in hex) and 1 respectively, and you've removed a user from the Administrators group.
SOME FOOTNOTES:

Actually doing this is simple, understanding why is a little harder. Hopefully my (rather lengthy) discussion of whats-what above will help you to find your way around. If you manually remove external security principals (say, Domain accounts) from the Administrators group, you also need to remove the appropriate key under:

HKLMSAMSAMDomainsBuiltinAliasesMembers<SID of modified Group>

I can't really explain this one easily - just add and remove a Domain Account through the GUI while watching this key and you should see what I mean. Don't worry about this if you're adding accounts or only working with local accounts. Finally, be aware that every action taken through the GUI increments a counter in one of the values under:

HKLMSAMSAMDomains...

It's been a long time since I personally did this, and I can't remember now exactly where it is, but you don't need to be bothered with it when doing things manually. I assume it is used with SAM versioning for PDC's that replicate with BDC's etc, but I've never tested it. Bonus points for anyone who goes and finds it and reports back to the class ;-)
And finally, the escalation of privileges exception I mentioned at the start
Microsoft include several default groups in a Windows Server installation. One of these is the Server Operators group; a relatively trusted group with physical access to the server. This group has permissions for adding printers, performing maintenance etc, but they are not Administrators; they can't make other accounts and give them privileges like their own.
However, Microsoft included a special privilege that can be switched on for this group (it is disabled by default, thank goodness) to allow them to Schedule Tasks. In light of what you've just read above, I'm sure you can see that this presents nearly limitless possibilities for an enterprising young Server Operator. If they are given the rights to Schedule Tasks and the Task Scheduler service is left running as LocalSystem (almost always the case), then a Server Operator can perform the steps (or similar ones) described in this article and add themselves to the Administrators group, thus escalating their privileges beyond what was originally intended. Additionally of course, they can remove the builtin Administrator account. Food for thought...
Wrap-up
So that's it.

It took me about 2 weeks to make sure that I understood everything that was being changed and to replicate it manually. Have fun hacking around.
esrever_otua
Other articles that relate and may be of interest:

The canonical copy of this whitepaper

A whitepaper on the SAM that references this work, by NullAck

Manual uninstallation of a Windows 2K/2K3 Active Directory

Sponsors

Managed Servers

Managed Clusters

Virtual Hosting

www.johncompanies.com

Looking for a hosted server? We provide Dedicated, Managed and Virtual servers with unparalleled tech support and world-class network connections.

Starting as low as $15/month
Linux and FreeBSD
No set-up fees and no hidden costs
Tier-one provider bandwidth connections

Poll

I read the article and tried it out

Yes 2%

No 45%

Are You Crazy?!? 52%

Votes: 42
Results | Other Polls

View: Display: Sort:

Windows NT/2K/XP/2K3 manual removal of the Administrator account | 75 comments (62 topical, 13 editorial, 1 hidden)

Registry (none / 1) (#64)
by Armada on Fri Jul 9th, 2004 at 02:46:10 AM EST

The thing that has always boggled my mind is how susceptible Windows is to registry edits.

Windows Firewall in the way of connecting to your homemade trojan? Simple, just write a script to disable it. My roommate does this with little effort. He's even coded something and installed it on his compromised boxen in anticipation of XP SP2.

By the time people flip over, he's already using new "features" to find even more about them than they want. All because he had a chance to screw around with RC1 and RC2 for the latest SP.

If you want more info on how to do this I suggest you check out his post here: (registration and approval required):

http://www.governmentsecurity.org/forum/index.php?showtopic=8702

Re: Registry by BCoates, 07/11/2004 09:39:14 PM EST (none / 0)

Boy by Armada, 08/12/2004 11:19:10 AM EST (none / 0)

Not quite good enough. (none / 1) (#62)
by jolly st nick on Wed Jul 7th, 2004 at 06:57:08 PM EST
(grumpynerd at yahoo dot com) http://kamthaka.blogspot.com

If you have physical access to the machine, you can either boot linux or an NT recovery CD and fix the SAM, or simply poke around.

If the issue here is that you don't want somebody with physical access to be able to get to data, it's child's play to get around this. Encrypting sensitive data is a must.

However, if the point is to make the machine secure over the network, this procedure could conceivably gum up some remote "root' exploits.

We shall see next saturday... (none / 2) (#57)
by Maljin Jolt on Tue Jul 6th, 2004 at 10:27:00 PM EST

It's a real gem. I mean, both method of adding and removing a user to/from admin group. And publishing this subtlety with such a nice and clever cover story is an excercise of wits and social skills. Bravo, esrever.

So, for those who does not see the connection between facts, I speak a prophesy: Finally, the nightmare will come to it's end. Because after next wave of windows worms no admins will be able to patch anything.

I am glad I abandoned that foul platform long ago.

Madness (2.83 / 6) (#56)
by pmc on Tue Jul 6th, 2004 at 06:51:38 PM EST

Anyone that does this is a production environment (as you claim to have done) should get shot.

But if you are (lord knows why) willing to indulge in such lunacy, do it the easy way. Want to edit the SAM registry entries - log in as administrator and run regedt32 and give yourself full control over the key (see the fifth menu along, the one labelled security, guess what that does).

I had a look at your forcible AD removal tool (you might want to remove the ring 0 stuff from this article to, it being wrong). Very interesting, but there is a much, much easier way: http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm

What else? Ah - you were talking about EFS with no recovery agent, which you claim is impossible in W2k. It is possible - export the recovery agents accounts' certificates with private key and delete them (instead of doing the normal thing and storing them in the safe) and you're set: you can never use the recovery accounts to recover data as they (you) no longer have their private key. Well done, you have put your company's data at risk of being irretreviable for absolutely no gain, but there is nothing to stop you doing such a stupid thing.

Really guys, do this at home, not at work. If you want to lockdown a Windows system properly there are loads of sites telling you how. Start with http://www.nsa.gov/snac/downloads_os.cfm?MenuID=scg10.3.1.1 and look at MS site too - they have good guides too.

And remember the goal of security is to make sure you can access your data but the bad guys can't - going to great lengths to make a system flakey in the misguided belief that this will make it harder for the bad guys isn't security. Ditto other approaches with the "if we can't read it they can read it either" philosophy.

Some responses by esrever, 07/07/2004 02:22:52 AM EST (none / 0)

Lunacy by loteck, 07/12/2004 02:56:42 PM EST (none / 1)

Fascinating by esrever, 07/12/2004 05:17:26 PM EST (none / 0)

Just a few quick comments by pmc, 07/07/2004 06:22:11 AM EST (none / 0)

how to secure the NT administrator account (none / 1) (#50)
by the77x42 on Tue Jul 6th, 2004 at 04:14:56 AM EST
(d@ve.smells)

Modifying the registry on security accounts on a machine that you want to be secure is not a good idea.

Rename the account
Set a random password with extended ASCII chars (alt-###, etc.)
Put a piece of paper with the administrator password on it in the bank or a safe

This is not a lie... or is it...yes, it is...? ־‮־

4. Create dummy "administrator" account. by Ipslore, 07/15/2004 04:56:15 PM EST (none / 0)
And by IntlHarvester, 07/11/2004 03:14:41 PM EST (none / 0)
Easy by jolly st nick, 07/07/2004 06:49:49 PM EST (none / 0)
and... by the77x42, 07/06/2004 04:17:04 AM EST (none / 1)

Odd.. (none / 0) (#40)
by tzanger on Mon Jul 5th, 2004 at 03:11:08 PM EST
(tzanger@spam.blows.mixdown.ca) http://www.mixdown.ca

On my Win2kServer box I go HKLM/SAM/SAM and there's absolutely NOTHING under it aside from (Default) REG_SZ (value not set).

I'm logged in as a domain admin (not a local admin) -- is my system already secure? :-)

Did you follow the steps involving "at"? by Dotcher, 07/05/2004 05:08:24 PM EST (none / 0)
You need to be LocalSystem, admin by esrever, 07/05/2004 05:04:28 PM EST (none / 0)

RIng 0 ? (none / 2) (#38)
by blackpaw on Mon Jul 5th, 2004 at 08:42:35 AM EST

I *really* don't think LocalSystem accounts run in kernel space - they just have very high access priviliges, a different kettle of fish I could be wrong of course, but I don't think so.

That's what I thought too... by Ranieri, 07/05/2004 10:12:06 AM EST (none / 0)

All I know by CheezyDee, 07/05/2004 03:31:02 PM EST (none / 0)

Correct, but not ring 0 by blackpaw, 07/05/2004 11:26:17 PM EST (none / 0)

WTF WHY? (3.00 / 6) (#31)
by Run4YourLives on Sun Jul 4th, 2004 at 07:18:26 PM EST
('run4yourlives'@'gmail'.'com') http://run4yourlives.com

What's wrong with the damn administrator account? Do you normally remove the root account in Linux too? I mean seriously, this is just doing something for the sake of doing something.

Just give the damn thing an enourmously ridiculous password and let it be.

It's slightly Japanese, but without all of that fanatical devotion to the workplace. - CheeseburgerBrown

Remote Login by Xoder, 07/06/2004 02:20:56 PM EST (none / 0)

um.. by Run4YourLives, 07/06/2004 03:39:34 PM EST (none / 0)

Peanut! by Xoder, 07/24/2004 04:44:40 PM EST (none / 0)

When you have a fully locked down computer by jeremyn, 07/05/2004 01:45:51 AM EST (none / 1)

Yeah by CaptainSuperBoy, 07/05/2004 03:04:41 AM EST (none / 0)
um, dude... by Run4YourLives, 07/05/2004 01:59:07 AM EST (none / 0)

And the answer is... by mirleid, 07/05/2004 03:34:30 PM EST (none / 0)

huh? by Run4YourLives, 07/05/2004 04:30:29 PM EST (none / 0)

I think by starsky, 07/09/2004 11:30:45 AM EST (none / 1)

lol... by Run4YourLives, 07/11/2004 06:04:43 PM EST (none / 0)

Caveats (none / 2) (#6)
by CaptainSuperBoy on Sun Jul 4th, 2004 at 11:15:37 AM EST
(paul at jimmysquid dot com) http://jimmysquid.com/

Windows XP and 2003 allow you to diable the local administrator account through the local users and groups snapin. I'm pretty sure that Windows 2000 lets you do this as well. Is this article only relevant to NT4? I mean it's nice to know, but you're about 5 years late on the info.

Anyway as another user pointed out, why not just rename the account and give it a very tough password?

--
jimmysquid.com - I take pictures.

The down-low :) by esrever, 07/04/2004 04:57:12 PM EST (none / 1)

Bootdisks by CaptainSuperBoy, 07/04/2004 05:23:02 PM EST (none / 1)

Depends on the level of savvy; by esrever, 07/04/2004 05:44:22 PM EST (none / 0)

I think that's naive by CaptainSuperBoy, 07/04/2004 06:55:37 PM EST (none / 1)

Best way to remove the Administrator account (1.00 / 9) (#5)
by b1t r0t on Sun Jul 4th, 2004 at 10:39:13 AM EST
(-@-)

FORMAT C: /Y

-- Indymedia: the fanfiction.net of journalism.

Interesting but... (3.00 / 4) (#4)
by onealone on Sun Jul 4th, 2004 at 09:09:22 AM EST

does this really give much extra security over simply renaming the administrator account and giving it a hugely long random password?

In short, yes, it does :) by esrever, 07/04/2004 04:58:45 PM EST (none / 0)

Accounts are irrelevent... by onealone, 07/04/2004 05:56:14 PM EST (none / 1)

Of course by esrever, 07/04/2004 06:03:49 PM EST (none / 1)

yeah, I already gave +1 for the interest factor... by onealone, 07/04/2004 06:28:30 PM EST (none / 0)

Not as crazy as it sounds by duffbeer703, 07/05/2004 12:18:37 AM EST (none / 0)
A: security over data retention by esrever, 07/04/2004 06:45:41 PM EST (none / 0)

As usual, MS thinks it's smarter than you [nt] by Dwonis, 07/05/2004 10:39:23 PM EST (none / 0)

Nah. by Anonymous Hiro, 07/06/2004 11:23:11 AM EST (none / 0)

Windows NT/2K/XP/2K3 manual removal of the Administrator account | 75 comments (62 topical, 13 editorial, 1 hidden)

View: Display: Sort:

All trademarks and copyrights on this page are owned by their respective companies. The Rest � 2000 - 2005 Kuro5hin.org Inc.
See our legalese page for copyright policies. Please also read our Privacy Policy.
Kuro5hin.org is powered by Free Software, including Apache, Perl, and Linux, The Scoop Engine that runs this site is freely available, under the terms of the GPL.
Need some help? Email help@kuro5hin.org.
If you can read this, you are sitting too close to your screen.