User somehow managed to get admin rights

blair

Hello, wondering if you guys can help me. I'm in charge of about 30 PCs at work and they have Windows 10 running. Each PC has an admin account and a standard account; only I have the admin password.

Yet somehow a user managed to change the standard account to admin whilst having no access to Control Panel or Settings; they can't even change the wallpaper. I'm at a loss how they managed it, as they can't run CMD as admin or access Group Policy or the registry, so I have no idea how they changed the account. Any ideas?

Thanks
 
Have they used the admin account that comes with Windows?
It is possible to do this by booting into safe mode.
 
The local admin account is disabled.


I even disabled access to CMD and PowerShell, yet they still managed to make themselves admin even though they still cannot open either of these.

Is there some flaw in Windows?
 
Right, well, I found out how they did it, though I'm not 100% on all of it: they replaced sethc.exe with cmd.exe. Then at the lock screen, if you hit Shift 5 times, it opens a command prompt with admin rights. Then they ran (net localgroup administrators "accountname" /add) and this made them admin.

However, after undoing their cmd and sethc switch, I tried to replicate it from the beginning and couldn't copy cmd as sethc even with the command prompt; it said access denied. Trying to copy manually asks for the admin password.

The only way I can get it to work is by using an installation disk, running the command from that and copying cmd as sethc, but they did not boot from any disc or USB when they did it. Wondering if I accidentally left them as admin, then they planted the exploit and then could carry it out without needing access to the System32 folder.
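The swap described in the post above (sethc.exe replaced by a copy of cmd.exe, then `net localgroup administrators X /add` from the lock-screen prompt) leaves several traces that can be checked from an elevated PowerShell session. The following audit script is an added example, not code from this thread or from Microsoft; the `$Expected` account names are assumptions to replace with the accounts that are supposed to be local administrators on your machines.

```powershell
# Added example (not from the original thread): audit a Windows 10 PC for the
# sethc.exe-for-cmd.exe swap and for unexpected local Administrators members.
# Run from an elevated PowerShell prompt.
$Expected = @('Administrator', 'itadmin')   # assumed names; adjust for your PCs
$Sys32    = Join-Path $env:SystemRoot 'System32'
$Sethc    = Join-Path $Sys32 'sethc.exe'
$Cmd      = Join-Path $Sys32 'cmd.exe'
$Findings = @()

# 1. A copied cmd.exe hashes identically to the real cmd.exe. If cmd.exe itself
#    is gone, the file was probably renamed rather than copied.
if (-not (Test-Path $Cmd)) {
    $Findings += 'cmd.exe is missing from System32 (renamed rather than copied?)'
} elseif ((Get-FileHash -Algorithm SHA256 -Path $Sethc).Hash -eq
          (Get-FileHash -Algorithm SHA256 -Path $Cmd).Hash) {
    $Findings += 'sethc.exe is byte-for-byte identical to cmd.exe'
}

# 2. The embedded version resource still says what the binary really is,
#    whatever the file on disk was renamed to. The genuine sethc.exe reports
#    OriginalFilename 'sethc.exe'; a renamed cmd.exe reports 'Cmd.Exe'.
$Ver = (Get-Item $Sethc).VersionInfo
if ($Ver.OriginalFilename -notmatch '^sethc\.exe$') {
    $Findings += "sethc.exe OriginalFilename is '$($Ver.OriginalFilename)' ($($Ver.FileDescription))"
}

# 3. Shipped System32 binaries are owned by TrustedInstaller (which is why the
#    copy failed even from an admin prompt). A file dropped in from an install
#    disk or by taking ownership first will usually show a different owner.
$Owner = (Get-Acl -Path $Sethc).Owner
if ($Owner -ne 'NT SERVICE\TrustedInstaller') {
    $Findings += "sethc.exe is owned by '$Owner', not TrustedInstaller"
}

# 4. Who is in the local Administrators group right now?
$Members = Get-LocalGroupMember -Group 'Administrators' |
           ForEach-Object { $_.Name.Split('\')[-1] }
foreach ($m in $Members) {
    if ($Expected -notcontains $m) { $Findings += "unexpected local administrator: $m" }
}

# 5. Security event 4732 ("A member was added to a security-enabled local
#    group") records the 'net localgroup ... /add' itself, including the
#    account that ran it, when Security Group Management auditing is enabled.
#    Properties[1] is the added member's SID, [2] the group, [6] the actor.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732 } -ErrorAction SilentlyContinue |
    Select-Object -First 10 TimeCreated,
        @{ n = 'MemberSid'; e = { $_.Properties[1].Value } },
        @{ n = 'Group';     e = { $_.Properties[2].Value } },
        @{ n = 'By';        e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

Once a swapped file is confirmed, `sfc /verifyfile=C:\Windows\System32\sethc.exe` reports it and `sfc /scannow` restores the genuine binary from the component store, and `Remove-LocalGroupMember -Group Administrators -Member <name>` undoes the group change. The script checks only the single file mentioned in the thread; the same comparison can be repeated for any other binary that winlogon launches from the lock screen.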
 
Perhaps they used a rename instead of a copy? Or made a shortcut that was simply named sethc?
 
Sounds like you need to put in more secure stuff and have a meeting telling people to stop trying to get around the network.
 
Does your company have an IT policy that staff should follow?

If you know who it is you really should be showing them the door.
 
Yeah, that employee should be fired. They went well out of their way to exploit the system. Who knows what else they are doing.

When I started my current job I found some keyloggers installed on a few machines. Everyone had local admin access before I started so they could install what they wanted. First thing I did was remove those accounts. Anyway, the person who installed them was spying on female employees, getting their passwords for personal accounts etc. Because it was a shared environment we had no way to prove who did it. We had an idea and the keylogger installations all matched the person's schedule, but we couldn't prove it 100%.

I released a letter to the employees that basically said change all your personal account info and cancel your credit cards because someone had installed keyloggers. It caused a panic and eventually the person who did it came forward. The authorities ended up taking his personal computers from his home and found some inappropriate images of children on them. Needless to say he was fired and ended up serving some jail time.
 