Re: Windows 2003 – recover password


guyt
Member
#192322

Well…. you can run but you can’t hide :-)

1) You need a valid AD account that can logon to the DC. It does not have to be Domain Admin. Let's call that mortal account MYDOM\Antid0t

2) Logon in Directory Restore Mode and navigate to
HKLM\Software\Microsoft\CurrentControlSet\Windows\RunOnce

3) Add a new value:

Code:
Type: String (REG_SZ)
Name: MightyCMD
Data: at 17:51 /INTERACTIVE cmd.exe

You will have to adjust the time (make sure you leave yourself enough time to reboot and logon)

4) Reboot normally and logon with MYDOM\Antid0t

5) Wait till the hour you specified at the registry.

6) See command shell popup :D

7) Type “whoami” at the prompt…

8) You should be NT AUTHORITY\SYSTEM
:roll:

9) Continue according to Daniel’s instructions…

The reason 2 new accounts have been introduced in 2003 is that the Local System account has way too much power over the system and the system could be compromised by exploiting almost any system service. Microsoft's solution was to introduce 2 less powerful accounts (Local Service and Network Service) and make some services run in the context of those accounts instead of LSA…

HTH,
Guy
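The trick above works because an "at /INTERACTIVE" job on Windows 2003 runs as SYSTEM on the console, and a RunOnce value is enough to schedule it. From the defender's side, the same pattern is what you want to catch: a Run/RunOnce entry that invokes the task scheduler, especially with /INTERACTIVE or an explicit SYSTEM account. The script below is an added example, not code from the post or from Microsoft. It parses a .reg-style text export of the autorun keys and flags such entries; the export text embedded in it is constructed for the demonstration (the MightyCMD value is the one from the post, the other entries are made up), and the key names, regexes and severity labels are my own choices.

```python
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample: what a text export of the Run/RunOnce keys might look like.
# "MightyCMD" is the value from the post; the other three entries are invented.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"MightyCMD"="at 17:51 /INTERACTIVE cmd.exe"
"CleanupTmp"="cmd.exe /c del /q C:\\Temp\\*.log"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMwareTools"="\"C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\""
"Backdoor"="schtasks /create /ru SYSTEM /sc once /st 17:55 /tn x /tr cmd.exe"
"""

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" with .reg escaping (\" and \\) inside the data.
REG_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
# The autorun keys we care about (suffix match so both HKLM and HKCU hives work).
AUTORUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")
# at / at.exe / schtasks / schtasks.exe as a standalone token in the command line.
SCHEDULER_RE = re.compile(r'(^|[\\\s"])(at|schtasks)(\.exe)?(\s|$)', re.IGNORECASE)
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?(nt authority\\)?system\b')


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for each string value in a .reg-style export.

    Header lines, blank lines and non-string values are ignored.
    """
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and key is not None:
            # Undo .reg escaping: \" -> " first, then \\ -> \
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group(1), data


def classify(command: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) if an autorun command is suspicious, else None."""
    if not SCHEDULER_RE.search(command):
        return None
    lowered = command.lower()
    if "/interactive" in lowered:
        return ("high", "scheduler job with /INTERACTIVE: a console shell running as SYSTEM")
    if RUN_AS_SYSTEM_RE.search(lowered):
        return ("high", "schtasks job explicitly created to run as SYSTEM")
    return ("medium", "task scheduler invoked from an autorun key; review the command")


def audit_autoruns(text: str) -> List[dict]:
    """Walk a registry export and collect suspicious Run/RunOnce values."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.endswith(AUTORUN_KEYS):
            continue
        verdict = classify(data)
        if verdict is not None:
            findings.append({"key": key, "name": name, "data": data,
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG_EXPORT):
        print(f"[{f['severity']}] {f['key']}\\{f['name']}")
        print(f"    command: {f['data']}")
        print(f"    reason:  {f['reason']}")
```

To run it against a real box, export the keys with `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" runonce.reg` (and the same for Run), decode the file as UTF-16 when reading it, and pass the text to `audit_autoruns`; the parser skips the "Windows Registry Editor" header line on its own. The third, medium-severity verdict is deliberately broad: on a domain controller there is rarely a legitimate reason for an autorun value to call the scheduler at all, so every hit is worth a look.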