anyone up for a tech challenge?

#11

Post by emanon »

I have already cracked the password for the admin account...I just need to make it accept keyboard input at a login prompt instead of auto-login.

I was able to extract the image using ghost explorer. I extracted it to a spare partition without worrying about it being bootable and then browsed the files with my xp box.
No Norton or any other kind of antivirus/security software from what I could tell.

Next I started up the registry editor and loaded the user hive into a subkey and poked around in there for a while. I think I may have found something of interest;


CODE

Windows Registry Editor Version 5.00

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent]

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32]
"NoBackButton"=dword:00000001
"NoFileMru"=dword:00000001
"NoPlacesBar"=dword:00000001

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"ClearRecentDocsOnExit"=dword:00000001
"Intellimenus"=dword:00000001
"MaxRecentDocs"=dword:00000001
"NoAddPrinter"=dword:00000001
"NoChangeStartMenu"=dword:00000001
"NoClose"=dword:00000001
"NoCloseDragDropBands"=dword:00000001
"NoCommonGroups"=dword:00000001
"NoComputersNearMe"=dword:00000001
"NoDesktop"=dword:00000001
"NoDFSTab"=dword:00000001
"NoDrives"=dword:00000004
"NoFavoritesMenu"=dword:00000001
"NoFind"=dword:00000001
"NoInstrumentation"=dword:00000001
"NoLogoff"=dword:00000001
"NoNetHood"=dword:00000001
"NoNetworkConnections"=dword:00000001
"NoRecentDocsHistory"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoResolveSearch"=dword:00000001
"NoResolveTrack"=dword:00000001
"NoRun"=dword:00000001
"NoSaveSettings"=dword:00000001
"NoSetFolders"=dword:00000001
"NoSetTaskbar"=dword:00000001
"NoSMHelp"=dword:00000001
"NoSMMyDocs"=dword:00000001
"NoStartMenuSubFolders"=dword:00000001
"NoTrayContextMenu"=dword:00000001
"NoViewOnDrive"=dword:00000004
"NoWindowsUpdate"=dword:00000001
"StartMenuLogOff"=dword:00000001

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\Network]
"NoEntireNetwork"=dword:00000001

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"=dword:00000001
;///////////////////////////////////////// specifically this entry anyone know what this is???

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableChangePassword"=dword:00000001
"DisableLockWorkstation"=dword:00000001
"DisableRegistryTools"=dword:00000001
"DisableTaskMgr"=dword:00000001


I am gonna be taking another crack (pardon the pun) at it today and hopefully get access.
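
Added example, not part of the post above: a small Python reader for a .reg export of this kind that decodes the bitmask policy values instead of leaving them as raw dwords. The sample text is constructed from a few of the posted values, and the bit tables are the documented meanings of NoDrives, NoViewOnDrive and NoDriveTypeAutoRun.

```python
import re

# Constructed sample: values copied from the export in the post above,
# with the backslashes restored in the key path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\aaa\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoDrives"=dword:00000004
"NoViewOnDrive"=dword:00000004
"NoRun"=dword:00000001
'''

# Bit meanings for NoDriveTypeAutoRun (drive types on which AutoRun is off).
AUTORUN_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.fullmatch(r'"(.+?)"=dword:([0-9a-fA-F]{8})', line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys

def drive_letters(mask):
    """NoDrives / NoViewOnDrive bitmask: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:."""
    return [chr(ord("A") + i) for i in range(26) if mask >> i & 1]

def autorun_types(mask):
    return [name for bit, name in AUTORUN_BITS.items() if mask & bit]

def summarize(text):
    """Decode the bitmask policies; every other dword is reported as on/off."""
    decoders = {"NoDrives": drive_letters, "NoViewOnDrive": drive_letters,
                "NoDriveTypeAutoRun": autorun_types}
    return {name: decoders.get(name, bool)(value)
            for values in parse_reg(text).values()
            for name, value in values.items()}

if __name__ == "__main__":
    for name, meaning in summarize(SAMPLE_REG).items():
        print(f"{name}: {meaning}")
```

Read this way, the posted NoDrives and NoViewOnDrive values of 4 both select drive C:, and 0x95 is the AutoRun mask for unknown, removable and network drive types plus the reserved bit.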


#12

Post by AYHJA »

As for my other theory, maybe a switch of keyboard types might confuse the system...If you could use a usb keyboard instead maybe..? Damn, I haven't been stumped in a minute...I'm gonna look around, drop a note about the incident among other tech heads, and see what they can come up with...


#13

Post by emanon »

nod....I could upload extracted files somewhere if it would help


#14

Post by AYHJA »

Everyone is stumped as far as I can tell...Someone suggested hooking the machine up to where it would be part of a domain or network, and possibly using a mother system to change the permissions, but I didn't think that sounded viable, as you would still need to have some sort of privilege I think....

Sounds like time to install a CD ROM, and write some 0's....


#15

Post by emanon »

well there has been a couple of small victories....
We are no longer prevented from using the keyboard to supply a different username and password. It did not make sense to me that the shift key would halt the autologin but then not allow you to enter text. So I performed a series of reboots, each time starting to hold the shift key at a different part of the boot sequence. I found a combo that stops the autologin while keeping the keyboard active. My theory is that the first few times I was doing this, the "sticky keys" warning dialog had popped up but was hidden or covered by the splash screen that is displayed (which also effectively hides the status messages). So that is a big step to getting closer to the goal.

Now we are faced with Windows 2000 privileges and access restrictions. I have elevated the default user to admin privs, however, when logged in as that user, we still are unable to browse the C drive, use control-alt-delete to get the taskmanager, or run the registry editor. I am still hunting on the web for ways around some of these stumbling blocks, but I am confident that we are well underway to achieving our ultimate goal. On the list of things to try are an alternate file manager run off the USB interface, find and reverse the restrictions preventing the actions listed above, create a new user and see if the same restrictions are in place. One of the requirements is that this activity is inconspicuous enough that it does not alert anyone that this is going on, which a couple of these options might not do.

My exposure to windows 2000 is a little limited, and perhaps someone can shed some light on this. In windows xp, when using the regeditor, there is an option in the File menu to Import Registry Hive. I have seen no such option in windows 2000. When logged in as Admin, I would like to edit the registry and have the changes be effective for the default user. Normally this would be done by editing the HKCU hive, but CU = admin when I am able to edit the registry and not the default user. I am sure there is a way to do it I have not read about yet, and I apologize if this seems like a ridiculously easy task for anyone reading this. I will have more time to spend on this project next week. The rest of this week the equipment that is run by this PC is needed and I can not take the chance of making a 1/2 million dollar machine inoperable because I was trying to tweak the registry the night before.

If anyone has some guidance on the aforementioned registry editing situation I would love to hear it.

-E


#16

Post by AYHJA »

Can you access the group policy editor..?


#17

Post by WAY »

1) Accessing the C drive while restrictions are in place is pretty easy to bypass. Simply create a new text document on the desktop, add the following line:
CODE
<a href="file:///C:/">clicky</a>
close and save, rename the extension from .txt to .htm, and open the file with IE. Now all you do is click the word "clicky" and C drive should magically appear..!
If this doesn't work, try right clicking on one of the folder sub-menus in the Program list in the start menu, and clicking Explore. Note that right-clicking might also be disabled.

2) If, as AYHJA suggested, the group policy editor is inaccessible, as long as the control panel and/or Run is available from the start menu, creating a new admin user should be done by clicking Run and typing CONTROL USERPASSWORDS2

3) TweakUI always has helpful ways to disable things..

4) Access restrictions should be able to be bypassed by starting the system in Safe Mode, but I'm sure you've already tried that. I can't remember if it'll still ask for the Administrator password in Windows 2000 however.

Photos/Screenshots would also be greatly appreciated, since I was never very good with words, and pictures are prettyful..


#18

Post by emanon »

I am sorry, I should have mentioned this before. The start Menu has been redirected from the normal folder in the documents and settings folder to another folder in the main application directory. In this folder there are only two shortcuts, restart and shutdown. Also, as you suspected, the right click is disabled. I will give the text editor trick a try. I did try typing "c:" in the address bar of internet explorer as well as "file:///c:/" and variations thereof with little success.

As the administrator I started gpedit.msc and upon my quick survey it appears as though most everything is in default mode. The registry script I posted earlier was achieved by extracting the default user profile directory from a ghost image to a usb drive and then using windows xp to load the registry hive as mentioned earlier. From my perspective, I just need to find a way to change those settings for the default user from an account that is NOT the default user. Does this seem accurate?

Will gpedit.msc settings override those outlined in this registry script? What about domain policies? The machine is not networked and I have not tried plugging anything into the ethernet jack to see if it is live, but domain settings will trump local machine policy, correct? Domain settings can be in place even if the machine is not networked, right? More avenues to investigate if the others don't pan out I guess...


#19

Post by WAY »

I don't know much about group policies and the like, hence I'm not a systems administrator (what other reason am I here?), but that does seem the right way to do things, judging by its current setup. I still think there is a 3rd party driver or application involved, which is why I previously suggested Safe Mode on startup, because that'll only load the base drivers and processes (which I'm sure you already know - just for clarification).

What I am still unsure about is whether or not you did eventually bypass the login issue. Judging from your previous success, you did, however, I don't understand why you can't login to the administrator account to adjust the settings for the default user.

QUOTE(emanon) I just need to find a way to change those settings for the default user from an account that is NOT the default user
Why would you need to do this if the default user has administrative privileges that you gave it, and it can sufficiently change its own settings on the same user?

QUOTE(emanon) I did try typing "c:" in the address bar of internet explorer as well as "file:///c:/" and variations thereof with little success.
Yes, this is disabled, basically typing anything in the address bar of My Computer (or a file location of Internet Explorer) will cause it to flag a "disallowed" error. However, following a link will not cause it to detect the need to access the drives, since you followed a link and you didn't change the address in the address bar manually..

I'm pretty sure at least some of my suggestions work correctly..

technology :: who.am.i


#20

Post by emanon »

even with admin privs for default user, winkey-R, shortcut to explorer i put in startup folder (when logged in as admin), double clicking .reg files, all result in popup warning indicating the action has been prevented and see system admin etc etc...

so, as default user, I can not edit registry. when logged in as admin, a different hive is loaded which has different setting for the diff user. as admin, i need to load the default user's hive and make changes, but in this win2000 installation, load registry hive is not an option in file menu of reg editor.
