IWETHEY v. 0.3.0 | TODO
1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User
IWETHEY Banner

Welcome to IWETHEY!

IWETHEY Home / IWETHEY Board / Windows vX.X Forum / There is a way.
Post #198,667
by static
3/14/05 8:54:09 PM
Reply
New There is a way.
Simple example: use at to open a cmd prompt. You'll be surprised at what that prompt has access to. (hint: it's *more* than Administrator.) Disclaimer: I have not tested this as a pleb.

I saw this some months ago as a way to modify some certain Registry Keys in the locals Users area* that even Administrator can't even see, let alone change. Windows security is just so complex and poorly documented...**

Wade.

* not the local user's area, the local users area.
** to which I suspect people are going to disagree. :-)

Is it enough to love
Is it enough to breathe
Somebody rip my heart out
And leave me here to bleed
 
Is it enough to die
Somebody save my life
I'd rather be Anything but Ordinary
Please

-- "Anything but Ordinary" by Avril Lavigne.
Post #198,757
by Arkadiy
Picture of Arkadiy
3/15/05 11:26:57 AM
Reply
New It's LocalSystem
And yes, it's more than Administrator, on local machine.
I could not find an easy way to disable it, apart from disabling the schedule service. What a sordid mess! It should run as the user that scheduled the action, not as LocalSystem.

--


And what are we doing when the two most powerful nations on earth -- America and Israel -- stomp on the elementary rights of human beings?

-- letter to the editor from W. Ostermeier, Liechtenstein
     Undetectable VX2!!!!!! - (Andrew Grygus) - (39) - March 13, 2005, 12:25:13 PM EST
         Maybe because it isn't the traditional one? - (folkert) - (3) - March 13, 2005, 05:07:21 PM EST
             This one was real VX2 . . - (Andrew Grygus) - (2) - March 13, 2005, 05:32:16 PM EST
                 Is there even room to fit one more nail? ;-) -NT - (n3jja) - (1) - March 13, 2005, 05:33:05 PM EST
                     Depends on how many infections a given machine has. -NT - (ben_tilly) - March 13, 2005, 05:58:44 PM EST
         Re: Undetectable VX2!!!!!! - (andread) - (3) - March 14, 2005, 09:39:16 AM EST
             Of course. -NT - (Andrew Grygus) - (2) - March 14, 2005, 11:52:52 AM EST
                 Yeap, just like that. - (folkert) - (1) - March 14, 2005, 02:26:02 PM EST
                     My root post for this thread did refer to . . - (Andrew Grygus) - March 14, 2005, 03:30:07 PM EST
         Assuming that I am a complete dolt, - (Arkadiy) - (29) - March 14, 2005, 04:29:37 PM EST
             Rootkit worms for windows abound - (jake123) - March 14, 2005, 05:09:26 PM EST
             Well, just for starters . . - (Andrew Grygus) - (8) - March 14, 2005, 05:18:45 PM EST
                 Apart from the first point - (Arkadiy) - (7) - March 14, 2005, 05:31:55 PM EST
                     Let's see, point #3 - (jake123) - (5) - March 14, 2005, 06:13:07 PM EST
                         Sounds like the OS/2 WPS (ducks, runs) -NT - (altmann) - (2) - March 14, 2005, 06:32:48 PM EST
                             Nah, Office has users. - (pwhysall) - March 14, 2005, 06:33:17 PM EST
                             :) - (jake123) - March 15, 2005, 01:45:00 PM EST
                         Sounds like Gnome - (Arkadiy) - (1) - March 14, 2005, 07:35:05 PM EST
                             No, another disagreement here. - (folkert) - March 14, 2005, 09:48:51 PM EST
                     On our network... - (Steven A S) - March 15, 2005, 04:18:20 PM EST
             Win32 message service - (inthane-chan) - (18) - March 14, 2005, 05:23:59 PM EST
                 If you're not an admin, you don't have - (Arkadiy) - (17) - March 14, 2005, 05:34:23 PM EST
                     Nope. I have a machine at work. - (folkert) - (16) - March 14, 2005, 06:48:52 PM EST
                         I don't know :( - (Arkadiy) - (13) - March 14, 2005, 07:41:31 PM EST
                             I don't agree with your assessment. - (folkert) - (12) - March 14, 2005, 09:29:10 PM EST
                                 That I don't understand - (Arkadiy) - (11) - March 15, 2005, 11:10:03 AM EST
                                     That's where messaging comes in. - (inthane-chan) - March 15, 2005, 01:09:32 PM EST
                                     Not like Windows... - (folkert) - (6) - March 15, 2005, 04:41:09 PM EST
                                         It was quite helpful - (Arkadiy) - (5) - March 15, 2005, 05:05:47 PM EST
                                             It isn't documneted the way you'd think. - (folkert) - (4) - March 15, 2005, 09:34:49 PM EST
                                                 Well, the only things that grant access to file system - (Arkadiy) - (3) - March 16, 2005, 09:52:25 AM EST
                                                     Then how do you explain the fact that it happens? - (folkert) - (2) - March 16, 2005, 11:35:43 AM EST
                                                         I have no explanation that I am sure of. - (Arkadiy) - (1) - March 16, 2005, 11:36:22 AM EST
                                                             Thank you. (new thread) - (folkert) - March 16, 2005, 11:43:24 AM EST
                                     Re: That I don't understand - (andread) - (2) - March 16, 2005, 09:51:34 AM EST
                                         Are they members of other groups? - (Arkadiy) - (1) - March 16, 2005, 09:53:35 AM EST
                                             Domain Users -NT - (andread) - March 16, 2005, 03:35:33 PM EST
                         There is a way. - (static) - (1) - March 14, 2005, 08:54:09 PM EST
                             It's LocalSystem - (Arkadiy) - March 15, 2005, 11:26:57 AM EST
         VX2 on 2 servers - (andread) - March 31, 2005, 12:31:50 PM EST

He's so far to the right of the bell curve he could drop a marble and it wouldn't roll away.
170 ms