It's no secret that Windows security is akin to that of cheesecloth. As if you needed yet another reason to switch to a real operating system, let's take a look at how to get administrative access on any Windows 2000, XP, Vista, or 7 box that you can physically access and whose boot medium you can change.
This hack is nothing new. I'm not reinventing the wheel. I am, however, bringing this information to the masses of followers that I have, that might not be reading the same things I do online. I do not take credit for this hack, but merely for making you (the reader) aware of it. Also, I am not responsible for any misuse of this information. All information presented here is for educational purposes only, and I do not condone the misuse of this information. With that said...
Let's get right into this hack, shall we? You're going to need some sort of Linux boot media for this. I suggest BackTrack Linux, but anything you can boot from and that can mount an NTFS partition read/write should do the trick. You're also going to need to be able to boot that media -- booting a CD or DVD on a netbook doesn't work so well, and some older motherboards won't boot from a pen drive, so you're going to have to choose the best method for the machine you're working on.
Boot your Linux distro of choice, and mount your Windows drive locally. Make sure you have read/write access to it. In the past, this may have been more difficult, but with the current state of Linux distros, it should be trivial. Once mounted, open a terminal and navigate to the Windows\System32 directory of your Windows disk, which may look something like this: /media/sda1/Windows/System32. Now, enter the following commands:
- $ mv Utilman.exe Utilman.old
- $ cp cmd.exe Utilman.exe
This backs up Utilman.exe (important!) and creates a copy of cmd.exe in its place. Go ahead and unmount the disk, reboot the machine, and load Windows. At the login prompt, press Win+U on your keyboard, and you will be presented with a command line. Type 'whoami' to verify that you are the SYSTEM account, and then type 'explorer' to launch your start menu, taskbar, system tray, and the like. Presumably, you could kill the winlogon process to remove the login screen, although I have not tested this. If someone can verify, please leave it in the comments.
There you have it. You've successfully gained administrative access on the Windows box of your choosing. Remember, when you're done, boot back into Linux and restore the original .exe by copying Utilman.old back to Utilman.exe.
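For anyone on the other side of this, here is an added shell check (not from the original post) that spots the two artefacts the procedure above leaves behind: a Utilman.exe that is byte-for-byte identical to cmd.exe, and a stray Utilman.old backup. It assumes the Windows volume is already mounted and that you pass its System32 directory as the argument; the path name and the function name are my own.

```shell
#!/bin/sh
# Offline integrity check for the Utilman.exe swap described above.
# Usage: check_utilman /media/sda1/Windows/System32   (path is an assumption)
# Exit status: 0 = nothing suspicious
#              1 = Utilman.exe has been replaced with cmd.exe, or a
#                  Utilman.old backup is present
#              2 = one of the expected files is missing

check_utilman() {
    sys32="$1"
    util="$sys32/Utilman.exe"
    cmd="$sys32/cmd.exe"
    status=0

    if [ ! -f "$util" ] || [ ! -f "$cmd" ]; then
        echo "check_utilman: Utilman.exe or cmd.exe missing under $sys32" >&2
        return 2
    fi

    # 'cp cmd.exe Utilman.exe' leaves both files identical, so a plain
    # byte comparison is enough to catch the swap.
    if cmp -s "$util" "$cmd"; then
        echo "ALERT: Utilman.exe is identical to cmd.exe (accessibility binary replaced)" >&2
        status=1
    fi

    # The renamed original is the second tell-tale artefact.
    if [ -f "$sys32/Utilman.old" ]; then
        echo "ALERT: Utilman.old backup present in $sys32" >&2
        status=1
    fi

    return $status
}
```

A clean result only means this particular swap is absent; the control that actually prevents the offline edit is full-disk encryption, since the System32 directory is then unreadable and unwritable from boot media.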
Note: The post title has been changed due to input received from peer response. Thanks for the suggestions, guys.