makemeadmin – Windows XP Admin Escalation Tool

Being a mostly Windows Admin, I constantly find myself in the following situation: A field user with user-only rights calls in from the field with a problem requiring Admin rights to fix. As we don’t use any fancy-dancy two-factor authentication systems, we usually end up having to give the user the Admin password for their Windows XP or 2000 machine over the phone. We keep the passwords very complex, but some users still write the passwords down, then use them later to load their machines up with all their favorite, spyware-laden toys (like CoolWebSearch!). I recently found a tool called makemeadmin which, when paired with XP Remote Assistance, solves the dilemma of having to give out the Admin password to a particular machine.

The makemeadmin tool works like this:

1) You log onto the user’s machine under their normal account using Remote Assistance.
2) You launch the makemeadmin or makemepu (power user) program on the command line and the program asks you for the Admin password.
3) Once the (obscured) correct Admin password is typed, the program launches another Windows Session, makes the current user account an Admin and then asks you to type the user’s password.
4) When the user’s password is correctly typed, a new, red command prompt window opens. This window is essentially another user session running with Admin privileges. Then you can run commands like net localgroup /add "administrators" "username here" to make the user part of the Admin group.

From here you can do all kinds of nifty stuff like change IP addresses, access network stores, share out parts of the hard drive and, my personal favorite, make the user a permanent part of the Admin group. One thing that I haven’t figured out yet is how to enable a network interface in Windows from the command prompt. Usually at this point, we will remotely log the user off, ask them to log back on and then they have full Admin rights so that we can install programs, configure IP, etc. all over Remote Assistance and without compromising the Admin password. Once completed, the user can easily be demoted back to User status from Admin and all is well.
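The promote and demote steps described above can be wrapped in one batch file so that the demotion is verified and both actions leave a record. This is an added example, not part of the makemeadmin kit or the original post; the file name tempadmin.cmd and the log path are assumptions, and a domain account must be given as DOMAIN\user, the way net localgroup lists it.

```batch
@echo off
rem Added example, not part of the makemeadmin kit. The name tempadmin.cmd and
rem the log path are assumptions. Run it from the elevated (red) prompt.
rem Usage: tempadmin.cmd promote^|demote account
setlocal
set "ACTION=%~1"
set "ACCOUNT=%~2"
set "LOG=%SystemRoot%\Temp\tempadmin.log"
if "%ACCOUNT%"=="" goto usage
if /i "%ACTION%"=="promote" goto promote
if /i "%ACTION%"=="demote" goto demote
goto usage

:promote
call :ismember
if not errorlevel 1 (
    echo %ACCOUNT% is already a member of Administrators.
    exit /b 0
)
net localgroup Administrators "%ACCOUNT%" /add
if errorlevel 1 exit /b 1
>>"%LOG%" echo %DATE% %TIME% promote %ACCOUNT%
echo Added. Takes effect at the next logon. Demote when the work is done.
exit /b 0

:demote
net localgroup Administrators "%ACCOUNT%" /delete
rem Do not trust the command's own message: re-read the group to confirm.
call :ismember
if not errorlevel 1 (
    echo WARNING: %ACCOUNT% is still in Administrators.
    exit /b 1
)
>>"%LOG%" echo %DATE% %TIME% demote %ACCOUNT%
echo Removed. Have the user log off: the current session keeps its admin token.
exit /b 0

:ismember
rem Exact, case-insensitive match against each line of the group listing.
rem Returns 0 when the account is listed, 1 when it is not.
set "FOUND=1"
for /f "delims=" %%M in ('net localgroup Administrators') do (
    if /i "%%M"=="%ACCOUNT%" set "FOUND=0"
)
exit /b %FOUND%

:usage
echo Usage: %~nx0 promote^|demote account
exit /b 2
```

Reviewing the log for promote entries that have no later demote entry shows which accounts were left in the Administrators group.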

The scripts that make up the kit are lightweight (around 300k zipped) and work great. The article that describes the scripts and the process is located at:

http://blogs.msdn.com/aaron_margosis/archive/2004/07/24/193721.aspx
http://blogs.msdn.com/aaron_margosis/archive/2005/03/11/394244.aspx

Some of the drawbacks to the tool:
1) It is command-line only so you need to know your Windows command line well to do anything.
2) The program does not invoke a GUI session, so see 1 above.
3) The tool still requires user intervention on the other side of the Remote Assistance session to logoff, log on, etc.

The advantages are pretty obvious and I won’t bore you with them here. While this program isn’t to be considered a cracking tool to get Admin rights when you don’t know the Admin password, it does have tremendous usage potential in everyday scenarios for Windows administrators.
