
No administrator level accounts

Status
Not open for further replies.

guitarzan

Programmer
Apr 22, 2003
2,236
US
Well here's one I've never seen before.

Client calls me up, saying they are seeing fake malware messages. I log in as that user (limited user), and it's Antimalware Doctor. So, I log off and log in as an administrator-level account I use, but noticed that I didn't have access to some things. I checked "Computer Management > Users", and THIS user also had only "User" rights (limited user). Ditto for the "Administrator" account. So, I can't make myself an administrator, and can't create a new account.

Since I can only remote in, I cannot go into Safe Mode, so clearly I'm not going to be able to fix this remotely. But even at the console... how would I get administrator control over this computer???
 
I am afraid there is no easy way to reset the Administrator account (other than the password)...

you will most likely need to take the drive out of the ailing PC, hook the drive up to another PC, and scan said drive from that PC, deleting any malware...

then reattach the drive to the original PC, and do an Inplace Upgrade Install (aka Repair Install), reapply any Hotfixes and Updates...

unless someone else knows where the permissions may be hiding in the Registry, then you may be able to edit the registry using a BartPE or WinPE CD...

Ben
"If it works don't fix it! If it doesn't use a sledgehammer..."
How to ask a question, when posting them to a professional forum.
Only ask questions with yes/no answers if you want "yes" or "no"
 
Well, you couldn't do that remotely, I don't think, but if you can get the user to boot from a bootable CD specifically for wiping viruses and such, you could perhaps walk them through the scans, etc... then after that, see if killing off the malware, or enough malware, will let you back at the administrator settings... just a thought, anyway. That's definitely one of the limitations with remote support. [wink]
 
Thanks to both of you,

BigBadBen, yes that's pretty much what I figured. I have an image of this computer (old as it may be), I will just restore from the image and reinstall their other applications.

KJV: Somehow I doubt that even cleaning the virus out would restore the administrator levels, not sure though. I'm kind of curious what really would solve it short of a reload, but I just don't have the time for it.

Scary though... I may make a post in the Virus forum just out of curiosity
 
I'm not sure that even if we KNEW the registry entries to manipulate via connecting the hard drive as a slave that we would be ABLE to discuss that in light of the other discussion on "hacking".


I would say this falls under the same category - upgrading your user rights on a system to Admin. Then you could do anything you want. Slippery slope that, n'est-ce pas?

Another reason why I'm pro-"hacking" discussions.
 
It's a fine line between fighting the bad guys and hacking sometimes. Good point, I don't want this thread removed, although I can understand the site's position. It's not like I don't know the passwords... they are just ALL non-administrator accounts now.

Actually, I guess I would be disappointed if there were an easy fix, as malware would be able to do this easily. But ... I guess it already can (and did) in this case! I hope this was a fluke, because if malware can regularly revoke admin rights from other user accounts... and even do it from a LIMITED account (as seems to have happened in this case), wow...

At any rate, the repair install is a viable non-hacking solution.
 
I'm playing devil's advocate here 100%. I don't think you're a baddie.
 