Google for cmdasuser.exe. Then from the command line: cmdasuser localsystem


-----Original Message-----
From: Wim Remes [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 11, 2006 8:50 PM
To: James Zaros
Cc: [email protected]
Subject: RE: cmd.exe hack

James,

You should do this through the at command in a command prompt.  Through the GUI 
you're required to submit a user. This is no requirement for the at command.

syntax :
C:\>at 21:31 cmd.exe

This is not a 'real hack' since you already need sysadmin rights to perform 
this action.  

-----------------OFF TOPIC
All other [email protected] subscribers, please tweak your 
OOO-settings, because getting the "I'm not here", "I left the company and will 
not return before 2099", "I won the lottery so I'm outta here" message 
50+ times in under 10 seconds is no fun at all!
--------------------------

Regards,

Wim

-----Original Message-----
From: James Zaros [mailto:[EMAIL PROTECTED]
Sent: donderdag 11 mei 2006 18:31
To: [email protected]; Wim Remes
Subject: cmd.exe hack

This question relates to the post immediately below.  When the cmd.exe task is 
running it shows to be running as the administrator in the task manager.  
Is that incorrect? Is it actually running as SYSTEM?

--------------------------------------------------------------------------------
From: Wim Remes [mailto:[EMAIL PROTECTED]
Sent: Mon 5/8/2006 4:11 AM
To: Admin.mmm; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [email protected]
Subject: RE: Tracking moved files?




You can gain SYSTEM privileges by scheduling cmd.exe as administrator. When 
the app starts it runs under SYSTEM. This was shown to me by MS support when
I had some GPO stuff where one of my admins took too many rights away.  When
running cmd.exe scheduled, from there you can start mmc or any other app, 
and that app will run under the same privileges. It allowed me to reset 
privileges on the GPO stuff and see them again on a normal MMC.

just my €.02
Wim
-----Original Message-----
From: Admin.mmm [mailto:[EMAIL PROTECTED]
Sent: maandag 8 mei 2006 13:11
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [email protected]
Subject: RE: Tracking moved files?

I vaguely remember something about a DLT system in w2k.
It tracks the files for indexing purposes and creates a hidden log file.

I dragged this off the MS site:

"The DLT Client service monitors activity on NTFS volumes and stores
maintenance information in a file called Tracking.log, which is located in a
hidden folder called System Volume Information at the root of each volume.
This folder is protected by permissions that allow only the system to have
access to it. The folder is also used by other Windows services, such as
Indexing Service."

If you could log in as system you may glean something from there.

J


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, May 08, 2006 3:51 AM
To: [EMAIL PROTECTED]; [email protected]
Subject: Re: Tracking moved files?

Did you check the recent items to look for a reference to the file on the
thumb drive?

All I could think of on a Sunday morning.

Mike Mackrill

-----Original Message-----
From: Serge Jorgensen <[EMAIL PROTECTED]>
To: [email protected] <[email protected]>
Sent: Thu May 04 10:16:08 2006
Subject: Tracking moved files?

Hello!

I'm trying to show that files were copied and/or moved off a W2K drive
onto a USB stick. Obviously the registry and setupapi files show the
USB installation info - but I can't find the log file (or other
method?) that Windows must use to track files being moved and copied.

I don't have the USB device - which would make this a whole lot easier.

Any ideas would be great.

Thanks.

George



Blessed is the man who, having nothing to say, abstains from
giving wordy evidence of the fact.

George Eliot
(1819-1880, British Novelist)
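
Added example, not written by any poster in this thread: a detection pass over process-creation records that flags the behaviour discussed above, an interactive tool started under SYSTEM by the scheduler service, plus anything launched from it. The record layout, the scheduler process name (mstask.exe) and the tool list are assumptions, and the sample records are constructed.

```python
import csv
import io

# Assumed export layout for process-creation audit records (hypothetical).
FIELDS = ["time", "account", "pid", "ppid", "parent", "image"]
# Assumption: the Task Scheduler service process on the monitored hosts.
SCHEDULER_PARENTS = {"mstask.exe"}
# Interactive tools with little reason to be launched by a scheduled job.
INTERACTIVE = {"cmd.exe", "mmc.exe", "regedit.exe", "taskmgr.exe"}
SYSTEM_NAMES = {"system", "nt authority\\system"}

# Constructed sample records, not taken from a real host.
SAMPLE = r"""2006-05-11 21:30:58,CORP\admin1,1800,1204,explorer.exe,cmd.exe
2006-05-11 21:31:00,NT AUTHORITY\SYSTEM,2040,612,mstask.exe,cmd.exe
2006-05-11 21:31:40,NT AUTHORITY\SYSTEM,2112,2040,cmd.exe,mmc.exe
2006-05-11 22:00:00,NT AUTHORITY\SYSTEM,2200,612,mstask.exe,backup.exe
2006-05-11 22:05:12,NT AUTHORITY\SYSTEM,2300,480,services.exe,svchost.exe
"""


def find_system_shells(text):
    """Return (time, image, reason) for SYSTEM processes that are interactive
    tools started by the scheduler, or descendants of such a process."""
    tainted = set()  # PIDs already flagged; their children inherit SYSTEM
    hits = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if rec["account"].lower() not in SYSTEM_NAMES:
            continue  # ordinary user-context process
        image, parent = rec["image"].lower(), rec["parent"].lower()
        if rec["ppid"] in tainted:
            reason = "child of scheduled SYSTEM shell"
        elif parent in SCHEDULER_PARENTS and image in INTERACTIVE:
            reason = "interactive tool started by scheduler"
        else:
            continue  # routine service or batch job
        tainted.add(rec["pid"])
        hits.append((rec["time"], image, reason))
    return hits


if __name__ == "__main__":
    for hit in find_system_shells(SAMPLE):
        print(*hit, sep=" | ")
```

PID reuse is ignored here, so on a long-running host the tainted set should be cleared when a process-exit record for that PID is seen.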



  