On Windows 7 there was actually a way to use the "SYSTEM" account (most equivalent to Root on Linux actually) with the Windows Explorer and everything. What you had to do was replace the executable for the Windows Accessibility Stuff with "cmd.exe". Then on the login screen when you clicked on the accessibility button a Command prompt would open. From there you'd have to kill the login screen process (probably the trickiest part) and then run explorer.exe from said command prompt. You're now using the System user with UI and all. _Technically_ it's still possible on Windows 8 and newer, but the explorer will not run if you're not logged into a regular user account (or the here discussed Admin account)
@@RokeJulianLockhart.s13ouq ofc, but it's not a full user experience with taskbar, start menu and all (which is what I was explaining in my original comment)
@@Chickenbreadlp Indeed. Why engineers in later versions of Windows didn't evaluate explorer.exe with higher levels of privilege than merely administrative is very, very weird. The predecessors bothered to. (After all, file pickers for standard Win32 WinForms software is provided by an API that is independent to explorer, as this demonstrates.)
Yeah about this. Once I forgot the password to my user account and I has no other accounts setup as a backup. So I enabled this admin account from the recovery (by selecting cmd) . I changed the password for my user account and then created another account to be used as a backup
5:05 There is a Microsoft-provided tool that _can_ open an interactive Powershell or a command prompt (etc.) as SYSTEM… but for 99.99% of admin tasks it's like using a snowplow to scramble eggs.
I remember accessing this account on old school computers to install the software I wanted. I accessed it by booting in safe mode and there was no password. Back then (around 2005-2010) it always seemed like it was enabled and without a password as default... at least on pre-built machines
I use the Administrator when I need to copy the files off an old drive user folder, as you can copy the files without waiting for it to change the permissions, which can take ages. Open an administrator command line and type "net user administrator /active:yes"; to disable it again, use "net user administrator /active:no".
This is both correct and incorrect - the built-in Administrator account is part of the local Administrators group. Default NTFS permissions on all drives include the Administrators group with full control. If you have an account which you promoted to local administrator by adding it to the local Administrators group, you would not need to do this. Also, if you are able to do "net user administrator /active:yes", then you are already an administrator and this is unnecessary :).
@@ivanpanchev5894 If you add a drive from an old installation of Windows you can access the user files from the main account, but it will spend an age on the permissions before you can access it. From the hidden Administrator, it just opens the user folder for you to do with as you wish.
Hi Brian. If you open elevated CMD (or PowerShell) with an account which is part of the Administrators group - you can browse profile folders without any permissions modification. However, opening it through Explorer will result in 'you need read permissions' in the security tab (also if you try opening it through Explorer it will start granting explicit permissions to your account). I suspect this is because Explorer is not run in the Administrator context - else non-admin users won't be able to use it :D. Could you please try it?
In Windows XP, the account was active and enabled by default, at least prior to SP2. It just wasn't visible on the Welcome Screen. To log in to it, you'd have to press CTRL+ALT+DEL twice when at the Welcome Screen. You'd then be presented with a classic (i.e. Windows 2000 style) login box, and you could just type administrator as the user name and no password (again: default) to log in. I believe Microsoft may have changed the default status of the administrator account in Windows XP Service Pack 2, but, as I said, at least prior to that it was always enabled.
Hidden / Disabled account in Vista and newer. The administrator account was commonly used in 2k / XP / 2k3. Same with "guest" account. It wasn't considered a best practice, but it was extremely common.
In XP the first account created had full administrator privileges, as there was no UAC so someone had to have it, and the account named Administrator could be enabled in Pro. In 2k and lower it was the default account you set a password for in the installer. In 2000 there was also an option to create a less privileged user before first login, but it didn't make any effort to persuade me to do so. On NT4 you had to figure it out for yourself. I ran both as administrator at the time on my personal machine because I didn't know better.
I think it was enablable in XP home too - can't remember how but it wouldn't show on the welcome screen so had to ctrl-alt-del twice to reveal the traditional login dialog. I didn't use home for long though.
Very interesting video! If I may add some precision to the use of the Default account, I've had the opportunity to set up a deployment server for a company once, and the Default account came in quite handy. First should I say that MDT (Microsoft Deployment Toolkit, for making install sequences and other stuff) is using the "super-admin" account, and you can definitely see it using that account when it has to auto-log into it multiple times, doing reboots and all that kind of stuff, so it definitely has a huge utility there. Back to my Default account. Since we were sending around 2 to 3, sometimes up to 5, computers per day on busy days, deploying those computers fast and as automatically as possible is crucial. Though every time we had finished deploying a computer, we had to send it to the user over France, then once the user received it, he had to log in and call us so we could finish the setup for him. That included setting up shortcuts, bookmarks in Chrome, initializing the VPN and other stuff. That was quite the time-consuming task. So when I prepared that WDS/MDT server (it's the deployment server), we made use of the Default account as a template. Turns out every time you log into a computer with a new user, Windows uses that Default account as a template to create your account folder and everything. Knowing this, we could set up the common parameters and for example throw the Chrome bookmarks and desktop shortcuts inside that Default folder to their respective places, and it was working like a charm! Windows was loading the modified Default account and when we logged in with a new user, everything we could set up with the Default account was there and operating! At least this is the use we made of it. I'm sure there are some other uses for it! Apologies for the grammar mistakes if I made any!
Once used this Administrator account when I accidentally changed the rights of my own account to 'docker-user only'. Couldn't do anything anymore, this saved me
I do actually use this account as my main account. I've done so for years on both windows 7 and 10. I do understand why you recommend not using it but for an advanced user, such as myself, I know not to go to certain sites, open certain e-mails, download certain things, etc. I also have a 3rd party firewall as well as a firewall in my router, an anti-virus software running 24/7, a malware detection program that can also detect rootkits and I also disable remote desktop and remote registry. I know this isn't going to guarantee I'll never have a problem but I feel comfortable with it. My brother writes some pretty sophisticated security programs for his personal use so I have the benefit of having access to those as well.
Oh I have gained access to it by accident. I formatted my PC and for some reason it redirected me to the Administrator account instead of my normal user account.
@@tzarg laugh out loud out loud out loud *at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch*
I am a software developer and need to run a lot of batch files, compile applications that modify the registry, and stuff like that on a daily basis. I found that in order to keep my sanity and to be able to do my job efficiently I run Windows using the 'Administrator' account all the time. To run as a regular admin user, I would need to change the permission on the whole C:\ drive and run the command prompt with elevated privileges all the time. I don't use any web browser or email applications on my dev machine and try to minimize the risk of download malware. Thanks for your video and clear explanations.
The SID 500 account .\Administrator does in fact have rights over regular local admins and domain admins. For example, if you deactivate UAC regularly for another .\Administrators member, a hidden UAC feature is still active that prevents certain actions from remote execution. This restriction can only be globally disabled via registry hack, but the .\Administrator is never affected. In rare cases it can make sense to temporarily enable 500 in server environments for this. The main reason you don't use the 500 is that it can be bruteforced endlessly, because it can't be locked out.
That 500 Admin account CAN be locked out/banned, if you enforce a lock on "X failed password attempts" using GPO. I noticed that when I opened a telnet port on my server towards the internet and that account was banned in less than 10 seconds.
@@Purple.Tentacle It gets even weirder if I tell you that account wasn't even enabled. They managed to ban an inactive account over telnet. Had to geoblock countries after that - and then switched to Arch Linux last year.
That's more like a "hidden" admin account rather than a "super" admin account because it doesn't do more than what an actual admin account could do anyway except that there is no UAC popup. Anyways very good info. I never knew about this.
My windows just corrupted where i just lost all my admin rights last night then out comes your video which helped me to get the super admin account through safe mode where i can do a repair upgrade instead of a clean install and all my files can stay intact
I've seen business PCs in 2020 with Windows XP (could not be a big deal if it was not exposed to threats like the internet) using the Administrator account as the main account as an everyday consult PC, and we talk about a shop with personnel with no particular training in avoiding malware; at least they put a password on admin, although it was four characters long
My computer doesn't have an account called "administrator".....however, since I have Pro edition I have modified the name in there to "thy lord and master"......that said, I also have the system account and the psutils to access it. In cmd it reads whoami as ntauthority/system. Edit @5:10 Yes the heck you can. Using psutils you can run an instance of cmd as system, close explorer.exe then reopen from cmd and you ARE logged in as system at that point
I fucked up my windows installation yesterday, but I thankfully had the four USB sticks you told me to make. I only used the windows one but thanks anyway!
there is another way... at the first setup screen on a fresh Windows install (OOBE), hit CTRL+shift+F3. The PC reboots and logs in as "administrator" in "sysprep audit mode". Don't close the sysprep popup, uninstall bloatware etc, then OK the sysprep popup. Handy shortcut. It's mainly used for cloning PCs, preinstalling apps.
You can run programs with the System account and kinda log in to it, though it surely is not to be recommended. :D With certain modifications you can launch a system cmd in the Windows login, launch the explorer process with it, and suddenly you're kinda logged in with the system account.
On my main PC I've been running as full admin since before Vista came out. I was a beta tester for Vista. Not a single issue has arisen in all these years.
This "super admin" account is NOT the root account of Windows NT. The real actual root user is System. It is possible to invoke NT authority System from a user in the Administrators group. Trustedinstaller is also root user. I came back to this video now 2 years later because I somehow turned my normal account into a "super admin" so everything is run as admin, same in the run dialog but I forgot how to disable it.
Oh yeah, I remember this account, it was the account that my dumb younger self actually activated, renamed and used as main account each time I reinstalled Windows.
The apps used on the default account are just the apps specifically used between all users with basic privileges. If you give an app permissions above the default access it will run that process in an elevated state through the admin accounts, but the rest of the app or processes will stay running within the default account. Apps can run in multiple accounts at the same time, or at least their parts run in whichever account they have privileges to run in
XP also had a prompt to give this Admin account a password when installing Windows, but only on Pro; Home installs were left without the password. So the only thing you needed to get into an XP machine with Home was to boot into safe mode and use the unprotected Administrator to create your new admin account. Worked in like 99% of cases, very few ppl using Home even heard of it, much less bothered to add a password for it.
Using the sethc exploit on the login screen allows you to use the whole pc as system excluding some features like explorer. A lot of functions break under system
@@oyerkproto using psutils from Microsoft you can use system as the entire system including an instance of explorer running under the system account, also full access to regedit, including all the hidden stuff
With some tricks you can log into System and even run explorer.exe. It just isn't useful most of the time because most programs say the user account is invalid, but it is useful for removing malware.
Nothing secret about the "RID500" account, it's the only true local admin account on a Windows machine. All other members of the administrators are under the "Admin Approval Mode" it's like root vs super user.
7:30 actually you can relatively easily escalate to the NTAuthority/System account which has even more permissions than the Administrator account (as in, it doesn't need to edit the ACL to modify core system files).. so yeeah.. disabling the Administrator account to prevent priv escalation isn't really useful
@@ToniMorton Doesn't matter. The restriction is only for the explorer (i.e. the explorer checks if it's running as SYSTEM and kills itself if that's the case). Malware with a priv escalation exploit can still escalate to SYSTEM without any problems.
@@ToniMorton sure, but unlocked physical access is usually out of scope. Even if VID/PID attacks e.g. Razer drivers are easy to block, hardware probing (SPI/RAM) is usually doable. Silent Windows privescs are common, but I wouldn't call them trivial by any means (at least theory-wise, being a skiddie is always easy). LAPS or disabling LA are industry-standard for good reasons.
This is not completely accurate:
- the default "Administrator" account always existed (just look at Windows NT 3, 4 and Windows 2000);
- the account with the highest level of privileges, that is equivalent to the Linux "root" account, is the so-called built-in "SYSTEM" account on Windows;
- the "Administrator" account on Windows is slightly less privileged compared to "SYSTEM".
You rarely use the root account in Linux/unix anyway. If you need root-type privileges, you just type sudo and put in the root password. It only works for one session/task, and if you do more admin stuff, you have to type sudo again. So if you have to do a lot of tasks that require admin, you log in as root, do the stuff, and log out and back into a regular user account.
Using WinAeroTweaker, there is a registry edit that allows you to enable UAC on the "Super Admin" account, thus nullifying some of its security risks if a hacker finds out a way to enable it.
Windows Server versions (2003, 2008, 2012, 2016, 2019, 2022) have it enabled since installation: when you are installing it, you will be asked to create an account, which is the Administrator account.
It also gives privileges to routine jobs they don’t want you to stop. Like the registration numbers of programs and matches with registered name opens communication so they can shut your computer down
When you want to capture your own .wim media, you may like the Administrator account. And there is a setting in group policy to turn on UAC for this account. So it is ok for an IT guy to use it carefully.
You can actually secure the Administrator account. To do that you can download a program called Winaero Tweaker and it has some options to force uac on the Administrator account.
There is a EnableLUA DWORD in the registry. If you set it to 0 you get the same thing the Built-in Administrator account does. Don't do this though. Also, TrustedInstaller is the SYSTEM user. And the SYSTEM user is a user account. You just can't login to it (well, when you're on the login screen you technically are logged in). To prove this, try creating an account called "TrustedInstaller". Then try to create an account called "SYSTEM". See what happens.
In fact in XP days it was almost considered a backdoor: you want to enter a password-protected Windows XP, enter safe mode by hitting F8 during initial Windows boot and voilà, Administrator doesn't have a password and can delete the other admins' passwords
In my opinion you can make two .bat files, one to enable and another to disable the admin account, or one that enables/disables, and keep them on your PC just in case of need. But I have not found a situation to use the "Admin" account; however there will always be someone that will try, so I suggest that if you are going to mess with your Windows, better create a system image for recovery
A really cool video, thank you, do post these videos. I remember one of your videos where you showed how to open the hidden cores in the CPU; it would be great if you could repost it, thanks.
I think this was a decent explanation at levels people who don't know would like to understand. Great work. One more important thing is that if a bad guy can get on your computer, and you are an administrator (even not the Windows Administrator account), and the bad guy can then use those admin permissions to escalate to the NT AUTHORITY\SYSTEM account that you can't login to, and it's very trivial to accomplish this using Microsoft's own administrator tools available from Microsoft. These permissions (SYSTEM) are far above the rest, and closest to "root" on Windows. This is where Windows Rootkits can be installed, which are extremely dangerous things, and nearly undetectable within the operating system. Don't do anything as Admin if you don't NEED to do it as admin... and always require a password, and make it a good one.
The main security issue with the Administrator account is that it can never be locked out from logging on locally due to wrong password. Major security breach. This feature can be used to try and brute force it through another account.
I actually enabled it because I somehow corrupted my main account so I had to enable it from linux to be able to do anything on Windows. Man I love Windows ;))) Update: Corrupt past the point of recovery. I couldn't even delete it w/o crashing my software.
If I remember correctly, Administrator cannot be locked after whatever number of unsuccessful logon attempts is defined in group policy. That is also one of the properties that other admin accounts do not have.
that account can be exploited even with it disabled. It is actually running in the login screen. There are ways to change the sticky keys app to cmd by just using a recovery disc. No passwords needed. Then you restart, press shift a whole bunch and bam, you have a completely elevated command prompt without even logging in. From there you can do just about anything if you know what you are doing.
I can remember the good old days of sitting in class in junior high school constantly "fixing" my classmates' PCs by removing the battery while our Windows 7 PCs booted. So I used to do some magic with Windows 7 diagnostics, as at the very end you could open a .txt file to go through the logs. Used to open that txt file and then "save as", then choose to show all file extensions, navigate my way to windows\system32 and make a copy of cmd.exe and rename sethc.exe to sethc.exe.old, then rename the cmd - copy to sethc.exe. Then just quit the diagnostics without saving, boot normally into Windows 7. Press shift 5 times, then cmd would start; doing a "whoami" would result in "nt authority\system". Made a good few NOK (Norwegian kroner) as a 13-14 year old kid. Anything to play games and bypass the firewall with proxies and VPNs
After testing this again on a virtual computer I have found out it is not Windows 7 Diagnostics, but the "Startup Repair" option you get if you kill the power while it's loading Windows. My bad
5:06 you CAN get into the SYSTEM account, at least up to windows 7, I have not tested this on windows 8+ however (makes me actually want to check this at a somewhat soon, but later date)
JOE, I'm an I.T. guy. The reason I used this account is to install some programs on my domain. Certain programs we use will only run on the Administrator account; these programs will not install on the computer even if the user is an admin on the domain
there's a super SUPER admin called "SYSTEM" in windows, you might have seen it in windows xp, it was pretty easy to get into it. but that has changed. in vista and above, you replace c:\windows\system32\sethc.exe with cmd, go into logonui and press shift 5 times. then you can open explorer, but you can't open file explorer or control panel
NOTE: Turns out lusrmgr.msc might only show up if you're running Windows Pro or higher, not home. You can still enable the account via the command prompt method later in the video.
Hi
What is ThioTangent™
Cool Thanks Joe That was actually my question
It's worthless, it asks to enter password to log in
I use pro
its fine to always use administrator acc if you're like, sentient and know how to not download malware
First to this comment
true
But the built-in account won't let you do a lot of things. Using a regular user account with admin privileges (and disabling UAC) will give you a lot more freedom.
At least when I last tried it years ago, a lot of programs and actions refused to run under this account, saying "dude, this account is for maintenance and, well, _administration._ If you want to just use stuff, be a _user"_ (might not be verbatim)
I don't remember which things exactly, but I think MS Office, specifically Outlook, was among them.
I'm gaming
100%
As you mentioned, the SYSTEM account has the highest privileges within Windows. Anything that runs under this account is basically treated as part of the OS itself. A fun fact though is that if you use the task scheduler, you can actually make anything run using the SYSTEM account by ticking 'run with highest privileges'. This bypasses UAC even if it's enabled so it can be useful if you want to give a program admin permissions on login for example (of course only if you 100% trust it and know what you're doing)
Correction: system is the second highest. TrustedInstaller has the highest privileges
That works on Windows NT, 2000 and XP, but I could not make this trick work in more recent Windows versions. That was a very useful trick when I needed to remove viruses by hand from infected systems.
If you have a way to make it work on a current version of Windows, I'll take it.
@@oyerkproto I understood that no user or privilege has full OS access on recent windows versions. But I may have misunderstood something.
Speaking of system, I am trying to log into that user.
@@thepianozoopmasterMAN you can't. It's not a user, it is a privilege.
I don't know how, but whenever I'm stuck with something on my PC, Thio uploads the exact same video as the solution the next day😂
You may have psychic powers.
Please don't hurt me
You're a wizard, Dhamu
bro.. my name is Harsh as well... but not Dhamu, my name is Harshvardhan Nair
*Plot Twist: ThioJoe is the Super Admin*
LOL XD
true:)
lol
*ThioJoe Ban Hammer Sounds intensifies*
lol
Curious when you'll talk about the OOBE of win 10 and its "secret" keyboard shortcuts. (Ctrl-shift-F3 for pre-oobe admin environment, shift-F10 for console, windows 5 times for Autopilot deployments, ...)
I use them daily to set up Laptops at work, but it was amazing to learn about them initially as they are so incredibly rarely used by anyone aside Enterprise IT Admins.
That's not known in our company... Can someone tell me more about it?
Older Windows versions in the NT family also had other ways to get in and / or escalate privileges, including methods that involved renaming the logon screensaver or even scheduling a task to run an elevated Task Manager (before Win7 made it easier to do so.) Fortunately it was rare that such methods were needed, but handy in emergencies.
I remember watching him so long ago that he used to be like do this if you want your Xbox to turn into a ps4 and the fact some people fell for it made me laugh
I haven't watched Thio since I was 7 (I'm 13 now)
first video I saw was Turn your PS3 into a PS4 🤣🤣🤣
lol true
I didn't fall for it but my friend did
What do you mean “fall for it,” all of them work.
Clickbait king
Maybe the reason your default admin was not enabled in safe mode is because you had a regular admin account enabled. The default admin is only enabled in safe mode if:
1. There is no other admin or privileged account you can log on (all regular admin users being disabled,...), and
2. The computer is NOT part of a domain.
Best practice is to create a new account to be the administrator, so it has a different SID than the built-in Administrator account, and put a strong password on it. Then use a regular User account for your day-to-day use. Then when the UAC comes up it will ask for the password for the admin account rather than just asking "hey ya wanna?".
That would be good for the malware that doesn’t need admins permission.
Do this if your kids using pc
you can also just change the default account you create to non-admin. OFC you have these idiots who use Microsoft accounts that have auto admin privileges :C
but if the user isn't admin, the user rather types the password into a fake UAC. with the admin account, most people would think before they type when they just normally click
I use Administrator account and set to ask for password when UAC comes up.
@@rohansampat1995 Microsoft accounts can be set to be standard accounts; they are not required to be admin.
The account must be another account other than the out of the box first account though, as the PC needs to have at least one active admin account.
If a user has logged in with a Microsoft account on first setup, they can create another account, or activate this administrator account, go to the other admin account and then set their main Microsoft account as a standard account.
Thio still seems young so this use case might have escaped him. When you've migrated files from computer to computer... one day you might be looking for a file you created back in the 90's and have no access. The user accounts from years ago might not be what you use today. Thus, that "Secret" Admin account (which wasn't a secret to me) turned out to be very useful in manually setting permissions of old files so that users of the current computer could access them. The regular admin account hadn't such power.
Omg, that hadn't occurred to me as I was just slammed by something pre-existing that has root on every hard drive now as I was migrating old drives to a central hub. Took over day 1 New 16char wifi 6 network access (from 4, where it followed from) & sideloaded the droid. + Factory reset on that Win account. Whatever it was used this, and even air gapped it managed to make my old memories now a time bomb or future storage, from W7-11, Android 11 + 13, (changed to some Chinese bullshit.) Never in my life had tech go this sideways. Oh, found an Access Point through Verizon, that's cute. Fml.
Linux makes this super easy with chmod and chown
For anyone who wants to enable this on Windows 10 HOME, open cmd and type net user administrator (Enter a password here) then type net user administrator /active:yes. That will enable the account on any HOME version of Windows that does not have the group policy editor.
You mean the Local User Management MMC console ;)... (GPO editor is something else)
...by the way he said that in the video
On Windows 7 there was actually a way to use the "SYSTEM" account (most equivalent to Root on Linux actually) with the Windows Explorer and everything.
What you had to do was replace the executable for the Windows Accessibility Stuff with "cmd.exe". Then on the login screen when you clicked on the accessibility button a Command prompt would open. From there you'd have to kill the login screen process (probably the trickiest part) and then run explorer.exe from said command prompt.
You're now using the System user with UI and all
_Technically_ it's still possible on Windows 8 and newer, but the explorer will not run if you're not logged into a regular user account (or the Admin account discussed here)
The filesystem can be navigated via an Open File dialogue of notepad.exe.
@@RokeJulianLockhart.s13ouq ofc, but it's not a full user experience with taskbar, start menu and all (which is what I was explaining in my original comment)
Windows has a system integrity system that will replace the changed original exe.
@@Chickenbreadlp Indeed. Why engineers in later versions of Windows didn't evaluate explorer.exe with higher levels of privilege than merely administrative is very, very weird. The predecessors bothered to. (After all, file pickers for standard Win32 WinForms software is provided by an API that is independent to explorer, as this demonstrates.)
As Enderman usually demonstrates, sethc.exe usually isn't checked as part of System Integrity Protection@@RKingis
Yeah about this. Once I forgot the password to my user account and I had no other accounts set up as a backup. So I enabled this admin account from the recovery (by selecting cmd). I changed the password for my user account and then created another account to be used as a backup.
@@SeventhEntropy oh boy. If that's the case then you just learned a new method
@@r.g7261 I just use Kali Linux, there was a program chntpw(not sure of the name) by using that u can change or remove the password
5:05 There is a Microsoft-provided tool that _can_ open an interactive Powershell or a command prompt (etc.) as SYSTEM… but for 99.99% of admin tasks it's like using a snowplow to scramble eggs.
I remember accessing this account on old school computers to install the software I wanted. I accessed it by booting in safe mode and there was no password. Back then (around 2005-2010) it always seemed like it was enabled and without a password as default... at least on pre-built machines.
I use the Administrator when I need to copy the files off an old drive's user folder, as you can copy the files without waiting for it to change the permissions, which can take ages. Open an administrator command line and type "net user administrator /active:yes"; to disable it again, use "net user administrator /active:no".
Or use the installer to change utilman.exe to a cmd and then use an even more powerful cmd on the login screen to do it.
@@DarkBraveStuff usually this would be on Joe Public's computer so giving them access to a more powerful cmd is not a good idea.
This is both correct and incorrect - the built-in Administrator account is part of the local Administrators group. Default NTFS permissions on all drives include the Administrators group with full control. If you have an account which you promoted to local administrator by adding it to the local Administrators group, you would not need to do this.
Also, if you are able to do "net user administrator /active:yes", then you are already an administrator and this is unnecessary :).
@@ivanpanchev5894 If you add a drive from an old installation of Windows you can access the user files from the main account, but it will spend an age on the permissions before you can access it. From the hidden Administrator, it just opens the user folder for you to do with as you wish.
Hi Brian. If you open elevated CMD (or PowerShell) with an account which is part of the Administrators group, you can browse profile folders without any permissions modification. However, opening it through Explorer will result in 'you need read permissions' in the security tab (also if you try opening it through Explorer it will start granting explicit permissions to your account). I suspect this is because Explorer is not run in the Administrator context - else non-admin users won't be able to use it :D. Could you please try it?
In Windows XP, the account was active and enabled by default, at least prior to SP2. It just wasn't visible on the Welcome Screen. To log in to it, you'd have to press CTRL+ALT+DEL twice when at the Welcome Screen. You'd then be presented with a classic (i.e. Windows 2000 style) login box, and you could just type administrator as the user name and no password (again: default) to log in. I believe Microsoft may have changed the default status of the administrator account in Windows XP Service Pack 2, but, as I said, at least prior to that it was always enabled.
Yes. That account being perma-enabled also helped with the spread of certain viruses, that's why it's locked and restricted to local login now.
Hidden / Disabled account in Vista and newer. The administrator account was commonly used in 2k / XP / 2k3. Same with "guest" account. It wasn't considered a best practice, but it was extremely common.
I believe that the GUID of the "administrator" account was the same on all systems, which had pros and cons.
In XP the first account created had full administrator privileges as there was no UAC so someone had to have it, and the account named Administrator could be enabled in Pro. In 2k and lower it was the default account you set a password for in the installer. In 2000 there was also an option to create a less privileged user before first login but it didn't make any effort to persuade me to do so. On NT4 you had to figure it out for yourself. I ran both as administrator at the time on my personal machine because I didn't know better.
I think it was enablable in XP home too - can't remember how but it wouldn't show on the welcome screen so had to ctrl-alt-del twice to reveal the traditional login dialog. I didn't use home for long though.
9:38 If you use the windows installation media (Thio mentioned that last video), then you do not need to type in any password.
Correct. Drive encryption is the only solution to protect the installation here.
Very interesting video!
If I may add some precision to the use of the Default account, I've had the opportunity to set up a deployment server for a company once, and the Default account came in quite handy.
First should I say that MDT (Microsoft Deployment Toolkit for making install sequences and other stuff) is using the "super-admin" account, and you can definitely see it using that account when it has to auto-log into it multiple times, doing reboots and all that kind of stuff, so it definitely has a huge utility there.
Back to my Default account. Since we were sending around 2 to 3, sometimes up to 5, computers per day on busy days, deploying those computers fast and as automatically as possible is crucial. Though every time we had finished deploying a computer, we had to send it to the user over France, then once the user received it, he had to log in and call us so we could finish the setup for him. That included setting up shortcuts, bookmarks in Chrome, initializing the VPN and other stuff. That was quite the time-consuming task. So when I prepared that WDS/MDT server (it's the deployment server), we made use of the Default account as a template. Turns out every time you log into a computer with a new user, Windows uses that Default account as a template to create your account folder and everything. Knowing this, we could set up the common parameters and, for example, throw the Chrome bookmarks and desktop shortcuts inside that Default folder in their respective places, and it was working like a charm! Windows was loading the modified Default account and when we logged in with a new user, everything we could set up with the Default account was there and operating!
At least this is the use we made of it. I'm sure there are some other uses for it!
Apologies for the grammar mistakes if I made any!
Once used this administrator account when I accidentally changed the rights of my own account to 'docker-user only'. Couldn't do anything anymore, this saved me.
I had forgotten about that, I remember having to enable it in Vista for some reason.
I do actually use this account as my main account. I've done so for years on both windows 7 and 10. I do understand why you recommend not using it but for an advanced user, such as myself, I know not to go to certain sites, open certain e-mails, download certain things, etc. I also have a 3rd party firewall as well as a firewall in my router, an anti-virus software running 24/7, a malware detection program that can also detect rootkits and I also disable remote desktop and remote registry. I know this isn't going to guarantee I'll never have a problem but I feel comfortable with it. My brother writes some pretty sophisticated security programs for his personal use so I have the benefit of having access to those as well.
Oh I have gained access to it by accident. I formatted my PC and for some reason it redirected me to the Administrator account instead of my normal user account.
Well I'm definitely not gonna enable that (I might do it on my script tester virtual machine)
lololololololoololol
@@tzarg laugh out loud out loud out loud *at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch at lunch*
GioFilms r/ihadastroke reference
@@cycrothelargeplanet LOL XD
I am a software developer and need to run a lot of batch files, compile applications that modify the registry, and stuff like that on a daily basis. I found that in order to keep my sanity and to be able to do my job efficiently I run Windows using the 'Administrator' account all the time. To run as a regular admin user, I would need to change the permissions on the whole C:\ drive and run the command prompt with elevated privileges all the time. I don't use any web browser or email applications on my dev machine and try to minimize the risk of downloading malware. Thanks for your video and clear explanations.
Your content is always amazing. Thank-you.
5:03 The TrustedInstaller user is really the SYSTEM user with fewer privileges.
The SID 500 account .\Administrator does in fact have rights over regular local admins and domain admins. For example, if you deactivate UAC regularly for another .\Administrators member, a hidden UAC feature is still active that prevents certain actions from remote execution. This restriction can only be globally disabled via a registry hack, but the .\Administrator is never affected.
In rare cases it can make sense to temporarily enable 500 in server environments for this.
The main reason you don't use the 500 is that it can be bruteforced endlessly, because it can't be locked out.
That 500 Admin account CAN be locked out/banned, if you enforce a lock on "X failed password attempts" using GPO. I noticed that, when I opened a telnet port on my server towards the internet and that account was banned in less than 10 seconds.
@@Sypaka Interesting, did not know you can force it via GPO, might actually be useful for me in one case.
The Telnet ban gave me a good laugh :D
@@Purple.Tentacle It gets even weirder if I tell you that account wasn't even enabled. They managed to ban an inactive account over telnet. Had to geoblock countries after that - and then switched to Arch Linux last year.
Just remembered this account existed. I used to follow this account like 8 years ago and it’s crazy the content hasn’t changed at all
YET ONE MORE TIME JOE UPLOADS LIFE JUICE.
That's more like a "hidden" admin account rather than a "super" admin account because it doesn't do more than what an actual admin account could do anyway except that there is no UAC popup. Anyways very good info. I never knew about this.
U always make vids I like thanks for the great content
My Windows just got corrupted and I lost all my admin rights last night, then out comes your video, which helped me to get the super admin account through safe mode, where I can do a repair upgrade instead of a clean install and all my files can stay intact.
Hi, Thio! Respect!
You already talked about it i think, already knew, Nice video man
I thought it would be the NT Authority/System account, since that is abused often during privilege escalation
Same
Same here too
It indeed is the "SYSTEM" builtin account that is equivalent to the linux "root" account.
@@hbm293 wrong. NT Authority/System can't delete certain files (example: hal.dll). The account that actually has all privileges is TrustedInstaller.
@@kenziewebm That's correct, in Windows Vista+.
I've seen business PCs in 2020 with Windows XP (could not be a big deal if it was not exposed to threats like the internet) using the Administrator account as the main account as an everyday consult PC, and we talk about a shop with personnel with no particular training in avoiding malware; at least they put a password on admin, although it was four characters long.
My computer doesn't have an account called "administrator".....however, since I have pro edition I have modified the name in there to "thy lord and master"......that said, I also have the system account and the psutils to access it. In cmd it reads whoami as ntauthority/system
Edit
@5:10
Yes the heck you can
Using psutils you can run an instance of cmd as system, close explorer.exe then reopen it from cmd and you ARE logged in as system at that point.
I fucked up my windows installation yesterday, but I thankfully had the four USB sticks you told me to make. I only used the windows one but thanks anyway!
Thio: Is that Express V-neck tee? Love it! ☺
There is another way... at the first setup screen on a fresh Windows install (OOBE), hit CTRL+Shift+F3. The PC reboots and logs in as "administrator" in "sysprep audit mode". Don't close the sysprep popup, uninstall bloatware etc., then OK the sysprep popup. Handy shortcut. It's mainly used for cloning PCs, preinstalling apps.
You can run programs with the System account and kinda log in to it, though it surely is not to be recommended. :D
With certain modifications you can launch a system cmd in the Windows login, launch the explorer process with it, and suddenly you're kinda logged in with the system account.
On my main PC I've been running as full admin since before Vista came out. I was a beta tester for Vista. Not a single issue has arisen in all these years.
I've never been in a car accident but I'm not about to stop wearing my seatbelt.
Just because you've been lucky so far doesn't make it a smart idea.
I like your background colors so much! And the video quality got so much better
Fun fact: He was an admin.
This "super admin" account is NOT the root account of Windows NT. The real actual root user is System. It is possible to invoke NT authority System from a user in the Administrators group. Trustedinstaller is also root user. I came back to this video now 2 years later because I somehow turned my normal account into a "super admin" so everything is run as admin, same in the run dialog but I forgot how to disable it.
Oh yeah, I remember this account, it was the account that my dumb younger self actually activated, renamed and used as main account each time I reinstalled Windows.
The apps used on the default account are just the apps specifically used between all users with basic privileges. If you give an app permissions above the default access it will run that process in an elevated state through the admin accounts, but the rest of the app or processes will stay running within the default account. Apps can run in multiple accounts at the same time, or at least their parts run in whichever account they have privileges to run in.
*plot twist: ThioJoe is Bill gates.*
XP also had a prompt to give this Admin account a password when installing Windows, but only on Pro; Home installs were left without the password. So the only thing you needed to get into an XP machine with Home was to boot into safe mode and use the unprotected Administrator to create your new admin account. Worked in like 99% of cases, very few people using Home even heard of it, much less bothered to add a password for it.
This isn't a super administrator or root account, this is just the default built in Administrator account. The root account in Windows is SYSTEM.
Using the sethc exploit on the login screen allows you to use the whole pc as system excluding some features like explorer. A lot of functions break under system
@FuchsPlayZ the sethc exploit is like the one key to the whole system
@@oyerkproto ah yes this is the real sneaky sneaky one
@@oyerkproto using psutils from Microsoft you can use system as the entire system including an instance of explorer running under the system account, also full access to regedit, including all the hidden stuff
I'll try to find and run it using VMware when I get the chance, thanks for telling me!
This has baffled me for a while. Thanks for reviewing this.
I love when ThioJoe tries so hard to be relevant in the thumbnail. ☻😂
What’s that white smile face emoji?
@@weeezer212 ☻
THANK YOU! This randomly popped into my feed and was the answer to the question i had for MONTHS
i lost count how many times you've warned not to enable the super admin account... I'm scared and curious at the same time
With some tricks you can log into System and even run explorer.exe. It just isn't useful most of the time because most programs say the user account is invalid, but it is useful for removing malware.
Nothing secret about the "RID500" account, it's the only true local admin account on a Windows machine. All other members of the administrators are under the "Admin Approval Mode" it's like root vs super user.
Lol came to say exact same thing
*When the IT guy at school forgot to turn off super admin*
Me: well let’s delete system 32
There's another account that has even higher privileges than Administrator. It's called NT AUTHORITY/SYSTEM and it's hidden by default.
Back to back awesome videos by ThioJoe
7:30 actually you can relatively easily escalate to the NTAuthority/System account which has even more permissions than the Administrator account (as in, it doesn't need to edit the ACL to modify core system files).. so yeeah.. disabling the Administrator account to prevent priv escalation isn't really useful
@@ToniMorton Doesn't matter. The restriction is only for the explorer (ie. the explorer checks if it's running as SYSTEM and kills itself if that's the case). Malware with a priv escalation exploit can still escalate to SYSTEM without any problems.
What's your privesc method? I didn't think it was particularly easy until PrintNightmare etc. came along
@@ToniMorton sure, but unlocked physical access is usually out of scope. Even if VID/PID attacks eg Razer drivers are easy to block, hardware probing (SPI/RAM) is usually doable. Silent Windows privescs are common, but I wouldn't call them trivial by any means (at least theory-wise, being a skiddie is always easy). LAPS or disabling LA are industry-standard for good reasons.
Where does ThioJoe get this knowledge? INTERESTING!!!!!!!!!!!!
Linux gang 😎😎
linux on windows gang 😎😎
Windows AND Linux gang 😎😎
I Dunno What To Pick Gang 😎😎
unix gang 😎😎
Same but I am Linux windows 10 , 7 ,xp and Mac to gang😎😎
Last video watched from you was breaking into house for wi fi password...got recommended after long time...
Wao love from Pakistan 💕😘😘😘
Is valid in India or not?
@@Freddy_Guy bruh obviously, why wouldn't it? Windows isn't region locked
Thanks for the video, Joe!
This is not completely accurate:
- the default "Administrator" account always existed (just look at Windows NT 3, 4 and Windows 2000);
- the account with the highest level of privileges, that is equivalent to Linux's "root" account, is the so-called built-in "SYSTEM" account on Windows;
- the "Administrator" account on Windows is slightly less privileged compared to "SYSTEM".
You didn't watch it all
You rarely use the root account in Linux/unix anyway. If you need root-type privileges, you just type sudo and put in the root password. It only works for one session/task, and if you do more admin stuff, you have to type sudo again. So if you have to do a lot of tasks that require admin, you log in as root, do the stuff, and log out and back into a regular user account.
Using WinAeroTweaker, there is a registry edit that allows you to enable UAC on the "Super Admin" account, thus nullifying some of its security risks if a hacker finds out a way to enable it.
Windows Server (2003, 2008, 2012, 2016, 2019, 2022) has it enabled since installation: when you are installing it, you will be asked to create an account, which is the administrator account.
Best tech videos . Always ready to watch
2:45 unless you’re running disk encryption someone with physical access to a computer can already do whatever they want.
It also gives privileges to routine jobs they don’t want you to stop. Like the registration numbers of programs and matches with registered name opens communication so they can shut your computer down
When you want to capture your own .wim media, you may like the Administrator account. And there is a setting in group policy to turn on UAC for this account. So it is ok for an IT guy to use it carefully.
That thumbnail is so funny! 😂
Appreciate the knowledge shared on this topic ThioJoe! Quite useful 👍
You can actually secure the Administrator account.
To do that you can download a program called Winaero Tweaker and it has some options to force uac on the Administrator account.
There is an EnableLUA DWORD in the registry. If you set it to 0 you get the same thing the built-in Administrator account does. Don't do this though.
Also, TrustedInstaller is the SYSTEM user. And the SYSTEM user is a user account. You just can't login to it (well, when you're on the login screen you technically are logged in). To prove this, try creating an account called "TrustedInstaller". Then try to create an account called "SYSTEM". See what happens.
In fact in XP days it was almost considered a backdoor: you want to enter a password-protected Windows XP, enter safe mode hitting F8 during initial Windows boot and voilà, Administrator doesn't have a password and can delete the other admins' passwords.
Actually you just needed to double tap CAD, and would show the older style login screen.
In some Linux distros, root is disabled by default. (If you want root privileges, use sudo; if you want a root shell use sudo su) : )
In my opinion you can make two .bat files, one to enable and another to disable the admin account, or one that enables/disables, and keep them on your PC just in case of need. But I have not found a situation to use the "Admin" account; however there will always be someone that will try, so I suggest that if you are going to mess with your Windows, better create a system image for recovery.
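The thread keeps coming back to the same three controls: whether the built-in RID-500 account is enabled (the `net user administrator /active:yes|no` toggle above), the EnableLUA value a few comments up, and the Winaero Tweaker / group-policy setting that makes UAC apply to the built-in Administrator. The script below is an added example, not code from the video or any commenter; it audits those three settings and can apply the hardened posture. It assumes an elevated PowerShell 5.1+ session on Windows 10/11 with the Microsoft.PowerShell.LocalAccounts cmdlets available, and it uses the FilterAdministratorToken value (the registry name behind "Admin Approval Mode for the built-in Administrator account"), which the comments refer to only by its tweaker/GPO description.

```powershell
# Added example (not from the video or any commenter): audit and harden the
# built-in RID-500 Administrator account and the two UAC registry values
# discussed in the thread. Run from an elevated PowerShell 5.1+ session.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-BuiltinAdministrator {
    # Identify the built-in account by its SID suffix (RID 500), never by name:
    # one commenter renamed theirs, and the name is trivially changeable.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
}

function Get-UacSetting {
    param([Parameter(Mandatory)][string]$Name, [int]$Default)
    # A missing value means the Windows default applies; the caller supplies it.
    $item = Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

function Test-AdminAccountPosture {
    $admin = Get-BuiltinAdministrator
    # EnableLUA = 1 means UAC is on at all (default 1).
    $enableLua = Get-UacSetting -Name 'EnableLUA' -Default 1
    # FilterAdministratorToken = 1 means Admin Approval Mode also applies to
    # RID 500, so it gets UAC prompts like any other admin (default 0).
    $filterToken = Get-UacSetting -Name 'FilterAdministratorToken' -Default 0

    $findings = @()
    if ($admin.Enabled) {
        $findings += "RID-500 account '$($admin.Name)' is ENABLED; disable it unless you are mid-recovery."
    }
    if ($enableLua -ne 1) {
        $findings += "EnableLUA is $enableLua: UAC is off for every admin, which is what the thread warns against."
    }
    if ($filterToken -ne 1) {
        $findings += "FilterAdministratorToken is $filterToken: the built-in Administrator runs with no UAC prompts."
    }
    [pscustomobject]@{
        AccountName              = $admin.Name
        Enabled                  = $admin.Enabled
        EnableLUA                = $enableLua
        FilterAdministratorToken = $filterToken
        Findings                 = $findings
    }
}

function Set-AdminAccountHardened {
    # Apply the posture the thread recommends: keep RID 500 disabled and make
    # UAC apply to it if it is ever re-enabled. Use -WhatIf to preview.
    # Changes to EnableLUA take effect only after a reboot.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $admin = Get-BuiltinAdministrator
    if ($admin.Enabled -and $PSCmdlet.ShouldProcess($admin.Name, 'Disable built-in Administrator')) {
        Disable-LocalUser -Name $admin.Name   # same effect as: net user administrator /active:no
    }
    foreach ($setting in @(@{ Name = 'EnableLUA'; Value = 1 },
                           @{ Name = 'FilterAdministratorToken'; Value = 1 })) {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$($setting.Name)", "Set to $($setting.Value)")) {
            Set-ItemProperty -Path $PolicyKey -Name $setting.Name -Value $setting.Value -Type DWord
        }
    }
}

# Report current state; call Set-AdminAccountHardened -WhatIf to see what would change.
Test-AdminAccountPosture | Format-List
```

The audit is read-only; only Set-AdminAccountHardened writes anything, and it honours -WhatIf and -Confirm.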
A really cool video, thank you, do post these videos, I remember one of your videos where you showed how to open the hidden cores in the cpu, it would great if you could repost it, thanks.
I learn more from this guy than my computer teacher like seriously
You can run as the SYSTEM user if you manage to replace sethc.exe with cmd.exe and do 5x shift on the login screen, then you're SYSTEM.
I think this was a decent explanation at levels people who don't know would like to understand. Great work. One more important thing is that if a bad guy can get on your computer, and you are an administrator (even not the Windows Administrator account), and the bad guy can then use those admin permissions to escalate to the NT AUTHORITY\SYSTEM account that you can't login to, and it's very trivial to accomplish this using Microsoft's own administrator tools available from Microsoft. These permissions (SYSTEM) are far above the rest, and closest to "root" on Windows. This is where Windows Rootkits can be installed, which are extremely dangerous things, and nearly undetectable within the operating system. Don't do anything as Admin if you don't NEED to do it as admin... and always require a password, and make it a good one.
The main security issue with the Administrator account is that it can never be locked out from logging on locally due to a wrong password. Major security breach. This feature can be used to try and brute force it through another account.
I like how the thumbnail looks like that one kid (I think he's named Billy?) playing on an early 2000's/late 90's computer lol
Ahhh, the account I use to circumvent my time limitation. It's also used to display the login screen and other basic features in the beginning.
So, NT AUTHORITY\SYSTEM?
@@Z9R. everything you can run before logging in
I also learned that ThioJoe looks cool with his sunglasses on from the thumbnail.
I actually enabled it because I somehow corrupted my main account so I had to enable it from linux to be able to do anything on Windows. Man I love Windows ;)))
Update: Corrupt past the point of recovery. I couldn't even delete it w/o crashing my software.
If I remember correctly, Administrator cannot be locked out after whatever number of unsuccessful logon attempts is defined in group policy. That is also one of the properties that other admin accounts do not have.
This super administrator mode gives me 2014 ThioJoe vibes back when he used to "turn" PS3s into PS4s ahahah
The thumbnail is amazing
Good job Thio... and no booting into safe mode does not enable the admin account.
that account can be exploited even with it disabled. It is actually running in the login screen. There are ways to change the sticky keys app to cmd by just using a recovery disc. No passwords needed. Then you restart, press shift a whole bunch and bam, you have a completely elevated command prompt without even logging in. From there you can do just about anything if you know what you are doing.
I can remember the good old days of sitting in class in junior high school constantly "fixing" my classmates' PCs by removing the battery while our Windows 7 PCs booted
So I used to do some magic with Windows 7 diagnostics, as at the very end you could open a .txt file to go through the logs.
Used to open that txt file and then "save as", then choose to show all file extensions.
Navigate my way to windows\system32 and make a copy of cmd.exe and rename sethc.exe to sethc.exe.old, then rename the cmd copy to sethc.exe.
Then just quit the diagnostics without saving, boot normally into Windows 7. Press shift 5 times, then cmd would start; doing a "whoami" would result in "nt authority\system".
Made a good few NOK (Norwegian kroner) as a 13-14 year old kid. Anything to play games and bypass the firewall with proxies and VPNs.
After testing this again on a virtual computer I have found out it is not Windows 7 Diagnostics, but the "Startup Repair" option you get if you kill the power while it's loading Windows.
My bad
5:06 you CAN get into the SYSTEM account, at least up to Windows 7. I have not tested this on Windows 8+ however (makes me actually want to check this at a somewhat soon, but later, date).
it is unchanged, it will work even on Windows Server 2022 and Windows 11 ;)
JOE, I'm an I.T. guy. The reason I use this account is to install some programs on my domain. Certain programs we use will only run on the Administrator account; these programs will not install on the computer even if the user is an admin on the domain.
There's a super SUPER admin called "SYSTEM" in Windows. You might have seen it in Windows XP, it was pretty easy to get into it, but that has changed. In Vista and above, you replace c:\windows\system32\sethc.exe with cmd, go into logonui and press shift 5 times. Then you can open explorer, but you can't open File Explorer or Control Panel.