Forums: Xp Recovery Console Flaw - Forums

Xp Recovery Console Flaw Yet another reason to use Linux

#1 Cyberbob

Posted 17 July 2005 - 01:46 PM

No big surprise here, but yet another security flaw in Windows XP. :(
What makes this interesting, though, is how easy it is. Read the link below for full information on this.

Passwords Rendered Useless
by Brian Livingston

http://pubs.logicale...icle.asp?ID=173

Now this is performed using a Windows 2000 CD, and possibly XP's own Recovery Console itself, if you have a key enabled in regedit: HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\WindowsNT\CurrentVersion\Setup\RecoveryConsole with the DWORD "Security Level" value set as 1. There could also be many other ways to manipulate XP's console that I don't know. So to play it safe, I have removed Recovery Console from my system because if my system is screwed up, I just do a reinstall. (I recommend backing up regularly.)


How To Remove Recovery Console

1. Open My Computer

2. Double-Click on the Drive Windows is Installed upon. (usually C:)

http://vcl.ncsu.edu/eweImages/help/-47477cfa8d0b5d7a83c05cdbfd763787/09_drives2.jpg

3. Delete the Cmdcons folder. ("Show Hidden Files" enabled in Folder Options)
* After deleting it, I got a message saying "Windows recovered from an error" although there was no crash or system instability *

4. Delete the file Cmldr.

5. Still in the C: drive, right-click the Boot.ini file and then click Properties, clear the Read-Only check box and click OK.

6. Open Boot.ini in Notepad, and remove the entry for the Recovery Console. It will look similar to this:

C:\cmdcons\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons

(You may not have this entry; if so, you're done.)

↓↓ Boot.ini should look similar after deleting the entry ↓↓
http://www.microsoft.com/technet/images/security/prodtech/windowsxp/images/DEPcnf09.gif

7. Save the file and exit.

8. Right-click the Boot.ini file and then click Properties, fill in the Read-Only check box and click OK.

Now doing this should disable XP's Recovery Console. I'm not sure though if it disables the Windows 2000 CD, due to the fact that I haven't got one for testing purposes. By doing this you probably won't stop a dedicated cracker from getting into your system, but why make it easy for them? :huh:
0
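
Added example (not part of Cyberbob's post or the linked article): a Python sketch of steps 6 and 7 above that finds the Recovery Console entry in boot.ini text and returns the file without it. The sample boot.ini and the function names are constructed for illustration.

```python
import re

# Constructed sample boot.ini (not taken from the thread) with a Recovery Console entry.
SAMPLE_BOOT_INI = (
    "[boot loader]\r\n"
    "timeout=30\r\n"
    "default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS\r\n"
    "[operating systems]\r\n"
    'multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect\r\n'
    'C:\\cmdcons\\bootsect.dat="Microsoft Windows Recovery Console" /cmdcons\r\n'
)

# An entry counts as Recovery Console if it carries the /cmdcons switch or
# boots the \cmdcons\bootsect.dat sector file (matching is case-insensitive).
_CMDCONS = re.compile(r"(?i)(/cmdcons\b|\\cmdcons\\bootsect\.dat)")


def find_cmdcons_entries(text):
    """Return the [operating systems] lines that start the Recovery Console."""
    hits, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1].lower()
        elif section == "operating systems" and _CMDCONS.search(stripped):
            hits.append(stripped)
    return hits


def strip_cmdcons(text):
    """Return boot.ini text without Recovery Console entries.

    Refuses to edit when default= itself points at the console, because
    removing the entry would leave default= naming an entry that is gone.
    """
    for line in text.splitlines():
        if line.strip().lower().startswith("default=") and _CMDCONS.search(line):
            raise ValueError("default= points at the Recovery Console; fix it first")
    targets = set(find_cmdcons_entries(text))
    # keepends=True preserves the file's original CRLF line endings.
    kept = [l for l in text.splitlines(keepends=True) if l.strip() not in targets]
    return "".join(kept)
```

Running `find_cmdcons_entries` on a copy of boot.ini before and after the edit confirms whether the entry is really gone; a file with no such entry passes through `strip_cmdcons` unchanged.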

#2 Cyberbob

Posted 17 July 2005 - 01:49 PM

Terribly sorry, bad link up top

Try this...

http://pubs.logicale...icle.asp?ID=173

*Sorry I just figured out how to use the edit command, Still new at this :blink: *
0

#3 kingvandal

Posted 17 July 2005 - 04:11 PM

Quote

However, contrary to what you might have heard on the net, this is not at all foolproof and did not work in my tests: the net user commands resulted in an access denied message. So, I can't say who it works for. But as I already stated, this, by no means, prevents access to the file system. You just enter explorer.exe at the command prompt and the desktop loads and you have the ability to browse the XP system and open folders and files, as well as copy, move or delete them. You can also enter other app names at the command line and they will load too, such as regedit.exe, iexplore.exe, control.exe, and many more. Access isn't full, but more than enough for a corporate or home hacker to gain access to your personal or sensitive files and folders and to make system changes.


Wow, I posted this months ago, in a post called "system logon achieved". You can do LOTS more than what he is saying, and you cannot change usernames and passwords. You get Error Code 5, Access Denied. You can browse network shares if you have passwords, although I could not go across segments. I am too lazy to find the post I made...

kv-
Tchirimbimbim!!!
Very Interesting: Windows XP Source Code! and Windows Vista Source Code!!. Read 'em and weep...
0

#4 talaxian

Posted 18 July 2005 - 12:33 AM

Yes, old news indeed.
0

#5 linux_dude

Posted 18 July 2005 - 02:41 AM

Ehh, I'm thoroughly confused here. The parent and the guy writing the article are claiming that the OS isn't secure because the OS can't control what you do while it isn't even running?

WELL DUH!!! You can't really secure an OS when you operate outside of it. What is XP supposed to do? Not allow you to turn off your computer?

Besides, wouldn't accessing the file system outside of the OS be done easier with something like NTFSDOS? Or even a live CD that can mount NTFS?

Don't remove your Recovery Console, just set your HD to the 1st boot device and put a BIOS pass on. :-/

And yes, I know that's still bypassable given enough time, so why not use another feature of NTFS and ENCRYPT YOUR FILES if they're that sensitive!!!!! :D
0

#6 Cyberbob

Posted 18 July 2005 - 02:48 AM

I'm wondering how to prevent this :huh:
I don't have a Windows 2000 CD to play around with, so if anybody has one feel free to check this out. I doubt removing Recovery Console from Windows XP will stop the Windows 2000 CD, because it is most likely run from the CD. But it should stop someone without a 2000 CD.

I wonder if it has to access a certain file on the local system to gain full control, and if it does, how to prevent access to it. Also, if you have encryption in Windows XP, will you be able to access these files? Administrator has full access to these files under Windows, but would an admin under Recovery Console be able to? :unsure:

Just a couple of questions for anybody who has a Windows 2000 CD and would like to look into this.

*My apologies to Kingvandal* :)
0

#7 linux_dude

Posted 18 July 2005 - 02:57 AM

No, it won't stop someone from using the 2k CD.
-Put a BIOS pass on, set HD to 1st boot device

Anyone mounting the NTFS partition can *ignore* the file permissions if they want to.
-No, even an admin in XP can't read someone's encrypted files, neither can someone outside XP.
0
