GetAdmin Utility Grants Users Administrative Rights

This article was previously published under Q146965
This article has been archived. It is offered "as is" and will no longer be updated.
A utility, Getadmin.exe, is being circulated on the Internet that grantsnormal users administrative rights by adding them to the Administratorsgroup. This utility can be run from any user context except Guest andgrants a local user account administrative rights.

This problem does not occur on Windows NT 3.51.
Getadmin.exe works because of a problem in a low-level kernel routine thatcauses a global flag to be set which allows calls to NtOpenProcessToken tosucceed regardless of the current users permissions. This in turn allows auser to attach to any process running on the system, including a processrunning in the system's security context, such as WinLogon. Once attachedto such a process, a thread can be started in the security context of theprocess.

In the specific case of GetAdmin, it attaches to the WinLogon process,which is running in the system's security context, and makes standard APIcalls that add the specified user to the administrators group.

It is important to note that any account which has been granted the rightsto "Debug Programs" will always be able to run Getadmin.exe successfully,even after the application of the hotfix. This is because the "DebugPrograms" right allows a user to attach to any process. The "DebugPrograms" right is initially granted to Administrators and should be onlygranted to fully trusted users.

Also, if Getadmin.exe is run with an account that is already a member ofthe administrators local group, it will still work (even after applyingthe hotfix). This is by design. Members of the administrators group alwayshave the rights to make the calls GetAdmin needs in order to succeed.

A fix to the Windows NT Kernel routine, which was being used to set theglobal flag, has been developed by Microsoft. This fix prevents anapplication, such as Getadmin.exe, from attaching to WinLogon (or anyother process not owned by the user) and from granting administrativerights to users.

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack

For your convenience, the English version of this post-SP3 hotfix has beenposted to the following Internet location. However, Microsoft recommendsthat you install Windows NT 4.0 Service Pack 4 to correct this problem.
Microsoft has confirmed this problem could result in some degree ofsecurity vulnerability in Windows NT version 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
Getadmin.exe must be executed locally and works for accounts on aworkstation or member server and for domain accounts on a primary domaincontroller (PDC). The utility does not function on a backup domaincontroller (BDC) because the account database on a BDC is read only. Theonly way to use GetAdmin to modify a domain account database is to log onto a primary domain controller and run the utility locally on the PDC.

For more information on Windows NT security, please see the followingInternet sites:

NOTE: Because the Microsoft Web site is regularly updated, the siteaddress may change without notice. If this occurs, link to the Microsofthome page at the following address:
4.00 security hole breach

Article ID: 146965 - Last Review: 12/04/2015 14:11:43 - Revision: 1.2

Microsoft Windows NT Server 4.0, Terminal Server Edition, Microsoft Windows NT Workstation 4.0 Developer Edition, Microsoft Windows NT Server 4.0 Standard Edition

  • kbnosurvey kbarchive kbbug kbfile kbfix kbnetwork KB146965