I ran into the same "issue". I believe that the recovery environment is the equivalent of booting into a Windows live image. When you run the net user command and add a user, you are actually modifying the live image and not your install.
On Mon, Jul 8, 2013 at 3:47 PM, some one <s3cret.squir...@gmail.com> wrote:
> Errrr
>
> The user wasn't there never mind him being admin...
>
> I'll test this out again when i next do a win7 review on a job
> On 8 Jul 2013 11:39, "Fabien DUCHENE" <f.duch...@car-online.fr> wrote:
>
>> There may be an Active Directory domain policy which only allows a
>> configured set of groups/users to be admin of your workstation.
>> Keep in mind domain policies are applied at startup and periodically.
>>
>> > Message: 1
>> > Date: Mon, 1 Jul 2013 15:16:45 +0100
>> > From: some one <s3cret.squir...@gmail.com>
>> > To: full-disclosure@lists.grok.org.uk
>> > Subject: Re: [Full-disclosure] Abusing Windows 7 Recovery Process
>> > Message-ID:
>> > <CA+1kKf460FE0uo7ps780N3f=gFh8G=i0+o1yr5w1upoczub...@mail.gmail.com>
>> > Content-Type: text/plain; charset="iso-8859-1"
>> >
>> > I tried this out onsite today. Got the cmd.exe as described and added a
>> > user into local admin group... Restart the box try and login as new user
>> > and it isn't there...
>> >
>> > Logged in as a legit admin and ran net users and no mention of my created
>> > account... Weird...
>> > On Jun 30, 2013 10:54 AM, "Cool Hand Luke" <coolhandl...@coolhandluke.org> wrote:
>> >
>> >> -----BEGIN PGP SIGNED MESSAGE-----
>> >> Hash: SHA512
>> >>
>> >> On 06/29, Grandma Eubanks wrote:
>> >> > However, I think this is still interesting. It's been a while since I've
>> >> > played with Windows boxes and won't have access to one for a couple days,
>> >> > but isn't this triggering off of vendor supplied recovery partitions? This
>> >> > is a regular Windows 7 sole partition box you tried this one?
>> >>
>> >> from a first look, i don't think a vendor-supplied recovery partition is
>> >> necessary. it appears that it would also be possible if the "system
>> >> restore" setting was enabled (but don't quote me on that).
>> >>
>> >> i'm not sure how likely that is in your average large, corporate
>> >> environment. the ones i've seen have system restore disabled and opt to
>> >> reimage systems instead when issues occur. i'm sure there are some
>> >> environments where this could be useful, however.
>> >>
>> >> - -chl
>> >>
>> >> - --
>> >> cool hand luke
>> >>
>> >
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>