Tech Support Guy banner

My access control messed up

589 Views 2 Replies 2 Participants Last post by swep
So I was playing around with my PC, and tried to experiment with my computer's NTLM hashed passwords. I found this Python script that was supposed to give me the hashed passwords. It involved a PowerShell script that temporarily gave out permissions for the script to scour for the registry keys. Before I ran the script, I exported the keys in HKLM/SYSTEM and HKLM/SAM into hives. I also noticed that the HKLM/SAM key only had the SAM subkey, and the SAM subkey had no subkeys or values.

Then I ran the script while forgetting that I should run it as administrator, and it prompted me to run it as administrator. So when I ran it as administrator, it ran for a few minutes, yet still prompted me to run it as administrator. I'm not sure if it really lacked the permissions, or if it was due to the Python exception handling.

Finding nothing out of it, I moved onto other things, and I didn't notice any issue until I had to use the On-Screen Keyboard. The error message said, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." After I clicked OK, I tried to press Win + R and run the on-screen keyboard from there. Didn't work. Tried running it as administrator, also didn't work.

When I tried to open System32 through Windows Explorer, another dialog saying I do not have the permissions appeared. I tried opening Task Manager, and I didn't find any suspicious programs. I tried running explorer from there, also didn't work. Tried Control Panel, also didn't work. Tried cmd, it worked. I tried to start explorer from there, it didn't work. I tried opening Windows Explorer from the Start Menu, it unexpectedly yet fortunately worked.

I went to see the on-screen keyboard's Properties, and I saw that SYSTEM's permissions were only read and execute. Same with two Account Unknowns (S-1-5-32-544 and S-1-5-32-545). TrustedInstaller, on the other hand, had Full Control permissions, and was the owner of the object. My user account didn't show up in the list. I tried to edit the permissions, but a dialog box saying "Cannot open access control editor. Access is denied." popped up. Tried auditing it and changing ownership, same thing. Calculator, which I successfully opened, also had the same set of permissions and popped the same dialog box.

So I opened System32's Properties, and it had a partial Read-only attribute to the folder. CREATOR OWNER, SYSTEM, and S-1-5-32-544 only had special permissions, S-1-5-32-545 had Read, execute, and list folder contents permissions while TrustedInstaller only had list folder contents and special permissions. Access is still denied, and TrustedInstaller is still the owner.

And so I asked myself, why is the access control editor unavailable, and what does it have to do with some programs not being accessible?

Here are the results of whoami /all:

USER INFORMATION
----------------

User Name  SID
========== =============================================
           S-1-5-21-2581155749-3306209192-473852525-1002

GROUP INFORMATION
-----------------

Group Name                                                    Type             SID                                           Attributes
============================================================= ================ ============================================= ===============================================================
Everyone                                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                     Mandatory group, Enabled by default, Enabled group
                                                              Unknown SID type S-1-5-21-2581155749-3306209192-473852525-1003 Mandatory group, Enabled by default, Enabled group
                                                              Unknown SID type S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
                                                              Unknown SID type S-1-5-32-559                                  Mandatory group, Enabled by default, Enabled group
                                                              Unknown SID type S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled

I tried doing sfc /scannow, and Windows Resource Protection found corrupt files and successfully repaired them. The system file repair changes will take effect after the next reboot. I haven't rebooted my PC yet because I am afraid I wouldn't be able to log in again. Some of the keys that I use to log in with my keyboard are broken so I use the on-screen keyboard for that, and I'm still unable to buy a replacement due to the quarantine. The resource checker left some logs on the file repair that I will include here.

Some suggested that I do a System Restore, but this cannot be done because System Restore doesn't detect my drive properly (though that would warrant a new thread). I can't do a reinstall or recovery either.

Before I forget, here is my system information:

OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit, Build 7601, Installed 20180115142633.000000+480
Processor: Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz, Intel64 Family 6 Model 42 Stepping 7, CPU Count: 4
Total Physical RAM: 8 GB
Graphics Card: VNC Mirror Driver, 4 MB
Hard Drives: C: 917 GB (256 GB Free); D: 13 GB (7 GB Free);
Motherboard: Dell Inc. 0K0DNP, ver A01, s/n /CPGX2R1/CN1296118I0C88/
System: Dell Inc., ver DELL - 6222004, s/n CPGX2R1
Antivirus: None

Now I hope that you folks can help me rectify the proper access control in my computer and restore my computer's normal operation.

Status
Not open for further replies.
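The "Unknown SID type" rows in the whoami output above are themselves a diagnostic, so here is an added example (not code from the original post) that parses that table offline and flags SIDs a healthy Windows install always translates to a name. The name table holds the standard well-known SIDs; the sample input is constructed from the SIDs in the post with the column padding collapsed. The distinction it relies on: the BUILTIN aliases (S-1-5-32-544, -545, -559) get their names from the Builtin domain of the local SAM, while S-1-5-114 and the other NT AUTHORITY names are hard-coded in LSA and never touch the SAM hive. When the SAM-backed names fail together with a machine-local S-1-5-21-… group while the LSA-only names still resolve, the failing piece is SID-to-name lookup through SAM, which is also what "Account Unknown" in the ACL editor means, and that is worth checking before touching any file permissions.

```python
"""Parse the GROUP INFORMATION table printed by `whoami /all` and flag SIDs
that Windows should have translated to a name but did not.
Added example for this thread, not code from the original post."""
import re

# Reference names for well-known SIDs. The BUILTIN aliases (S-1-5-32-*)
# are translated through the local SAM's Builtin domain; the others are
# hard-coded in LSA and never touch the SAM hive.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-2-1": "CONSOLE LOGON",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-114": "NT AUTHORITY\\Local account and member of Administrators group",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
    "S-1-5-32-559": "BUILTIN\\Performance Log Users",
}

# Constructed sample: rows from the thread's whoami output with the column
# padding collapsed. An empty Group Name column is how whoami prints a SID
# it could not translate.
SAMPLE_WHOAMI = """\
GROUP INFORMATION
-----------------

Group Name  Type  SID  Attributes
==========  ====  ===  ==========
Everyone  Well-known group  S-1-1-0  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Local account and member of Administrators group  Well-known group  S-1-5-114  Mandatory group, Enabled by default, Enabled group
  Unknown SID type  S-1-5-21-2581155749-3306209192-473852525-1003  Mandatory group, Enabled by default, Enabled group
  Unknown SID type  S-1-5-32-544  Mandatory group, Enabled by default, Enabled group, Group owner
  Unknown SID type  S-1-5-32-559  Mandatory group, Enabled by default, Enabled group
  Unknown SID type  S-1-5-32-545  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\INTERACTIVE  Well-known group  S-1-5-4  Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON  Well-known group  S-1-2-1  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\\Authenticated Users  Well-known group  S-1-5-11  Mandatory group, Enabled by default, Enabled group
Mandatory Label\\High Mandatory Level  Label  S-1-16-12288  Mandatory group, Enabled by default, Enabled group

PRIVILEGES INFORMATION
----------------------
"""

# One table row: optional name, the SID type, the SID, then attributes.
ROW = re.compile(
    r"^(?P<name>.*?)\s*(?P<type>Well-known group|Unknown SID type|Alias|Group|Label)"
    r"\s+(?P<sid>S-1-[\d-]+)\s+(?P<attrs>.*?)\s*$"
)


def parse_groups(text):
    """Return one dict per data row of the GROUP INFORMATION table."""
    rows, in_groups = [], False
    for line in text.splitlines():
        if line.startswith("GROUP INFORMATION"):
            in_groups = True
        elif line.startswith("PRIVILEGES INFORMATION"):
            break
        elif in_groups:
            m = ROW.match(line)
            if m:
                rows.append({"name": m["name"].strip(), "type": m["type"],
                             "sid": m["sid"], "attrs": m["attrs"]})
    return rows


def unresolved_sids(rows):
    """(sid, expected name or None, lookup source) for every row without a name."""
    findings = []
    for row in rows:
        if row["name"] or row["type"] != "Unknown SID type":
            continue
        sid = row["sid"]
        if sid in WELL_KNOWN_SIDS:
            source = "SAM Builtin domain" if sid.startswith("S-1-5-32-") else "LSA"
            findings.append((sid, WELL_KNOWN_SIDS[sid], source))
        elif sid.startswith("S-1-5-21-"):
            # Machine-local account or group: its name lives in the SAM hive.
            findings.append((sid, None, "local SAM account database"))
        else:
            findings.append((sid, None, "unknown"))
    return findings


def diagnose(text):
    """sam_lookup_suspect is True when every failed lookup is one SAM serves."""
    findings = unresolved_sids(parse_groups(text))
    sources = {src for _, _, src in findings}
    sam_sources = {"SAM Builtin domain", "local SAM account database"}
    return {"unresolved": findings,
            "sam_lookup_suspect": bool(findings) and sources <= sam_sources}


if __name__ == "__main__":
    report = diagnose(SAMPLE_WHOAMI)
    for sid, expected, source in report["unresolved"]:
        print(f"{sid:<48} expected {expected or '(local account/group)'}; source: {source}")
    print("SAM-backed lookups failing:", report["sam_lookup_suspect"])
```

To use it on a real machine, save the output with `whoami /all > whoami.txt` and pass the file's contents to diagnose(); it needs no Windows APIs, so the same check works on a text dump copied off the affected PC.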
I've edited the title of your thread for language. Please be more careful in the future as this is a family-friendly site.

I also removed several improperly used icode tags which are meant for programming language code, not for individual words. Thanks for understanding.

Update:

We had a power shortage so my computer forcibly died. In the part where it says Starting Windows, it said something like "Applying registry changes [some registry path] 6/6". I had to use some alt codes to login, but after that, explorer and osk worked. However, the access control is still broken and my PC feels a bit slower.