Tech Support Guy banner

My access control messed up

589 Views 2 Replies 2 Participants Last post by  swep
So I was playing around with my PC, and tried to experiment with my computer's NTLM hashed passwords. I found this Python script that was supposed gave me the hashed passwords. It involved a Powershell script that temporarily gave out permissions for the script to scour for the registry keys. Before I ran the script, I exported the keys in HKLM/SYSTEM and HKLM/SAM into hives. I also noticed that the HKLM/SAM key only had the SAM subkey, and the SAM subkey had no subkeys or values.

Then I ran the script while forgetting that I should run it as administrator, and it prompted me to run it as administrator. So I when I ran it as administrator, it ran for a few minutes, yet still prompted me to run it as administrator. I'm not sure if it really lacked the permissions, or if it was due to the Python exception handling.

Finding nothing out of it, I moved onto other things, and I didn't notice any issue until I had to use the On-Screen Keyboard. The error message said, "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." After I clicked OK, I tried to press Win + R and run the on-screen keyboard from there. Didn't work. Tried running it as administrator, also didn't work.

When I tried to open System32 through Windows Explorer, Another dialog saying I do not have the permissions appeared. I tried opening Task Manager, and I didn't find any suspicious programs. I tried running explorer from there, also didn't work. Tried Control Panel, also didn't work. Tried cmd, it worked. I tried to start explorer from there, it didn't work. I tried opening Windows Explorer from the Start Menu, it unexpectedly yet fortunately worked.

I went to see on-screen keyboard's Properties, I saw that SYSTEM's permissions were only read and execute. Same with two Account Unknowns (S-1-5-32-544 and S-1-5-32-545), TrustedInstaller, on the other hand, had Full Control permissions, and was the owner of the object. My user account didn't show up in the list. I tried to edit the permissions, but a dialog box saying "Cannot open access control editor. Access is denied." popped up. Tried auditing it and changing ownership, same thing. Calculator, which I successfully opened, also had the same set of permissions and popped the same dialog box.

So I opened System32's Properties, and it had a partial Read-only attribute to the folder. CREATOR OWNER, SYSTEM, and S-1-5-32-544 only had special permissions, S-1-5-32-545 had Read, execute, and list folder contents permissions while TrustedInstaller only had list folder contents and special permissions. Access is still denied, and TrustedInstaller is still the owner.

And so I asked myself, why is the access control editor unavailable, and what does it do with some programs not being accessible?

Here are the results of whoami /all:

Rich (BB code):

User Name  SID
========== =============================================


Group Name                                                    Type             SID                                           Attributes
============================================================= ================ ============================================= ===============================================================
Everyone                                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114                                     Mandatory group, Enabled by default, Enabled group
                                                              Unknown SID type S-1-5-21-2581155749-3306209192-473852525-1003 Mandatory group, Enabled by default, Enabled group
                                                              Unknown SID type S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
                                                              Unknown SID type S-1-5-32-559                                  Mandatory group, Enabled by default, Enabled group
                                                              Unknown SID type S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\INTERACTIVE                                      Well-known group S-1-5-4                                       Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON                                                 Well-known group S-1-2-1                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113                                     Mandatory group, Enabled by default, Enabled group
LOCAL                                                         Well-known group S-1-2-0                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288                                  Mandatory group, Enabled by default, Enabled group


Privilege Name                  Description                               State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege        Adjust memory quotas for a process        Disabled
SeSecurityPrivilege             Manage auditing and security log          Disabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeLoadDriverPrivilege           Load and unload device drivers            Disabled
SeSystemProfilePrivilege        Profile system performance                Disabled
SeSystemtimePrivilege           Change the system time                    Disabled
SeProfileSingleProcessPrivilege Profile single process                    Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority              Disabled
SeCreatePagefilePrivilege       Create a pagefile                         Disabled
SeBackupPrivilege               Back up files and directories             Disabled
SeRestorePrivilege              Restore files and directories             Disabled
SeShutdownPrivilege             Shut down the system                      Disabled
SeDebugPrivilege                Debug programs                            Disabled
SeSystemEnvironmentPrivilege    Modify firmware environment values        Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeRemoteShutdownPrivilege       Force shutdown from a remote system       Disabled
SeUndockPrivilege               Remove computer from docking station      Disabled
SeManageVolumePrivilege         Perform volume maintenance tasks          Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
SeTimeZonePrivilege             Change the time zone                      Disabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Disabled
I tried doing sfc /scannow, and Windows Resource Protection found corrupt files and successfully repaired
them. The system file repair changes will take effect after the next reboot. I haven't rebooted my PC yet because I am afraid I wouldn't be able to login again. Some of the keys that I use to log in with my keyboard are broken so I use on-screen keyboard for that, and I'm still unable to buy a replacement due to the quarantine. The resource checker left some logs on the file repair that I will include here.

Some suggested me to do a System Restore, but this cannot be done because System Restore doesn't detect my drive properly (though that would warrant a new thread). I can't do a reinstall or recovery either.

Before I forget, here are system information:

OS Version: Microsoft Windows 7 Professional, Service Pack 1, 64 bit, Build 7601, Installed 20180115142633.000000+480
Processor: Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz, Intel64 Family 6 Model 42 Stepping 7, CPU Count: 4
Total Physical RAM: 8 GB
Graphics Card: VNC Mirror Driver, 4 MB
Hard Drives: C: 917 GB (256 GB Free); D: 13 GB (7 GB Free);
Motherboard: Dell Inc. 0K0DNP, ver A01, s/n /CPGX2R1/CN1296118I0C88/
System: Dell Inc., ver DELL - 6222004, s/n CPGX2R1
Antivirus: None

Now I hope that you folks can help me rectify the proper access control in my computer and restore my computer's normal operation.


See less See more
Not open for further replies.
1 - 3 of 3 Posts
I've edited the title of your thread for language. Please be more careful in the future as this is a family friendly site.

I also removed several improperly used icode tags which are meant for programming language code not for individual words. Thanks for understanding.

We had a power shortage so my computer forcibly died. In the part where it says Starting Windows, it said something like "Applying registry changes [some registry path] 6/6". I had to use some alt codes to login, but after that, explorer and osk worked. However, the access control is still broken and my PC feels a bit slower.
1 - 3 of 3 Posts
Not open for further replies.