To protect users across the network, Windows UAC imposes token restrictions on local administrators logging in via the network (for example, when connecting to the \\computer\C$ admin share with net use). The remote logon gets a filtered, standard-user token: a member of the local Administrators group cannot perform administrative tasks over the network and has no way to elevate to full admin rights, since there is no interactive desktop on which a UAC prompt could be shown. The restriction applies only to local accounts; domain accounts that are members of the local Administrators group are unaffected, and by default so is the built-in Administrator account (RID 500).
This is a sensible hardening measure if you are securing systems. During a pentest, however, hash/password reuse with a local administrator account via psexec will fail, simply because connecting to the C$ admin share to drop and start the psexec service is exactly what the filtered token blocks. My friend and systems hacker Anant Shrivastava pointed this out during some testing he was doing, prompting me to blog about this.
The exploit/windows/smb/psexec exploit module from Metasploit, run against my lab environment to test this, produced the following error:
- Open the registry editor using the regedit command via Start > Run
- Navigate to
- In the right pane, if the LocalAccountTokenFilterPolicy DWORD value doesn't exist, create it.
- Set its value to 1
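The same change, scripted so it can be checked and reverted, as an added example that is not part of the original post. It assumes the usual location of the value, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and must be run from an elevated PowerShell prompt on the machine being tested. An absent value or 0 means the remote restrictions are enforced; 1 disables them.

```powershell
# Added example (not from the original post): inspect, set and revert
# LocalAccountTokenFilterPolicy, the value that controls UAC remote
# restrictions for local accounts in the Administrators group.
# Run from an elevated PowerShell prompt on the target (lab) machine.

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

function Get-TokenFilterPolicy {
    # Returns $null when the value is absent, otherwise 0 or 1.
    # Absent and 0 both mean the remote restrictions are enforced.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$name
}

function Set-TokenFilterPolicy {
    param([ValidateSet(0, 1)][int]$Value)
    # -Force creates the DWORD if it is missing and overwrites it otherwise.
    # No reboot or logoff is needed; the change applies to the next network logon.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Remove-TokenFilterPolicy {
    # Deleting the value restores the secure default (restrictions enforced).
    Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
}

# Report the current state before touching anything.
$before = Get-TokenFilterPolicy
switch ($before) {
    $null   { "$name is absent: remote UAC restrictions are enforced (secure default)" }
    0       { "$name = 0: remote UAC restrictions are enforced" }
    default { "$name = 1: remote UAC restrictions are disabled; C$ and psexec-style logons get a full token" }
}

# Lab use: disable the restriction so a local admin can use C$ / psexec over the network.
Set-TokenFilterPolicy -Value 1
"Now: $name = $(Get-TokenFilterPolicy)"

# When the test is done, put the machine back into the hardened state:
# Remove-TokenFilterPolicy
```

From the attacking side, the quickest check is the one the post opened with: net use \\computer\C$ with the local administrator's credentials succeeds once the value is 1 and fails with the restrictions in place. For an audit of production hosts, the interesting result is the reverse: any machine where Get-TokenFilterPolicy returns 1 has had its remote UAC protection switched off.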
The changes take effect immediately, with no reboot needed. I tried the Metasploit exploit again and, voilà, it worked this time: