Inspired by this post:
http://xdaforums.com/showthread.php?t=1885399&page=22
I wanted to play a bit to join my XPS10 to my home domain. But well... it's for .NET 4.0, AFAIR we have only 4.5, yep (?) And I was too lazy to read the source code. Check that the process is working on RT - a provided .NET program obviously would not work, so you should do the same manually.
So I loaded the project into Visual Studio and changed the target to .NET 4.5, Any CPU. After that:
1. Took ownership of c:\windows\system32\sppsvc.exe and removed all rights (so no one, not even SYSTEM, can execute it)
2. Created a copy of runJailbreak.bat and removed all exit commands from it (as a workaround for cmd closing - that will be needed later)
3. Added in the registry:
HKEY_LOCAL_MACHINE\SYSTEM\Setup
SetupType=1
CmdLine="cmd.exe"
4. Reboot
After the reboot I got a cmd window on the boot-screen background. Somehow the mouse cursor disappeared, even with a USB mouse.
5. Started the jailbreak by running the modified .bat
6. Started the attached ProductPolicyEditor, enabled the WorkstationService-DomainJoinEnabled policy, and wrote the changes to the registry
7. Closed PPE and cmd; the system restarted itself in normal mode
8. Connected to the domain as usual.
Proof - screenshots attached
After this, RT went into a not-activated state. But once already joined to the domain, I reverted the changes I had made (set the policy back to 0, restored the sppsvc rights) and activated it again - everything works, the computer is still in the domain; the only change is that in System Properties I can only leave it, not change to another one.
This method may be used to exploit more hidden RT features.
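The ACL and registry parts of the procedure above (steps 1 and 3, plus the revert described at the end) as a cmd script. This is an added example, not the script or the tool from the post: editing runJailbreak.bat (step 2) and flipping the policy in ProductPolicyEditor (step 6) stay manual. The backup folder name is an assumption chosen for this example, as is the list of stock principals whose ACEs get stripped from sppsvc.exe (TrustedInstaller, SYSTEM, Administrators, Users, ALL APPLICATION PACKAGES, given as well-known SIDs so the script does not depend on the display language). Run it from an elevated cmd.exe.

```batch
@echo off
rem Added example, not from the post: scripts steps 1 and 3 of the procedure and
rem the revert (restore sppsvc.exe rights, put the Setup key back).
rem   rt-domainjoin-prep.cmd        -> back up, lock sppsvc.exe, arm boot-time cmd
rem   rt-domainjoin-prep.cmd undo   -> restore sppsvc.exe DACL/owner and the Setup key
rem Assumptions (hypothetical, chosen for this example): the backup folder below,
rem and that the stock ACEs on sppsvc.exe belong to the well-known SIDs listed.
setlocal
set "SPP=%SystemRoot%\System32\sppsvc.exe"
set "SETUPKEY=HKLM\SYSTEM\Setup"
set "BACKUP=%SystemDrive%\rt-domainjoin-backup"
rem Well-known SID of NT SERVICE\TrustedInstaller, the stock owner of files in System32.
set "TI_SID=*S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464"

if /i "%~1"=="undo" goto :undo

if not exist "%BACKUP%" mkdir "%BACKUP%" || exit /b 1

rem Back up first so the revert is exact: the DACL of sppsvc.exe and the whole Setup key.
icacls "%SPP%" /save "%BACKUP%\sppsvc.acl" /c || exit /b 1
reg export "%SETUPKEY%" "%BACKUP%\setup-key.reg" /y || exit /b 1

rem Step 1: take ownership, drop inherited ACEs, then remove every explicit grant so
rem no principal (SYSTEM included) can execute the Software Protection service.
takeown /f "%SPP%" || exit /b 1
icacls "%SPP%" /inheritance:r ^
  /remove:g "%TI_SID%" ^
  /remove:g *S-1-5-18 ^
  /remove:g *S-1-5-32-544 ^
  /remove:g *S-1-5-32-545 ^
  /remove:g *S-1-15-2-1 || exit /b 1
rem Check: the listing should show sppsvc.exe with no ACEs at all.
icacls "%SPP%"

rem Step 3: SetupType=1 makes Windows run CmdLine at the next boot instead of logon.
reg add "%SETUPKEY%" /v SetupType /t REG_DWORD /d 1 /f || exit /b 1
reg add "%SETUPKEY%" /v CmdLine /t REG_SZ /d "cmd.exe" /f || exit /b 1
echo Ready. Reboot (step 4), then run the modified runJailbreak.bat and ProductPolicyEditor from the boot-time cmd (steps 5-6).
exit /b 0

:undo
rem Reverse step 1: /restore takes the directory the ACL file was saved from,
rem then ownership goes back to TrustedInstaller.
icacls "%SystemRoot%\System32" /restore "%BACKUP%\sppsvc.acl" /c || exit /b 1
icacls "%SPP%" /setowner "%TI_SID%" || exit /b 1
rem Reverse step 3: re-import the Setup key as it was (SetupType 0, original CmdLine).
reg import "%BACKUP%\setup-key.reg" || exit /b 1
rem Show the result so the revert can be checked before re-activating.
icacls "%SPP%"
reg query "%SETUPKEY%" /v SetupType
exit /b 0
```

Two things worth checking after the prep run: `icacls "%SPP%"` really prints an empty ACE list (if a principal other than the five listed holds an ACE, it survives and sppsvc.exe may still start), and the two backup files exist before rebooting, since the undo depends on them. The revert is run from the normal desktop after the domain join, in the same order the post describes: policy back to 0 in ProductPolicyEditor first, then this script's `undo`, then activation.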