GetAdmin utility present

Risk Level: High

Check or Attack Name: Getadmin Present

Platforms: Windows NT

Description:

The getadmin exploit has been run. Problems in Windows NT kernel functions allowed a flag to be set inside the operating system that allows any user to gain administrator privileges. Getadmin leaves a Software\AntiShut key in the registry, and this key has been detected.

An early workaround to getadmin developed by ISS was to create that key and deny non-administrators access. If this key is present but is not writable by non-administrators, it is not considered to be a vulnerability.
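The decision described above (key present, and writable or not by non-administrators), as an added example that is not ISS code. It assumes the key's DACL has already been read into an ordered list of (ACE type, trustee SID, access mask) tuples; the result labels, the sample non-administrator token and the helper names are hypothetical, and owner rights and privileges are ignored.

```python
# Added example: classify a Software\AntiShut finding from the key's DACL.
# Access-mask values are the standard Windows registry and standard rights.
KEY_SET_VALUE, KEY_CREATE_SUB_KEY = 0x0002, 0x0004
DELETE, WRITE_DAC, WRITE_OWNER = 0x00010000, 0x00040000, 0x00080000
GENERIC_WRITE, GENERIC_ALL = 0x40000000, 0x10000000
KEY_READ, KEY_ALL_ACCESS = 0x20019, 0xF003F
WRITE_BITS = (KEY_SET_VALUE | KEY_CREATE_SUB_KEY | DELETE | WRITE_DAC
              | WRITE_OWNER | GENERIC_WRITE | GENERIC_ALL)

# Well-known SIDs.
ADMINS, SYSTEM = "S-1-5-32-544", "S-1-5-18"
EVERYONE, USERS = "S-1-1-0", "S-1-5-32-545"
# Assumption: an ordinary user's token carries only these group SIDs.
NON_ADMIN_TOKEN = {EVERYONE, USERS}


def granted_write_bits(dacl, token_sids):
    """Walk ACEs in order, as the Windows access check does: each bit is
    settled by the first matching ACE that mentions it, allow or deny."""
    allowed = denied = 0
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny":
            denied |= mask & ~allowed
        elif ace_type == "allow":
            allowed |= mask & ~denied
    return allowed & WRITE_BITS


def classify_antishut(key_present, dacl=None):
    """dacl: ordered list of (ace_type, trustee_sid, access_mask), or None."""
    if not key_present:
        return "not detected"
    if dacl is None:
        # A NULL DACL grants everyone full access.
        return "vulnerable"
    if granted_write_bits(dacl, NON_ADMIN_TOKEN):
        return "vulnerable"
    return "not a vulnerability (workaround key)"
```

An empty DACL (`[]`) grants nobody access and is classified as the workaround case, while a missing DACL (`None`) is treated as writable by everyone.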

Remedy:

Verify whether your system is compromised by checking for users with administrator rights. If no users have administrator rights, fix the kernel by applying the latest Windows NT 4.0 Service Pack or the post-SP3 getadmin-fix. If users are present with administrator rights, reinstall Windows NT and then install the latest service pack or the getadmin-fix.

To verify your system, follow these steps:

  1. Open User Manager. From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.
  2. From the Policies menu, select User Rights to display the User Rights Policy dialog box.
  3. Check if users have administrator privileges on that host.

—AND—

If your system is not compromised, apply the latest Windows NT 4.0 Service Pack or the post-SP3 getadmin-fix patch:

  1. Open a web browser.
  2. Go to http://support.microsoft.com/support/ntserver/Content/ServicePacks/ and follow the directions to download the appropriate service pack for your computer.
  3. Find the installation program you downloaded to your computer.
  4. Double-click the program icon to start the installation.
  5. Follow the installation directions.

—OR—

Windows NT 4.0 SP3 users must apply the post-SP3 lsa2-fix patch available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/getadmin-fix.

References:

Microsoft Knowledge Base Article Q146965, GetAdmin Utility Grants Users Administrative Rights, http://support.microsoft.com/support/kb/articles/q146/9/65.asp

