The Secret Windows "Super Admin" Account

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
i bet you didn't know that there is a secret hidden super admin account in basically every version of windows so today that's what we're going to talk about what it is some cases where it might be useful and why you probably don't want to enable it by default now as a little bit of context most operating systems do have a super user account it's called where it's a special account that has the highest level privileges of the operating system in linux this is the root account and in windows it is the secret administrator account at least for the most part i'll get to that in a second and this administrator account exists in every installation of windows in every version of windows ever since the original windows nt and everything after it so like windows 2000 xp 7 even to 10 they all are gonna have it and i've been saying that they are a secret they're not exactly secret per se a lot of people know about it but they are indeed hidden and not enabled by default and you can actually see for yourself that this account does exist on your computer if you go into the start menu and type in lusr mgr so l usermanager.msc right as it says here then if you go to users you'll see in the list there is one called administrator and the description is built-in account for administering the computer slash domain then if you right-click this and go to properties you'll see that there is a checkbox that says account is disabled and it is checked by default so you can enable this account by just unchecking it here and there's also a couple other methods i'll get to later however i would actually recommend not enabling this unless it is necessary and you have a specific reason to it can be potentially a security risk and i will go over why that is a little bit later just know that you probably don't really want to enable it unless you have to now as a little bit of a side note if you look at this list you might also see a couple other hidden accounts such as default account and according to microsoft this one is used by so-called multi-user manifested apps or movement apps and based on the description microsoft gives i believe these are basically apps that don't run in the context of a single user so the example they give is the xbox app i guess it just runs for all users or something not just only one user so that might be one that's run by the default account so it doesn't have to run separately for all of them i don't really fully understand it maybe i'll have to make a whole separate video about that another time i'll also point out you might notice that the default administrator account does not actually have a password assigned to it by default if you enable it there's no password on it and this is not as bad as it sounds because from my understanding accounts on windows that do not have any password it's a blank password those accounts cannot be logged into remotely or through a network which means that on a network basis those accounts with blank passwords may actually pose less of a security risk than accounts with very weak passwords that are easy to guess so that's why sometimes you'll see the advice that no password is better than a weak password however of course a strong password is always recommended in every case still and of course if you have no password on an account then that means that anyone who does get physical access to the computer can do whatever they want with it so you might be wondering what you might actually use this super admin account for and i'll go over why it is called the super admin it does have some special properties but basically it's useful if for some reason maybe a user admin account that's usually used is maybe corrupted or inaccessible like you forgot the password or something on it and basically it's kind of like a disaster recovery account or potentially can be used when initially setting up lots of computers on a domain where there's no existing admin account right off the bat so overall if you have a perfectly fine working windows operating system and a working admin account then there really is no need for this so again i will say and i'll explain later why you probably shouldn't enable this account unless you have to and if you do enable it for some purpose always disable it after you're done with it so what are these special properties of this admin account what kind of makes it a super admin account well basically it kind of has an always on escalated privileges so it disables user account control completely you don't have a lot of times if you have to run a certain program as an admin it'll pop up a thing that says would you like to run as administrator whatever or you can right click a program and hit run as administrator and it runs with escalated privileges instead of just normal privileges well this default admin account always does that implicitly and does not require this extra uac prompt to do so it just always runs everything in escalated privileges even if it's not necessary the default admin account can also reset and change passwords of other admin accounts but that is something that all admin accounts can do even a regular user admin account but that is still one potential use if you forget the password on your only standard admin account i do want to importantly point out though that everything you can do with this super admin account you can also do with a regular administrator account it just might take a little bit of more hoop jumping so even though it's easier to do these things with the super admin account it's not like it has any absolutely special permissions that can't be done by any other admin account now even though i've been calling this account the super admin account or the super user it's technically not even actually an equivalent to a root account on linux and that's because from my understanding it does not have 100 full control over everything in the computer i do believe that the system trusted installer account does have the highest permissions of any kind of account on a computer on windows the difference is though that trusted installer and the system account are not actually user accounts that you can log into ever they're just basically sets of permissions whereas the default admin account is actually a user account you can log into so the default admin account is the user account with the highest permissions that you can actually log into and as for the other ones windows has a set of security features and protocols called windows resource protection which basically its purpose is to protect core system files so it essentially assigns ownership of these core files to trusted installer so that theoretically only this super high level trusted access account run by the system itself can change these things of course you can kind of work around that like i said before but in most cases a user is not going to go and do that therefore it's more protected against viruses and stuff so again even though there's no technical root account in windows you can basically achieve a lot of the same stuff by just manipulating around some permissions all right now before i explain other ways to enable this admin account i do want to point out some reasons why you probably should not do so the first one being even though you may have never heard of this secret account believe me hackers and malware writers absolutely have and the reason is it is a security feature that is enabled on all versions and installations of windows basically and even though it's not enabled by default there might potentially still be a large number of computers where it is enabled so if hackers were able to find some way to exploit it it would be a very easy thing to check for and target computers that do have this enabled and then they would know that it would work on basically any kind of computer they could come across with enabled and also even if you change the name of the account from administrator to something else it's going to have the same user id on all computers so that's not going to trick any hackers one common thing that malware will typically try to do is what's called a privilege escalation attack it's basically just trying to get access to stuff that it's not supposed to so if there was some kind of exploit discovered by malware creators that was able to easily escalate to even user admin accounts that would be bad enough but potentially you could say well the user account control might be able to block it because even if it tried to run something as an admin then that would still pop up in some cases whereas if it was able to use some exploit that escalated to the default super admin account well my understanding would be there would be no prompt or anything but now it has basically nothing stopping it if it can escalate to that super admin privilege but of course if that account is not enabled then that's not something you have to worry about now i've also seen people discussing using the super admin default account as like their main account for everything in windows and that is something again i would absolutely not recommend ever and that should probably be self-explanatory is why but basically if you run again a malicious program on a even admit account again the uac pop-up might protect against that in some cases unless there's some more exploits going on but there is still that barrier between the actual escalated privileges of requiring a user to actually do something and it's not like with the super admin account where if you run a program there's no prompt to run as administrator everything is run as administrator so instantly that virus or whatever malicious file you run by accident is going to have admin account access and again like i said from my understanding there's not actually anything you can't do with a regular admin account that you can do with the super admin account at least without a little bit extra work all right so now that i explained all that let's actually go over a couple ways where you can enable it so i already did the one where you check the box in that l user manager msc window but you can also use the command prompt if you're already logged into windows and everything so to activate it you go to the command prompt so run cmd as an admin and you type in this command net user administrator slash active colon yes and then that'll do it and then after you can check that it is by typing in net user administrator and then see if it says active yes next to it and then it's enabled then if you want to disable the account you do the same thing run cmd as administrator and use the opposite command net user administrator active no so that's how you enable it if you are able to log into an admin account but that's not as useful as if you can't log into an admin account and you have to do it from outside windows so you can actually do this and enable it from the recovery environment in windows this can be done a couple ways if you can at least get to the login screen in windows you can shift and then click restart and then you'll have the options to run with the recovery environment or if you interrupt the boot process of windows while it's booting up two to three times that'll also trigger the recovery environment anyway however you get into the recovery environment do you then go to advanced options and then command prompt and then using the same type of command before you just type in net user administrator slash active yes and that'll work now if you can't even boot to the recovery environment in windows you probably have bigger problems that just enabling the admin account is not going to solve so i would probably just use some other kind of rescue disk again if windows isn't starting up then the super admin account is not going to help you there's really no need to enable it for any other reason really than a corrupted regular user account or something like that one final thing i'll point out is that i have read that if you boot into safe mode in windows that that will enable the admin account every time but that has not been my experience when i tested it on my computer so your mileage may vary in that case i know that was the case in windows xp for example but that might not be the case anymore even if people are saying it i don't know you could try it so yeah that's pretty much a pretty good overview of the super secret admin account in windows now you pretty much know everything you really need to know about it's not exactly useful in most cases but hey it's better to know than not speaking of having problems booting windows if you guys want to keep watching the next video i'd highly recommend is one where i went over four different usb rescue boot drives that you should probably make before it's too late i went over a couple so you can just click that right there so thanks so much for watching guys i'll see in the next video
Info
Channel: ThioJoe
Views: 314,428
Rating: undefined out of 5
Keywords: technology, tech, windows, computers, computer tips, information technology, computer skills, computer repair, microsoft windows, operating system, windows admin, windows super admin, windows administrator, root, superuser
Id: e3qRQOCWp-Q
Channel Id: undefined
Length: 10min 48sec (648 seconds)
Published: Sat Apr 24 2021
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.