{"id":28559891,"url":"https://github.com/ghostpack/restrictedadmin","last_synced_at":"2025-07-15T14:10:48.900Z","repository":{"id":102885237,"uuid":"402592456","full_name":"GhostPack/RestrictedAdmin","owner":"GhostPack","description":"Remotely enables Restricted Admin Mode","archived":false,"fork":false,"pushed_at":"2021-09-03T15:58:04.000Z","size":19,"stargazers_count":205,"open_issues_count":0,"forks_count":38,"subscribers_count":6,"default_branch":"main","last_synced_at":"2024-11-21T10:36:29.645Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GhostPack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-09-02T23:49:47.000Z","updated_at":"2024-11-03T20:00:41.000Z","dependencies_parsed_at":"2023-06-15T18:00:19.809Z","dependency_job_id":null,"html_url":"https://github.com/GhostPack/RestrictedAdmin","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FRestrictedAdmin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FRestrictedAdmin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FRestrictedAdmin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FRestrictedAdmin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GhostPack","download_url":"https://codeload.github.com/GhostPack/RestrictedAdmin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GhostPack%2FRestrictedAdmin/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":259043764,"owners_count":22797161,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-10T09:06:32.932Z","updated_at":"2025-06-10T09:06:33.558Z","avatar_url":"https://github.com/GhostPack.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# RestrictedAdmin\n\nQuick and dirty C# program that remotely enables \"Restricted Admin Mode\".\n\nRestricted Admin Mode was introduced in Windows 8.1 as an attempt to prevent credential exposure via RDP. While well intentioned, this unfortunately introduced the ability to pass-the-hash to RDP.\n\nWhile Restricted Admin Mode is not enabled by default on systems, we can enable it by setting the value of `DisableRestrictedAdmin` to 0 at `HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Lsa`. In order to do this remotely, we could use remote registry, however this is not always enabled on systems (particularly workstations). Instead, we can use the [StdRegProv WMI class](https://docs.microsoft.com/en-us/previous-versions/windows/desktop/regprov/stdregprov) to flip this value remotely. This approach was later expanded by @airzero24 in his [WMIReg](https://github.com/airzero24/WMIReg) project.\n\nThe TypeLib GUID of RestrictedAdmin is **79F11FC0-ABFF-4E1F-B07C-5D65653D8952**. This is reflected in the Yara rules currently in this repo.\n\n**I did not invent or figure out any of this**. For more information and references on the work this was built on, see the **References** section at the bottom of this README.\n\n\n## Usage\n\n\n    C:\\Tools\u003eRestrictedAdmin.exe\n\n\n    Usage:\n\n            Check the DisableRestrictedAdmin value:\n                    RestrictedAdmin.exe \u003csystem.domain.com\u003e\n\n\n            Enabled Restricted Admin mode (set DisableRestrictedAdmin to 0):\n                    RestrictedAdmin.exe \u003csystem.domain.com\u003e 0\n\n\n            Disable Restricted Admin mode (set DisableRestrictedAdmin to 1):\n                    RestrictedAdmin.exe \u003csystem.domain.com\u003e 1\n\n\n            Clear the Restricted Admin mode setting completely:\n                    RestrictedAdmin.exe \u003csystem.domain.com\u003e clear\n\n\n\n## References\n\n* [Details on using this for PTH from Portcullis Labs.](https://labs.portcullis.co.uk/blog/new-restricted-admin-feature-of-rdp-8-1-allows-pass-the-hash/)\n* [PTH + RDP w/ restricted admin mode in Kali.](https://www.kali.org/blog/passing-hash-remote-desktop/)\n* [F-Secure has a post about offensively disabling Restricted Admin Mode.](https://labs.f-secure.com/blog/undisable/).\n* [Some Restricted Admin Mode details from Microsoft.](https://docs.microsoft.com/en-us/archive/blogs/kfalde/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2)\n* The StdRegProv approach was adapted from [this post](https://web.archive.org/web/20200212015446/http://softvernow.com/2018/09/02/using-wmi-and-c-registry-values/).\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Frestrictedadmin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fghostpack%2Frestrictedadmin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fghostpack%2Frestrictedadmin/lists"}