NOTE: Turns out lusrmgr.msc might only show up if you're running Windows Pro or higher, not home. You can still enable the account via the command prompt method later in the video.

As you mentioned, the SYSTEM account has the highest privileges within Windows. Anything that runs under this account is basically treated as part of the OS itself. A fun fact though is that if you use the task scheduler, you can actually make anything run using the SYSTEM account by ticking 'run with highest privileges'. This bypasses UAC even if it's enabled so it can be useful if you want to give a program admin permissions on login for example (of course only if you 100% trust it and know what you're doing)

I don't know how, but whenever am stuck with something on my PC, Thio uploads the exact same video as the solution the next day😂

its fine to always use administrator acc if you're like, sentient and know how to not download malware

Curious when you'll talk about the OOBE of win 10 and its "secret" keyboard shortcuts. (Ctrl-shift-F3 for pre-oobe admin environment, shift-F10 for console, windows 5 times for Autopilot deployments, ...) I use them daily to set up Laptops at work, but it was amazing to learn about them initially as they are so incredibly rarely used by anyone aside Enterprise IT Admins.

*Plot Twist: ThioJoe is the Super Admin*

I remember watching him so long ago that he used to be like do this if you want your Xbox to turn into a ps4 and the fact some people fell for it made me laugh

Older Windows versions in the NT family also had other ways to get in and / or escalate privileges, including methods that involved renaming the logon screensaver or even scheduling a task to run an elevated Task Manager (before Win7 made it easier to do so.) Fortunately it was rare that such methods were needed, but handy in emergencies.

Your content is always amazing. Thank-you.

Maybe the reason your default admin was not enabled in safe mode is because you had a regular admin account enabled. The default admin is only enabled in safe mode if: 1. There is no other admin or privileged account you can log on (all regular admin users being disabled,...), and 2. The computer is NOT part of a domain.

Appreciate the knowledge shared on this topic ThioJoe! Quite useful 👍

Best practice is to create a new account to be the administrator, so it has a different SID than the built-in Administrator account, and put a strong password on it. Then use a regular User account for your day-to-day use. Then when the UAC comes up it will ask for the password for the admin account rather than just asking "hey ya wanna?".

Thio still seems young so this use case might have escaped him. When you've migrated files from computer to computer... one day you might be looking for a file you created back in the 90's and have no access. The user accounts and from years ago might not be what you use today. Thus, that "Secret" Admin account (which wasn't a secret to me) turned out to be very useful in manually setting permissions of old files so that users of the current computer could access them. The regular admin account hadn't such power.

U always make vids I like thanks for the great content

THANK YOU! This randomly popped into my feed and was the answer to the question i had for MONTHS

I remember accessing this account on old school computers to install the software I wanted. I accessed it by booting in safemode and there was no password. Back then (around 2005-2010) it always seemed like it was enabled and without a password as default... at least on pre-built machines

On Windows 7 there was actually a way to use the "SYSTEM" account (most equivalent to Root on Linux actually) with the Windows Explorer and everything. What you had to do was replace the executable for the Windows Accessibility Stuff with "cmd.exe". Then on the login screen when you clicked on the accessibility button a Command prompt would open. From there you'd have to kill the login screen process (probably the trickiest part) and then run explorer.exe from said command prompt. You're now using the System user with UI and all _Technically_ it's still possible on Windows 8 and newer, but the explorer will not run if you're not logged into a regular user account (or the here discussed Admin account)

Yeah about this. Once I forgot the password to my user account and I has no other accounts setup as a backup. So I enabled this admin account from the recovery (by selecting cmd) . I changed the password for my user account and then created another account to be used as a backup

I like your background colors so much! And the video quality got so much better

Thanks for the video, Joe!

Hi, Thio! Respect!

I use the Administrator when I need to copy the files off an old drive user folder as you can copy the files without waiting for it to change the permissions which can take ages. Open an administrator command line and type "net user administrator /active:yes" to disable it again with "net user administrator /active:no"

You already talked about it i think, already knew, Nice video man

5:05 There is a Microsoft-provided tool that _can_ open an interactive Powershell or a command prompt (etc.) as SYSTEM… but for 99.99% of admin tasks it's like using a snowplow to scramble eggs.

Very interesting video! If I may add some precision to the use of the Default account, I've had the opportunity to set up a deployment server for a company once, and the Default account came in quite handy. First should I say that MDT (Microsoft Deployment Toolkit for making install sequences and other stuff) is using the "super-admin" account, and you can definitely see it using that account when it has to auto-log into it multiple times, doing reboots and all that kind of stuff, so it definitely has a huge utility there. Back to my Default account. Since we were sending around 2 to 3 sometimes up to 5 computers per day on busy days, deploying those computers fast and as automatically as possible is crucial. Though every time we had finished deploying a computer, we had to send it to the user over France, then once the user received it, he had to log in, and call us so we could finish the setup for him. That included setting up shortcuts, bookmarks in chrome, iniatializing the VPN and other stuff. That was quite the time consuming task. So when I prepared that WDS/MDT server (it's the deployment server), we made use of the Default account as a template. Turns out every time you log into a computer with a new user, Windows uses that Default account as template to create your account folder and everything. Knowing this, we could setup the common parameters and for example throw the chrome bookmarks and desktop shortcuts inside that Default folder to their respective place, and it was working like a charm! Windows was loading the modified Default account and when we logged with a new user, everything we could setup with the Default account was there and operating! At least this is the use we made it out of. I'm sure there is some other uses to it! Apologise for the grammar mistakes if I made any!

For anyone who wants to enable this on windows 10 HOME, open cmd and type net user administrator (Enter a password here) then type net user administrator /active:yes. That will enable the cccount on any HOME version of windows that does not have the group policy editor.

This has baffled me for a while. Thanks for reviewing this.

I am a software developer and need to run a lot of batch files, compile applications that modify the registry, and stuff like that on a daily basis. I found that in order to keep my sanity and to be able to do my job efficiently I run Windows using the 'Administrator' account all the time. To run as a regular admin user, I would need to change the permission on the whole C:\ drive and run the command prompt with elevated privileges all the time. I don't use any web browser or email applications on my dev machine and try to minimize the risk of download malware. Thanks for your video and clear explanations.

In Windows XP, the account was active and enabled by default, at least prior to SP2. It just wasn't visible on the Welcome Screen. To log in to it, you'd have to press CTRL+ALT+DEL twice when at the Welcome Screen. You'd then be presented with a classic (i.e. Windows 2000 style) login box, and you could just type administrator as the user name and no password (again: default) to log in. I believe Microsoft may have changed the default status of the administrator account in Windows XP Service Pack 2, but, as I said, at least prior to that it was always enabled.

YET ONE MORE TIME JOE UPLOADS LIFE JUICE.

Back to back awesome videos by ThioJoe

Best tech videos . Always ready to watch

i had forgotten about that, i remember having to enable it in Vista for some reason.

My windows just corrupted where i just lost all my admin rights last night then out comes your video which helped me to get the super admin account through safe mode where i can do a repair upgrade instead of a clean install and all my files can stay intact

Thio: Is that Express V-neck tee? Love it! ☺

9:38 If you use the windows installation media (Thio mentioned that last video), then you do not need to type in any password.

Oh I have gained access to it by accident. I formated my PC and for some reason it redirected me to the Administrator account instead of my normal user account.

Just remembered this account existed. I used to follow this account like 8 years ago and it’s crazy the content hasn’t changed at all

A really cool video, thank you, do post these videos, I remember one of your videos where you showed how to open the hidden cores in the cpu, it would great if you could repost it, thanks.

Fun fact: He was an admin.

My computer doesn't have an account called "administrator".....however, since I have pro edition I have modified the name in there to "thy lord and master"......that said, I also have the system account and the psutils to access it. In cmd it reads whoami as ntauthority/system Edit @5:10 Yes the heck you can Using psutils you can run am instance of cmd as system, close explorer.exe then reopen from cmd and you ARE logged in as system at that point

You can run programs with the System account and kinda log in to it, though it surely is not to be recommended. :D With certain modifications you can launch a system cmd in the windows login, launch the explorer process with it, and suddenly youre kinda logged in with system account.

Onced use this administrator account when I accidentally changed the rights of my own account to 'docker-user only'. Couldn't do anything anymore, this saved me

The SID 500 account .\Administrator does in fact have rights over regular local admins and domain admins. For example, if you deactivate UAC regulary for another .\Administrators member, a hidden uac feature still is active that prevents certain actions from remote execution. This restriction can only be globally disabled via registry hack, but the .\Administrator is never affected. In rare cases it can make sense to temporarily enable 500 in server environments for this. The main reason you don't use the 500 is that it can be bruteforced endlessly, because it can't be locked out.

I thought it would be the NT Authority/System account, since that is abused often during privilege escalation

I do actually use this account as my main account. I've done so for years on both windows 7 and 10. I do understand why you recommend not using it but for an advanced user, such as myself, I know not to go to certain sites, open certain e-mails, download certain things, etc. I also have a 3rd party firewall as well as a firewall in my router, an anti-virus software running 24/7, a malware detection program that can also detect rootkits and I also disable remote desktop and remote registry. I know this isn't going to guarantee I'll never have a problem but I feel comfortable with it. My brother writes some pretty sophisticated security programs for his personal use so I have the benefit of having access to those as well.

You rarely use the root account in Linux/unix anyway. If you need root-type privileges, you just type sudo and put in the root password. It only works for one session/task, and if you do more admin stuff, you have to type sudo again. So if you have to do a lot of tasks that require admin, you log in as root, do the stuff, and log out and back into a regular user account.

On my main PC I've been running as full admin since before Vista came out. I was a beta tester for Vista. Not a single issue has arisen in all these years.

I love when ThioJoe tries so hard to be relevant in the thumbnail. ☻😂

Thank you ThioJoe, very cool!

Perfect explanation much useful.👍

Nothing secret about the "RID500" account, it's the only true local admin account on a Windows machine. All other members of the administrators are under the "Admin Approval Mode" it's like root vs super user.

This isn't a super administrator or root account, this is just the default built in Administrator account. The root account in Windows is SYSTEM.

I’ve seen business PCs in 2020 with Windows XP (could not be a big deal if it was not expose to threats like internet) using the Administrator account as the main account as an everyday consult PC, and we talk about a shop with personal with no particular formation in avoiding malware, at least the putted a password to admin although it was four characters long

Thanks for information

i lost count how many times you've warned not to enable the super admin account... I'm scared and curious at the same time

Oh yeah, I remember this account, it was the account that my dumb younger self actually activated, renamed and used as main account each time I reinstalled Windows.

I fucked up my windows installation yesterday, but I thankfully had the four USB sticks you told me to make. I only used the windows one but thanks anyway!

Thanks, man!

7:30 actually you can relatively easily escalate to the NTAuthority/System account which has even more permissions than the Administrator account (as in, it doesn't need to edit the ACL to modify core system files).. so yeeah.. disabling the Administrator account to prevent priv escalation isn't really useful

There's another account that has even higher privileges than Administrator. It's called NT AUTHORITY/SYSTEM and it's hidden by default.

With some tricks you can log into System and even run explorer.exe. It just isn't useful most of the time because most programms say the user account is invalid but it is useful for removing Malware.

the XP also had prompt to give this Admin account password when installing windows, but only on Pro, Home installs were left without the password. so only thing you needed to get into XP machine with Home was to boot into safe mode and use unprotected Administrator to create your new admin account. Woked on like 99% cases, very few ppl using home even heard of it, much less bothered to add password for it.

Linux gang 😎😎

This is not completely accurate: - the default "Administrator" account always existed (just look at Windows NT 3, 4 and Windows 2000); - the account with the highest level of privileges, that is equivalent to the Linux' "root" account, is the so-called built-in "SYSTEM" account on Windows. - the "Administrator" account on Windows is slightly less privileged compared to "SYSTEM".

I learn more from this guy than my computer teacher like seriously

In my opinion you can make two .bat files, one to enable and another to disable admin account or one that enable/disable and keep them in your pc just in case of need but i have not found a situation to use "Admin" account, however there will be always someone that will try so i suggest that if you are going to mess with your windows better create a system image for recovery

Wao love from Pakistan 💕😘😘😘

Just a tip, this user account is enabled by default in all windows versions up to until windows 7 if I recall correctly, and can be easily accessed booting in safe mode, the account is just there, unprotected and you can for example log in and use NET USER commands to destroy the main accounts passwords and voilá, reboot and access all the accounts you want. This was a huge phisical security risk untill then. Since windows 8, you can no longer access the account by default through safe mode

there is another way... at the first setup screen on a fresh windows install (OOBE), hit CTRL+shift+F3. the pc reboots and logs in as "administrator" in "sysprep audit mode". dont close the sysprep popup, uninstall bloatware etc, then OK the sysprep popup. handy shortcut. its mainly used for cloning PCs, preinstall apps.

The thumbnail is amazing

You can actually secure the Administrator account. To do that you can download a program called Winaero Tweaker and it has some options to force uac on the Administrator account.

Last video watched from you was breaking into house for wi fi password...got recommended after long time...

Nice! Thank you.

For my previous install of Win 7 and now Win 10, in the Group Policy Editor the UAC is disabled and enable password required instead. I like the old Windows XP way. I always use a standard user account then if something needs higher permissions it pops up for the higher level credentials. A bit more work, but I will never hit Ok at the UAC prompt by mistake

Wait so as you said that you can enable it from cmd prompt which is also avalible in recovery mode right? Well what if I forgot my main user accounts password and want to recover it back, I can enable and use the admin account to change/delete the password of my main user account right?

Using WinAeroTweaker, there is a registry edit that allows you to enable UAC on the "Super Admin" account, thus nullifying some of it's security risks if a hacker finds out a way to enable it.

That thumbnail is so funny! 😂

Good job Thio... and no booting into safe mode does not enable the admin account.

in some linux distros, root is disabled by default. (if you want root privilages, use sudo, if you want a root shell use sudo su) : )

thanks for the video sir

That's more like a "hidden" admin account rather than a "super" admin account because it doesn't do more than what an actual admin account could do anyway except that there is no UAC popup. Anyways very good info. I never knew about this.

Windows server pack (2003, 2008, 2012, 2016, 2019, 2022) are enable since installation which when u are installing its, you will be asked to create a account, which is administrator account,

Ahhh, the account i use to circumvent my time limitation. Its also used to display the login screen and other basic features in the beginning

Where ThioJoe get these knowledge? INTERESTING!!!!!!!!!!!!

Wow! Thanks!

It also gives privileges to routine jobs they don’t want you to stop. Like the registration numbers of programs and matches with registered name opens communication so they can shut your computer down

Nice... I already Use this Feature

I remember my friend and I managing to get into the admin account on our high school computer feeling like the biggest hackers in the world, I can't fully remember how but we managed to make one of the accessibility options in the login window open cmd

Hi Thio Joe, Awesome channel I wanted to ask you can you activate God Mode in super admin privilege?

I also learned that ThioJoe looks cool with his sunglasses on from the thumbnail.

In fact in XP days was almost considered a backdoor, you want to enter a password protected Windows XP, enter safe mode hitting F8 during initial Windows Boot and voilá Administrator doesn’t have password and can delete the other admins passwords

Nice info thx

Can it help me access System Volume Information? or at least the hidden 5 partitions on my SSD? 1: no label C: NOT HIDDEN 2: ESP 3: Other 4: WINRETOOLS 5: Image 6: DELLSUPPORT

If I remember correctly, administrator cannot bi locked after whatever number of unsuccessful logon attempts is defined in group policy. That is also one of the properties that other admin accounts do not have.

The thumbnail is just cool

can you talk about WDAGUtilityAccount and its purposes, and also TrustedInstaller and how to get TrustedInstaller level permissions

Do u recommend a newbie do a Recovery in the Security section to Reset the PC? Thx

Finally a way I can easily run MEMz thanks

Looks like you have been really working out.