How can wmic be used to remotely query or modify the Restricted Admin Mode registry setting?
wmic can remotely access the registry via the `stdregprov` WMI class. To query `DisableRestrictedAdmin`, use: `wmic /node:<IP> /user:... /password:... path stdregprov call GetDWORDValue ^&H80000002,"System\CurrentControlSet\Control\Lsa","DisableRestrictedAdmin"` (`&H80000002` is the `HKEY_LOCAL_MACHINE` hive constant; the `^` escapes `&` for cmd.exe). To enable Restricted Admin Mode, call `SetDWORDValue` with the same hive, key and value name and the data `"0"` (a value of 0 enables it); disabling it uses `"1"`. This technique is often part of lateral movement, similar to concepts covered in Penetration Techniques - Lateral Movement from VMware ESXI to Windows Virtual Machines.
Tags: Restricted Admin Mode, wmic, registry, stdregprov, lateral movement