Author Topic: Socially engineering my employer  (Read 2214 times)

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • JinxBot :: the evolution in boticulation
Socially engineering my employer
« on: February 20, 2006, 02:21:08 pm »
So my coworker asked me to see about upgrading his account so that it would have local Administrator privileges on our machine.  I guess he wanted to install Firefox or something.  So, since I'd done it recently, I knew it involved logging onto the local Administrator account, but I couldn't remember precisely how to do that.  I hadn't done it for myself in about a year, possibly more, so I didn't remember the password.

So I call the help desk.  They were happy enough to help me the last time.
Them: "...so make sure you enter 'Administrator' in the username field and that 'Log on to' specifies '(this computer).'  Then press <enter>."
Me: "There's no password?"
Them: "Nope."
Me: (Stunned) "Um, I need to leave my desk accessible sometimes, is it okay if I put a password on this account?"
Them: "No, it's like that on almost all of our computers.  It's so we can fix things without having to track all of the administrator passwords."

The next time I saw our IT guy (the guy who usually comes to work on our computers at my facility), I asked him if I could set a local admin password, explaining that sometimes I need to leave my keyboard out at my desk while I step away from the desk for substantial amounts of time.  He said it was fine, to let him know what the password was and to e-mail the help desk with it.  I set it to a strong password and let him know.

What I want to do is go to our Town Manager (who is pretty much the highest-ranking non-elected official) and log into his computer, install a keylogger or something, and gain access to his account.  I then have access to any confidential data on his computer.  Is this possible?  Do I need to modify or install a new GINA DLL?  Can I install a kernel-mode keylogging service to operate at GINA time without hacking GINA in the first place?

I of course want to show this to him as I do it to demonstrate the simplicity of it.

Are there any other ways to elevate the privileges of the account?  For example, can I create a domain account or gain access to another domain account with higher privileges from the local administrator account?

We're running a Windows domain, but not Active Directory, so I tend to think we're on a Windows NT 4.0/Windows 2000 hybrid network server environment with XP SP1/SP2 mixed workstations.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • sidoh
Re: Socially engineering my employer
« Reply #1 on: February 20, 2006, 05:54:22 pm »
Hehe, we just use the same administrator password for all of the machines.  That works pretty well. :)

As a heads up, I got in BIG trouble for doing something like this a few years ago.  Of course my intents were slightly less structured and rationalized than yours, but it's still the same sort of situation.  I'm sure you're fully aware of the risks, but just so you're explicitly warned. ;D

I'm totally unsure of the answer to your question.  I know, I'm so useful.  Haha, the keylogger I had was pretty simple.

Offline MyndFyre

Re: Socially engineering my employer
« Reply #2 on: February 21, 2006, 11:47:12 am »
Look at this!  All the security people here and we can't find even one person who can tell me how to execute an elevation of privileges attack on a domain.

Offline Quik

  • Webmaster Guy
  • x86
  • Hero Member
  • *****
  • Posts: 3262
  • \x51 \x75 \x69 \x6B \x5B \x78 \x38 \x36 \x5D
Re: Socially engineering my employer
« Reply #3 on: February 21, 2006, 01:46:00 pm »
If you're running Windows XP and have local access, it's not an issue to log into an Administrator account, even if the current one has a password.

By the way, I would suggest against installing malicious programs to prove a point. Reminds me of another situation with another person that ended quite badly, and I assume you know what I'm talking about.

About the comment on security experts on these forums: If it were a Linux machine, you'd have 10 ways posted in an hour, half of which by tmp I'm sure. But, being as the people who know the most about security here rarely use Windows, it's less likely. Still, this doesn't sound difficult at all and if you would explain more of your situation and exactly what you were trying to do, I could steer you in the right direction.
Quote
[20:21:13] xar: i was just thinking about the time iago came over here and we made this huge bomb and light up the sky for 6 min
[20:21:15] xar: that was funny

Offline MyndFyre

Re: Socially engineering my employer
« Reply #4 on: February 21, 2006, 05:28:24 pm »
Quote from: Quik
> If you're running Windows XP and have local access, it's not an issue to log into an Administrator account, even if the current one has a password.
>
> By the way, I would suggest against installing malicious programs to prove a point. Reminds me of another situation with another person that ended quite badly, and I assume you know what I'm talking about.
>
> About the comment on security experts on these forums: If it were a Linux machine, you'd have 10 ways posted in an hour, half of which by tmp I'm sure. But, being as the people who know the most about security here rarely use Windows, it's less likely. Still, this doesn't sound difficult at all and if you would explain more of your situation and exactly what you were trying to do, I could steer you in the right direction.

Quik, it's clear to me that you didn't read my post.  Two things make it clear:
1.) I'm going to talk to the big boss, whom I see frequently, and get his explicit permission to show this to him on his computer.  If I have this permission, then I clearly do not have a problem with doing this, and I wouldn't get in trouble.
2.) I have explained in detail how this situation arose and what I want to do to correct it.  Twice I've asked for details about how to execute an elevation of privileges attack on a domain.  In other words, I want to become a network administrator.