The Immutable Law of Security says that if someone has physical access to your computer, it's not your computer anymore. These simple hacks, along with abusing tools on the logon screen such as Utilman.exe, DisplaySwitch.exe, or Sethc.exe, have existed since 2001 in Windows XP. Before that, you could do the same with the screensaver in Windows 2000, and before that, you could do the same with the Spooler service in NT 4. So in no way am I showing this in order to say it's something I invented—I’m doing this, as in my other blogs, to document the most common things I need when troubleshooting Windows.
The biggest reason for writing this blog (although similar blogs are available, even on 4sysops) is that in August 2018, Microsoft started blocking these Accessibility Feature hacks with Windows Defender. For 18 years before this, I had started many of my presentations with the same hack— you could hack yourself into any Windows version, from Windows XP to Windows Server 2016 Domain Controllers, with a single command. Even though this broke the Third Immutable Law of Security, I told Microsoft every time I visited Redmond that it was ridiculous how easy it was—one command to hack any Windows version. So in August 2018, Microsoft finally fixed it. Of course, they did it when I was on stage, showing the hack that I'd done 18 years in a row. It was a very important presentation, so I guess I got what I deserved—or it was a targeted attack.
So now Microsoft has made great progress on this. I can happily tell you that now it requires not one command, but one command and booting into Safe Mode to hack any Windows version.
Let's get going.
You need to boot up your machine with something that can read NTFS. Here are some options:
- Boot with any Windows installation media (the newer the version, the more likely it is that it has drivers for your hard disk)
- Linux with NTFS driver
- Windows PE (preinstallation environment)
In my example, I'm booting it with a standard Windows 10 installation DVD (actually an ISO of it, as this is a Hyper-V VM).
After booting, there are two options I recommend:
- If your computer doesn't have BitLocker, just hit Shift+F10 to get to a command prompt.
- If your computer has BitLocker, start the Setup and choose Repair, as it will ask you for the BitLocker recovery key and then let you head on to a command prompt.
This computer doesn't have BitLocker, so I just hit Shift+F10 to get the prompt. After this, I’ll find the Windows installation that I can't access. In this case, it’s the D: drive.
Next you need to change the directory to D:\Windows\System32\.
The actual hack is done by the second command, but I recommend doing the first. (I'm showing this not as an attack, but as a procedure you are absolutely allowed to perform since you are the administrator on this PC.)
First, run the following command: copy sethc.exe ..
This command copies sethc.exe as a backup to the parent folder; spelled out, the command is "copy, space, sethc.exe, space, dot, dot".
Second, run the following command: copy cmd.exe sethc.exe
This command replaces the Sticky Keys command with a command prompt.
Replacing the sethc.exe with the cmd.exe, after creating a backup
This is what we did for years. But now, Windows Defender will catch this on Windows 10. So what you need to do is get the computer to Safe Mode.
- Restart the computer.
- On the logon screen, click Restart while pressing the Shift key.
- Select Troubleshoot > Advanced Options > Startup Settings.
- Select Restart.
- Choose the fourth option, Enable Safe Mode.
When you are on the logon screen, press the Shift key five times rapidly to get a command prompt with system access.
Here, you can reset the user account passwords or create new users. Here are some examples:
- NET USER Master Qwerty1
  - In my example, I have an account called Master. This changes its password to Qwerty1.
- NET USER Administrator Qwerty1
  - This changes the Administrator user's password to Qwerty1.
- NET USER Administrator /ACTIVE:YES
  - This activates a disabled admin account.
- NET USER TEMP Qwerty1 /ADD
  - This creates a new user.
- NET LOCALGROUP Administrators TEMP /add
  - This makes the new user an admin.
- msc
  - Opens the Computer Management screen if you don't like my command-line examples.
Note: If you create a new user and the computer is part of a workgroup, you might need to boot the computer once more before you can log on with the user as it might not be listed on the logon screen.
Close the CMD and log on. After logging on, there is still some cleanup to do because the computer is still "hacked," which you can verify by pressing the Shift key five times again: it still starts a command prompt. Close this command prompt and start a new one from the Start menu, elevating it with the Run as Administrator option.
From this new CMD.exe, type the following command: Robocopy C:\Windows C:\Windows\System32 sethc.exe /B
- This restores the backup copy using Robocopy's backup mode (/B), which relies on the backup privilege your administrator account now holds again.
- A normal copy won't do, as the file is protected by Windows Resource Protection.
You can verify that everything is back to normal by pressing the Shift key five times. Notice the Sticky Keys notification pops up.
Now all that is left is to reboot the computer back to normal mode.
A few points to consider:
- This is not an attack. If you are worried that this would be used against you as an attack, just make sure you have BitLocker, as it will mitigate this.
- If StickyKeys is disabled via policy, you can try Utilman.exe or DisplaySwitch.exe. If those don't work either, there is a way to hack yourself in via Group Policy; however, that is a story for another post.
- If you can't access Safe Mode, you can also disable Windows Defender by renaming MsMpEng.exe while in Windows PE.
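From the defender's side, the swap this post describes leaves a copy of cmd.exe under an accessibility tool's name, and BitLocker is the mitigation the post names. The following PowerShell check is an added example, not code from the original post; it assumes an elevated prompt on the installation being checked and that the BitLocker module is present, and its OriginalFilename comparison is a heuristic.

```powershell
# Added example, not code from the original post: check a running Windows
# installation for accessibility binaries in System32 that have been replaced
# with a copy of cmd.exe, and report the BitLocker state of the OS volume.
# Run from an elevated PowerShell prompt.

$System32 = Join-Path $env:SystemRoot 'System32'
$CmdHash  = (Get-FileHash -Path (Join-Path $System32 'cmd.exe') -Algorithm SHA256).Hash

# Accessibility tools named in the post and its comments.
$Targets = 'sethc.exe', 'utilman.exe', 'DisplaySwitch.exe', 'osk.exe'

$Findings = foreach ($Name in $Targets) {
    $Path = Join-Path $System32 $Name
    if (-not (Test-Path -Path $Path)) { continue }

    $Hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    # OriginalFilename is read from the PE version resource, so a cmd.exe copied
    # over sethc.exe still reports cmd.exe here regardless of its name on disk.
    $Original = (Get-Item -Path $Path).VersionInfo.OriginalFilename
    $Stem     = [IO.Path]::GetFileNameWithoutExtension($Name)

    [pscustomobject]@{
        File             = $Name
        OriginalFilename = $Original
        SameHashAsCmd    = ($Hash -eq $CmdHash)
        # Heuristic: the bytes match cmd.exe, or the version resource names a different tool.
        Suspicious       = ($Hash -eq $CmdHash) -or ($Original -and ($Original -notlike "$Stem*"))
    }
}

$Findings | Format-Table -AutoSize

if ($Findings | Where-Object -Property Suspicious) {
    Write-Warning 'Accessibility binaries differ from the originals; restore them from a known-good copy as the post describes.'
}

# BitLocker on the OS volume is what the post recommends against this offline edit.
try {
    $Vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    'BitLocker on {0}: {1} ({2})' -f $env:SystemDrive, $Vol.ProtectionStatus, $Vol.VolumeStatus
} catch {
    Write-Warning 'BitLocker status could not be read (module missing or prompt not elevated).'
}
```

A hash match against cmd.exe is the strong signal; the OriginalFilename mismatch alone only warrants a closer look, since version resources are not uniform across Windows builds.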
This is so oldschool, it even works on Windows NT.
It surprised me that MS put the user and picture on the logon screen again. Huge security risk.
Yes, this is exactly what his post is about. Great summary!
Hello and thank you very much for this useful article.
As a small addition, I have to say that when you are in the language selection screen (I tried it on a physical machine with a Windows 10 boot USB), the key combination Shift-F10 doesn't bring up a command prompt. You can get a command prompt by pressing Next, then selecting Repair -> Troubleshoot -> Command Prompt. You will find yourself in X:\Sources, and then you have to change directory to c:\windows\system32\
After this point your instructions have worked flawlessly.
Please take no offence at my correction. Thank you again and have a good day.
Thanks this helped me get past that point.
I just tried this in order to help a neighbour get back into his PC but learned that even that approach does not work any longer. Both sethc.exe and utilman.exe renamed. But even with the way through Safe Mode (or disabling Defender), no command prompt opens. 🙁
I’ve been able to do this even with a new insider build… Maybe he has another anti-malware installed? Or a policy to block this.
And you copied cmd.exe on top of sethc.exe just like in the blog post? I'm just asking because you refer to "renaming".
It does not work now; there was a new update. Can you make another post or respond with steps to make it work now?
Which part is no longer working?
Hi Team
I am getting an error while running this command: copy cmd.exe sethc.exe
Also tried to rename via the GUI but was unable to rename.
Did you boot from a DVD?
When attempting to do this I receive "System error 5 has occurred. Access denied." I am not even able to add a new admin or activate a disabled account. Please help.
Sami, an excellent post, thank you. I am looking at this from a security point of view, and reading this post I assume that there is no solution to prevent this, correct?
Regards, Henny
Enabling BitLocker prevents this.
What is the workaround when the computer has a UEFI BIOS and the operating system is not visible or accessible to overwrite UTILMAN?
The only volume listed in DISKPART is the WINPE DISK [FAT32] REMOVABLE DRIVE, and X:\Source is the pre-boot environment for the OS.
You should disable VMD in the BIOS.
This is not working. I copy cmd.exe over osk.exe, sethc.exe, UtilMan.exe. Then I restart the computer and get to the Login screen — and MS Defender has restored the files already. Rebooting again into Safe Mode is pointless: it is too late. (And yes, I did try it!)
Maybe MS has moved the Defender check earlier in the boot process, but you need to disable MS Defender BEFORE performing the cmd.exe copy and rebooting. Is that possible? Unless there is a way of booting into Safe Mode /without/ visiting the login screen first…