The Third Immutable Law of Security says that if someone has physical access to your computer, it's not your computer anymore. These simple hacks, which abuse tools reachable from the logon screen such as Utilman.exe, DisplaySwitch.exe, or Sethc.exe, have existed since Windows XP in 2001. Before that, you could do the same with the screensaver in Windows 2000, and before that, with the Spooler service in NT 4. So in no way am I showing this in order to say it's something I invented—I'm doing this, as in my other blogs, to document the most common things I need when troubleshooting Windows.
The biggest reason for writing this blog (although similar blogs are available, even on 4sysops) is that in August 2018, Microsoft started blocking these Accessibility Feature hacks with Windows Defender. For 18 years before this, I had started many of my presentations with the same hack— you could hack yourself into any Windows version, from Windows XP to Windows Server 2016 Domain Controllers, with a single command. Even though this broke the Third Immutable Law of Security, I told Microsoft every time I visited Redmond that it was ridiculous how easy it was—one command to hack any Windows version. So in August 2018, Microsoft finally fixed it. Of course, they did it when I was on stage, showing the hack that I'd done 18 years in a row. It was a very important presentation, so I guess I got what I deserved—or it was a targeted attack.
So now Microsoft has made great progress on this. I can happily tell you that now it requires not one command, but one command and booting into Safe Mode to hack any Windows version.
Let's get going.
You need to boot up your machine with something that can read NTFS. Here are some options:
- Boot with any Windows installation media (the newer the version, the more likely it is that it has drivers for your hard disk)
- Linux with NTFS driver
- Windows PE (preinstallation environment)
In my example, I'm booting it with a standard Windows 10 installation DVD (actually an ISO of it, as this is a Hyper-V VM).
After booting, there are two options I recommend:
- If your computer doesn't have BitLocker, just hit Shift+F10 to get to a command prompt.
- If your computer has BitLocker, start Setup and choose Repair; it will ask you for the BitLocker recovery key and then let you open a command prompt.
This computer doesn't have BitLocker, so I just hit Shift+F10 to get the prompt. After this, I’ll find the Windows installation that I can't access. In this case, it’s the D: drive.
Next, change the directory to D:\Windows\System32\.
The actual hack is done by the second command, but I recommend doing the first. (I'm showing this not as an attack, but as a procedure you are absolutely allowed to perform since you are the administrator on this PC.)
First, run the following command: copy sethc.exe ..
This command copies sethc.exe as a backup to the parent folder (D:\Windows) using the "copy, space, sethc.exe, space, dot, dot" notation.
Second, run the following command: copy cmd.exe sethc.exe
This command replaces the Sticky Keys executable with a copy of the command prompt.
Replacing the sethc.exe with the cmd.exe, after creating a backup
This is what we did for years. But now, Windows Defender will catch this on Windows 10. So what you need to do is get the computer to Safe Mode.
- Restart the computer.
- On the logon screen, click Restart while pressing the Shift key.
- Select Troubleshoot > Advanced Options > Startup Settings.
- Select Restart.
- Choose the fourth option, Enable Safe Mode.
When you are on the logon screen, press the Shift key five times rapidly to get a command prompt with system access.
Here, you can reset the user account passwords or create new users. Here are some examples:
- NET USER Master Qwerty1
  - In my example, I have an account called Master. This changes its password to Qwerty1.
- NET USER Administrator Qwerty1
  - This changes the Administrator user's password to Qwerty1.
- NET USER Administrator /ACTIVE:YES
  - This activates a disabled admin account.
- NET USER TEMP Qwerty1 /ADD
  - This creates a new user.
- NET LOCALGROUP Administrators TEMP /add
  - This makes the new user an admin.
- Open the Computer Management screen if you don't like my command-line examples.
Note: If you create a new user and the computer is part of a workgroup, you might need to boot the computer once more before you can log on with the user as it might not be listed on the logon screen.
Close the command prompt and log on. After logon, there is still some cleanup to do because the computer is still "hacked," which you can verify by pressing the Shift key five times again: it still starts a command prompt. Close this command prompt and start a new one from the Start menu, elevating it with the Run as Administrator option.
From this new CMD.exe, type the following command: Robocopy C:\Windows C:\Windows\System32 sethc.exe /B
- This copies the backup from C:\Windows back over the replaced file. The /B switch runs Robocopy in backup mode, using the Backup privilege that your elevated prompt has.
- A normal copy won't do, as the file is protected by Windows Resource Protection.
You can verify that everything is back to normal by pressing the Shift key five times. Notice the Sticky Keys notification pops up.
Now all that is left is to reboot the computer back to normal mode.
A few points to consider:
- This is not an attack. If you are worried that this would be used against you as an attack, just make sure you have BitLocker, as it will mitigate this.
- If Sticky Keys is disabled via policy, you can try Utilman.exe or DisplaySwitch.exe. If those don't work either, there is a way to hack yourself in via Group Policy; however, that is a story for another post.
- If you can't access Safe Mode, you can also disable Windows Defender by renaming MsMpEng.exe while in Windows PE.
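If you want to check whether a machine has been left in the "hacked" state described above (an accessibility binary replaced by cmd.exe), the following PowerShell script is an added example of such a check; it is not part of the original post and it assumes you run it from an elevated prompt on the machine being inspected. It compares the hash of each logon-screen accessibility tool named in this post against cmd.exe and also looks at the embedded OriginalFilename, because a renamed copy of cmd.exe is still a genuine, catalog-signed Microsoft file and a signature check alone will not flag it.

```powershell
# Added example, not from the original post: detect an accessibility binary
# that has been swapped for a copy of cmd.exe.
# Assumption: runs elevated on the machine being checked.

$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash

# Accessibility tools reachable from the logon screen, as named in the post.
$tools = 'sethc.exe', 'utilman.exe', 'DisplaySwitch.exe'

foreach ($name in $tools) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) {
        Write-Warning "$name is missing from System32"
        continue
    }

    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $info = (Get-Item $path).VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $base = [IO.Path]::GetFileNameWithoutExtension($name)

    $findings = @()

    # A renamed cmd.exe has exactly the same content hash as cmd.exe.
    if ($hash -eq $cmdHash) { $findings += 'same hash as cmd.exe' }

    # The version resource still says "Cmd.Exe", not the name it was copied to.
    # (-notlike is case-insensitive, so 'sethc.exe' vs 'Sethc.exe' is fine.)
    if ($info.OriginalFilename -and $info.OriginalFilename -notlike "$base*") {
        $findings += "OriginalFilename is '$($info.OriginalFilename)'"
    }

    # Still worth reporting: a non-Microsoft or unsigned replacement.
    if ($sig.Status -ne 'Valid') { $findings += "signature status $($sig.Status)" }

    [pscustomobject]@{
        File   = $name
        SHA256 = $hash
        Signer = $sig.SignerCertificate.Subject
        Result = if ($findings) { 'SUSPICIOUS: ' + ($findings -join '; ') } else { 'OK' }
    }
}
```

On a clean machine every row reports OK; after the copy cmd.exe sethc.exe step from this post, the sethc.exe row reports the matching hash and the cmd.exe OriginalFilename while the signature still shows as Valid, which is exactly why the hash and version-resource checks are needed. Restoring the backup with the Robocopy /B command above returns the row to OK.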