As long as there is physical access to a computer, it is always possible to gain access to the operating system even if it is password protected. For example, you can use Kon-Boot to login to any user account in Windows with any password by booting up the computer with the CD or USB. If BIOS is secured with a password to prevent changing of boot order, you can change the jumpers or remove the battery from the motherboard to clear the CMOS settings. As long as you can boot up the computer with CD or USB, there are quite a lot of tools that allows you to reset the user account password even if you don’t know the original password.
Here is an interesting method which I recently discovered that allows you to plant a backdoor to your Windows 7 operating system so that you can always reset or even add a new user account without even first logging in to Windows. This method is a bit restrictive because it requires an administrator privilege to the computer in order to make changes to the system but it does not involve installing any third party software or changing any system files like the old DreamPackPL.
This backdoor allows you to run command prompt (cmd.exe) with system privilege from the Windows 7 login screen. So with a system privilege command prompt in your hands, you can actually do a lot of stuff including creating new accounts to resetting administrator password to gain access to the password protected Windows. Check out the step-by-step instructions:
1. First, make sure you are logged in as an administrator. Click on the start button, type cmd in the Search programs and files bar, right click on the cmd.exe that is displayed on the list and select “Run as administrator”.
2. Copy the command below and paste it to the command prompt.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
If you see the message that says “The operation completed successfully”, that means you have installed the backdoor. If not, make sure you are logged in to a user account with administrator privilege and also run the cmd as administrator.
3. When you are at the login screen, you can either press the SHIFT key continuously for 5 times or Alt+Shift+PrintScreen which will open a command prompt with system privilege. You can now do whatever you want with it such as typing:
explorer – To launch explorer and give you access to Start menu and taskbar. Any attempt to run Windows Explorer will prompt an error saying “The server process could not be started because the configured identity is incorrect. Check the username and password”. If you need to check the files and folders on the sytem, use the dir command instead in cmd.
net user user_name new_password – This command allows you to set a new password to any username without knowing the current password.
net user user_name password /add – This command allows you to add a new user to the system so you can login to Windows without touching the existing user accounts.
This proof of concept has been around for a very long time and is not really an exploit which is why Microsoft does not intend to patch and block it. To remove or uninstall the backdoor, simply delete the registry value that you have added or paste the command below to an elevated command prompt followed by pressing the Y key to confirm the deletion.
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
Here is a simple explanation on how this backdoor works. In the Windows login screen, you are allowed to turn on sticky keys or high contrast using the hotkeys (Shift x 5 OR Alt+Shift+PrintScreen). Attempting to turn on either one with launch the sethc.exe file. Adding the provided registry will tell Windows that you want to run cmd.exe as a debugger for sethc.exe but the problem is Windows does not check if it is a valid debugger. So whenever you try to launch sticky keys or high contrast in the Windows 7 login screen, you will run the command prompt instead.
Below is a video demo to show how the whole thing works.
I used this when my boss forgot his password in one of his laptiops.. I used the Win7 Installation CD to boot into command prompt, and copied cmd.exe to sethc.exe (after backing the original one up), and then rebooted, used the shift x 5 to get into command prompt and changed his password. Scored a point. :-)
This is very good but there’s a similar old trick where you boot into an externalOS such as windows PE (ie: win7 setup cd) and using the command prompt (Shift F10) , directly replacing sethc.exe with a copy of cmd.exe This way, you don’t need administrative privillages like your method. Much easier to remember to do than a registry key. You cant do this in the local windows installation itself because system files are write protected when in use
Modified Utilman Hack :)
this hack uses windows dvd and works vista, windows 7, Server 2008, 2008 R2…
youtube.com/watch?v=Ar-VoO9ogHc
Hi,
Thanks for this info .
Best regards !
PS. Please check the Forum Mr. Raymond . Thank you .
@Ublaze You only need to log in as admin in the prompt when you’re adding the initial registry values, not when you access the backdoor. If you don’t have admin rights in the first place then you should not have access to getting into the computer and should go get an admin.
@Raymond thanx for this. I have created a batch file to run form the prompt and called it backdoor.bat to help automate the preocess. Here’s the code:
@echo off
set name=
set pass=
set /P name=”Enter Username:”
set /P pass=”Enter Password:”
net user %name% %pass%
pause
Of course, you can take the pause out if you like.
@Hector Osorio: It should work on Vista but not sure if it will work on XP.
ublze: This is a proof of concept on how you can “plant a backdoor” to run command prompt in windows login screen.
Good Work
Does it works just in windows 7? Will it work in Vista or XP?
I dont get it ,with this method still u need to have an admin login to add the registry ryt so its worthless in my point of view .
thank u, very much ray…this is the useful information u have given.. of course i haven’t use it till now,but i think this is goona work….thanx again..i was waiting for this from a long time…
thanks ray
useful
V. Nice Thanks…