As long as there is physical access to a computer, it is always possible to gain access to the operating system even if it is password protected. For example, you can use Kon-Boot to login to any user account in Windows with any password by booting up the computer with the CD or USB. If BIOS is secured with a password to prevent changing of boot order, you can change the jumpers or remove the battery from the motherboard to clear the CMOS settings. As long as you can boot up the computer with CD or USB, there are quite a lot of tools that allows you to reset the user account password even if you don’t know the original password.
Here is an interesting method which I recently discovered that allows you to plant a backdoor to your Windows 7 operating system so that you can always reset or even add a new user account without even first logging in to Windows. This method is a bit restrictive because it requires an administrator privilege to the computer in order to make changes to the system but it does not involve installing any third party software or changing any system files like the old DreamPackPL.
1. First, make sure you are logged in as an administrator. Click on the start button, type cmd in the Search programs and files bar, right click on the cmd.exe that is displayed on the list and select “Run as administrator”.
2. Copy the command below and paste it to the command prompt.
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
If you see the message that says “The operation completed successfully”, that means you have installed the backdoor. If not, make sure you are logged in to a user account with administrator privilege and also run the cmd as administrator.
3. When you are at the login screen, you can either press the SHIFT key continuously for 5 times or Alt+Shift+PrintScreen which will open a command prompt with system privilege. You can now do whatever you want with it such as typing:
Explorer – To launch explorer and give you access to Start menu and taskbar. Any attempt to run Windows Explorer will prompt an error saying “The server process could not be started because the configured identity is incorrect. Check the username and password”. If you need to check the files and folders on the sytem, use the dir command instead in cmd.
Net user user_name new_password – This command allows you to set a new password to any username without knowing the current password.
Net user user_name password /add – This command allows you to add a new user to the system so you can login to Windows without touching the existing user accounts.
This proof of concept has been around for a very long time and is not really an exploit which is why Microsoft does not intend to patch and block it. To remove or uninstall the backdoor, simply delete the registry value that you have added or paste the command below to an elevated command prompt followed by pressing the Y key to confirm the deletion.
REG DELETE "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
Here is a simple explanation on how this backdoor works. In the Windows login screen, you are allowed to turn on sticky keys or high contrast using the hotkeys (Shift x 5 OR Alt+Shift+PrintScreen). Attempting to turn on either one with launch the sethc.exe file. Adding the provided registry will tell Windows that you want to run cmd.exe as a debugger for sethc.exe but the problem is Windows does not check if it is a valid debugger. So whenever you try to launch sticky keys or high contrast in the Windows 7 login screen, you will run the command prompt instead.
Below is a video demo to show how the whole thing works.