Hack allows any application to run on top of Windows 7 login screen

The hack has been well documented for some time, but it might be a bit of a surprise to regular users just how easy it is to compromise a machine you have brief access to. An article published by Carnal0wnage describes replacing "Sticky Keys" on the Windows 7 login screen with the command line executable, which essentially lets a user make all hell break loose.

It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following command:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

After that, the user can return to the workstation at a later time and press the SHIFT key five times (which normally invokes sticky keys) and an elevated command prompt is launched. From there, you can launch any process -- even Explorer -- and do anything you like as you would if you were logged on. 

The hack has been unpatched for some time now, and appears to work in both Windows 7 and Windows Server 2008 R2. Additionally, if the hack is in place, it's possible to perform a similar hack via an RDP session. Once in place, it is virtually undetectable aside from the registry key. Essentially, the above command sets the debugger for Sticky Keys to the command prompt executable, which is run at the system level when the machine is locked.
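A defender-side check for the two variants discussed on this page (the IFEO Debugger value the article sets, and the file swap raised in the comments), as an added example that is not part of the original article or the Carnal0wnage post. It assumes an elevated PowerShell session on Windows; the list of accessibility binaries beyond sethc.exe and the function names are this example's own choices.

```powershell
# Added example (not from the article): audit the Image File Execution Options
# "Debugger" hijack described above and the cmd.exe-over-sethc.exe file swap.
# Assumes an elevated PowerShell on Windows; the binary list is an assumption.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# sethc.exe is the binary the article names; the rest are the other Ease of
# Access helpers the login screen can start (assumed list for this example).
$AccessibilityBinaries = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
    'magnify.exe', 'displayswitch.exe', 'atbroker.exe'
)

function Get-AccessibilityHijackFinding {
    [CmdletBinding()]
    param([string[]] $Name = $AccessibilityBinaries)

    foreach ($exe in $Name) {
        # Check 1: any Debugger value on these images is suspect, because
        # nothing legitimately attaches a debugger to them at the login screen.
        $key = Join-Path $IfeoRoot $exe
        if (Test-Path -LiteralPath $key) {
            $debugger = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
            if (-not [string]::IsNullOrWhiteSpace($debugger)) {
                [pscustomobject]@{
                    Image  = $exe
                    Check  = 'IfeoDebugger'
                    Detail = $debugger
                    RegKey = $key
                }
            }
        }

        # Check 2: a cmd.exe copied over sethc.exe still carries a valid
        # Microsoft signature, so look at the PE version resource instead:
        # its OriginalFilename should match the on-disk name.
        $path = Join-Path $env:SystemRoot "System32\$exe"
        if (Test-Path -LiteralPath $path) {
            $orig = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
            if ($orig -and ($orig -ne $exe)) {   # -ne is case-insensitive here
                [pscustomobject]@{
                    Image  = $exe
                    Check  = 'OriginalFilenameMismatch'
                    Detail = "OriginalFilename=$orig"
                    RegKey = $null
                }
            }
        }
    }
}

function Remove-IfeoDebuggerValue {
    # Remediation for check 1; honours -WhatIf and -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] [string] $Image)

    $key = Join-Path $IfeoRoot $Image
    if ((Test-Path -LiteralPath $key) -and
        $PSCmdlet.ShouldProcess($key, 'Remove Debugger value')) {
        Remove-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction Stop
    }
}

# Report every finding, then offer to remove each IFEO Debugger value.
$findings = @(Get-AccessibilityHijackFinding)
if ($findings.Count -eq 0) {
    'No accessibility hijack indicators found.'
} else {
    $findings | Format-Table -AutoSize
    $findings |
        Where-Object { $_.Check -eq 'IfeoDebugger' } |
        ForEach-Object { Remove-IfeoDebuggerValue -Image $_.Image -Confirm }
}
```

A mismatch from check 2 needs a human look before anything is restored, since the fix is to put the original file back from installation media or a known-good image rather than to delete the swapped binary.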

Update: This same hack also works on Windows 8 Consumer Preview at the time of writing. As many others have noted, this is not really an exploit and has existed for some time; still, it can be a little fun to try on your own workstation.


Open an admin command prompt and type the following commands:

net localgroup administrators guest /add
net user guest /active:yes
netsh firewall set opmode mode=disable

Now your computer will respond to all network requests, even if they don't have a password. You now have full read/write remote access to the entire C drive without a password. Is this a new exploit? Better write an article!!!

EDIT: I should say, I have not tested this on Win7, but I know it worked on Windows 2000, we did it in a school lab once, made the teacher's computer reboot and other random stuff in the middle of the day. There is a policy started on Windows XP to deny access to the computer without a password, so that policy might need to be changed before this would work, that change....wait for it....can also be done as ADMIN

you dont even need to know the admin password.

I've been using a USB key with a live installation of winPE to obtain admin access to PCs as part of my job for years. Just have to reboot into the PE, swap the sethc.exe for a cmd.exe executable, then reboot and do the same. Can then change the admin password and log in

ElectricDemon said,
you dont even need to know the admin password.

I've been using a USB key with a live installation of winPE to obtain admin access to PCs as part of my job for years. Just have to reboot into the PE, swap the sethc.exe for a cmd.exe executable, then reboot and do the same. Can then change the admin password and log in

You are assuming they don't have BitLocker turned on. As a general rule, if you have physical access to a computer you can make changes to it.

There are also tools that can reset the administrator password of a computer by booting to a USB drive. Those are not considered exploits.

Root privileges aside, with physical access to a computer you can do anything. You can do a similar hack by booting to Linux on a USB drive and renaming a copy of cmd.exe to match the Windows accessibility tools (Start+U at the login screen). From there you can change any user's password. I used it to get my sister back into her PC when she lost the password.

DKAngel said,
hrmm if said person has access to the machine to start with im pretty sure ur ****t regardless of what u do

Still surprising that by adding a simple registry entry you can invoke an elevated command prompt from the login screen.

LaP said,
Also surprising to see so many people think it's okay for an OS to allow that.

As someone with root access you can get a system to do all sorts of questionable things. Surprising to see how many people are making a big deal out of something that's kind of blatantly obvious. I can just as easily make a news article saying "Did you know that with root access and a couple of keystrokes I can make a hidden SSH daemon on a Linux server and remotely control it? HUGE exploit!"

Or, if you want to compare oranges to oranges, I can make a startup script on Linux that executes any program I want with any credentials I want, no login required at the console. Exploit! Or I can replace Bash with a program that nukes the hard drive. Whatever. Exploit!

Bottom line, if you've got admin/root access, you can do evil things to any OS. This isn't news, it's common sense. The only passable interest may be in its trigger method, not everyone knows about overriding an executable in this method, but anyone who's doing a security audit should know of the basic attack surfaces, including this one.

This is embarrassing Neowin. Replacing core files that require administrator rights could open back doors... well, no sh*t, of course you can do pretty much anything with administrator access. This is not an exploit. Only time this is a problem is if an organisation hands out administrator access to everybody and tries to lock down the machines using GP. Also, there's a lot of youtube kids that demonstrate this using titles like "haxing windoze i iz 1337" or whatever chav status they use.

Also, update the front page read more text for this article "A newly discovered Windows exploit" because that is contradicted by "The exploit has been well documented for some time" which everyone knew anyway (and eases some of the embarrassment).

Edited by ShMaunder, May 29 2012, 10:12am :

There was a similar hack for NT whereby you could replace the lock screen screen saver with an elevated command prompt.

Suffice it to say, if someone has access to a privileged account to begin with (as the article suggests you would need) then all bets are off anyway. There are probably 1001 exploits that can be done easily.

Microsoft is yet to comment on the exploit, but we'll be reaching out to see if they're planning on patching this soon.

Microsoft will laugh at you.
That "exploit" is really old and useless.


Aethec said,

Microsoft will laugh at you.

Understatement of the year. Microsoft will roll on the floor wetting themselves with laughter.

It's not just the sticky keys, this exploit works with any of the options that launch executables from the "Accessibility" button that is on the login screen.
By that I mean that a person could even replace the narrator with the command prompt for example.
Does anyone know if this exploit works with Windows 8 or if it has been fixed as a result of Metro?

Owen, you really need to find a level of importance and if it is something outside of your area of expertise, have a few go to people that deal with stuff like this daily.

Anyone that has worked in high security level environments would laugh at the 'importance' you place on this.

The other thing you are missing is using information like this to create a 'teaching' moment, and use it to get people's attention that have no sense of 'security' to push them to be more careful and employ better personal policies they have with sharing their computers with other users.

The IT world is not your 'teaching' audience, hopefully, as normal security processes and procedures would make this type of exploit moot because it would be wiped. However, you could co-write the 'teaching' moment with an IT security professional that could address what should be standard procedures that would keep an exploit like this from even having a chance to persist past a login.

If you can move from just informing to teaching, you could find a place for yourself and be more than just a Neowin contributor.

thenetavenger said,
Owen, you really need to find a level of importance and if it is something outside of your area of expertise, have a few go to people that deal with stuff like this daily.

Anyone that has worked in high security level environments would laugh at the 'importance' you place on this.

The other thing you are missing is using information like this to create a 'teaching' moment, and use it to get people's attention that have no sense of 'security' to push them to be more careful and employ better personal policies they have with sharing their computers with other users.

The IT world is not your 'teaching' audience, hopefully, as normal security processes and procedures would make this type of exploit moot because it would be wiped. However, you could co-write the 'teaching' moment with an IT security professional that could address what should be standard procedures that would keep an exploit like this from even having a chance to persist past a login.

If you can move from just informing to teaching, you could find a place for yourself and be more than just a Neowin contributor.


As much as I wish you were right, you have to realize that MANY IT companies don't enforce their IT correctly and would easily let this through. I get what you're saying though, perhaps we'll look at doing that in the future

Owen W said,

As much as I wish you were right, you have to realize that MANY IT companies don't enforce their IT correctly and would easily let this through. I get what you're saying though, perhaps we'll look at doing that in the future

These IT companies can already be hacked using thousands of much simpler ways, e.g. creating an admin account while you're admin. No need to replace Sticky Keys.

Aethec said,

These IT companies can already be hacked using thousands of much simpler ways, e.g. creating an admin account while you're admin. No need to replace Sticky Keys.

Yeah, but you can actually SEE an admin account.

Owen W said,

Yeah, but you can actually SEE an admin account.

How about a startup script that uses the SYSTEM user to reset the local administrator password every time the machine starts? An executable could be launched during the same period instead. Even a system service could be used and named "Windows Core Server" or something. Which ones of these can you "see"? In fact you can "see" all of them including replacement of core files such as sticky keys - you just need to know where to look or use an automated script to ensure that it is seen.

Owen W said,

Yeah, but you can actually SEE an admin account.
Seriously? Again with the "can't detect" "can't see" implications. Say it out loud so we can all hear it clearly. "This exploit is undetectable"

Honestly, you should have deleted this article by now.

You seriously posted an article that says:
If you give someone full admin rights to your computer they can do things that would be *hard* to notice.

This is not news, nor a "teachable moment."

And again, your source even mentioned how un-newsworthy it is in his original post

Source
This has been documented all over, but i like things to be on the blog so i can find them...

In other news "If you give someone physical access to your machine they can steal a stick of ram and it wouldn't be obvious."

Owen W said,

Yeah, but you can actually SEE an admin account.

Not if you're actually in a company, and login is made through the "enter your name and password" window. Then you need to look at the local folders to tell someone created an account.

Aethec said,

Not if you're actually in a company, and login is made through the "enter your name and password" window. Then you need to look at the local folders to tell someone created an account.

I think you're referring to a domain where the user is authenticated on an LDAP (i.e. Active Directory) server? All local accounts can be viewed through the local user & groups MMC plug-in regardless of whether the station is joined to a domain. All group mappings (such as local admin group mapped to a domain user or group) can also be discovered through that MMC plug-in. Also, all logins are logged through the security event logger to discover previous account access. Not sure why you need to look around at local folders?

I should just edit, I am in no way supporting the whole "SEE" thing... just that you can view all local accounts through the MMC plug-in.

Edited by ShMaunder, May 30 2012, 7:20pm :

An exploit? Requiring an elevated prompt or access to RegEdit? You're kidding.

On top of this, one should remember rule 1 of computer security - If you have physical access to the computer, it's not your computer anymore.

People post about not liking Windows 8 and how they'll stay on Windows 7 and now there's a Windows 7 "Exploit" that's not really an issue. This is some ****ty propaganda.

Roxkis said,
People post about not liking Windows 8 and how they'll stay on Windows 7 and now there's a Windows 7 "Exploit" that's not really an issue. This is some ****ty propaganda.

Propaganda? How did you make this about Windows 8?

This isn't an exploit, this is a feature there are numerous reasons why you would want to run applications before login from an administrators point of view, eg. services. I guess they are saying that you can then access the system and run anything but that is just shoddy administration, like not sanitizing sql queries.

I guess the next big *exploit is going to be "you can bypass windows security and install malware".............. if you are an authorised administrator.

I clicked because of the silly title mentioning exploit.... which it isn't.
Give admin, get Owen*ed

"Exploit Alert! Allowing anyone who you don't trust to go on your machine as admin may allow them to do anything... like install a keylogger, create a startup script to run CMD as system or a million other simpler things which you won't detect"

For those who run IT there are a lot of different ways to prevent this using GP etc using simple scripts if you ever were stupid enough to allow local admin.

Windows security flaw that requires elevation: That's basically a non-issue.
OSX security flaw that requires elevation: MOST INSECURE OS EVER ... <something about Steve Jobs RDF goes here> ... !!!!

virtorio said,
Windows security flaw that requires elevation: That's basically a non-issue.
OSX security flaw that requires elevation: MOST INSECURE OS EVER ... <something about Steve Jobs RDF goes here> ... !!!!

There's a big difference. Windows has never and is never advertised as being practically unhackable. That Mac **** is.

No, they've been advertised as free from Windows viruses, and more secure than Windows, back then every Windows account was given admin privileges by default.

Feel free to post where they've said Mac OS X is unhackable.

virtorio said,
No, they've been advertised as free from Windows viruses

With the intent of making people who don't know any better think that it's free from all viruses. To claim that Macs are free from PC (Windows) viruses is an insanely stupid claim to make because it is trivially true, and completely irrelevant. Microsoft could claim that Windows is secure because it is immune from Mac viruses. They don't. Apple relies on equivocation here to keep out of trouble.


back then every Windows account was given admin privileges by default.

Back when? Back when they were attacking Windows Vista with the Get A Mac ads? That's what UAC and limited accounts are for. But they attacked it for its security AND the annoying UAC prompts. Despite the fact that OS X and Linux also have these prompts [the sudo command is UAC for Linux...].


Feel free to post where they've said Mac OS X is unhackable.

They might not advertise it as unhackable, but they do advertise it as the world's most secure and advanced operating system. It's the Apple users that claim that it's unhackable.

virtorio said,
Windows security flaw that requires elevation: That's basically a non-issue.
OSX security flaw that requires elevation: MOST INSECURE OS EVER ... <something about Steve Jobs RDF goes here> ... !!!!

The problem is Apple tries to push a myth that OS X is far more secure than it is. They use the BSD API to con people into seeing it as 'BSD secure' which is nonsense, as even FreeBSD isn't very secure; and only OpenBSD has a secure reputation which has nothing to do with OS X.

There are OS X flaws that literally go back to very old *nix tools and the way *nix works. Even in 10.7, there are still a lot of access points that just do not exist in Windows. Don't even log me in, and give me a keyboard to your Mac, and I could gain access to the entire system, and further create more exploit points.

This doesn't mean OS X is horrid at security, as it is rather secure compared to older OSes that had little to no security. However, when compared to Windows NT, the fundamental design and the current versions are worlds apart from OS X. (Three pigs analogy, OSX is Wood, Windows NT is Concrete and re-bar.)

There is no reason that 20 year old *nix exploit concepts should still be successful on a modern OS, and sadly they are in OS X. (This is true of Linux as well, which again is another myth of OS security.)

Windows XP got hit hard, and part of this was Microsoft's fault for giving users 'root/admin' access for software compatibility reasons. The other reason is that Windows was everywhere, and even new concepts of how to exploit or use malware were discovered and used against Windows XP that Microsoft took the hit. Apple and others were able to sit back and go, "wow nobody expected that type of attack," and then implement protections for the new concepts before their OS got hit with them.

Today Windows is still seen as less secure, but Vista and Windows 7 have had less exploits and security issues than OS X or Linux in the same time frame. And this is just not a 'bit' better, but in the list of patches, exploits, issues, there is a 20 to 1 difference of OS X and Linux being far less secure than Windows 7.

Which is something to give Microsoft props for, as they took security seriously and made good on it. Today, they are the company that is advising other companies on writing secure code, and secure compiler concepts, and network security. When Sony and others have been hit in the last year, Microsoft was the 'unseen' company that came in to help them.

As for Windows 7 being 20 to 1 more secure than OS X, this also no longer has any basis in the number of installations, as there are more computers running Windows 7 than all the Macs and OS X copies sold in the history of Apple combined.

However even with this 'data' and 'facts', people still like to see Windows insecure crap, and only an OS that idiots would use.

As an OS engineer, NT deserves a lot of respect that it doesn't get, and there is brilliance in things it is doing that OS X and Linux and other OSes would benefit from if their engineers weren't so dismissive of Windows and Microsoft. Example: (GPU multi-tasking is one thing since the Vista days that Linux and OS X need badly, and as multi-GPU and GP-GPU grows will be essential for the OS to manage the threads/processes. Even today it is one reason Windows 7 is very fluid.)

virtorio said,
Windows security flaw that requires elevation: That's basically a non-issue.
OSX security flaw that requires elevation: MOST INSECURE OS EVER ... <something about Steve Jobs RDF goes here> ... !!!!

It isn't that people are saying the flaw is a non-issue, people are saying it is NOT A FLAW!! Can you mess up a computer's security as an Admin? Yes. Can you do that on any OS? Yes.

I'm willing to bet that following the same steps, but pointing it to the Ease of Access executable will do the same thing, but with easier (pun not intended) activation: just click on the blue button on the lower left.

Really, once you've got an elevated command prompt then anything can be possible. The Command Prompt does not auto elevate like a few select executables in Windows 7, so there is one level of warning there.

Apart from unrealistic advanced heuristics or an annoying layer of security, we as humans can only do so much in detecting what computing behaviour is legit or malicious.

I would love these people who write this kind of stuff to stop being such haters....

What happens if I replace the file sethc.exe with something that will do something harmful?! Is it Windows' fault?!?

What if when I have admin access I just create another admin user and then use that whenever I want, is that Windows' fault also?!

What if when I have admin access I create some kind of script that will always open the backdoor for me and even if you find out I can always re-run it every time it restarts or I log in...

If you leave a PC logged in with administrator access unattended or just click everything and give it admin authorization it's ur problem, the same way that if you go ride a bike or car without knowing how and u crash it's your problem...

Agreed with everyone else; if they have access to an elevated command prompt I'm sure they can do much worse than modifying a registry key or two (think backdoors, etc.)

Also, is there any particular reason why they chose sticky keys for this? Wouldn't the same exploit work for filter keys/anything else built in with a shortcut?

This isn't an exploit. Anyone who has access to an elevated command prompt on a machine can do a ton more damage to a machine than this, i.e create another user account with admin access, install remote access software blah blah.

And besides, that's all it is. Damage to a single local machine. If your users have local admin access to a machine then you'd probably wipe it before giving it to someone else.

With an elevated command prompt you could do many more interesting things than that, and the machine is already considered owned.

Before everyone freaks out about "but you need elevation," I want to point out that a rogue employee could implement this on systems before they leave or on a clients PC to obtain access later. I don't see how it isn't a big deal.

Owen W said,
Before everyone freaks out about "but you need elevation," I want to point out that a rogue employee could implement this on systems before they leave or on a clients PC to obtain access later. I don't see how it isn't a big deal.

Well the whole elevation thing is the sticking point. If the shady person in question has root access, there's a near infinite number of ways they can mess with the system. Granted, this particular method isn't as well known as some others, but can just as easily have installed some sort of keylogger, tampered with SSH/remote access rights, installed some malicious scripts into your company's web server, etc etc.. all sorts of ways to get back in, but they all still require root access. This method is a little unusual, but it still boils down to making sure you trust the people you give admin access to. This can happen with any operating system as it's not an exploit, just poor judgement in who you trust.

Owen W said,
Before everyone freaks out about "but you need elevation," I want to point out that a rogue employee could implement this on systems before they leave or on a clients PC to obtain access later. I don't see how it isn't a big deal.

And this is why you lock down employee accounts. Don't give them admin access.

That would limit this to a rogue employee in your IT department. And if this is the most destructive thing an IT employee can think of to do, you have nothing to worry about.

Owen W said,
Before everyone freaks out about "but you need elevation," I want to point out that a rogue employee could implement this on systems before they leave or on a clients PC to obtain access later. I don't see how it isn't a big deal.
And this is different than the thousands of other things a user with elevated privileges could do with a few moments on a computer? Honestly this is FUD and Neowin should be embarrassed.

Owen W said,
Before everyone freaks out about "but you need elevation," I want to point out that a rogue employee could implement this on systems before they leave or on a clients PC to obtain access later. I don't see how it isn't a big deal.

The same way this was not a problem in OSX:
http://www.neowin.net/news/pas...ws-in-mac-os-x-lion-exposed
It was fine, because as one commenter wrote "You need to have a user setup on your Mac that you do not trust." So any account could cause a problem, didn't need elevated permissions just a general account, but that was OK because you need to give an account to somebody that you completely don't trust, and nobody would give an account on OSX in an edu environment.

And then there was this flaw:
http://www.neowin.net/news/os-...-if-authenticating-via-ldap
And look at that very first comment, turning it into a nothing to see here, move along issue

MrHumpty said,
Honestly this is FUD and Neowin should be embarrassed.

While I disagree with them advertising how to exploit the issue, showing people how to reproduce it, they should have it as an article reminding people of the dangers of giving someone permissions they should not have and so people can be aware of it.

Of course, then there is an article that I linked to where Neowin wrote "With Apple aware of the bug, you would expect that they will be working diligently to patch the flaw. At this time, there have not been any reports of this exploit being used in the wild for malicious purposes." but no such quote for this.

nohone said,

While I disagree with them advertising how to exploit the issue, showing people how to reproduce it, they should have it as an article reminding people of the dangers of giving someone permissions they should not have and so people can be aware of it.

Of course, then there is an article that I linked to where Neowin wrote "With Apple aware of the bug, you would expect that they will be working diligently to patch the flaw. At this time, there have not been any reports of this exploit being used in the wild for malicious purposes." but no such quote for this.


Even the source mentions this is insanely old. And as far as needing a PSA about the risks of giving someone admin privileges on your machine... Sure.

It is FUD even if it is spread due to ignorance. In any event, embarrassing.

Owen W said,
Before everyone freaks out about "but you need elevation," I want to point out that a rogue employee could implement this on systems before they leave or on a clients PC to obtain access later. I don't see how it isn't a big deal.

Then it really boils down to trust issues. One could say a rogue administrator can get away with sneaky practices (i.e. selectively bugging a few systems in the company of people he likes or dislikes). It's not a flaw.

Ability and consent are two exclusive things, and only laws and audits can help enforce consent.

Owen W said,
Before everyone freaks out about "but you need elevation," I want to point out that a rogue employee could implement this on systems before they leave or on a clients PC to obtain access later. I don't see how it isn't a big deal.

Don't give your employees admin rights, we don't. There are a million holes an admin could put into place to gain access to a computer later. DON'T GIVE THEM ADMIN, or if you must, then wipe the computer when they leave, simple.

Jesus.....IF a user gains access to an elevated command prompt? Well then all bets are off aren't they - how's this an issue seriously?

duddit2 said,
Jesus.....IF a user gains access to an elevated command prompt? Well then all bets are off aren't they - how's this an issue seriously?

DO not call jesus.. he is from the dark ages before computers. His tablet was a rock. hahahahaha

Microsoft is yet to comment on the exploit, but we'll be reaching out to see if they're planning on patching this soon.

What's to patch really? That particular registry key branch is used to call a debugger, among other things.. various task manager replacements use it a lot for example to "override" the built in with their own. Some security systems will check for entries added to this area. And to even do this, you need administrator privileges to begin with as it's in the local machine branch, which requires credentials.. the system wasn't hacked.

(don't do this)
It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following code;

diskpart
select disk 0
clean

And then, the OS is gone!

This is a horrible security issue that must be addressed immediately by NOT GIVING ADMINISTRATOR ACCESS to people you don't trust!

This is NOT an exploit, this is a quick script that lets an administrator abuse the system they rightfully have full control over.

Joe USer said,
(don't do this)
It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following code;

diskpart
select disk 0
clean

And then, the OS is gone!


Question would be, why doesn't the OS check if that's the partition of the OS? Didn't even format check if the selected disk was the one that the system resides on?

MFH said,

Question would be, why doesn't the OS check if that's the partition of the OS? Didn't even format check if the selected disk was the one that the system resides on?

It's not its responsibility.

Joe USer said,
(don't do this)
It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following code;

diskpart
select disk 0
clean

And then, the OS is gone!

This is a horrible security issue that must be addressed immediately by NOT GIVING ADMINISTRATOR ACCESS to people you don't trust!

This is NOT an exploit, this is a quick script that lets an administrator abuse the system they rightfully have full control over.

No, seems none of you have done this, I have tried it before and it doesn't work, it doesn't wipe out the system partition !!

techishere said,

No, seems none of you have done this, I have tried it before and it doesn't work, it doesn't wipe out the system partition !!

Apparently I was wrong, you can't do it this way.

Either way, you could mangle the OS given about 45 seconds if you really wanted to from an administrator command prompt. Could also do "add user" and add a hidden user account.

Joe USer said,

Apparently I was wrong, you can't do it this way.

Either way, you could mangle the OS given about 45 seconds if you really wanted to from an administrator command prompt. Could also do "add user" and add a hidden user account.


or try deleting system32

Pretty sure there are safeguards against this.

It's like how you can't do rm -rf / in *nix now without specifically disabling a safety net - and if you do disable said net and run it anyway, I do hope that OS install was only there for experimental purposes...

Denis W said,
Pretty sure there are safeguards against this.

It's like how you can't do rm -rf / in *nix now without specifically disabling a safety net - and if you do disable said net and run it anyway, I do hope that OS install was only there for experimental purposes...

Yes, there is a safeguard in place, it's called UAT. These things require admin rights. If the prompt comes up you need to stop and think about what you are trying to do and if you really want to. Yes, some tools have other safeguards in place, but it is not MS' job to make sure an Admin account (which should be able to do anything) can't screw up a computer.

It's as simple as briefly gaining access to an elevated command prompt on a workstation and typing the following code

Uhh, hello? If a malicious user gains access to an elevated command prompt, then you've had it, exploits or not.

Relativity_17 said,

Uhh, hello? If a malicious user gains access to an elevated command prompt, then you've had it, exploits or not.
Sure, but you can detect most things one way or another.

Owen W said,

Sure, but you can detect most things one way or another.

You can detect things like this easily...

To say that this is hard to detect or not able to easily detect is foolish. So if I break into your house and replace your couch with an electric chair, you wouldn't notice?

This is the EASY stuff to detect, and only a freaking idiot would consider this to be 'hard' to detect.

Maybe your assumption is that a scan only looks for malicious code, and CMD, not being malicious, would not raise suspicion; however, registry changes, especially for core key input/access/usability entries, are ESSENTIAL to any security scan.

In a secure environment, these entries would be restored on even a logout, along with anything that has changed from the approved corporate base image for the workstation.

Should home users be concerned? However, it would be far more productive to just teach people to NEVER let anyone ever use their admin level account. Turn on the 'Guest' account, or even create a 'user' level account for a friend. It takes a few seconds, and you don't even have to sign out of your work.

This keeps people out of your stuff and prevents them from hosing your computer.

This 'exploit' is tiny compared to the other things a person could do with Admin access. From installing kernel level tracking services to a ton of things that MOST malware will NEVER check for or even know to check.

Use this as a productive teaching moment... Everyone out there, NEVER let even your best friend/mate/parent use your account or an Admin account on your computer. PERIOD.

There are other benefits to them having their own account as well, as they won't be getting into your web login accounts, can have their own web login settings saved and their own Mail accounts setup, and on and on, without messing with other people's settings.
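The comment above makes the defender's point: the article's change is a registry entry on a core accessibility binary, which is exactly the kind of thing a baseline scan or a logoff reset should catch. As an added example that is not part of the article or this thread, the following PowerShell script audits every subkey under Image File Execution Options for a Debugger value (the mechanism the article describes), flags the sethc.exe case explicitly, optionally removes what it finds, and checks that the on-disk sethc.exe still carries a valid Authenticode signature (a replaced binary, the other variant mentioned above, would not). The function names and the -Remediate switch are my own choices; the registry path and sethc.exe are taken from the article.

```powershell
# Added example (not from the article or the thread): audit Image File Execution
# Options for Debugger redirections and verify the sticky-keys binary is still
# validly signed. Run from an elevated PowerShell prompt; pass -Remediate to
# delete any Debugger value that is found. Function names are this example's own.
param(
    [switch]$Remediate
)

# Same key the article's REG ADD writes to, in PowerShell drive notation.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebuggerEntries {
    # Each IFEO subkey is named after an executable. A 'Debugger' value makes Windows
    # launch that path instead of the executable, which is why cmd.exe can appear at
    # the login screen when sethc.exe is invoked there.
    Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['Debugger']) {
            [pscustomobject]@{
                Executable = $_.PSChildName
                Debugger   = $props.Debugger
                KeyPath    = $_.PSPath
            }
        }
    }
}

function Test-SystemBinarySignature {
    param([string]$Path)
    # A swapped-in copy of sethc.exe loses the Microsoft signature the original carries.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    }
}

# 1. Registry side: any Debugger entry on a workstation deserves review; one on
#    sethc.exe is precisely the change the article describes.
$entries = @(Get-IfeoDebuggerEntries)
if ($entries.Count -eq 0) {
    Write-Output 'No Debugger values found under Image File Execution Options.'
} else {
    foreach ($e in $entries) {
        $severity = if ($e.Executable -ieq 'sethc.exe') { 'HIGH' } else { 'REVIEW' }
        Write-Output ('[{0}] {1} -> {2}' -f $severity, $e.Executable, $e.Debugger)
        if ($Remediate) {
            Remove-ItemProperty -Path $e.KeyPath -Name 'Debugger'
            Write-Output ('    removed Debugger value from {0}' -f $e.KeyPath)
        }
    }
}

# 2. File side: confirm the binary itself has not been replaced.
$sethc = Join-Path $env:SystemRoot 'System32\sethc.exe'
$check = Test-SystemBinarySignature -Path $sethc
Write-Output ('{0}: signature {1} ({2})' -f $check.Path, $check.Status, $check.Signer)
if ($check.Status -ne 'Valid') {
    Write-Output 'WARNING: sethc.exe is not validly signed; compare it against a known-good copy.'
}
```

Debugger values under IFEO are uncommon on an ordinary workstation, so reporting every one rather than keeping a list of "bad" executables keeps the check simple and avoids missing the same trick applied to a different binary. In a managed environment the script can run as a startup or logoff script with -Remediate, which is the "restored on logout" behaviour the comment above argues for; enabling registry write auditing on that key would additionally produce an event at the moment the value is written.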

Relativity_17 said,

Uhh, hello? If a malicious user gains access to an elevated command prompt, then you've had it, exploits or not.

Indeed, surely with elevated privileges you can do a lot more damage than running apps at the login prompt.

As much of a flaw as this is, the fact that it requires you to get admin access to begin with kinda makes it a bit moot, as it's not like you can just walk up to any workstation, pop in a couple of commands and get full access.

Javik said,
As much of a flaw as this is, the fact that it requires you to get admin access to begin with kinda makes it a bit moot, as it's not like you can just walk up to any workstation, pop in a couple of commands and get full access.

Agreed.

Javik said,
As much of a flaw as this is, the fact that it requires you to get admin access to begin with kinda makes it a bit moot, as it's not like you can just walk up to any workstation, pop in a couple of commands and get full access.

And there is no such thing as a disgruntled IT support who once had access that is revoked? Get real... No one in their right mind is going to compromise their login whilst they have access when they can do it remotely and anonymously once they have left the company.

-BA- said,

And there is no such thing as a disgruntled IT support who once had access that is revoked? Get real... No one in their right mind is going to compromise their login whilst they have access when they can do it remotely and anonymously once they have left the company.

Yeah, because it's not like remotely accessing a computer will leave a trace or anything, right?

-BA- said,

And there is no such thing as a disgruntled IT support who once had access that is revoked? Get real... No one in their right mind is going to compromise their login whilst they have access when they can do it remotely and anonymously once they have left the company.

If an ex-employee can still gain access, the company has some serious security issues that go far beyond computers.

Any company that doesn't have a policy to 'scrub' or reset installations on a regular basis could have a lot of severe problems. If they value security, these types of precautions are essential as restricting access to hardware. Server rooms should be secure, local data should be purged on logoff, and on and on.

Yes this is a way to get access, but there are 20 other ways on the same level if a user has admin access or physical machine access, and they all should be scrubbed.

There are 100s of exploit tricks JUST LIKE THIS ONE for Linux and OS X and even OpenBSD.

In a world of OLD *nix code running on a lot of OS, there are a lot of exploits that have a bit of duct tape on them, and are easier to use than this exploit.

This is why you have user policies, security policies and scrub/reset policies so that data is never left outside a secured area.

The data/reset/scrub/control aspect is also why Windows is the OS infrastructure of choice for enterprise, because with a few AD policies workstations can be easily reset and scrubbed so that data is never allowed on them, and they can be returned to a blank state while keeping all the software and settings.

-BA- said,

And there is no such thing as a disgruntled IT support who once had access that is revoked? Get real... No one in their right mind is going to compromise their login whilst they have access when they can do it remotely and anonymously once they have left the company.

But how exactly? This works by having physical access or RDP, both of which are impossible to do once you are out of the building or not connected to the corporate network.

Javik said,
As much of a flaw as this is, the fact that it requires you to get admin access to begin with kinda makes it a bit moot, as it's not like you can just walk up to any workstation, pop in a couple of commands and get full access.

Agreed, this is no exploit, it's basically adding a new administrator account without password.

Javik said,
As much of a flaw as this is, the fact that it requires you to get admin access to begin with kinda makes it a bit moot, as it's not like you can just walk up to any workstation, pop in a couple of commands and get full access.

How exactly do you consider this to be a flaw??? The admin account should be able to do ANYTHING, including make changes to the computer to make it less secure. Yes, this would be a dumb change to make, SO DON'T MAKE IT, and DON'T RUN UNTRUSTED SCRIPTS as admin.

that's nothing new, you could do similar things with vista and below.

in fact, who remembers DreamPackPL for XP and 2000, now that was quite the tool

Brando212 said,
that's nothing new, you could do similar things with vista and below.

in fact, who remembers DreamPackPL for XP and 2000, now that was quite the tool

Yep, and if you have physical access there is one too which you can use to reboot the PC and modify the OS and the next boot you can login with no password while PRESERVING the real pass.

I am thoroughly confused. This is like saying, "Exploit found! The owner of a machine can replace Windows with Linux by replacing all the Windows files with Linux ones!"

Seriously... why go through the trouble of using IFEO? You're an admin, you can just replace the entire LogonUI.exe file with whatever the heck you want.

rfirth said,
Yep, this definitely isn't new or newsworthy.

Funny, this is the first time I've heard of this particular exploit. For me, that makes it newsworthy. On top of that, the idea that this has been known about for a long time on older systems and yet it's still possible on Windows 7 makes it sound quite newsworthy to me.

Intrinsica said,

Funny, this is the first time I've heard of this particular exploit. For me, that makes it newsworthy. On top of that, the idea that this has been known about for a long time on older systems and yet it's still possible on Windows 7 makes it sound quite newsworthy to me.

Firstly, this isn't an exploit. If I want to replace any system file, then I should be allowed to do that (understanding the dangers involved). Secondly, blocking interactive SYSTEM user privileges would break a lot of software including the login screen. The only fix would be hacking up a black list - but then things start getting messy and potentially breaking software again.

This article is something that should be comprised of a list of "look at the dangers of giving somebody admin access" with this being a point on the list. This "hack" is not front page news and pretty embarrassing tbh.

Intrinsica said,

Funny, this is the first time I've heard of this particular exploit. For me, that makes it newsworthy. On top of that, the idea that this has been known about for a long time on older systems and yet it's still possible on Windows 7 makes it sound quite newsworthy to me.

I hope you and others realize that replacing the sticky keys app on a computer requires Admin rights!! Add this to the list of a million things you can do to screw up a computer if you have admin rights.

Guess what else you can do with Admin rights? You could enable the guest account, that allows users to log in without a password!!! You could also give the guest account admin rights, allowing ANYONE to do ANYTHING on the computer!! Exploit! Exploit! Exploit! Exploit! Give me a break :-)

ShMaunder said,

Firstly, this isn't an exploit. If I want to replace any system file, then I should be allowed to do that (understanding the dangers involved). Secondly, blocking interactive SYSTEM user privileges would break a lot of software including the login screen. The only fix would be hacking up a black list - but then things start getting messy and potentially breaking software again.

This article is something that should be comprised of a list of "look at the dangers of giving somebody admin access" with this being a point on the list. This "hack" is not front page news and pretty embarrassing tbh.
Well put.