Exploit allows command prompt to launch at Windows 7 login screen

Shawn Knight


An unpatched exploit in Windows 7, Windows Server 2008 R2 and Windows 8 Consumer Preview allows a user to launch an elevated command prompt by manipulating the Sticky Keys function. The hack requires very little knowledge and can be set up in a matter of seconds.

Neowin says that this exploit has been documented for some time, but most tech users are unaware of it and of how easy it is to accomplish. To install it, a user simply needs to first gain access to an elevated command prompt and type the following command:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"


Depending on how fast you can type, this could easily be done in less than a minute. Once the entry is in place, a user can return to the workstation at a later date and launch the same high-level command prompt at the login screen by pressing the Shift key five times. This keystroke normally activates Sticky Keys, but the registry entry above makes Windows launch the command prompt in place of the Sticky Keys program instead.

The publication points out that the hack is virtually undetectable aside from the registry key, and that it even works over a Remote Desktop session.

As you can imagine, this is a critical security hole should anyone who isn't authorized to use the system get their hands on a workstation for a matter of seconds. One possible scenario could involve a disgruntled employee activating the hack on multiple systems and then returning after they have been terminated to steal or delete valuable data.

Microsoft has yet to comment on the exploit.
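A defender-side audit for the modification described above, added here as an example and not part of the article or of Neowin's write-up: it looks for a Debugger value under Image File Execution Options for sethc.exe and inspects the on-disk binary, which also catches the older variant mentioned in the comments where cmd.exe is copied over sethc.exe. The additional accessibility binary names and the reliance on the version resource's OriginalFilename field are my assumptions, not something the article states.

```powershell
# Added example, not from the article: audit a host for the sethc.exe IFEO
# "Debugger" hijack and for the variant where the binary itself is replaced.
# Run from an elevated PowerShell prompt (reads HKLM and %SystemRoot%\System32).

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# sethc.exe is the binary named in the article. The others are accessibility
# helpers that can also be started from the login screen; including them is my
# assumption about what a thorough check should cover.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

$findings = foreach ($name in $accessibilityBinaries) {
    # 1. Registry: any Debugger value under IFEO for these binaries is suspicious,
    #    because Windows starts that program instead of the named binary.
    $keyPath  = Join-Path $ifeoRoot $name
    $debugger = (Get-ItemProperty -Path $keyPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        [pscustomobject]@{ Binary = $name; Check = 'IFEO Debugger value set'; Detail = $debugger }
    }

    $file = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path $file)) { continue }

    # 2. File on disk: a non-Microsoft replacement fails signature validation.
    #    Caveat: on older builds system files are catalog-signed and may report
    #    NotSigned here, so treat anything other than Valid as "investigate".
    $sig = Get-AuthenticodeSignature -FilePath $file
    if ($sig.Status -ne 'Valid') {
        [pscustomobject]@{ Binary = $name; Check = 'Signature status not Valid'; Detail = $sig.Status }
    }

    # 3. cmd.exe copied over sethc.exe is still Microsoft-signed, so compare the
    #    OriginalFilename recorded in the version resource with the on-disk name
    #    (assumes the genuine binaries carry their own name there; -ne is
    #    case-insensitive in PowerShell).
    $orig = (Get-Item $file).VersionInfo.OriginalFilename
    if ($orig -and $orig -ne $name) {
        [pscustomobject]@{ Binary = $name; Check = 'OriginalFilename mismatch'; Detail = $orig }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { 'No IFEO Debugger hijack or replaced accessibility binary found.' }
```

Run it across a fleet through your usual remoting, and alert on any row: on a production workstation there is rarely a legitimate reason for a Debugger value on these binaries.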


 
Hmmm...this might explain some things a friend of mine has been seeing at work. The sad part is that if Microsoft overlooked such a fundamental exploit as this, there are probably several more exactly like it.
 
Wow, I can't believe this is still working!! I never did the registry side, but just renaming the cmd.exe from system32 to sethc.exe always worked for me. It would have been at least 18 months ago since I originally read about it.
 
As long as it requires direct access to enable the hack, it's not going to be a severe threat. The same can be said about anyone having unauthorized access to any computer; it only takes seconds to upload something malicious and far worse than a simple exploit such as this one.
 
Microsoft refuses to do something about this; it has been possible all the way back to Windows XP and probably even before that.
 
If it is an exploit that requires you to be logged in, then it isn't as serious a threat as it is made out to be... if the first step could be done at the login screen, then that would be serious...
 
"As long as it requires direct access to enable the hack it's not going to be a severe threat. The same can be said about anyone having unauthorized access to any computer, it only takes seconds to upload something malicious and far worse than a simple exploit such as this one."

Agreed. If the attacker has physical access to the machine, he can already do far worse.

What also limits the effectiveness of this, is it is the local SYSTEM account. So they can blow away the local workstation, but they still have no credentials to access any network resources. They'll need another exploit or will need to perform a bit of social engineering to break out from the local workstation.
 
"To install, a user simply needs to first gain access to an elevated command prompt"

There's the rub.

Rule #1: Physical Access is complete access.
Rule #2: Windows Key+L
Rule #3: Full disk encryption
 
If a company does not do a very thorough check of its IT systems after an unpleasant separation with an IT employee, they're probably going to have a lot of problems regardless.

But as people said, once you have physical access to the command prompt, you already have the potential to do far worse. The only difference here is that it's relatively simple and hard to detect.
 
This is a VERY OLD hack. I first saw it 2 years ago in a Greek magazine. But it was Greek. At least now it is known in the USA so probably MS got it :p
 
Well, it's just one registry key entry, while there are other tweaks that can be performed on a system with full access. But the question is, who would let you have an elevated command prompt and regedit.exe in a corporate environment? Being a system admin myself, I know that all this kind of activity is blocked on networks.
"To install, a user simply needs to first gain access to an elevated command prompt"

There's the rub.

Rule #1: Physical Access is complete access.
Rule #2: Windows Key+L
Rule #3: Full disk encryption
.

Nothing is guaranteed if someone with malicious intent has physical access to any system, including _nix, Windows or Mac. That's why employees work in good faith at the workplace (regardless of auditing and logging of systems). Only one live USB, CD or DVD (e.g. Ubuntu etc.) is required to break any kind of security and to access the file system. From my point of view, it is just a trick and nothing serious; that is why MS hasn't patched it yet.
 
"If you're in a corporate environment, just disable sticky keys via GPO."

Yep, that is the solution.

Funnily enough, this has been a long-standing issue with Windows. Maybe now that it has gotten some press, MS will patch this behavior. I suspect it is intentional since it deals with accessibility, but there must be a better way...
 
I think that TechSpot staff come up with over-the-top subjects for the articles to draw traffic to their website. This article clearly falls under that category.
From the article, "a user simply needs to first gain access to an elevated command prompt". Telling us that bad things can happen once a user gains access to an elevated command prompt isn't telling us anything we don't already know.
If the article were telling us that it was possible to gain access to an elevated command prompt through a series of actions on any PC running Windows 7, that would be newsworthy.
High-five goes out to all the staff at TechSpot for luring me to their website to read this drivel.
 
It's good solid information for those that aren't as PC savvy as some of the other TS users. It may be old news to some, but it's information that can be used to help others.
 
"To install, a user simply needs to first gain access to an elevated command prompt..."

one can do anything after gaining an elevated command prompt...

so, this is not an exploit at all...
 
Breaking news!

A user can bypass security and install viruses and malware.. if they have administration privileges.

This post is a joke and I thought after all the slack that neowin got for posting it other 'tech' websites would stay clear.
 
The fundamental problem with windows: Users running with root privileges... and people are surprised that this is possible and start whining. Anything is possible if the user has full privileges over the system - incredibly that includes changes to the registry hive...
 
"Breaking news!

A user can bypass security and install viruses and malware.. if they have administration privileges.

This post is a joke and I thought after all the slack that neowin got for posting it other 'tech' websites would stay clear."
Orly
 