Exploit allows command prompt to launch at Windows 7 login screen

By on May 29, 2012, 9:30 AM

An unpatched exploit in Windows 7, Windows Server 2008 R2 and Windows 8 Consumer Preview allows a user to launch an elevated command prompt by manipulating the sticky keys function. The hack requires very little knowledge and can be exploited in a matter of seconds.

Neowin says that this exploit has been documented for some time but most tech users are unaware of it and how easy it is to accomplish. To install, a user simply needs to first gain access to an elevated command prompt and type the following code:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

Depending on how fast you can type, this could easily be done in less than a minute. Once entered, a user can return to the workstation at a later date and launch the same high level command prompt at the login screen by pressing the Shift key five times. This usually activates sticky keys but the above code changes its function to launch the command prompt instead.

The publication points out that the hack is virtually undetectable aside from the registry key and even works via remote desktop session.
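Because the only artifact the article names is the registry key, the natural defensive check is an audit of that key. The script below is an added example written for this page; it is not from the article, from Neowin, or from Microsoft. It checks a host for both variants described on this page: an Image File Execution Options "Debugger" value for sethc.exe, and a sethc.exe that has been overwritten with a copy of cmd.exe (the file-swap variant a commenter mentions). It assumes PowerShell 4 or later (for Get-FileHash) and an elevated session; the $Targets parameter and $findings object layout are my own choices.

```powershell
# Added audit example (not the article's code): look for the sethc.exe
# backdoor described above. Run from an elevated PowerShell prompt.
param(
    # Accessibility executables to check; the article only discusses sethc.exe,
    # but the same check applies to any name listed here.
    [string[]]$Targets = @('sethc.exe')
)

$ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system32 = Join-Path $env:SystemRoot 'System32'
$cmdHash  = (Get-FileHash -Path (Join-Path $system32 'cmd.exe') -Algorithm SHA256).Hash
$findings = @()

foreach ($name in $Targets) {
    # Variant 1: the REG ADD command from the article. Any Debugger value under
    # the IFEO subkey means Windows launches that program instead of $name.
    $key = Join-Path $ifeo $name
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            $findings += [pscustomobject]@{
                Target = $name
                Check  = 'IFEO Debugger value present'
                Detail = $dbg
            }
        }
    }

    # Variant 2: the executable itself was replaced by cmd.exe (the offline
    # rename trick from the comments). Compare its hash with cmd.exe and
    # confirm the embedded OriginalFilename still matches the file name.
    $path = Join-Path $system32 $name
    if (Test-Path $path) {
        $hash     = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $origName = (Get-Item $path).VersionInfo.OriginalFilename
        if ($hash -eq $cmdHash -or ($origName -and $origName -ine $name)) {
            $findings += [pscustomobject]@{
                Target = $name
                Check  = 'Binary replaced'
                Detail = "OriginalFilename=$origName SHA256=$hash"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No accessibility-binary tampering found.'
} else {
    $findings | Format-Table -AutoSize
    # Remediation for variant 1 is to delete the value, e.g.:
    #   Remove-ItemProperty -Path (Join-Path $ifeo 'sethc.exe') -Name Debugger
    # For variant 2, restore the vendor copy of the file from installation media.
}
```

The hash comparison only catches a byte-for-byte copy of the local cmd.exe; the OriginalFilename check covers a copy taken from another machine or build. Neither check replaces the GPO mitigation suggested in the comments (disabling the sticky keys shortcut), which removes the trigger rather than the payload.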

As you can imagine, this is a critical security hole should anyone get their hands on a workstation for a matter of seconds that isn’t authorized to use the system. One possible scenario could involve a disgruntled employee activating the hack on multiple systems then returning after they have been terminated to steal or delete valuable data.

Microsoft has yet to comment on the exploit.

User Comments: 29
Guest said:

Indeed very dangerous exploit.

mevans336 mevans336 said:

If you're in a corporate environment, just disable sticky keys via GPO.

Kibaruk Kibaruk, TechSpot Paladin, said:

If you are a normal user, just lock the screen when you leave your computer on.

psycros psycros said:

Hmmm...this might explain some things a friend of mine has been seeing at work. The sad part is that if Microsoft overlooked such a fundamental exploit as this, there's probably several more exactly like it.

R3DP3NGUIN R3DP3NGUIN said:

Wow, I can't believe this is still working! I never did the registry side, but just renaming cmd.exe from system32 to sethc.exe always worked for me. It would have been at least 18 months ago since I originally read about it.

Adhmuz Adhmuz, TechSpot Paladin, said:

As long as it requires direct access to enable the hack it's not going to be a severe threat. The same can be said about anyone having unauthorized access to any computer; it only takes seconds to upload something malicious and far worse than a simple exploit such as this one.

Guest said:

Microsoft refuses to do something about this, it has been possible all the way back to windows xp and probably even before that.

m4a4 m4a4 said:

If it is an exploit that requires you to be logged in, then it isn't as serious a threat as it is made out to be... if the first step could be done at the login screen, then that would be serious...

mevans336 mevans336 said:

"As long as it requires direct access to enable the hack its not going to be a severe threat. The same can be said about anyone having unauthorized access to any computer, it only takes seconds to upload something malicious and far worse than a simple exploit such as this one."

Agreed. If the attacker has physical access to the machine, he can already do far worse.

What also limits the effectiveness of this, is it is the local SYSTEM account. So they can blow away the local workstation, but they still have no credentials to access any network resources. They'll need another exploit or will need to perform a bit of social engineering to break out from the local workstation.

Guest said:

"To install, a user simply needs to first gain access to an elevated command prompt "

There's the rub.

Rule #1: Physical Access is complete access.

Rule #2: Windows Key+L

Rule #3: Full disk encryption

gwailo247, TechSpot Chancellor, said:

If a company does not do a very thorough check of its IT systems after an unpleasant separation with an IT employee, they're probably going have a lot of problems regardless.

But as people said, once you have physical access to the command prompt, you already have the potential to do far worse. The only difference here is that its relatively simple and hard to detect.

Guest said:

This is a VERY OLD hack. I first saw it two years ago in a Greek magazine. But it was Greek. At least now it is known in the USA so probably MS got it :P

Opus Opus said:

Well, it's just one registry key entry, while there are other tweaks that can be performed on a system with full access. But the question is, who would let you have an elevated command prompt and regedit.exe in a corporate environment? Being a system admin myself, I know that all this kind of activity is blocked on networks.

"To install, a user simply needs to first gain access to an elevated command prompt"

There's the rub.

Rule #1: Physical Access is complete access.

Rule #2: Windows Key+L

Rule #3: Full disk encryption"

Nothing is guaranteed if someone with malicious intent has physical access to any system, including *nix, Windows or Mac. That's why employees work in good faith at the workplace (regardless of auditing and logging of systems). Only one live USB, CD or DVD (e.g. Ubuntu etc.) is required to break any kind of security and to access the file system. In my view, it is just a trick and nothing serious; that is why MS hasn't patched it yet.

Rick Rick, TechSpot Staff, said:

"If you're in a corporate environment, just disable sticky keys via GPO."

Yep, that is the solution.

Funnily enough, this has been a long-standing issue with Windows. Maybe now that it has gotten some press, MS will patch this behavior. I suspect it is intentional since it deals with accessibility, but there must be a better way...

Guest said:

I think that techspot staff come up with over the top subjects for the articles to draw traffic to their website. This article clearly falls under that category.

From the article, "a user simply needs to first gain access to an elevated command prompt". Telling us that bad things can happen once a user gains access to an elevated command prompt isn't telling us anything we don't already know.

If the article were telling that it was possible to gain access to an elevated command prompt through a series of actions on any PC running Windows 7, that would be newsworthy.

High-five goes out to all the staff at Techspot for luring me to their website to read this dribble.

Tygerstrike said:

It's good solid information for those that aren't as PC savvy as some of the other TS users. It may be old news to some, but it's information that can be used to help others.

Guest said:

Oh my god. I feel so exploited.

Guest said:

"To install, a user simply needs to first gain access to an elevated command prompt..."

one can do anything after gaining an elevated command prompt...

so, this is not an exploit at all...

Lionvibez said:

comments = win!

Guest said:

Breaking news!

A user can bypass security and install viruses and malware... if they have administration privileges.

This post is a joke and I thought after all the slack that neowin got for posting it other 'tech' websites would stay clear.

Guest said:

The fundamental problem with windows: Users running with root privileges... and people are surprised that this is possible and start whining. Anything is possible if the user has full privileges over the system - incredibly that includes changes to the registry hive...

NTAPRO NTAPRO said:

"Breaking news!

A user can bypass security and install viruses and malware.. if they have administration previeledges.

This post is a joke and I thought after all the slack that neowin got for posting it other 'tech' websites would stay clear."

Orly

Guest said:

"An unpatched exploit in Windows..."

It is not an unpatched exploit; it is an official feature of Windows.

"...a user simply needs to first gain access to an elevated command prompt..."

A user with elevated access is already omnipotent; he doesn't need another exploit.

Guest said:

Nope... to windows users, anything which means that the OS allows them to do stupid things, is an "exploit" or "vulnerability"...

To everyone else an exploit is something like a buffer overrun...

Guest said:

Funny, I use this hack all the time to break passwords. People often lock themselves out of their computers, and the fastest way for me to get past them is using Sticky-Keys. I plug in their drive to a second computer, rename SETHC.exe (the Sticky Keys executable), and copy CMD.EXE. Turn the computer back on, and voila.

And once you've got the command prompt open, it's just a matter of "net user %username% *" to blank the password.

Guest said:

So like the next computer I buy will be required to run Windows 8 for security purposes and it's already been cracked. I guess I will have to get to know my bank teller, tax accountant, and any other official business type personally again. Since my ability to do secure transactions by computer is now controlled by the most insecure company.

AlleyTrotter

Guest said:

"So like the next computer I buy will be required to run Windows 8 for security purposes and it's already been cracked. I guess I will have to get to know my bank teller, tax accountant, and any other official business type personally again. Since my ability to do secure transactions by computer is now controlled by the most insecure company.

AlleyTrotter"

Amazing! Have you read the comments? This "hack" or "exploit" requires admin access and in this case, physical access to the computer. If you can't even lock your own computer and allow someone to do what they need to with your computer, it's your own damn fault. It does not matter whether it's Windows, Linux, or MacOS.

Anyways with that said, I hope Windows can do something about this.

Guest said:

"So like the next computer I buy will be required to run Windows 8 for security purposes and it's already been cracked. I guess I will have to get to know my bank teller, tax accountant, and any other official business type personally again. Since my ability to do secure transactions by computer is now controlled by the most insecure company.

AlleyTrotter"

Actually the "bad guy" does not even need to use this exploit. Since he has admin access and/or physical access, he might as well just install a trojan or a keylogger and secretly disable any antivirus or firewall. Voila! Who cares about this exploit when you can do so much more with admin access and/or physical access.
