Sticky keys attack (Part1)

During my apprenticeship I was sent to a lot of different customers and middle-sized companies to support their IT environment or just analyse and solve their computer problems. Many times I was completely alone and it was my own responsibility to do a good job and satisfy the customer in the end. Believe me, I had to deal with a lot of chaotic IT environments and difficult customers. Looking back, I remember being in many unpleasant situations that challenged me psychologically and technically. For example, the company sold me as a specialist for a specific product or technology where I had only little knowledge to find an error, and I couldn’t tell the customer that I had no plan! In such cases I had to learn how to organise myself and find useful information in a short time. I also had a CD box with me with different kinds of tools that helped me in solving or analysing computer problems. From time to time and case to case this collection grew, and I also had this kind of tools with me later when I worked as a „technician in the field“. This collection also contained some hacking tools with which I could bypass the login of a Windows system. I’ll give you a practical example of a typical situation where this kind of tool saved my day!

I was sent to a customer where I had to stage some notebooks. This customer had a lot of internal applications and it would have taken hours to install them all manually. To save time they gave me an image that contained the operating system and most of the core applications. I installed that image on the first machine, but I couldn’t log in with the local administrator credentials they gave me. No one knew the password and the person who built this setup wasn’t available anymore 😈

I decided to reset the password and could finish the work in time. Anyway, this was just a little introduction! In this article I want to show you an elegant way to bypass the Windows 10 login without any kind of special tools.

Sticky Keys is an accessibility feature of some graphical user interfaces to assist users who have physical disabilities. By default this feature is turned on and can be activated by pressing the Shift key five times. Our goal is to replace the Sticky Keys tool with a cmd prompt to gain admin access to the system! Let’s go.

Boot the Windows 10 system and hold down the power button for 5 seconds to turn it off. After starting the system again it will initiate an automatic repair. If this does not work, we can also boot from a Windows operating system CD. Then we can hit Shift + F10 to get a cmd prompt.


Hit Shift + F10 to get the cmd prompt


Windows 10 is initiating the automatic repair

If you did it correctly you should get a screen like this (choose Advanced options):


Select Troubleshoot


Here we have two options: use the cmd prompt or do the manipulation with the GUI. If you want to use the cmd prompt, use the following commands:

cd \windows\system32
rename sethc.exe sethc1.exe
xcopy cmd.exe sethc.exe

For the GUI version choose System Recovery and then press Cancel:
Click Next and choose "Select a system image"
Choose "Install a driver" and click OK
Browse to C:\Windows\System32
By default X:\System32 is selected. In order to make changes, go to System32 of Local Disk (C:), i.e. the Windows drive
Clone cmd.exe
Press Ctrl-C and Ctrl-V to make a copy of cmd.exe
Rename sethc.exe
Left-click on sethc.exe and press F2 to rename sethc to sethc1
(Right-clicking will crash the browse window)
Time to boot Windows 10
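Before moving on, here is the other side of the coin. The following PowerShell script is an added example written for this article, not code from the original post: it runs on a booted Windows 10 machine and checks whether sethc.exe in System32 has been swapped for a copy of cmd.exe as described above. The function name Test-StickyKeysTamper and the check on the OriginalFilename version field are assumptions of this example, not Windows features; the paths are the standard %SystemRoot%\System32 locations used throughout the walkthrough.

```powershell
# Added example, not part of the original article: an integrity check a
# defender or auditor can run to spot the sethc.exe -> cmd.exe swap.
# Run from an elevated 64-bit PowerShell prompt on the suspect system
# (a 32-bit PowerShell would be redirected to SysWOW64 instead of System32).

$system32 = Join-Path $env:SystemRoot 'System32'

function Test-StickyKeysTamper {
    # Hypothetical function name chosen for this example.
    param(
        [string]$SethcPath = (Join-Path $system32 'sethc.exe'),
        [string]$CmdPath   = (Join-Path $system32 'cmd.exe')
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path $SethcPath)) {
        $findings.Add("sethc.exe is missing from $SethcPath")
        return $findings
    }

    # 1. A straight copy of cmd.exe over sethc.exe yields identical hashes.
    $sethcHash = (Get-FileHash -Algorithm SHA256 -Path $SethcPath).Hash
    $cmdHash   = (Get-FileHash -Algorithm SHA256 -Path $CmdPath).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings.Add("sethc.exe has the same SHA256 as cmd.exe ($sethcHash)")
    }

    # 2. The PE version resource survives a copy or rename, so a replaced
    #    sethc.exe still describes itself as the command processor.
    $sethcInfo = (Get-Item $SethcPath).VersionInfo
    $cmdInfo   = (Get-Item $CmdPath).VersionInfo
    if ($sethcInfo.FileDescription -eq $cmdInfo.FileDescription) {
        $findings.Add("sethc.exe carries cmd.exe's file description '$($cmdInfo.FileDescription)'")
    }
    # Heuristic (assumption of this example): the embedded OriginalFilename
    # of a genuine sethc.exe starts with 'sethc'.
    if ($sethcInfo.OriginalFilename -and ($sethcInfo.OriginalFilename -notlike 'sethc*')) {
        $findings.Add("sethc.exe's OriginalFilename is '$($sethcInfo.OriginalFilename)'")
    }

    # 3. The walkthrough above leaves the real binary behind as sethc1.exe.
    $leftover = Join-Path (Split-Path $SethcPath) 'sethc1.exe'
    if (Test-Path $leftover) {
        $findings.Add("renamed original found at $leftover")
    }

    return $findings
}

$result = Test-StickyKeysTamper
if ($result.Count -eq 0) {
    Write-Output 'sethc.exe looks untampered.'
} else {
    Write-Warning 'Possible Sticky Keys backdoor:'
    $result | ForEach-Object { Write-Warning "  $_" }
}
```

The hash comparison only catches an exact copy of cmd.exe, which is what this walkthrough produces; the version-resource checks also catch a sethc.exe that was replaced by some other program. Windows ships its own check for protected system files: sfc /verifyonly reports a modified sethc.exe and sfc /scannow restores the original from the component store, which is a simple countermeasure once the machine is back in your hands.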
Let’s continue with Part 2 to learn how to bypass the login and take a countermeasure against this type of attack.

