By setting password protection on access to your Windows PC, the notion is that you’re safe from intrusion, and although this is largely true in most cases, that doesn’t mean there are no ways to circumvent the apparently strict security. You would presume – as should be the case – that the only way one could access a locked account is to have guessed the password, but thanks to a few tricks involving command prompts and Sticky Keys, anybody with a brief period of elevated access could easily start running executables right from the login screen.
It’s not a particularly new exploit, but it is still quite frightening how easy it is to do. It’s something anybody with basic-to-intermediate knowledge could easily perform, and it has been brought into the spotlight by Neowin. It works by replacing "Sticky Keys" on Windows 7’s login screen with the "command line" executable, which could then allow the imposter to cause all manner of carnage.
To elaborate, if one were to briefly acquire access to an elevated command prompt and type in:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
All the user would then need to do upon returning to the PC later on is tap SHIFT five times to invoke Sticky Keys, and like magic, an elevated command prompt is launched. From then on, a user is free to run executables as he or she pleases – including Explorer.
It’s quite a scary concept, not least because of the simplicity with which it can be done, although by deactivating Sticky Keys, the trick cannot be performed. The thought of somebody deleting entire folders or launching apps at will from the login screen is not something that’ll be sitting comfortably with most of you, I’m sure, and it’s certainly something that we hope Microsoft is aware of and plans to patch.
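To check a machine for the registry change shown above, the added example below (not from the original article or from Neowin) parses saved `reg query` output and reports every Debugger value under Image File Execution Options, going beyond the single sethc.exe case so that other redirected images surface too. The function name, the severity labels and the sample data are assumptions made for illustration.

```python
import re

# Any key below this one names an executable image (matched case-insensitively).
IFEO_MARKER = "\\image file execution options\\"
# Value line in `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_RE = re.compile(r"^\s{4}(?P<name>\S.*?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")

# Constructed sample in the layout printed by `reg query <IFEO key> /s`.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe
    Debugger    REG_SZ    C:\windows\system32\cmd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe
    Debugger    REG_SZ    C:\Tools\procexp.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoolsv.exe
    MitigationOptions    REG_QWORD    0x100000
"""


def find_ifeo_debuggers(reg_output, watched=("sethc.exe",)):
    """Return one finding per Debugger value found below the IFEO key."""
    findings, image = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            pos = key.lower().find(IFEO_MARKER)
            # The image name is the first path component after the IFEO key.
            image = key[pos + len(IFEO_MARKER):].split("\\")[0] if pos != -1 else None
            continue
        m = VALUE_RE.match(line)
        if m and image and m.group("name").lower() == "debugger":
            findings.append({
                "image": image,
                "debugger": m.group("data").strip(),
                # The article's image (sethc.exe) should never carry a debugger;
                # other images can have legitimate ones, so they are only reviewed.
                "severity": "critical" if image.lower() in watched else "review",
            })
    return findings


if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE):
        print(f"[{f['severity']}] {f['image']} -> {f['debugger']}")
```

Input for a real machine can be collected with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s` redirected to a file and passed to `find_ifeo_debuggers`.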
With Windows 8 on the horizon, the software maker can ill afford holes in its software – particularly when the privacy of users is at stake. Whenever the pitchforks are out for the big companies, it usually has something to do with leaking of data, but with the Consumer Preview of the eighth edition of Windows having gone down so well with those using it, Microsoft will surely be doing its level best to avoid any launch disasters.