The column below was originally published in the August 18, 2016, Windows Secrets newsletter.

Today, it supplements a new column, scheduled for the March 11, 2019 AskWoody Plus Newsletter, focused on what to do if an error causes you to lose all admin privileges on your own PC. Click on over to read the new column!

(I’m reprinting selected Windows Secrets columns here to help ensure readers can find and access information I’m referencing in new columns; until older Windows Secrets/LangaList columns are moved to their new home at AskWoody.com.)

The original, verbatim, un-updated text follows:

How to hack a ‘back door’ into Win10, 8, and 7

By Fred Langa on August 18, 2016 in Insider Tricks, Top Story

This unofficial hack can give you full administrator access to Windows, even if a PC’s accounts and passwords are mangled, unknown, or blocked.

It involves a new way to take advantage of an ancient security vulnerability (dating to Windows 95!) that lets you trick the OS into opening a system-level command environment.

Yes, this hack has the potential for misuse — I’ll come back to this later — but it’s also a powerful, last-ditch method that can be used legitimately to repair, recover, or restore systems that are beyond the reach of normal rescue methods. (Any competent hacker already knows about this trick.)

Here are some examples: Say you’re faced with accessing a PC that boots, but whose badly scrambled sign ins make it impossible to access all local user accounts. Or, let’s say a co-worker/friend/family member asks for help with accessing, repairing, or recovering a PC, but they’ve lost the needed account information. Or you acquire a PC of unknown provenance, and you don’t want to access the existing accounts because they might contain malware or other problematic content.

In all these and similar cases, the following hack can usually get you in.

Understanding the hack, and its roots

This method is an updated version of an ancient, very well-known hack that dates back to the early days of Windows. It uses Windows’ Sticky Keys function as a back door to spoof the OS.

Sticky Keys, introduced way back in Windows 95, is an accessibility feature. Some people have trouble with keystroke combinations — take for example, simultaneously pressing CTRL + ALT + DEL to bring up Task Manager or to reboot. Once enabled, Sticky Keys (Wikipedia info) serializes those keystrokes so users can press keys one by one, in succession. The app then stitches them together and sends the key-combination to the OS.

The hack involves replacing the Sticky Keys executable (sethc.exe) with the command window executable (cmd.exe). Invoking Sticky Keys then actually launches a System-level command window, giving you full access to the system.

You used to be able to do this with no tools at all. On any Windows system, you’d start the PC and then power off as Windows was loading. You’d repeat this step (possibly several times) until Windows assumed the system was broken and loaded Startup Repair, which (among other things) would offer to show you the log files from the failed starts. Startup Repair would then show the log in Notepad. Once there, you could use Notepad’s File/Open command to go anywhere in the system.

Microsoft closed this too-easy back door with Windows 7 — the original, super-simple, tool-less hack no longer works. But in Windows 7, 8 and 10, a similar back door still exists; it’s just buried a little deeper.

For the following hack, all you need is a Windows Recovery disk/drive. Some Linux “live” discs will work, too, especially if the PC’s Secure Boot is disabled. But a Windows Recovery disk/drive will work on just about any PC — even those with Secure Boot active — and it’s readily available.

Win7, Win8, and Win10 all have the “Create a recovery disc” tool (RecDisc.exe) built-in. Win8 and 10 also include the “Create a recovery drive” tool (RecoveryDrive.exe). (Recovery media created on a system with generic, retail Windows should work on another machine. You need to match the Windows version and bittedness of the two systems.)

Working through the hack, step by step

Here’s how to gain admin-level access, using a Windows-recovery disc or drive. I used Win10, but Win7/8 are similar.

• Boot the PC with the Windows Recovery disc/drive and enter the Recovery Environment. (For detailed, step-by-step info, see the June 23 Top Story, “Using Windows’ powerful Recovery Environment.”)
• The Recovery Environment typically temporarily changes the drive letters of a PC, so explore the PC to find what used to be its C: drive. (The aforementioned Top Story has instructions.)
• Navigate to the system’s original \Windows\System32 folder — for example, if the Recovery Environment has temporarily labeled the original C: drive as E:, you’ll go to E:\Windows\System32/ (I use E: in the following steps.)
• Type in ren sethc.exe sethc.bak to rename the Sticky Keys app. (You’ll restore this renamed file later, when you restore the PC to its original configuration.)
• Still in E:\Windows\System32, enter copy cmd.exe sethc.exe to create a copy of the standard command-window app (cmd.exe) with the name sethc.exe (See Figure 1).

• Enter Exit to leave the command portion of the Recovery Environment.
• Reboot or select Exit and continue to Windows 10 to restart the system.
• Back at the Windows sign-in screen, press the Shift key five times in rapid succession, which normally launches Sticky Keys. This time, however, a command window will open (because sethc.exe is a renamed copy of cmd.exe). You’ll now be inside the system’s \Windows\System32 folder (Figure 2) and signed in as System — the highest-possible privilege level. You now have complete control over everything.

• Command-line environments can be awkward to use. Entering the following commands will create a new, full-featured, administrator account you can use with a standard Windows screen: net user tempadmin /add net localgroup administrators tempadmin /add net user tempadmin 123456
  The above commands create a new temporary administrator account with the username tempadmin and the password 123456 (see Figure 3). You’re free to substitute any username and (more secure) password you wish. Figure 3. These commands create an unrestricted admin-level account with your choice of username/password (tempadmin/123456, in this example).

• Reboot the system.
• When Windows starts there’ll be a new account — in this case, called tempadmin — on the sign-in page (see Figure 4). It’s an utterly standard, full-featured, unrestricted administrator-level account that will let you do anything allowed in such accounts.

• Select the new account and sign in with the password you created. Let Windows finish setting up the new account and then carry out your repair/recovery/restoration activity.

When you’re done, clean up. Delete the bogus sethc.exe file you created and rename sethc.bak to sethc.exe — you might also wish to delete the admin account you just created.

For this hack, we’re all on the honor system

Obviously, there’s the potential for misuse and malicious acts with this hack. Windows Secrets debated long and hard on whether we should publish this information.

But this particular horse left the barn long, long ago — back in the days of Windows 95. The basic hack is well known in hacker communities.

And the positive uses are compelling: It lets you gain access to a PC where none of the user accounts or admin accounts is known, accessible, or working.

This is one Windows secret worth sharing!

Permalink: https://langa.com/?p=2159

COMMENT / QUESTION on THIS ITEM? See the Comment box at bottom of this page!

NEW QUESTION? Ask here!

(Want free notification of new content? Click here!)