Hack the Sticky Keys Feature to Reset a Forgotten Windows Password


Requirements

  • Drive letter of your Windows installation. For instance, it is C in my case.
  • Windows installation disk or Windows repair disk.
  • The most important, you shouldn’t be able to recall your Windows password.


But how does the exploit work?

Well, there are some variations to this, but the most common one begins with a Windows Startup Repair, launched either from the host OS or from an installation device. From there you get a Cmd window, and if all goes well, you have enough privileges to make changes inside the System32 folder.

All you have to do then is replace the Cmd executable (cmd.exe) with the Sticky Keys one (sethc.exe), both in the same folder. You can then boot normally into the OS and, from the lock screen, press the Shift key 5 times and a Cmd window pops up. From there you can change the user password, or exploit the machine in any other way you want.

Sounds good? It probably does, but it's so old that it makes you wonder:

Does it really still work? Were there any efforts to fix the "vulnerability"?

Well, first mistake. Sticky Keys is not a vulnerability.

One definition of vulnerability, given by NIST:

“Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”

In this case, no system vulnerability is being exploited; the "exploit" is simply the feature itself. It can be abused because of the user's lack of security measures, so protecting against it ends up being the user's responsibility. It is more of a native characteristic of the OS than a flaw.

Now you could ask: but the exploit still works without any improper configuration by the user, right?

Certainly! But perhaps it is considered less important because it requires physical access to the machine.

So, back to the question, I think that to some extent, there’s a chance that Windows doesn’t want to fully fix this problem.

First, the fact that it's not a vulnerability removes the need for a fix.

But there's also a chance that this was left on purpose as a way to break into the machine when needed. After all, there are some other tools capable of achieving the exact same thing.

The truth is, I've been following this "vulnerability" for some time, and if you did too, you would notice that little or nothing changed for long periods.

I found and keep finding a lot of material on it, from blog posts to YouTube tutorials teaching how to use the exploit. I also found that people keep asking for ways to protect against it, even on Microsoft's own forums.

Moreover, you can also find old tutorials saying that this trick has been "documented all over", and old posts where people were already asking for a solution back then.

But after all, it appears Microsoft has taken a few measures to protect users against this exploit. I gathered some (there may be others):

  • Windows firewall preventing sethc.exe from running Cmd.
  • SFC restoring the sethc.exe file back to its original.
  • Forbidding file modifications on the “System32” folder.
  • Removing "sethc" from the “System32” folder when accessing through the recovery mode.
  • Password protecting Cmd access in the troubleshooting mode.
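A quick way to check whether the swap described above has been done on a machine, as an added PowerShell example that is not part of the original post (it assumes the default %SystemRoot%\System32 layout and an elevated prompt):

```powershell
# Added example (not from the original post): a defender-side check that the
# Sticky Keys binary in System32 has not been swapped for cmd.exe.
# Assumption: default Windows layout; run from an elevated PowerShell prompt.

$system32 = Join-Path $env:SystemRoot 'System32'
$sethc    = Join-Path $system32 'sethc.exe'
$cmd      = Join-Path $system32 'cmd.exe'

$findings = @()

# 1. A byte-identical copy of cmd.exe is the classic swap described in the post.
$sethcHash = (Get-FileHash -Path $sethc -Algorithm SHA256).Hash
$cmdHash   = (Get-FileHash -Path $cmd   -Algorithm SHA256).Hash
if ($sethcHash -eq $cmdHash) {
    $findings += 'sethc.exe is byte-identical to cmd.exe'
}

# 2. The embedded version resource still names the original binary, even if
#    the file was renamed or slightly modified. (-ne is case-insensitive here.)
$origName = (Get-Item $sethc).VersionInfo.OriginalFilename
if ($origName -and $origName -ne 'sethc.exe') {
    $findings += "sethc.exe version resource reports OriginalFilename '$origName'"
}

# 3. Microsoft signs both binaries; a non-Valid status means the file was altered.
$sig = Get-AuthenticodeSignature -FilePath $sethc
if ($sig.Status -ne 'Valid') {
    $findings += "sethc.exe Authenticode status is '$($sig.Status)'"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: sethc.exe looks like the genuine Sticky Keys binary'
} else {
    Write-Output 'WARNING: sethc.exe may have been replaced:'
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output 'Restore it with "sfc /scannow" or copy the original back.'
}
```

Running this from a scheduled task or a logon script gives you the detection side of the SFC measure listed above, instead of only relying on SFC to silently restore the file.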

Given these measures, and because I didn't find any recent post about it, I wanted to be sure that this trick was still exploitable on the latest Windows 10 version.

Let me show you how it went because everyone likes demonstrations. And before you tell me you saw this a hundred times, I tell you that this one had unexpected turns…

How to revert what you've done?

Now, you have successfully changed your password but you don’t want some other person to do the same. You can easily revert the changes you’ve made:

  1. Follow the process as described earlier till step no. 4.
  2. In the command prompt window, type the following command:

    copy /y c:\sethc.exe c:\windows\system32\sethc.exe

  3. Press Enter and restart your machine.
  4. Now, at the login screen, if you press the Shift key 5 times, the Sticky Keys prompt will show up instead of the command line.

This way, you can reset your Windows password and have a sense of relief. If you are concerned that someone else could type those commands and gain access to your machine, you can disable the USB ports on it.

If you have something to add, tell us in the comments below.
