By setting password protection on access to your Windows PC, the notion is that you're safe from intrusion, and although this is largely true in most cases, that doesn't mean there are no ways to circumvent the apparently strict security. You would presume – as should be the case – that the only way one could access a locked account is to have guessed the password, but thanks to a few tricks involving command prompts and sticky keys, anybody with a short amount of elevated access could easily start running executables right from the login screen.

It's not a particularly new exploit, but it is still quite frightening how easy it is to do. It's something anybody with basic-to-intermediate knowledge could easily perform, and it has been brought to the spotlight by Neowin. It works by replacing 'Sticky Keys' on Windows 7's login screen with the 'command line' executable, which could then allow the imposter to cause all manner of carnage.

To elaborate, if one were to briefly acquire access to an elevated command prompt and type in:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

All the user would then need to do upon returning to the PC later on is tap SHIFT five times to invoke Sticky Keys, and like magic, an elevated command prompt is launched. From then on, a user is free to run executables as he or she pleases – including explorer.
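
A defender can check for this change by looking for a Debugger value under the Image File Execution Options keys of the accessibility programs that can be started from the login screen. The PowerShell below is an added example, not part of the original article; the function name Get-IfeoDebuggerHijack and the executables listed besides sethc.exe are assumptions.

```powershell
# Added example: audit Image File Execution Options (IFEO) for a Debugger
# value on accessibility programs that can be launched from the login screen.
# Run from an elevated PowerShell session.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Assumption: sethc.exe is the binary named in the article; the others are
# further accessibility executables worth checking the same way.
$AccessibilityImages = @(
    'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe',
    'narrator.exe', 'displayswitch.exe', 'atbroker.exe'
)

function Get-IfeoDebuggerHijack {
    param(
        [string]   $Root   = $IfeoRoot,
        [string[]] $Images = $AccessibilityImages,
        [switch]   $Remove   # delete the Debugger value when one is found
    )
    foreach ($image in $Images) {
        $key = Join-Path $Root $image
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # A clean system normally has no Debugger value on these keys.
        $prop = Get-ItemProperty -LiteralPath $key -Name Debugger -ErrorAction SilentlyContinue
        if ($null -eq $prop) { continue }

        if ($Remove) {
            Remove-ItemProperty -LiteralPath $key -Name Debugger
        }
        [pscustomobject]@{
            Image    = $image
            Debugger = $prop.Debugger
            Key      = $key
            Removed  = [bool]$Remove
        }
    }
}

$findings = @(Get-IfeoDebuggerHijack)
if ($findings.Count -eq 0) {
    'No Debugger value found on the checked accessibility executables.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Calling Get-IfeoDebuggerHijack -Remove deletes any Debugger value it reports; since the change needs elevated access in the first place, a finding also warrants a look at who had that access and when.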