WARNING: This post is for educational purposes only. Well, that and possibly to underscore the importance of full-disk encryption (FDE) of a machine in the event an adversary has physical access to the computer but not the account passwords. Play nice, kids.
As much as I want to get some of my fiction writing up here, far too many opportunities arise in the technology security arena. And … well, I can’t just leave a sleeping bear lie… I have to poke it several times with a sharp stick.
Let’s say you work in I.T. and need to gain access to a former employee’s computer, but they disabled your admin and maintenance accounts in Win10. Or, you only have a local account (good choice, you) on a Win10 machine and somehow forgot your login password (bad luck, you). Or you simply want to break into a Windows account on a computer you physically have (stolen, from your cheating spouse that ran off with Nigerian royalty to cash in a massive bank account … whatever – I’m not here to judge and this is supposed to be theoretical).
Breaking into a Windows computer without a password or password-reset disc should be difficult, right? Wrong. Five reboots and five tiny commands are all it takes. Let’s dive in:
First, you want to get a Command Prompt at the Windows login screen (you know, where you would normally enter the password that you obviously don’t have). This is primarily done by getting into the Recovery mode of the machine. Don’t have a Recovery Disc or similar? No problem… Windows 8 and 10 will automatically go into Recovery mode after three failed boot-up sequences. In other words, power on the computer, let the computer get somewhere in the boot-up process (but before the login screen appears) and pull the power plug. Sure, this is potentially damaging to the Operating System, but if you want to make an omelette you have to break a few eggs.
In the Recovery section, usually under Advanced Options, there should be a choice for Command Prompt. But alas, this terminal is confined to the recovery environment (it shows up as the X: drive). DOS-style change directory (cd) commands will not get you anywhere useful. Stuck like Chuck, right?
Not to worry – we are going to use this terminal window to change the Ease of Access shortcut available on the login screen (the Utility Manager) to a far more useful process – a terminal window for the C: drive with elevated privileges. Yes, that icon no one ever uses.
From your current (fairly useless) Command Prompt at X:, type the following two commands. Each one (the “move” command and the “copy” command) is a single line, even if this page wraps it onto two; type each on one line and press Enter after it:
move c:\windows\system32\utilman.exe c:\windows\system32\utilman.exe.bak
copy c:\windows\system32\cmd.exe c:\windows\system32\utilman.exe
And voila, we have replaced the Ease of Access function on the login screen with cmd.exe. Next, type the following command into the (not so) useless X: terminal window to reboot:
Upon reboot, click the following icon between the WiFi icon and Power icon (yeah, I never used this icon before either):
You should now be presented with a Command Prompt for C: overlaid on the login screen (no authentication or password necessary). From here, type the following two commands to add a new account to the machine (with no password), and then elevate that account into the administrators group:
net user username /add
net localgroup administrators username /add
Obviously the “username” above is your choice of a new user login (like GetRekt or something similarly clever and haxxorz). You can close the terminal window, reboot, and see your new admin account with no password allowing you entry to the computer.
pwnage and WEAK SAUCE.
It should also be noted that the (rather weak) security of this computer is now even more broken until the steps above are undone and the icon is reverted to its far less useful, albeit original, function.
Lesson for today, boys and girls? Always use full-disk encryption to prevent kiddie-level compromise like this. Any sort of FDE (BitLocker, VeraCrypt, TrueCrypt, et al.) will prevent this exploit from being a possibility on your computer.
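For the admins in the audience, here is an added defender-side check (my own script, not from the steps above) that looks for the exact leftovers this walkthrough produces: a utilman.exe that is really cmd.exe, the stranded utilman.exe.bak, local accounts sitting in Administrators, and whether the system drive actually has BitLocker turned on. It assumes an elevated PowerShell on Windows 10 with the built-in LocalAccounts and BitLocker modules; the output wording is mine.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'utilman.exe'
$cmd     = Join-Path $sys32 'cmd.exe'
$backup  = "$utilman.bak"          # what the 'move' in the post leaves behind
$findings = @()

# 1. Has utilman.exe been replaced by a copy of cmd.exe? Compare the SHA-256
#    hashes and the embedded OriginalFilename (a genuine Utility Manager
#    reports UtilMan.exe, a copied cmd.exe reports Cmd.Exe).
$utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
$cmdHash  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
$origName = (Get-Item $utilman).VersionInfo.OriginalFilename
if ($utilHash -eq $cmdHash -or $origName -like 'cmd*') {
    $findings += "utilman.exe appears to be cmd.exe (OriginalFilename='$origName')"
}

# 2. The renamed original is itself a tell-tale artifact.
if (Test-Path $backup) {
    $findings += "leftover backup present: $backup"
}

# 3. List local user accounts in Administrators so unexpected ones stand out.
#    A PasswordLastSet you do not recognise, or PasswordRequired=False, is
#    worth a closer look (the post's 'net user' account has no password).
$members = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }
foreach ($m in $members) {
    $u = Get-LocalUser -Name (($m.Name -split '\\')[-1])
    $findings += ('local admin: {0} enabled={1} pwdRequired={2} pwdLastSet={3}' -f
        $u.Name, $u.Enabled, $u.PasswordRequired, $u.PasswordLastSet)
}

# 4. The mitigation the post recommends: is the system drive protected?
try {
    $status = (Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop).ProtectionStatus
    if ($status -ne 'On') { $findings += "BitLocker protection is '$status' on $env:SystemDrive" }
} catch {
    $findings += 'BitLocker cmdlets unavailable (Windows edition without BitLocker?)'
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

Undoing the swap is the reverse of the post’s two commands (delete the fake utilman.exe, move the .bak back), and any account you did not create should be removed rather than merely disabled.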
Featured image used under CC license from NASA.gov