Hacking Windows Login with Sticky Keys, from Starry Sky

 

 

Starry keeps cranking out videos for School for Hackers, and we keep working to build some video production expertise. In this short tutorial on hacking Windows login, Starry demonstrates using a bootable CD to get around file system protections, so he can replace the utilman file with cmd.exe.

The hack is a classic Windows Sticky Keys exploit. Here’s how it works: when you boot and arrive at the Windows login screen, you have a limited group of choices. You can click on your user icon to start the login process. Or you can power down using the icon in the bottom right corner of the screen. Or, look at the bottom left corner. If you use any of Windows’ enhancements for users with limited vision or other issues, you’ve clicked this button before. But it’s likely you haven’t.

The tools this button provides – large-font, high-contrast visual themes, for one example – are collectively known as “Sticky Keys,” because the keyboard ease-of-use setting actually called “sticky keys” is the core of these tools.

In any case, low-vision and other users are used to clicking the Sticky Keys button and getting an easier-to-use Windows login, provided by a file called utilman. If you somehow get administrative access to a Windows computer, you can replace the OEM utilman with cmd.exe, cleverly renamed – you guessed it – utilman. Now when you click the Sticky Keys button, voila! You get a command prompt – as Administrator!

Depending on restrictions, you may not be able to pull this switch off while a system is live. But if you have physical access to it … the game changes. Starry shows us exactly how this works. Thanks, Starry Sky!
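For defenders, the swap described above leaves a simple trace: the accessibility binary on disk is byte-for-byte the same file as cmd.exe. The following check is an added example, not part of Starry's video; it goes slightly beyond the post by also checking sethc.exe, and the default System32 path and the function names are assumptions.

```python
import hashlib
import sys
from pathlib import Path

# utilman.exe is the file the page names; sethc.exe (the Sticky Keys binary
# itself) is an added assumption. cmd.exe is the shell the page swaps in.
ACCESSIBILITY_BINARIES = ("utilman.exe", "sethc.exe")
SHELL_BINARIES = ("cmd.exe",)


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_swapped_binaries(system32):
    """Return (accessibility_binary, finding) pairs for a System32 directory."""
    # Index names case-insensitively: Windows stores "Utilman.exe", and an
    # offline volume mounted on Linux is case-sensitive.
    entries = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    shell_hashes = {
        sha256_of(entries[name]): name for name in SHELL_BINARIES if name in entries
    }
    findings = []
    for name in ACCESSIBILITY_BINARIES:
        if name not in entries:
            findings.append((name, "missing"))
            continue
        match = shell_hashes.get(sha256_of(entries[name]))
        if match:
            findings.append((name, "identical to " + match))
    return findings


if __name__ == "__main__":
    # Default path is an assumption; pass the mounted volume's System32
    # directory to check a disk offline.
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    for binary, finding in find_swapped_binaries(target):
        print(f"ALERT: {binary} is {finding}")
```

An empty result means neither file matches cmd.exe; it does not rule out a different replacement binary.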