sethc.exe
This is the executable file that provides the Accessibility Options (also known as Ease of Access) such as Narrator, Magnifier, On-Screen Keyboard and Sticky Keys while using Windows. If you go to the Windows login screen and press the [SHIFT] key 5 times or click the button in the lower left corner of the screen, you will see it. What you need to do is remove this file from the System32 folder (better to move it somewhere else for safekeeping). Next, we need a counterfeit sethc.exe, and for that Windows itself provides the best possible solution: the well-known cmd.exe, our very own Command Prompt. So, simply create a copy of cmd.exe, paste it into the same System32 folder and rename it to sethc.exe.

Step 3: Rebooting into Windows and triggering it

Now, remove the bootable media from the computer and simply reboot back into Windows.
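From the defender's side, the swap described above leaves a file in System32 that is named sethc.exe but is really cmd.exe. The following PowerShell is an added example, not code from the original article: it checks whether sethc.exe has been replaced by comparing its hash with cmd.exe and reading its PE version resource, which a plain rename does not alter. It assumes an elevated PowerShell session on the host being checked and the standard System32 paths; the expected OriginalFilename value 'sethc.exe' is an assumption about the genuine binary's version resource.

```powershell
# Added example, not part of the original article: integrity check for the
# sethc.exe swap described above. Assumptions: run in an elevated PowerShell on the
# host being checked; binaries are in the standard System32 location.

function Test-SethcIntegrity {
    param(
        [string]$SethcPath = (Join-Path $env:SystemRoot 'System32\sethc.exe'),
        [string]$CmdPath   = (Join-Path $env:SystemRoot 'System32\cmd.exe')
    )
    $findings = @()

    if (-not (Test-Path -LiteralPath $SethcPath)) {
        # The first step of the swap is to move the real file out of System32.
        return @('sethc.exe is missing from System32')
    }

    # 1. A copy of cmd.exe renamed to sethc.exe is byte-for-byte identical to cmd.exe,
    #    so the SHA256 of the two files matches. This is the decisive test.
    $sethcHash = (Get-FileHash -LiteralPath $SethcPath -Algorithm SHA256).Hash
    $cmdHash   = (Get-FileHash -LiteralPath $CmdPath   -Algorithm SHA256).Hash
    if ($sethcHash -eq $cmdHash) {
        $findings += "sethc.exe has the same SHA256 as cmd.exe ($cmdHash)"
    }

    # 2. Renaming a file does not touch its PE version resource, so a swapped file
    #    still reports cmd.exe's own OriginalFilename. (Expected value 'sethc.exe'
    #    for the genuine binary is an assumption.)
    $vi = (Get-Item -LiteralPath $SethcPath).VersionInfo
    if ($vi.OriginalFilename -and $vi.OriginalFilename -ne 'sethc.exe') {
        $findings += "OriginalFilename is '$($vi.OriginalFilename)' (expected sethc.exe)"
    }

    # 3. Caveat: both files are Microsoft-signed, so a signature check on its own does
    #    NOT catch a renamed cmd.exe; it only catches unsigned or patched replacements.
    $sig = Get-AuthenticodeSignature -LiteralPath $SethcPath
    if ($sig.Status -ne 'Valid') {
        $findings += "Authenticode status is $($sig.Status)"
    }

    return $findings
}

$result = Test-SethcIntegrity
if ($result.Count -eq 0) {
    Write-Output 'sethc.exe looks intact'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```

The hash comparison is the check that actually matters; the version-resource and signature checks add context but, as the comments note, a renamed Microsoft binary still carries a valid Microsoft signature. Because the swap is performed from bootable media, full-disk encryption of the system volume prevents it in the first place, since the offline environment cannot read or write System32 at all.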
Next, on the login screen, simply trigger the Accessibility Options using the [SHIFT] key or the button provided on the screen, as mentioned before. And out comes the magic. Instead of the usual Accessibility Options, what you see is the Windows Command Prompt, open and ready for your instructions. Now, before we proceed to resetting the user account password, let's understand the implications of what just happened. When you see the Command Prompt running, the computer is potentially fully exposed. All the security that the user account password offered has been bypassed, and your computer is ready to be played with. Any person skilled enough at using the Windows Command Prompt can make your machine do whatever s/he desires. And of course, this is what we are going to exploit. But before that, there are a few more issues that we must address. Dealing with Windows XP, which is more of a child's play, a toy in terms of security now, is not a problem. But Windows Vista/7 introduced somewhat more advanced security features. And so, to make whatever changes we wish to the system using the Command Prompt, we need to be able to run it with elevated privileges, i.e. run as administrator. Fortunately, you'll find that Microsoft strongly lacks an aptitude for security in its products, and so, when we run the Command Prompt in place of the Accessibility Options, it runs with elevated privileges by default, though no one knows why it should. You can call it the stupidity of the most celebrated Operating System in the market, but this is how it goes. Microsoft Windows is vulnerable. Insecure. But this is good for us now. Isn't it?

Step 4: Resetting the password

Once the Command Prompt is running, all you need to do is use the NET USER command, which changes the password for a user account in Windows without asking for the previous password, which is another security flaw. The basic syntax for the command is:
In case you don't want the password to be echoed on screen, you can type in the command as:
This will then prompt you on the next line to enter the password without displaying the keystrokes on screen (and so you will need to retype it for confirmation). On a successful password reset, the command displays the message "The command completed successfully." Now you can simply log in to your user account with the new password you just provided. It's done!
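A reset of the kind described in Step 4, which sets a new password without supplying the old one, is recorded in the Windows Security log as Event ID 4724 (a normal change that supplies the old password is 4723). The following PowerShell is an added example, not code from the original article: it pulls recent 4724 events and lists who reset whose password. It assumes an elevated session and that "Audit User Account Management" success auditing is enabled so the event is written at all; the flag on resets issued by the machine account is a heuristic, since a command prompt started from the logon screen runs as the local system rather than as an interactive user.

```powershell
# Added example, not part of the original article: list recent password resets
# (Event ID 4724) from the Security log. Assumptions: elevated session; success
# auditing for User Account Management is enabled on this host.

function Get-PasswordResetEvents {
    param([int]$Days = 7)
    $start = (Get-Date).AddDays(-$Days)

    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4724
        StartTime = $start
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The EventData fields are easiest to read from the event's XML form.
        $data    = ([xml]$e.ToXml()).Event.EventData.Data
        $subject = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        $target  = ($data | Where-Object Name -eq 'TargetUserName').'#text'

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Subject = $subject   # account that performed the reset
            Target  = $target    # account whose password was reset
            # Heuristic, not a rule: a reset performed by the machine account
            # (name ending in '$') came from a system-level process, not a user.
            Suspicious = ($subject -like '*$')
        }
    }
}

Get-PasswordResetEvents -Days 30 | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it periodically or feed the objects to whatever log collector is in use; a reset of a local account by the machine account at a time when nobody was logged on is the pattern worth following up, together with the sethc.exe integrity check from Step 3.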
An epilogue: To end, I'd like to mention two things. The first is that, as you can all see, the above process exploits two very major security flaws in Microsoft Windows, be it XP, Vista or 7, an O/S that costs thousands of bucks and that we are all very fond of due to its ease of use, but which in reality is very insecure. Microsoft spends millions of dollars on its research and production, so if it wanted to, it could easily have fixed the flaws, but it didn't (need to ponder why?). And second, since it didn't, and as one of our favourite childhood heroes once said, "With power comes responsibility", so, given the knowledge, we must use it responsibly.