Bypassing Windows 10 Login (and Creating an Admin User)
*This method requires you to have physical access to the computer you are attempting to bypass login for.
Recently, I had the chance to help a friend “break in” to a laptop they had forgotten the password for. Within 10 minutes of tinkering with the laptop, I was able to spawn a system shell and essentially do whatever I wanted. In this case, I created a new admin user for my buddy to use in recovering his things. I’m not even sure I’d call this method an exploit, as it really feels like an intentional back door.
TL;DR: With a fresh Windows 10 image on a CD or USB, a user can run system image repair to access and manipulate local system files. Using this access, we can make a copy of the cmd.exe binary within C:\Windows\System32 and rename it to “sethc”, which specifies what happens after sticky keys are triggered. With this in place, we are able to spawn a system shell at the login prompt using the sticky key combination (typically shift x5).
To start, insert your Windows 10 USB or CD into the target machine and reboot it. As it’s booting, press whichever key triggers the one time boot menu, usually it will be F2, F8 or F12. Select your inserted media as the one time boot device and you should be prompted with the Windows 10 setup shortly after. At the initial setup screen, select the “Repair your computer” option.
At the next prompt, select “Troubleshoot” and then “System Image Recovery”
You may get a few errors on this screen regarding the absence of a system image. Cancel through this errors and select the “Advanced” option in the bottom left corner and then “Install a driver”.
Now, this is the most involved portion of our technique. With a limited file explorer open, navigate to C:\ (“This PC”) \Windows\System32. Within System32, find “sethc” and rename it to “sethc bak”. Sethc is the binary that controls the action of what follows the sticky key trigger- we’ll be replacing it with a command prompt binary.
Note that when you rename a file within this file explorer, it most likely will not update the file name in real time. You may just need to trust that the operation worked successfully. After your poor man’s backup of “sethc”, find the “cmd” file within the same System32 directory, copy it and paste it. You should see a “cmd – Copy” file now.
Now you can rename your “cmd – Copy” file to “sethc.” With this change, a system shell should spawn the next time we trigger sticky keys.
Cancel out of the current screens and menus until we get back to the option to “Continue” into a normal boot.
Upon boot, trigger the sticky keys prompt. In our example, we’ll need to hit the shift key 5 times. Doing that spawns us a persistent system shell.
From here we can pretty much do whatever we want. Even if you’re unfamiliar working with a Windows shell- Google is your friend. In this case, we’ll create a new user with the command “net user bypass password123 /add”. This new user will have a login name of “bypass” and password of “password123”.
We’ll add our user to the administrators group by using the command “net localgroup administrators bypass /add”
We can now login and retrieve files, reset other local user passwords, or really do whatever we want on the system now.