How to hack a ‘back door’ into Win10, 8, and 7
In this issue
- TOP STORY: How to hack a 'back door' into Win10, 8, and 7
- ON SECURITY: Windows 10-style updating comes to Win7/8.1
- QUICK TIPS: A fix for a Windows system-font problem
- LOUNGE LIFE: Licensing tribulations when upgrading PCs
How to hack a 'back door' into Win10, 8, and 7
This unofficial hack can give you full administrator access to Windows, even if a PC’s accounts and passwords are mangled, unknown, or blocked.
It involves a new way to take advantage of an ancient security vulnerability (dating to Windows 95!) that lets you trick the OS into opening a system-level command environment.
Yes, this hack has the potential for misuse — I’ll come back to this later — but it’s also a powerful, last-ditch method that can be used legitimately to repair, recover, or restore systems that are beyond the reach of normal rescue methods. (Any competent hacker already knows about this trick.)
Here are some examples: Say you’re faced with accessing a PC that boots, but whose badly scrambled sign-ins make it impossible to access any of the local user accounts. Or, let’s say a co-worker/friend/family member asks for help with accessing, repairing, or recovering a PC, but they’ve lost the needed account information. Or you acquire a PC of unknown provenance, and you don’t want to access the existing accounts because they might contain malware or other problematic content.
In all these and similar cases, the following hack can usually get you in.
Understanding the hack, and its roots
This method is an updated version of an ancient, very well-known hack that dates back to the early days of Windows. It uses Windows’ Sticky Keys function as a back door to spoof the OS.
Sticky Keys, introduced way back in Windows 95, is an accessibility feature. Some people have trouble with keystroke combinations — take, for example, simultaneously pressing CTRL + ALT + DEL to bring up Task Manager or to reboot. Once enabled, Sticky Keys (Wikipedia info) serializes those keystrokes so users can press keys one by one, in succession. The app then stitches them together and sends the key combination to the OS.
The hack involves replacing the Sticky Keys executable (sethc.exe) with the command window executable (cmd.exe). Invoking Sticky Keys then actually launches a System-level command window, giving you full access to the system.
You used to be able to do this with no tools at all. On any Windows system, you’d start the PC and then power off as Windows was loading. You’d repeat this step (possibly several times) until Windows assumed the system was broken and loaded Startup Repair, which (among other things) would offer to show you the log files from the failed starts. Startup Repair would then show the log in Notepad. Once there, you could use Notepad’s File/Open command to go anywhere in the system.
Microsoft closed this too-easy back door with Windows 7 — the original, super-simple, tool-less hack no longer works. But in Windows 7, 8 and 10, a similar back door still exists; it’s just buried a little deeper.
For the following hack, all you need is a Windows Recovery disk/drive. Some Linux “live” discs will work, too, especially if the PC’s Secure Boot is disabled. But a Windows Recovery disk/drive will work on just about any PC — even those with Secure Boot active — and it’s readily available.
Win7, Win8, and Win10 all have the “Create a recovery disc” tool (RecDisc.exe) built-in. Win8 and 10 also include the “Create a recovery drive” tool (RecoveryDrive.exe). (Recovery media created on a system with generic, retail Windows should work on another machine. You need to match the Windows version and bitness of the two systems.)
Working through the hack, step by step
Here’s how to gain admin-level access, using a Windows-recovery disc or drive. I used Win10, but Win7/8 are similar.
- Boot the PC with the Windows Recovery disc/drive and enter the Recovery Environment. (For detailed, step-by-step info, see the June 23 Top Story, “Using Windows’ powerful Recovery Environment.”)
- The Recovery Environment typically temporarily changes the drive letters of a PC, so explore the PC to find what used to be its C: drive. (The aforementioned Top Story has instructions.)
- Navigate to the system’s original \Windows\System32 folder — for example, if the Recovery Environment has temporarily labeled the original C: drive as E:, you’ll go to E:\Windows\System32. (I use E: in the following steps.)
- Type in ren sethc.exe sethc.bak to rename the Sticky Keys app. (You’ll restore this renamed file later, when you restore the PC to its original configuration.)
- Still in E:\Windows\System32, enter copy cmd.exe sethc.exe to create a copy of the standard command-window app (cmd.exe) with the name sethc.exe (See Figure 1).
Figure 1. These simple commands are the heart of the hack.
- Enter Exit to leave the command portion of the Recovery Environment.
- Reboot or select Exit and continue to Windows 10 to restart the system.
- Back at the Windows sign-in screen, press the Shift key five times in rapid succession, which normally launches Sticky Keys. This time, however, a command window will open (because sethc.exe is a renamed copy of cmd.exe). You’ll now be inside the system’s \Windows\System32 folder (Figure 2) and signed in as System — the highest-possible privilege level. You now have complete control over everything.
Figure 2. Windows thinks it's running Sticky Keys (sethc.exe), but it's actually opening a system-level command window (cmd.exe).
- Command-line environments can be awkward to use. Entering the following commands will create a new, full-featured, administrator account you can use with a standard Windows screen:
net user tempadmin /add
net localgroup administrators tempadmin /add
net user tempadmin 123456
The above commands create a new temporary administrator account with the username tempadmin and the password 123456 (see Figure 3). You’re free to substitute any username and (more secure) password you wish.
Figure 3. These commands create an unrestricted admin-level account with your choice of username/password (tempadmin/123456, in this example).
- Reboot the system.
- When Windows starts there’ll be a new account — in this case, called tempadmin — on the sign-in page (see Figure 4). It’s an utterly standard, full-featured, unrestricted administrator-level account that will let you do anything allowed in such accounts.
Figure 4. The newly created, admin-level account can be opened normally, via the Windows sign-in page.
- Select the new account and sign in with the password you created. Let Windows finish setting up the new account and then carry out your repair/recovery/restoration activity.
When you’re done, clean up. Delete the bogus sethc.exe file you created and rename sethc.bak to sethc.exe — you might also wish to delete the admin account you just created.
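To confirm the cleanup was done, or to check a PC of unknown provenance for this swap, the following added example (not part of the original article) audits a System32 folder for the three traces the steps above leave behind: a sethc.exe that is byte-identical to cmd.exe, a leftover sethc.bak, or a missing sethc.exe. The function names and the constructed sample folder are assumptions made for illustration; only the file names come from the article.

```python
"""Audit a Windows System32 folder for the Sticky Keys swap described above."""
import hashlib
import sys
import tempfile
from pathlib import Path

# File names come from the article's steps.
STICKY_KEYS, SHELL, BACKUP = "sethc.exe", "cmd.exe", "sethc.bak"


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_file(folder, name):
    """Case-insensitive lookup, for disk images mounted on a case-sensitive OS."""
    for entry in folder.iterdir():
        if entry.is_file() and entry.name.lower() == name:
            return entry
    return None


def audit_sticky_keys(system32):
    """Return a list of findings; an empty list means none of the checks fired."""
    system32 = Path(system32)
    findings = []
    sethc = find_file(system32, STICKY_KEYS)
    shell = find_file(system32, SHELL)
    if sethc is None:
        findings.append("sethc.exe is missing (renamed away and not restored?)")
    elif shell is not None and sha256_of(sethc) == sha256_of(shell):
        findings.append("sethc.exe is byte-identical to cmd.exe")
    if find_file(system32, BACKUP) is not None:
        findings.append("sethc.bak present: leftover from the rename step")
    return findings


def make_sample(root, tampered):
    """Constructed stand-in for System32; the file contents are dummy bytes."""
    root = Path(root)
    (root / SHELL).write_bytes(b"constructed cmd.exe bytes")
    if tampered:
        (root / BACKUP).write_bytes(b"constructed sethc.exe bytes")
        (root / STICKY_KEYS).write_bytes((root / SHELL).read_bytes())
    else:
        (root / STICKY_KEYS).write_bytes(b"constructed sethc.exe bytes")
    return root


if __name__ == "__main__":
    if len(sys.argv) > 1:   # a real folder, e.g. E:\Windows\System32 on a mounted drive
        target = Path(sys.argv[1])
    else:                   # no argument: run against a constructed tampered sample
        target = make_sample(tempfile.mkdtemp(), tampered=True)
    results = audit_sticky_keys(target)
    for line in results or ["no Sticky Keys tampering indicators found"]:
        print(line)
    sys.exit(1 if results else 0)
```

The hash comparison only catches a copy of cmd.exe; comparing sethc.exe against a known-good hash for that Windows build also catches any other binary placed under that name.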
For this hack, we’re all on the honor system
Obviously, there’s the potential for misuse and malicious acts with this hack. Windows Secrets debated long and hard on whether we should publish this information.
But this particular horse left the barn long, long ago — back in the days of Windows 95. The basic hack is well known in hacker communities.
And the positive uses are compelling: It lets you gain access to a PC where none of the user accounts or admin accounts is known, accessible, or working.
This is one Windows secret worth sharing!
Feedback welcome: Have a question or comment about this story? Post your thoughts, praise, or constructive criticisms in the WS Columns forum. To rate this or other stories, click over to our polls page.
Windows 10-style updating comes to Win7/8.1
Despite complaints from many quarters about Windows 10’s forced, cumulative updates, Microsoft is pushing its new patching standard onto Win7 and Win8.1.
From Microsoft’s perspective, the change is an attempt to get rid of the archaic releases and fracturing in the updating process. Whether the new model will be good or bad for consumer-Windows users, only time will tell.
Trading complex LDR for simpler GDR branches
The Windows ecosystem is nothing if not complex. Microsoft has had to continually support multiple versions of Windows, Office, and Internet Explorer, installed on a bewildering array of desktop, portable, and all-in-one PCs, attached to an even wider array of peripherals. All that diversity means Microsoft must constantly build, test, and distribute multiple versions of its many updates. Adding support for dozens of languages makes patching even more difficult.
The consequences of that updating complexity are significant expenses for Microsoft and failed patching for users. With that in mind, Microsoft has begun a process of simplifying product support. For example, this past January, it announced that Internet Explorer 11 would be the last and only supported version of IE on most systems. (IE 9 was the last version for Vista, and IE 10 would be kept for some server models. All support for Vista ends April 11, 2017.)
Then, in May, Microsoft announced in a TechNet post that future nonsecurity patches for Win7 and Win8.1 would be sent out as monthly roll-up updates. The post also noted a new Win7 SP1 “convenience rollup” (more info) for those who are doing from-scratch installs of the OS. The goal with the monthly rollup is to get Win7 and Win8.1 PCs on effectively the same basic platform. (The “common platform” initiative is likely another reason Microsoft is pushing Office users to move to the subscription-based Office 365, versus the standalone editions.)
A final announcement in the post noted that Microsoft would be phasing out MS Download Center as a source for Windows updates. In the future, you’ll have to go to the MS Update Catalog for manually downloading patches.
Microsoft’s next push for a standard platform is ensuring we’re all on General Distribution Release (GDR), as opposed to the current fractured system in which some patches come from Limited Distribution Release (LDR).
As discussed in an older MSDN post, GDR patches are designed for all Windows systems and include security fixes, new features, rollups, drivers, and other widely applicable updates. On the other hand LDR-based patches are mostly hotfixes, created to fix some specific problem. You typically install LDR updates/hotfixes only when needed.
Packages of patches delivered via Windows Update might contain both GDR and LDR versions (branches) of a patch, so they can replace the appropriate GDR- or LDR-branch file. In most cases, LDR patches are removed and Windows is reset back to an all-GDR branch when you install a service pack.
The combining of GDR and LDR updates adds complexity but rarely causes problems — we usually see issues in server/network situations. For example, a recent TechNet Windows Server forum post noted that some small business networks developed authentication problems after admins installed a specific update. The issue was resolved by installing the LDR version of the patch.
Bottom line: Patching with two branches is complex to implement — Microsoft is effectively coding updates twice, which is obviously inefficient. It’s even difficult to explain; Microsoft’s attempt to do so goes as far back as a 2009 TechNet blog post. The goal of the current changes is to reduce this complexity by pushing Win7 and Win8.1 back to a single patch-release model.
Summarizing the future methods for updating Windows
An Aug. 15 TechNet IT Pros post describes Microsoft’s new updating model for Win7 and Win8.1 in some detail. I urge you to read the post. In short, starting in October, there will be a roll-up patch for both security and nonsecurity fixes that will show up in Windows Update. Over time, these monthly updates will become cumulative, containing both current and previous patches (as happens with Win10 now).
There will also be a monthly update with only security patches that will not show up in Windows Update. It’ll be available only via WSUS, SCCM, and the MS Update Catalog. It’s designed to be a small package for enterprise deployment. (Note: Microsoft is working on making the Update Catalog easier to use; it’s removing the requirement that you use Internet Explorer and ActiveX.)
Note that there’ll be separate monthly roll-up patches for .NET Framework and Internet Explorer. I expect that Adobe Flash Player updates will also be released separately, due to their frequency.
I understand why Microsoft is making the changes. The complexity of maintaining patches for many configurations might explain the various updating problems — such as the slow update-scanning issue on many Win7 systems — we’ve experienced over the past year. The new cumulative-updating model might fix those problems.
However, I’m also concerned about pushing Win10’s cumulative-update system down to Win7 and Win8.1, an ecosystem that’s still extremely messy. I don’t feel that Win7 and Win8.1 have the telemetry Microsoft needs to identify side effects that arise from patching. (And then there’s the question of whether we want Microsoft to add more telemetry to our non-Win10 systems.)
Currently, if there’s an issue with a specific Win7 or Win8.1 update, we can put it on hold. Under the new model, we have to put the entire package of updates on hold until there’s a fix. An enterprise typically gets extensive and immediate Microsoft support to resolve update problems. However, consumer Windows users, many of whom consider their PCs no less important than some line-of-business system, will probably not get the support and resources from Microsoft needed to fix a broken update package.
I truly hope I’m wrong. As we adapt to the new system, I’ll do my best in the Patch Watch column to continue watching for and tracking patch problems — with a focus on balancing safety versus PC functionality.
A fix for a Windows system-font problem
This story introduces a new and occasional feature in the Windows Secrets newsletter — quick tips to solve computing problems we and our readers run across while using our PCs.
The inaugural tip is about a font issue that cropped up recently.
Problem: Recently, I noticed that the menu fonts on one of my Windows 7 systems had suddenly shrunk to an almost unreadable size. It first showed up in Firefox, but I soon noticed it in Windows Explorer and other apps. In all cases, the content was a normal size.
Solution: I first assumed there was a problem with either the screen resolution or Windows text-magnification option. But the fix proved to be in the Themes options (Control Panel/Personalization). I deleted the current theme and created a new custom theme. To do so, I selected the default “Windows 7” Aero theme and then used the Desktop Background link to re-create my preferred background — a slide show of personal photos.
I still don’t know what caused the problem, but it might have started after I tried different Windows text-sizing options (Control Panel/Display). A Microsoft Community forum thread discusses a similar event.
Have your own quick tip? Send it along to editor@windowssecrets.com.
Feedback welcome: Have another fix for this problem? Post it in the WS Columns forum.
Licensing tribulations when upgrading PCs
One of the seemingly never-ending confusions about Windows is licensing. Is an OEM license the same as a Retail license? How far can you upgrade hardware before the installed version of Windows is no longer authorized?
When a forum member asks a question about physically upgrading an older system with Windows 10 newly installed, those questions make up a longish debate. The answer: As with all things Microsoft, it’s complicated.
The following links are this week’s most interesting Lounge threads, including several other new questions for which you might have answers:
Publisher: AskWoody LLC (woody@askwoody.com); editor: Tracey Capen (editor@askwoody.com).
Trademarks: Microsoft and Windows are registered trademarks of Microsoft Corporation. AskWoody, Windows Secrets Newsletter, WindowsSecrets.com, WinFind, Windows Gizmos, Security Baseline, Perimeter Scan, Wacky Web Week, the Windows Secrets Logo Design (W, S or road, and Star), and the slogan Everything Microsoft Forgot to Mention all are trademarks and service marks of AskWoody LLC. All other marks are the trademarks or service marks of their respective owners.
Copyright © 2025 AskWoody LLC, All rights reserved.