Ever thought of how to get into your friend’s system and see the access denied files and folders? Or ever wanted to hack into someone’s admin account? Well here is a method which exploits yet another windows bug.
- Have you ever noticed that if you press your system’s SHIFT key >= 5 times continuously a pop up windows occurs with the name “Sticky Keys”? If it doesn’t pop up on your comp, then may be your shortcut is turned off. For enabling it, goto Control
Panel -> Accessibility Options. In the accessibility options under the
keyboard tab, in sticky keys , click on settings and enable the
shortcut for sticky keys. And u can do this even with a guest account.
- Finally if the following 2 requirements are setup on your system, then you are all set to enter into your admin’s account.
- On Pressing SHIFT >= 5 times, a pop up should appear.
- The windows System32 directory should be writable.
When u press, the SHIFT key >= 5 times, a file with the name “sethc.exe” is
executed. You can verify this in TASK manager (don’t close the pop up
window). This file is located in C:WINDOWSsystem32 folder, or
where ever your windows is installed.
- When SHIFT key is pressed >=5 times, windows executes a file named
“sethc.exe” located in system32 folder. It doesn’t even check if its the
same file. Also it runs with the privilege of the CURRENT USER
which is executing the file i.e if u have logged on as a guest then in
the TASK manager under processes, it shows your user name as guest.
- The file executes even if u log off, and have the windows login screen is
showed up, BUT THIS TIME SINCE NO USER HAS LOGGED IN IT RUNS WITH
If u understand this much, then the exploitation is very simple for you. What we will do is that,
we pick cmd.exe , copy it at a folder other than system32, (because windows
won’t allow u to copy) rename it to sethc.exe, go to system32 folder,
and paste it. Windows will ask, “that another file exists, do u want to
replace?” and after pressing OK, you have replaced the sethc.exe with ur own
cmd.exe. Now if u press SHIFT key >=5 times, a command prompt will
- Now log-off or restart. When you reach the windows
login screen, press the shift key >=5 times. A command prompt will
pop up with SYSTEM privilege.
- Enter the normal commands as follows:
- net user username /add
- net user localgroup administrators username /add
- And a new user called username with admin privilege will be added.
And thats it, you have admin privilege of the system and you can do what ever you want to with it.
Hiding your fake admin profile
Now you surely don’t want the real admin to track you. Here is what you will have to do to hide yourself from login screens as well as from control panel
- Goto registry editor and open this place.
- [HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWinlogonSpecialAccountsUserList]
- Here create a new DWORD value, write its name as the “user name” that u created for your admin account.
Thats it now you are invisible but still admin of the system. Live as admin forever and keep screwing the real admin forever.
Last but not the least (IMPORTANT)
Windows has two type of login screens:
- Where the accounts are listed with some pictures.
- Where u have to write username and password.
After making the hidden account u will have to login through the 2nd step only. If ur login screen is of Type 1, press ALT-CTRL-DEL twice to get the 2nd type screen.
This is a sureshot way to gain admin, if u r a lamer or a newbie
then please do some googling.
I have written almost every detail.
Thanks for reading this far 🙂 Make a comment if you liked this one.
Thanks for digging and shouting it out to your friends.